SIGNIFICANT PREPROCESSING METHOD IN EEG BASED EMOTIONS CLASSIFICATION

221

IMPROVED METHOD FOR THE FORMATION OF

LINGUISTIC STANDARDS FOR

OF INTRUSION DETECTION SYSTEMS

1

AKHEMETOV BAKHYTZHAN , 2KORCHENKO ANNA,3AKHMETOVA SANZIRA ,

4

ZHUMANGALIEVA NAZYM

1

Assoc Prof., Doctor of Technical , Institute of Information and Telecommunication Technologies, Kazakh National Technical University named after K. I. Satpayev, Almaty, Kazakhstan,

2

Department of Information Technology Security, National Aviation University, Kyiv, Ukraine.

3

Institute of Information and Telecommunication Technologies, Kazakh National Technical University named after K. I. Satpayev, Almaty, Kazakhstan,

4

Institute of Information and Telecommunication Technologies, Kazakh National Technical University named after K. I. Satpayev, Almaty, Kazakhstan,

E-mail: [email protected]

,

[email protected]

,

[email protected]

,

4

[email protected]

ABSTRACT

Due to intensive development of digital business, malicious software and other cyber threats are becoming more common. To increase the level of security necessary special remedies that can be effective when new types of threats and allow fuzzy conditions to detect cyberattacks targeting multiple resources of information systems. Different attacking effects on related resources give rise to different sets of parametric anomalies in a heterogeneous environment. Known tuple model of the formation of a set of core components that allow to detect cyberattacks. For its effective application requires a formal approach to the formation of fuzzy (linguistic) standards. To this end a method is developed that focuses on the tasks of identifying cyberattacks on computer systems, which is based on mathematical models and methods of fuzzy logic and is implemented through six basic stages: the formation of subsets of identifiers linguistic assessments, forming the base matrix of frequencies, the formation of the derivative matrix of frequencies, the formation of fuzzy terms, the formation of the reference fuzzy numbers, visualization of linguistic standards. The method allows to improve the process of formalization of linguistic standards receive options to improve the efficiency of construction of the corresponding intrusion detection systems.

Keywords: Artificial Neural Network (ANN), Static Var Compensator (SVC), Autonomous Hybrid Power System (AHPS)

1. INTRODUCTION

1.1 Relevance

The formation of many markets and industries today it is difficult to imagine without information technologies. Due to the development of digital business and the Internet, malicious software and other cyber threats are becoming more prevalent and pervasive. In this regard, the necessary means to detect cyberattacks on various resources of

222 successful response to cyberattacks. Important in detecting anomalies, generated by cyberattacks, is the formation of fuzzy standards [2]. On this basis, the development of methods that improve the process of formalization of receiving linguistic standards of the parameters for the intrusion detection systems, there is actual scientific task.

1.2 Analysis Of Existing Research

A number of famous, quite effective developments used to solve these problems, detect cyberattacks, such as: the tuple model to form the basic component for the detection of cyberattacks [2], fuzzy approaches to intrusion detection [3]–[4] and detecting anomalies [5]; the corresponding fuzzy model [1], [6]–[7], methods [8]–[10] and intrusion detection system [11]–[13]; the sets of fuzzy rules [3]–[4], [8], [14]–[22], as well as other developments that are used for solving problems in fuzzy environment [23]. These studies demonstrated efficiency of application of mathematical apparatus of fuzzy sets, and its use to formalize the approach to identifying cyberattacks would improve the process of creating appropriate systems of detection of intrusions. It should be noted that many of the attacking effects on the resources of the information systems generate a lot of anomalies among the heterogeneous variables in a parametric environment [2].

For effective application of known models [2], [24] the formal implementation of the process of formation of fuzzy (linguistic) standards that will allow in a given linguistic variable identifies the search term [10]. On this term by using the corresponding sets of rules to determine the level of abnormal condition created by the impact of the corresponding class of cyberattacks.

1.3 Main Objective Of Research

Based on the analysis of existing research and the relevance of the task the aim of this work is to develop an improved (generalized) method of formation of linguistic standards (MFLS) for intrusion detection systems, operating in formalized fuzzy environment.

With such a method (when solving the tasks of identifying cyberattacks) can be formalized receiving process standards of the parameters for a given group of linguistic variables used to identify certain types of attacks on specific parametric heterogeneous environment in a specified time period.

