FORMAL MODELS OF COMPUTER ATTACKS IN CORPORATE NETWORKS

Authors

DOI:

https://doi.org/10.31891/2219-9365-2025-84-9

Keywords:

computer attacks, risk models, risk level, attack probability, attack impact, multi-stage attacks, attack lifecycle, Markov models, conditional transition probabilities, network features, traffic header characteristics, attack classification, DoS, Probe, R2L, U2R, machine learning, feature normalization, traffic anomalies, statistical indicators, state graphs, sequential state model, risk assessment

Abstract

In today's digital environment, there has been a rapid increase in the number and complexity of cyber threats, due to both technological advances and the growing availability of tools for carrying out attacks. Attackers are using increasingly sophisticated methods, combining various techniques of intrusion, camouflage, and bypassing defenses, which requires researchers and cybersecurity specialists to create more accurate, formal, and analytical models of attack behavior. Such models make it possible not only to describe known cyber incident scenarios, but also to predict possible ways in which threats may develop, assess risks, and anticipate new attack options based on existing patterns. Modeling computer attacks allows us to view intrusions as a structured set of interrelated actions by an attacker, accompanied by certain technological and behavioral characteristics, and it is this representation that greatly simplifies the automatic detection of attacks or their early identification.

Formal attack models represent the intrusion process systematically as a sequence of steps, each aimed at a specific intermediate goal: gathering information, scanning the network, exploiting vulnerabilities, establishing a foothold in the system, covering tracks, or further expanding access. This representation makes it possible to analyze attack behavior at different levels of the system, detect anomalies in component interactions, and identify points where effective response or blocking of malicious activity is possible. Such models are therefore an important tool for building artificial intelligence methods that can automatically classify events, identify suspicious patterns, and stop cyber incidents from developing in real time.
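The step-sequence view above can be made quantitative with a Markov chain over the stages; the following is an added illustration, not code or data from the paper. The stage names follow the abstract's list, while the traces, the absorbing "stopped" state and the 50% control effectiveness are constructed assumptions.

```python
from collections import Counter, defaultdict

GOAL, STOPPED = "expand_access", "stopped"  # absorbing states; "stopped" is an added assumption
# Constructed incident traces over the abstract's stages (not from the paper or KDD-99).
TRACES = [
    ["recon", "scan", "exploit", "foothold", "cover_tracks", "expand_access"],
    ["recon", "scan", "stopped"],
    ["recon", "scan", "exploit", "stopped"],
    ["recon", "scan", "scan", "exploit", "foothold", "expand_access"],
    ["recon", "stopped"],
    ["recon", "scan", "exploit", "foothold", "stopped"],
]

def transition_probs(traces):
    """Maximum-likelihood estimate of P(next stage | current stage)."""
    counts = defaultdict(Counter)
    for trace in traces:
        for cur, nxt in zip(trace, trace[1:]):
            counts[cur][nxt] += 1
    return {s: {t: n / sum(row.values()) for t, n in row.items()}
            for s, row in counts.items()}

def reach_prob(P, start, sweeps=200):
    """Probability that an intrusion now in `start` ends in GOAL."""
    h = defaultdict(float, {GOAL: 1.0})
    for _ in range(sweeps):  # iterate h(s) = sum_t P(s,t) * h(t) to its fixed point
        for s, row in P.items():
            h[s] = sum(p * h[t] for t, p in row.items())
    return h[start]

def with_control(P, edge, effectiveness):
    """Copy of P in which a control diverts part of one transition to STOPPED."""
    src, dst = edge
    Q = {s: dict(row) for s, row in P.items()}
    moved = Q[src][dst] * effectiveness
    Q[src][dst] -= moved
    Q[src][STOPPED] = Q[src].get(STOPPED, 0.0) + moved
    return Q

def rank_control_points(P, start="recon", effectiveness=0.5):
    """(residual P(reach GOAL), edge) for a control on each edge, best first."""
    edges = [(s, t) for s, row in P.items() for t in row if t != STOPPED]
    return sorted((reach_prob(with_control(P, e, effectiveness), start), e) for e in edges)

if __name__ == "__main__":
    P = transition_probs(TRACES)
    print(f"P(goal | recon) = {reach_prob(P, 'recon'):.3f}")
    for p, (s, t) in rank_control_points(P):
        print(f"control on {s} -> {t}: residual {p:.3f}")
```

On these constructed traces, a control on any edge of the serial path from recon through foothold halves the probability of reaching the goal, while a control placed after the foothold branch leaves more residual probability.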

The study focuses on comparing and critically analyzing existing approaches to building models of computer attacks. It examines the advantages and disadvantages of conceptual models that describe the logic of an attack at an abstract level, graph models that represent intrusions as a system of states with transitions between them, and formal mathematical models that allow for the quantitative assessment of risks and vulnerabilities. Particular attention is paid to machine learning methods, which are increasingly used due to their ability to process large amounts of data, identify multidimensional dependencies, and adapt to the rapidly changing environment of cyber threats. Such approaches form the basis of modern intrusion detection systems, as they allow learning from both known and previously unknown types of anomalies.

The network level is key to this research, as it reflects the way nodes communicate with each other, the types of connections, the traffic structure, and other characteristics that are often decisive for detecting or classifying an attack. Analyzing network parameters shows which nodes interact, which protocols are used, and which types of requests are characteristic of certain scenarios, all of which makes it possible to recreate the attack mechanism even in cases where the attacker tries to hide their presence. Even details such as the name of the service, port, or traffic intensity can help determine whether a connection is part of normal system operation or contains suspicious elements.

For a practical demonstration of attack model building, the well-known KDD-99 dataset was used. It includes a large number of examples of network connections, each of which has a set of characteristic features and belongs either to one of the attack types or to normal activity. This dataset is widely used in academic and practical cybersecurity research because it supports conducting experiments, comparing models, preprocessing data, building classification algorithms, and analyzing their effectiveness. Its use allows theoretical approaches to be combined with real data, creating a basis for testing models, demonstrating their practical value, and understanding how the results obtained can be applied in real-world conditions to detect and predict cyber incidents.

Published

2025-12-11

How to Cite

KLEIN О. (2025). FORMAL MODELS OF COMPUTER ATTACKS IN CORPORATE NETWORKS. MEASURING AND COMPUTING DEVICES IN TECHNOLOGICAL PROCESSES, 84(4), 81–88. https://doi.org/10.31891/2219-9365-2025-84-9