Методи та моделі експертних систем розпізнавання кібератак на основі кластеризації реалізацій ознак

Abstract

Дисертаційна робота містить результати досліджень, які спрямовані на подальший розвиток методів та моделей для адаптивних систем розпізнавання кібератак на основі кластеризації реалізацій ознак. Запропоновано структурну схему здатної до самонавчання експертної системи (ЕС) з інформаційної безпеки. Розроблено модель ЕС у складі системи інтелектуального розпізнавання кіберзагроз (СІРКЗ) та метод її навчання, у яких застосовується процедура нечіткої кластеризації реалізацій ознак кібератак та корекції вирішальних правил, що дозволяє створювати адаптивні механізми самонавчання СІРКЗ. Запропоновано застосовувати в якості оціночного показника ефективності навчання ЕС модифіковану інформаційну умову функціональної результативності (ІУФР), яка ґрунтується на ентропійному та інформаційно-дистанційному критерії Кульбака-Лейблера. Удосконалено метод розбиття простору реалізацій ознак на кластери в ході реалізації процедури розпізнавання кібератак, а також метод навчання ЕС, які являють собою ітераційну процедуру пошуку глобального максимуму ІУФР. Проведені тестові дослідження ЕС та порівняльний аналіз із існуючими методами та моделями, які використовуються у інтелектуальних системах розпізнавання кібератак. The dissertation contains the results of researches aimed at further development of methods and models for adaptive systems of recognition of cyber attacks on the basis of clusterization of the implementation of features. A structural scheme of an expert system for information security capable of self-education is proposed. On the basis of the analysis of available scientific publications, it was found that the complexity of application to intelligent recognition systems of target cyber attacks of the formalized apparatus of analysis and synthesis is that a specific information complex and their subsystems of information security consist of heterogeneous elements that are described using different models. It is shown that the application of elements of adaptive information protection can be based on the use of advanced methods of intelligent recognition of cyber attacks. For the first time, an expert system model has been developed as part of intelligent intrusion detection systems, in which, unlike existing ones, the procedure of fuzzy clusterization of the implementation of cyber attacks and the subsequent correction of decisive rules is applied, which allows for the creation of adaptive self-learning mechanisms for intelligent cyber attacks detection systems. For the first time, it is suggested to use the modified informational condition of functional effectiveness as an estimator of the effectiveness of the training of the expert system based on the entropy and informational-remote criterion of the Kulbak-Leibler, and, unlike the existing one, allows to receive the entrance educational matrix, which is used as an object of study , and build correct decisive rules for recognizing cyber attacks on critical information systems. The method of partitioning the realization of features into clusters in the course of implementing the cyber attacks recognition procedure, which differs from existing, is simultaneously optimized when calculating control tolerances during the analysis by an expert system of difficult explanatory implementations of the objects of observation, and allows for each step of the training to change the test tolerance deviations for all implementations of cyber attacks simultaneously. The method of teaching the expert system is improved, which is an iterative procedure for finding the global maximum of the information condition of functional efficiency, and, unlike the existing one, prevents possible cases of one object acquisition of objects of recognition of basic realizations of signs of observation objects, as well as errors during the task of making decisions in the course of machine learning procedures. Further development of simulation models for the composite construction of intelligent detection systems for cyber attacks by simultaneously optimizing control tolerances during the analysis of recognition objects, allowing them to conduct research, to select rational methods of counteraction and neutralization of consequences, to analyze more complex and previously unknown types of cyber attacks on critical information systems. The practical significance of the results is that the dissertation developed a software implementation of the expert system for the recognition of cyber attacks, which allows to increase the efficiency of recognition, depending on the class of cyber attacks, up to 70-99%, and reduce the time of debugging of the information security systems projects by 15-20% CYIS at the expense of simulation of a cyber attacks. An EU-based self-learning tool, "Analyzer of Cyberthreats", allows you to take into account the known statistical parameters of clustering implementations of features of recognition objects, as well as errors during the decision making task during machine learning. The proposed expert system allows to increase the efficiency of functioning of cybersecurity systems. The results of the work have been implemented in the scientific and technical developments of "Protection of Information" Ltd. and in the educational process at the Chernihiv National Technological University, as well as at the National Aviation University.