1 Introduction

Computer networks are currently the main means of transmitting data and services. Therefore, the task of monitoring information has become a key factor in technology sectors [1]. Information security issues have existed ever since information was first created. However, as technology advances and information management systems become increasingly powerful, the issue of information security also becomes increasingly critical [2].

Considering its intrinsic nature, the network operation analysis is based on stochastic events. The argument for this type of methodology is based on the principle that human actions behave as random elements [3]. In fact, the variability of available services is considerable, and therefore the types of user behavior eventually follow this trend.

Some important elements should be considered in data traffic management, such as trustfulness, confidentiality, integrity and reliability [4, 5].

Among the mentioned elements, reliability is the main object of analysis of this article. It can be defined as the capacity to provide access to information systems as soon as they are requested [4]. A system with low reliability ultimately leads to dissatisfaction and low user productivity.

A set of criteria should be established to avoid false positives [6], which in turn may even lead to problems of a legal nature. For instance, a significant loss of network data packets can be interpreted either as a malicious attack or as intense use of the computer network.

It is possible to gather information from network logs of the data packets that pass through the network devices. Data extraction can provide the manager with an important tool for decision making.

Some data may be considered interesting to the analysis of the packet traffic, among which are: the origin logical IP address, request time, response waiting time, type of obtained result, the amount of response data in the transaction and the destination logical IP address [7].

Due to the stochastic behavior of networks, analysis methods based on classical logic may not be a suitable tool for this scenario [8]. A new logical system is needed to deal with it. The Paraconsistent annotated evidential logic Eτ has a structure that makes it a natural technique for looking for evidence of problems, whether caused by the standard operation of the network or by intentional elements [9]. In the latter case, these may be users or malicious applications [10].

Once again, the use of Paraconsistent logic Eτ arises as a feasible alternative for making decisions under uncertainty, inconsistency and contradiction, in several areas such as robotics, electronics and traffic control, among others [11].

2 Methodology

The development of the proposal is based on the analysis of network data communication over five days and three ranges (mornings, afternoons and evenings), of five hours each. For each range, several parameters were obtained, among which: date and time of the request, the source IP address, destination IP address, type of connection made, the result of the request operation, response waiting time, amount of data response and total transactions.

From the network requests log, it was possible to extract network usage information expressed in Table 1.

Table 1. Network parameters obtained from transactions logs

Some significant information can be obtained considering the parameter “Standard Deviation” in association with “Average Response Time” as a measure of dispersion and “Average Packet Size”. In this case, it is possible to make an association between the lowest standard deviation (86841.53 ms), its average response time (12579.59 ms) and average packet size (20589.08 bytes), which suggests that in the period from 13:00 to 17:59 on Tuesday the network was operating normally, with a low response time even with a considerable amount of data in transit. On Wednesday, from 18:00 to 22:59, the network had its worst performance, with the largest delay in average response time (29514.48 ms) and a slightly higher average packet size compared to the previous example (26382.09 bytes), with a standard deviation slightly below the maximum obtained (246460.67 ms). In this case, it may be reasonable to conclude that the network experienced operational problems.

However, handling dynamic and highly stochastic events during computer network operation may be a highly complex task. Therefore, a logical analyzer, the Para-analyzer [12], will be applied to the data obtained in order to analyze it with an artificial intelligence tool. Four parameters shall be used as factors: average response time (R), its standard deviation (D), average packet size (P) and the total transactions (T).

The number of intervals that were selected for each parameter is based on the occurrence of significant variances in the evaluations of favorable and unfavorable evidences by the specialists. A larger number of intervals often presented very close or even repeated values, which in turn would generate unnecessary redundancy in this study.

It is considered that a low response time is a good indicator because it suggests that the network did not suffer consequences of a possible congestion and was able to answer its requests in an acceptable time. For this, three intervals shall be considered, based on the minimum and maximum values obtained from the network log: R1, R2 and R3.

A low standard deviation of the average response time also leads to the belief of a homogeneous network operation. In other words, no significant discrepancies between the hosts in operation were detected. Along with the previous factor, three intervals shall be considered: D1, D2 and D3.

The average packet size is also an important factor, but it has an element of uncertainty that must be considered. Networks with a low average packet size may indicate little use, which can be considered a plus. On the other hand, networks that suffer attacks should also have this tendency, since the data packets used for this purpose are individually small. Four intervals will be considered: P1, P2, P3 and P4.

Finally, the number of transactions may be considered a significant factor since a high value may suggest problems relating to malicious attacks or high degree of utilization of the network. Once again, four intervals shall be used: T1, T2, T3, and T4.

The concepts of Paraconsistent logic Eτ will be used from this point. According to Abe [12]: “The atomic formulas of the logic Eτ are of the type p(μ, λ), where (μ, λ) ∈ [0, 1]² and [0, 1] is the real unitary interval (p denotes a propositional variable)”. Therefore, p(μ, λ) can be intuitively read: “It is assumed that p’s favorable evidence is μ and contrary evidence is λ.” This leads to the following readings:

  • p (1.0, 0.0) can be read as a true proposition,

  • p (0.0, 1.0) as false,

  • p (1.0, 1.0) as inconsistent,

  • p (0.0, 0.0) as paracomplete, and

  • p (0.5, 0.5) as an indefinite proposition.

To determine the uncertainty and certainty degrees, the formulas are [10]:

  • Uncertainty degree: Gun(μ, λ) = μ + λ − 1 (0 ≤ μ, λ ≤ 1);

  • Certainty degree: Gce(μ, λ) = μ − λ (0 ≤ μ, λ ≤ 1).

An order relation is defined on [0, 1]²: (μ₁, λ₁) ≤ (μ₂, λ₂) ⇔ μ₁ ≤ μ₂ and λ₁ ≤ λ₂, constituting a lattice that will be symbolized by τ.

With the uncertainty and certainty degrees, it is possible to handle the following 12 output states, shown in Table 2.

Table 2. Extreme and non-extreme states

All states are represented in Fig. 1.

Fig. 1. All states in Lattice τ

Initially, for each analyzed factor, the opinions of two experts in the field of networks shall be considered, both senior professionals with extensive experience in the field. For each factor, intervals will be taken and rated, with a certain degree of favorable evidence (represented by μ) and unfavorable evidence (represented by λ).

Weights will also be applied to each factor/interval, according to the degree of importance that each expert deems appropriate. The data to which the Paraconsistent algorithm will be applied are shown in Table 3.

Table 3. Distribution of factors and grades for the Para-analyzer algorithm

To study the proposition “The computer network is functioning within normal operational limits”, values were tabulated and applied to the Para-analyzer algorithm, as seen in Table 4.

Table 4. Favorable and unfavorable evidences and weights of first scenario

The factors listed above are not able to lead to important conclusions alone. In this case, the combined influence of the factors, with their respective applied weights, could contribute to a more appropriate response to the initial proposition. This is determined by the global analysis of the points that represent the Cartesian plane [13].

The global analysis is calculated by multiplying each favorable evidence (μ) by its respective weight and adding the results. The same is done for the unfavorable evidence (λ) [13]. Considering the tabulated values, the global analysis obtained was 0.63 of favorable evidence and 0.48 of unfavorable evidence. With a minimum demand level of 0.5, it was observed that the factors proved viable for the R1 response time, D1 standard deviation of average response time, and T1 transactions. No average packet size (P) interval showed a viable result, as seen in Fig. 2.

Fig. 2. Analysis of first scenario result by the Para-analyzer algorithm.
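
The certainty and uncertainty degrees and the weighted global analysis described above can be sketched as follows. This is an added example, not the authors' Para-analyzer code: the names, the normalization of weights to sum to 1, and the decision rule (viable when Gce reaches the demand level, not viable when it reaches its negative, inconclusive otherwise) are assumptions, and the per-factor ratings are constructed rather than taken from Table 4.

```python
from typing import NamedTuple

class Evidence(NamedTuple):
    factor: str    # interval label, e.g. "R1"
    mu: float      # favorable evidence, in [0, 1]
    lam: float     # unfavorable evidence, in [0, 1]
    weight: float  # relative importance given by the experts

def certainty(mu: float, lam: float) -> float:
    return mu - lam            # Gce(mu, lam)

def uncertainty(mu: float, lam: float) -> float:
    return mu + lam - 1.0      # Gun(mu, lam)

def decide(mu: float, lam: float, demand: float = 0.5) -> str:
    """Assumed rule: compare the certainty degree with the demand level."""
    if not (0.0 <= mu <= 1.0 and 0.0 <= lam <= 1.0):
        raise ValueError("evidence degrees must lie in [0, 1]")
    gce = round(certainty(mu, lam), 9)   # absorb float noise at the threshold
    if gce >= demand:
        return "viable"
    if gce <= -demand:
        return "not viable"
    return "inconclusive"

def global_analysis(rows):
    """Weighted sum of mu and of lam; weights are normalized to sum to 1."""
    total = sum(r.weight for r in rows)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    mu = sum(r.mu * r.weight for r in rows) / total
    lam = sum(r.lam * r.weight for r in rows) / total
    return mu, lam

def viable_factors(rows, demand=0.5):
    return [r.factor for r in rows if decide(r.mu, r.lam, demand) == "viable"]

# Constructed sample ratings (not the paper's Table 4 values).
SAMPLE = [
    Evidence("R1", 0.90, 0.20, 3),
    Evidence("D1", 0.85, 0.25, 2),
    Evidence("P2", 0.50, 0.60, 2),
    Evidence("T1", 0.80, 0.20, 3),
]

if __name__ == "__main__":
    g_mu, g_lam = global_analysis(SAMPLE)
    print(viable_factors(SAMPLE), round(g_mu, 2), round(g_lam, 2), decide(g_mu, g_lam))
    print(decide(0.63, 0.48), round(uncertainty(0.63, 0.48), 2))  # first scenario
```

Under this rule, the global values reported for the first scenario (0.63, 0.48) give a certainty degree of 0.15, below the 0.5 demand level, so the global proposition is inconclusive even though individual intervals are viable.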

For comparison, another set of weights can be used where a higher weight is applied to each extreme position of the analyzed factor interval. The objective of this approach is to balance the weights of the factors against each other while applying a slightly lower relative weight to the intermediate intervals, which may generate a higher level of uncertainty, as seen in Table 5.

Table 5. Favorable and unfavorable evidences and weights of second scenario.

In this second scenario, the obtained global analysis was 0.62 of favorable evidence and 0.49 of unfavorable evidence, which is slightly less than in the first scenario. With a minimum demand level of 0.5, it was observed that the factors that were viable remain the same: R1 response time, D1 standard deviation of average response time, and T1 transactions. Again, no average packet size (P) interval presented a viable result, as can be seen in Fig. 3.

Fig. 3. Analysis of second scenario result by the Para-analyzer algorithm.

3 Analysis of the Results

From the obtained results, it can be observed that among the analyzed factors, the intervals R1, D1 and T1 showed a common pattern of viability. On the other hand, no significant influence was observed for the factor P in any of its intervals. All the evaluated scenarios showed inconclusive results.

The interpretation of the results leads to the belief that a reduced response time (R1), a low standard deviation of the average response time (D1) and a small number of transactions (T1) are conditions that reflect the behavior of the computer network within normal limits. However, the average packet size factor does not follow the same line of reasoning, as can be seen from the log data itself, where a significant amount of data in transit was verified with a reduced response time. Therefore, it can be concluded that the average size of the data packets may not be indicative of problems in the network, only an indication of intensive use of the infrastructure.