2. MAINPARTOFRESEARCH

For construction of a subset of linguistic standards

Т

е_ij (see (13) in [2]), displaying the characteristic judgement of the expert concerning the anomalous state of the parameter

P

_ij we will develop an appropriate method that allows to formalize the process of obtaining standards of the parameters for the specified groups of linguistic variables for a specific environment. Improved method for the formation of linguistic standards (MFLS) is focused on solving the tasks of identifying cyberattacks on computer systems is a further development of the method of linguistic terms using statistical data [23] and is based on six stages.

Stage 1 – formation of subsets of identifiers linguistic assessments. The creation of the subset

i

LE

is based on the set of all possible identifiers (ID) of linguistic evaluations (judgments) expert

LE

submitted as

LE

=

=

U

c

l l 1

{

LE }

=

1

{ LE

,

LE

₂, …,

LE }

_c ,

( l

=

1,c )

, (1) and that display used expert judgment to characterize the parameters

P

_i [2], [24] when observed in a

m

-dimensional parametric heterogeneous environment [2], and the

c

– number of such ID.

For example, when

с

=

10

according to (1) the set

LE

can be represented as follows:

LE

=

=

U

10 l

l 1

{

LE }

=

{ LE

₁,

LE

₂, …,

LE }

₁₀ =

VS

{ LE

,

LE

_S,

LE

_A,

LE

_B,

LE

_VB,

LE

_Y,

LE

_M,

O

LE

,

LE

L,

LE }

H =

{"VS", "S", "A", "B",

"VB", "Y", "M", "O", "L", "H"}

, (2) where

LE

₁=

LE

_VS=

"VS"

,

LE

₂=

LE

_S=

"S"

,

3

LE

=

LE

A=

"A"

,

LE

4=

LE

B=

"B"

,

LE

5=

LE

VB

=

"VB"

,

LE

6=

LE

Y=

"Y"

,

LE

7=

LE

M =

"M"

,

8

LE

=

LE

_O=

"O"

,

LE

₉=

LE

_L=

"L"

and

LE

₁₀=

H

LE

=

"H"

ID, respectively, are of such linguistic

assessments (judgments) of expert as «VERY SMALL» (when

l

=

1

), «SMALL» (when

l

=

2

), «AVERAGE» (when

l

=

3

), «BIG» (when

l

=

4

), «VERY BIG» (when

l

=

5

), «YOUTH» (when

=

223

=

l

8

), «LOW» (when

l

=

9

) and «HIGH» (when

=

l

10

).

Next, we form the subset ID of expert judgments

U

n i

i 1

{

LE }

=

=

{LE

₁,

LE

₂, …,

LE }

_n , (3)

where

LE

_i ⊆

LE

,

( i

=

1,n )

defined as:

i

LE

=

U

i m

ij j 1

{

LE }

=

=

{LE

_i1,

LE

_{i 2},…, i im

LE

}

, (4)

in this case

LE

_ij

( j

=

1,m )

_i ID is a subset of the expert's judgments regarding the values of the parameters

P

ij (see (8) в [2]) in

m

-dimensional parametric heterogeneous environment. Taking into consideration (4) we will write formula (3) in the following form:

U

n i

i 1

{

LE }

=

=

U U

i m n

ij i 1 j 1

{

{

LE }}

= =

=

{{LE

₁₁,

LE

₁₂, …,

1 1m

LE

}

,

{LE

₂₁,

LE

₂₂, …, 2 2m

LE

}

, …,

n1

{LE

,

LE

_n2, …, n nm

LE

}}

. (5)

Thus, taking into account

LE

ij⊆

LE

i, about j

-th parameter the expert can apply a set from

r

j statements (linguistic estimates), displayed by a subset

ij

LE

=

=

=

U

j

j r

ijk ij1 ij 2 ijr

k 1

{

LE } { LE ,LE ,...,LE

}

, (6)

where

LE

_ijk

( k

=

1,r )

_j –

k

-th identifier of a linguistic assessment of the expert concerning a state j-the parameter when

i

-th cyberattacks in a certain environment, but

r

_j – number of identifiers

in

LE

_ij.

