In the scenarios of specific conditions and crises such as the coronavirus pandemic, the availability of e-learning ecosystem elements is further highlighted. The growing importance for securing such an ecosystem can be seen from DDoS (Distributed Denial of Service) attacks on e-learning components of the Croatian e-learning system. The negative impact of the conducted attack is visible in numerous users who were prevented from participating in and implementing the planned teaching process. Network anomalies such as conducted DDoS attacks were identified as one of the crucial threats to the e-learning systems. In this paper, an overview of the network anomaly phenomenon was given and botnets’ role in generating DDoS attacks, especially IoT device impact. The paper analyzes the impact of the COVID-19 pandemic on the e-learning systems in Croatia. Based on the conclusions, a research methodology has been proposed to develop a cyber-threat detection model that considers the specifics of the application of e-learning systems in crisis, distinguishing flash crowd events from anomalies in the communication network. The proposed methodology includes establishing a theoretical basis on DDoS and flash crowd event traffic, defining a laboratory testbed setup for data acquisition, development of DDoS detection model, and testing the applicability of the developed model on the case study. The implementation of the proposed methodology can improve the quality of the teaching process through timely DDoS detection and it gives other socio-economic contributions such as developing a specific research domain, publicly available dataset of network traffic, and raising the cyber-security of the e-learning systems.

在冠状病毒大流行等特定条件和危机的情况下，进一步突出了电子学习生态系统元素的可用性。从对克罗地亚电子学习系统的电子学习组件的 DDoS（分布式拒绝服务）攻击可以看出，保护此类生态系统的重要性日益增加。在许多被阻止参与和实施计划的教学过程的用户中，所进行的攻击的负面影响是显而易见的。DDoS 攻击等网络异常被确定为电子学习系统的关键威胁之一。在本文中，概述了网络异常现象以及僵尸网络在产生 DDoS 攻击中的作用，尤其是对物联网设备的影响。本文分析了 COVID-19 大流行对克罗地亚电子学习系统的影响。基于这些结论，提出了一种研究方法来开发网络威胁检测模型，该模型考虑了电子学习系统在危机中的应用的具体情况，将突发人群事件与通信网络中的异常区分开来。所提出的方法包括建立 DDoS 和闪电人群事件流量的理论基础，定义用于数据采集的实验室测试平台设置，DDoS 检测模型的开发，以及在案例研究中测试开发模型的适用性。所提出的方法的实施可以通过及时的 DDoS 检测来提高教学过程的质量，并提供其他社会经济贡献，例如开发特定的研究领域、公开可用的网络流量数据集、