Dynamic model of an information system with a threshold adaptive protection operator

Dynamic model of an information system with a threshold adaptive protection operator

Polin M.D. (SPbPU, St. Petersburg, Russia)
Efremov A.A. (SPbPU, St. Petersburg, Russia)

Abstract

This paper investigates the problem of ensuring the stability of information systems under anomalous load conditions characteristic of Distributed Denial-of-Service (DDoS) attacks. A deterministic dynamic model is proposed, grounded in queueing theory and describing the coupled dynamics of the request queue length, the level of adaptive protection, and the utilization of computational resources–namely, the central processing unit and the network channel. The model incorporates a nonlinear saturation effect in request processing under overload, which accurately reflects the degradation of server infrastructure efficiency as the number of concurrent requests increases. The core component of the model is an adaptive protection algorithm implemented through a threshold-based operator that activates only when the queue exceeds a critical threshold and automatically deactivates once the load normalizes, thereby minimizing the risk of blocking legitimate traffic and eliminating false positives during normal operation. To ensure universality of the analysis, the system of differential equations is transformed into a dimensionless form, which enables the identification of key dimensionless parameter groups and eliminates dependence on specific units of measurement. A rigorous stability analysis based on the spectrum of the Jacobian matrix confirms the asymptotic stability of the system, provided that the intensity of normal traffic does not exceed the processing capacity. Numerical simulations were conducted for three distinct attack scenarios: a short-term burst, a multi-stage attack with repeated waves, and a low-and-slow attack followed by a sharp surge. To enhance model adequacy, a mechanism for conditional engagement of reserve computational resources was introduced, activated only after the cessation of the attack and in the presence of persistent overload. Model validation against the public CICDDoS2019 dataset confirmed its high accuracy, demonstrating both qualitative and quantitative agreement. The obtained results highlight the model’s practical applicability for designing predictive protection systems in cloud and distributed environments, as well as for optimizing the parameters of adaptive mechanisms in real-world information infrastructures.

Keywords

DDoS attack; dynamic modeling; queueing theory; adaptive protection; dynamic operator; dimensionless analysis; stability; cybersecurity.

Edition

Proceedings of the Institute for System Programming, vol. 38, issue 3, part 4, 2026, pp. 59-70

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2026-38(3)-46

For citation

Polin M.D., Efremov A.A. Dynamic model of an information system with a threshold adaptive protection operator. Proceedings of the Institute for System Programming, vol. 38, issue 3, part 4, 2026, pp. 59-70 DOI: 10.15514/ISPRAS-2026-38(3)-46.

Full text of the paper in pdf (in Russian) Back to the contents of the volume