Further, the expression (5) with (6) takes the following form:

U

n i

i 1

{

LE }

=

=

U U

i m n

ij i 1 j 1

{

{

LE }}

= =

=

= = =

U U U

j i r

m n

ijk i 1 j 1 k 1

{

{

{

LE } } }

=

111

{{{ LE

,

LE

₁₁₂, …,

1

11r

LE

}

,

{ LE

₁₂₁,

LE

₁₂₂,

…,

2

12 r

LE

}

, …,

1

1m 1

{ LE

,

1

1m 2

LE

, …,

1 m1

1m r

LE

}}

,

{{ LE

₂₁₁,

LE

₂₁₂, …,

1

21r

LE

}

,

{ LE

₂₂₁,

LE

₂₂₂,

…,

2

22 r

LE

}

, …,

2

2 m 1

{ LE

,

2

2 m 2

LE

, …,

2 m2

2 m r

LE

}}

, …,

{{ LE

n11,

LE

n12, …,

LE

n1r1

}

,

n21

{ LE

,

LE

_{n 22}, …,

2

n 2 r

LE

}

, …,

n

nm 1

{ LE

,

n

nm 2

LE

, …,

n mn

nm r

LE

}}}

. (7)

For example, when

n

=

3

(i.e., to cyberattacks ID

CA

₁=

CA

_SN=

SN

– «Scanning of ports (SN)»,

2

CA

=

CA

_DS=

DS

– «Denial of service (DS)» and

3

CA

=

CA

SP=

SP

– «Spoofing (SP)»),

=

=

1 3

m

m

2

,

m

₂

=

3

,

r

₁

=

5

,

r

₂

=

r

₃

=

3

the expression (7) can be defined as:

U

3 i

i 1

{

LE }

=

=

U U

i m 3

ij i 1 j 1

{

{

LE }}

= =

=

= = =

U U U

j i r

m 3

ijk i 1 j 1 k 1

{

{

{

LE } } }

=

111

{{{ LE

,

LE

₁₁₂,

LE

₁₁₃,

LE

₁₁₄,

LE

₁₁₅

}

,

121

{ LE

,

LE

₁₂₂,

LE

₁₂₃

}}

,

211

{{ LE

,

LE

₂₁₂,

LE

₂₁₃,

LE

₂₁₄,

LE

₂₁₅

}

,

{ LE

₂₂₁

,

LE

₂₂₂,

LE

₂₂₃

}

,

231

{ LE

,

LE

232,

LE

233

}}

,

311

{{ LE

,

LE

312,

LE

313,

LE

314,

LE

315

}

,

321

{ LE

,

LE

₃₂₂,

LE

₃₂₃

}}}

=

SNNVC1

{{{ LE

,

LE

_{SNNVC 2},

LE

_SNNVC3,

LE

_SNNVC4,

N SN VC5

LE

}

,

{ LE

_SNVCA1,

LE

_SNVCA2,

LE

_SNVCA3

}}

,

DSNCC1

{{ LE

,

LE

DSNCC2,

LE

DSNCC3,

LE

DSNCC4,

N DS CC5

LE

}

,

{ LE

_DSSPR1,

LE

_DSSPR2,

LE

_DSSPR3

}

,

DSDВR1

{ LE

,

LE

_DSDВR2,

LE

_DSDВR3

}}

,

SPNCC1

{{ LE

,

LE

_SPNCC2,

LE

_SPNCC3,

C SPNC 4

LE

,

LE

SPNCC5

}

,

N S SP P А1

{ LE

,

LE

_SPNPSА2,

LE

_SPNPSА3

}}}

=

{{{" VS", "S", "A", "B", "VB"}

,

{"Y", "M", "O"}}

,

{{" VS", "S", "A", "B", "VB"}

,

{"L", "A", "H"}

,

{"S", "A", "B"}}

,

{{" VS", "S", "A", "B", "VB"}

,

{"S", "A", "B"}}}

,

where:

LE

₁₁₁

=

LE

_SNNVC1

=

"VS"

,

LE

₁₁₂=

C SNNV 2

LE

=

"S"

,

LE

₁₁₃=

LE

_SNNVC3=

"A"

,

LE

₁₁₄=

C SNNV 4

LE

=

"B"

,

LE

₁₁₅=

LE

_SNNVC5=

"VB"

and

121

224 123

LE

=

LE

SNVCA3=

"O"

– ID, respectively, are

such linguistic experts that show the status of settings

P

11=

P

SNNVC=

NVC

«Numbers of Virtual channels» and

P

₁₂=

P

_SNVCA

=

VCA

«Virtual Channel Age» in

2

-dimensional parametrical sub-environment [2];

211

LE

=

LE

DSNCC1=

"VS"

,

LE

212=

LE

DSNCC2=

"S"

,

LE

₂₁₃=

LE

_DSNCC3=

"A"

,

LE

₂₁₄=

LE

_DSNCC4

=

"B"

,

LE

₂₁₅=

LE

_DSNCC5=

"VB"

,

LE

₂₂₁=

R DSSP 1

LE

=

"L"

,

LE

₂₂₂=

LE

_DSSPR2=

"A"

,

LE

₂₂₃=

R DSSP 3

LE

=

"H"

and

LE

₂₃₁=

LE

_DSDВR1=

"S"

,

232

LE

=

LE

_DSDВR2=

"A"

,

LE

₂₃₃=

LE

_DSDВR3=

"B"

–

respectively the ID of linguistic experts, showing the status of parameters

P

₂₁=

P

_DSNCC=

NCC

«Number of concurrent connections to the server»,

22

P

=

P

_DSSPR

=

SPR

«Speed of processing requests

from the clients» and

P

23=

P

DSDВR

=

DВR

«The delay between requests from the single user» in

3

-dimensional parametrical sub-environment;

311

LE

=

LE

_SPNCC1=

"VS"

,

LE

₃₁₂=

LE

_SPNCC2=

"S"

,

LE

₃₁₃=

LE

_SPNCC3=

"A"

,

LE

₃₁₄=

LE

_SPNCC4=

"B"

,

LE

₃₁₅=

LE

_SPNCC5=

"VB"

and

LE

₃₂₁=

LE

_SPNPSА1=

"S"

,

LE

₃₂₂=

LE

SPNPSА2=

"A"

,

LE

323=

LE

SPNPSА3

=

"B"

– ID, respectively, are such expert judgments

that show the status of settings

P

31=

=

SPNCC

P

NCC

and

P

₃₂=

P

_SPNPSА

=

NPSА

«Number of packages with the same sender and receiver address» in

2

-dimensional parametrical sub-environment.

It should be noted that the expert Express his opinions on the state of the observed actual values of various parameters in a particular environment, but it can use the same statements from the set of

LE

, displayed appropriate language identifiers. For example, ID linguistic evaluation expert

"VS"

for parameters

P

₁₁=

P

_SNNVC=

NVC

(

LE

₁₁₁

=

=

N SN VC1

LE

"VS"

) and

P

₂₁=

P

_DSNCC=

NCC

(

211

LE

=

LE

_DSNCC1=

"VS"

) are merely linguistic

equivalents of certain values of these quantities and, in fact, some characterize their relative condition, display the appropriate experts.

Stage 2 – formation of the basic matrix of frequencies. To obtain such matrix is filled in with

the set of identifiers of the intervals

N

and a subset of these identifiers

N

_i, which are displayed as

U

n i

i 1

{

N }

=

=

{N

₁,

N

₂, …,

N }

_n , (8)

where

N

_i

⊆

N

,

( i

=

1,n )

we will define as

i

N

=

U

i m

ij j 1

{

N }

=

=

{N

_i1,

N

_{i 2}, …, i im

N

}

, (9)

in this case

N

ij

( j

=

1,m )

i – the ID subset of intervals, for determining which linguistic expert carries out the evaluation regarding the values of the parameters

P

_ij (see (8) in [2]) in

m

-dimensional parametric heterogeneous environment. Taking into account (9) we will write down formula (8) in the following form:

U

n i

i 1

{

N }

=

=

U U

i m n

ij i 1 j 1

{

{

N }}

= =

=

{{N

₁₁,

N

₁₂, …, 1 1m

N

}

,

21

{N

,

N

₂₂, …, 2 2m

N

}

, …,

n1

{N

,

N

_{n 2}, …, n nm

N

}}

. (10)

Further, taking into account

N

_ij ⊆

N

_i, about j -th parameter expert for forming the borders of their assessments may use the set of

r

_j intervals, the displayed subset

ij

N

=

=

U

j

r

ijk k 1

{

N

}

=

{ N

_{ij 1},

N

_{ij 2}, …,

j

ijr

N

}

, (11)

where

N

_ijk

( k

=

1,r )

_j – identifier of

k

-th interval used for the formation of frequencies of occurrence of experts on the current state j-th parameter relative

i

-th cyberattacks in a certain environment, but

r

_j – the number of IDs fixed intervals on which the assessment.

Then the expression (10) with (11) takes the following form:

U

U U

i

m

n n

i ij

i 1 i 1 j 1

{

N } {

{

N }}

= = =

=

=

= = =

=

U U U

j i r

m n

ijk i 1 j 1 k 1

{

{

{

N

}}}

111

{{{ N

,

N

112, …,

N

11r1

}

,

{ N

121,

N

122, …,

2

12r

N

}

, …,

1

1m 1

{ N

,

1

1m 2

N

, …,

1 m1

1m r

N

}}

,

211

{{ N

,

N

₂₁₂, …,

1

21r

N

}

,

{ N

₂₂₁,

N

₂₂₂, …,

2

22r

N

}

, …,

2

2m 1

{ N

,

2

2m 2

N

, …,

2 m2

2m r

N

}}

, …,

n11

{{ N

,

N

_n12, …,

1

n1r

N

}

,

{ N

_n21,

N

_n22, …,

2

n 2r

N

}

, …,

n

nm 1

{ N

,

n

nm 2

N

, …,

n mn

nm r

225 Based on the elements of the subsets

LE

_ij and

ij

N

formed synthesis table of assessments (table 1), the content of which is based on the current fixation evidence (judgments, evaluations), expert, where

f

_ijsq

(s,q

=

1,r )

_j – elements of empirical data showing the number (frequency) of the same utterances (the use of linguistic assessments of the subset

LE

_ij) expert, characterizing the state of the j-th parameter on

the interval ID

N

_ijq min max ijq ijq

[ N

; N

]

(q

=

1,r )

_j ,

where

N

_ijqmin and

N

_ijqmax respectively the lower and upper bound

q

-th interval.

Table 1 Generalized table of assessments

LE

_ij

LE

N

ij

ij 2

N

… …

LE

ij 12

f

… …

LE

ij 22

f

… …

…

LE

ijs 2

f

… …

…

LE

j

ijr 2

f

… …

Further on the basis of generalized evidence on the elements of the subset

LE

_ij (see table 1) formed the basic matrix of frequencies

ij 12

f

… …

=

=

ij ijsq

F

f

ij 22

f

… …

ijs 2

f

… …

j

ijr 2

f

… … .

(1 3)

For example, if you want to build a matrix

F

_ij

=

_j

(s,q

1,r )

, which will be the basis for building

standards

T

_ije, when

n

=

3

(i.e. cyberattacks with

ID

CA

₁=

CA

_SN=

SN

,

CA

₂=

CA

_DS=

DS

and

CA

₃

=

CA

SP=

SP

),

m

1

=

m

3

=

2

,

m

2

=

3

,

r

1

=

5

,

=

=

2 3

r

r

3

the expression (12) can be defined as:

U

U U

i

m

3 3

i ij

i 1 i 1 j 1

{

N } {

{

N }}

= = =

=

=

= = =

=

U U U

j i r

m 3

ijk i 1 j 1 k 1

{

{

{

N }}}

111

{{{ N

,

N

₁₁₂,

N

₁₁₃,

N

₁₁₄,

N

₁₁₅

}

,

121

{ N

,

N

₁₂₂,

N

₁₂₃

}}

,

211

{{ N

,

N

₂₁₂,

N

₂₁₃,

N

₂₁₄,

N

₂₁₅

}

,

221

{ N

,

N

₂₂₂,

N

₂₂₃

}

,

{ N

₂₃₁,

N

₂₃₂,

N

₂₃₃

}}

,

311

{{ N

,

N

₃₁₂,

N

₃₁₃,

N

₃₁₄,

N

₃₁₅

}

,

321

{ N

,

N

322,

N

323

}}}

=

SNNVC1

{{{ N

,

N

_SNNVC2,

N

_SNNVC3,

N

_SNNVC4,

SNNVC5

N

}

,

{ N

_SNVCA1,

N

_SNVCA2,

N

_SNVCA3

}}

,

DSNCC1

{{ N

,

N

_DSNCC2,

N

_DSNCC3,

N

_DSNCC4,

DSNCC5

N

}

,

{ N

DSSPR1,

N

DSSPR2,

N

DSSPR3

}

,

R DSDВ 1

{ N

,

N

_DSDВR2,

N

_DSDВR3

}}

,

SPNCC1

{{ N

,

N

_SPNCC2,

N

_SPNCC3,

SPNCC4

N

,

N

_SPNCC5

}

,

N SP PSА1

{ N

,

N

SPNPSА2,

N

SPNPSА3

}}}

. (14) For example, according to (14) when

n

=

1

, (

=

i

3

i.e., to cyberattacks with ID

CA

₃=

CA

_SP=

SP

),

j

=

2

,

r

j

=

3

для

{ N

321,

N

322,

N

323

}

on the basis of the generalized tables (see table 1) build the current table of assessments (table 2) on the elements of the subset

LE

_ijk

=

LE

_32k

=

N SP PSАk

LE

( r

₂

=

3

,

k

=

1,3 )

, where

LE

₃₂₁

=

=

NP SP SА1

LE

"S"

,

LE

322

=

LE

SPNPSА2

=

"A"

,

=

323

LE

LE

_SPNPSА3

=

"B"

and

N

_ijk

=

N

_32k

=

SPNPSАk

N

, but

N

_ij1

=

N

321=

N

SPNPSА1

NPS min SP А1

[ N

;

N

_SPmax_NPSА1

]

<=>

[0; 10],

N

ij 2

=

N

322=

SPNPSА2

N

[ N

_SPmin_NPSА2

;

N

_SPmax_NPSА2

]

<=>

[11;

100],

N

_{ij 3}

=

N

₃₂₃=

N

_SPNPSА3 min_NPS

SP А3

[ N

;

NPSА max SP 3

[image:5.612.88.530.104.746.2]

N

]

<=>

[101; 1000].

226 The current table estimates for

LE

₃₂

32

LE

=

SP

LE

32 SPNPSА

N

=

N

SP 1

N

N

_{SP 2}

N

_{SP 3}

" S "

3 1 0

" A"

_{1 4 2}

" B"

_{0 2 3}

Then, when

s,q

=

1,3

according to expression (13) using the data of table 2, we generate the matrix of frequencies, i.e.

=

=

=

=

32 SPNPSА 32sq SPNPSАsq

F

F

f

f

f

3212

f

f

₃₂₁₃

f

3222

f

f

₃₂₂₃

f

3232

f

f

₃₂₃₃

=

Stage 3 – formation of the derivative matrix of frequencies. To implement this step, you create a vector of sums (

VS

_ij) the appropriate columns of the frequency matrix of (13), i.e.

=

ij

VS

vs

_ijq

=

=

j

ij1 ij 2 ijq ijr

vs ,vs ,...,vs ,...,vs

= = = =

=

∑

∑

∑

∑

j j j j j

r r r r

ijs1 ijs2 ijsq ijsr

s 1 s 1 s 1 s 1

f

,

f

,...,

f

,...,

f

=

=

∑

U

j j

r r

ijsq s 1 q 1

f

,

(s,q

=

1,r )

_j , (15)

where

f

_ijsq − are the elements of the matrix

F

_ij.

Further by the member of

VS

ij defined a maximum value according to the formula

=

=

∨

j

r

ij _{q 1} ijq

vsm

vs

, (16)

which is used to form the derivative matrix of frequencies

=

=

' '

ij ijsq ij ijq ijsq

F

f

( vsm /vs ) f

<=>

=

=

'

ij ij ijq ij

F

( vsm /vs )F

' ij 12

f

… …

' ij 22

f

… …

' ijs 2

f

… …

j

' ijr 2

f

… …

. (17) Consider the formation of

F

_ij' on a concrete example. To do this, when

i

=

3

,

j

=

2

we will create a vector of sums

VS

_ij

=

VS

₃₂ the appropriate columns of the frequency matrix of (13) using expression (15), i.e.

=

32

VS

vs

_32q

=

vs

₃₂₁

,vs

₃₂₂

,vs

₃₂₃

=

=

=

∑

U

3 3 32sq

s 1 q 1

f

<=>

VS

_{SP PSАN}

=

vs

_SPNPSАq

=

=

NPSА NP

SP 1 SP SА2 SPNPSА3

vs

,vs

,vs

= =

=

∑

U

3 3 S NPS 1

А P sq s

q 1

f

4 , 7 , 5

,

(q

=

1, 3 )

.

Then from

VS

₃₂

=

VS

_{SPNP АS} by the formula (16) we will define a maximum element

=

=

∨

=

3

32 _{q 1} 32 q

vsm

vs

vs

₃₂₁

∨

vs

₃₂₂

∨

vs

₃₂₃

=

∨ ∨

=

4

7

5

vsm

_SPNPSА

=

7

,

and the derivative matrix of frequencies

=

=

' '

32 32sq

F

f

( vsm /vs

_{32 32q}

) f

_32sq

=

F

_SPNPSА'

we will get according to the expression (17)

=

=

NPSА NP

'

SP SP SА SPNPSАq SPNPSА

F

( vsm

/vs

)F

5,3 1 0

1,8 4 2,8

0 2 4,2 .

Stage 4 – formation of fuzzy terms. The construction of subsets of the fuzzy terms

T

_i is based on the set of all possible terms

T

, showing the specific status of the corresponding parameters from

P

_i in

m

_i-dimensional parametrical sub-environment [2], i.e.

U

n i

i 1

{

T }

=

=

{T

₁,

T

₂, …,

T }

_n , (18)

where

T

_i ⊆

T

,

( i

=

1,n )

, and

i

T

=

U

i m

ij j 1

{

T }

=

=

{Т

_i1,

Т

_{i 2}, …, i im

227 thus

Т

ij

( j

=

1,m )

i is a fuzzy subset of terms relative to the values of the parameters is a fuzzy subset of terms relative to the values of the parameters

P

_ij (see (8) in [2]). Taking into account (19) formula (18) we will write in the following form:

U

n i

i 1

{

T }

=

=

U U

i m n

ij i 1 j 1

{

{

T }}

= =

=

11

{{T

,

T

₁₂, …, 1 1m

T

}

,

{T

₂₁,

T

₂₂, …, 2 2m

T

}

,

…,

{T

_n1,

T

_{n 2}, …, n nm

T

}}

,

( j

=

1,m )

_i . (20)

Thus, taking into account

T

ij⊆

T

i and (20), a subset of the fuzzy terms defined as:

ij

T

=

=

U

j

r

ij s s 1

{

_~

T }

=

{ Т

_~

_ij1,

_~

Т

_{ij 2}, …,

j

ijr

Т

}

~

, (21)

where

Т

_ijs

~

( s

=

1,r )

j – are fuzzy terms, and

r

j –

the number of members in

T

_ij.

Further, the expression (20) with (21) takes the following form:

U

n i

i 1

{

T }

=

=

U U

i m n

ij i 1 j 1

{

{

T }}

= =

=

= = =

U U U

j i r

m n

ijs i 1 j 1 s 1

{

{

{

T } } }

~

=

111

{{{ T

~

,

_~

T

112, …,

~

T

11r1

}

,

{ T

~

121,

~

T

122, …, 2

12 r

T

}

~

, …,

{ T

~

1m 11 ,

~

T

1m 21 , …,

~

T

1m r1 m1

}}

,

{{ T

~

211,

212

T

~

, …,

~

T

21r1

}

,

{ T

~

221,

~

T

222, …,

~

T

22 r2

}

, …, 2

2 m 1

{ T

~

,

~

T

2 m 22 , …,

~

T

2m r2 m2

}}

, …,

{{ T

~

n11,

~

T

n12,

…,

1

n1r

T

}

~

,

{ T

_~

n 21,

_~

T

n22, …,

~

T

n 2 r2

}

, …,

{ T

~

nm 1n , n

nm 2

T

~

, …,

~

T

nm rn mn

}}}

. (22)

Next, it needs to generate the values displayed in the component

Т

_ijs

~

, what for the following

transformations are used. On

F

_ij' matrix elements according to expression (23) the vector of maxima is under construction

=

=

ij ijq

FM

fm

=

j

ij1 ij 2 ijq ijr

fm , fm ,..., fm ,..., fm

= = = =

=

∨ ∨

j j

∨

j

∨

j

j

r r r r

' ' ' '

ijs1 ijs2 ijsq ijsr

s 1

f

,

s 1

f

,...,

s 1

f

,...,

s 1

f

= =

∨

U

j j r

r ' ijsq s 1 q 1

f

,

(s,q

=

1,r )

_j . (23)

Based on

FM

_ij we generate the matrix of membership functions

=

µ

=

ij ijsq

M

µ

_ij12 … …

µ

_{ij 22} … …

…

µ

_{ijs 2} … …

…

µ

j

ijr 2 … …

, (24) each element of which is given by the expression

=

µ

'

ijsq

f

ijsq

/fm

ijs

(s,q

=

1,r )

j . Using (24), we

define the fuzzy sets of terms (numbers)

Т

_ijs

~

on

the basis of the expression

ijs

Т

~

=

U

₌

µ

=

j

r

ijsq ijsq q 1

{

/ x

}

{

µ

_ijs1

/ x

_ijs1

,

µ

_ijs2

/ x

_ijs2

,...,

µ

j j

ijsr

/ x

ijsr

}

,

(q

=

1,r )

j , (25)

where

=

j

max max ijsq ijq ij r

x

N

/N

(q

=

1,r )

_j . (26)

Note that the fuzzy number (FN)

Т

_ijs

~

(s

=

1,r )

j

accordingly interpreting linguistic utterances of experts

LE

_ijk

( k

=

1,r )

_j , the display elements of

the subset

LE

_ij⊆

LE

(see (7)).

Show the process of formation

T

_ij of a specific

example, when

n

=

3

(i.e. for cyberattacks ID

CA

₁ =

CA

_SN=

SN

,

CA

₂=

CA

_DS=

DS

and

CA

₃=

CA

_SP =

SP

),

m

1

=

m

3

=

2

,

m

2

=

3

,

r

1

=

5

,

=

=

2 3

r

r

3

the expression (22) can be defined as:

U

3 i

i 1

{

T }

=

=

U U

i m 3

ij i 1 j 1

{

{

T }}

= =

=

= = =

U U U

j i r

m 3

ijs i 1 j 1 s 1

{

{

{

T } } }

~

=

111

{{{ T

~

,

_~

T

112,

_~

T

113,

_~

T

114,

_~

T

115

}

, 121

{ T

~

,

_~

T

122,

_~

T

123

}}

, 211

{{ T

~

,

_~

T

212,

_~

T

213,

_~

T

214,

_~

T

215

}

, 221

{ T

~

,

_~

T

222,

_~

T

223

}

,

{ T

_~

231,

_~

T

232,

_~

T

233

}}

, 311

{{ T

228 321

{ T

~

,

_~

T

322,

_~

T

323

}}}

= 11

{{{VS

~

,

_~

S

11,

_~

A

11,

_~

B

11,

VB }

_~

11 , 12

{ Y

~

,

_~

M

12,

_~

O }}

12 , 21

{{VS

~

,

_~

S

21,

_~

A

21,

_~

B

21,

VB }

_~

21 , 22

{ L

~

,

_~

A

22,

_~

H }

22 ,

{ S

_~

23,

_~

A

23,

_~

B }}

23 , 31

{{VS

~

,

_~

S

31,

_~

A

31,

_~

B

31,

VB }

_~

31 , 32

{ S

~

,

_~

A

32,

_~

B }}}

32 =

SNNVC1

{{{ T

~

,

_~

T

SNNVC2,

_~

T

SNNVC3,

_~

T

SNNVC4, NV

SN C5

T

}

~

,

{ T

_~

SNVCA1,

_~

T

SNVCA2,

_~

T

SNVCA3

}}

, DSNCC1

{{ T

~

,

_~

T

DSNCC2,

_~

T

DSNCC 3,

_~

T

DSNCC 4, DSNC 5C

T

}

~

,

{ T

_~

DSSPR1,

_~

T

DSSPR2,

_~

T

DSSP 3R

}

, DSDВR1

{ T

~

,

_~

T

DSDВR2,

_~

T

DSDВR3

}}

, SPNCC1

{{ T

~

,

_~

T

SPNCC2,

_~

T

SPNCC 3,

_~

T

SPNCC 4, SPNC 5C

T

}

~

,

{ T

_~

SPNPSА1,

_~

T

SPNPSА2,

_~

T

SPNPSА3

}}}

= SNNVC

{{{VS

~

,

_~

S

SNNVC,

_~

A

SNNVC,

_~

B

SNNVC, N C

SN V

VB

}

~

,

{ Y

_~

SNVCA,

_~

M

SNVCA,

_~

O

SNVCA

}}

, DSNCC

{{VS

~

,

_~

S

DSNCC,

_~

A

DSNCC,

_~

B

DSNCC, DSNCC

VB

}

~

,

{ L

_~

DSSPR,

_~

A

DSSPR,

H

_~

DSSPR

}

,

{ S

_~

DSDВR, DSDВR

A

~

,

_~

B

DSDВR

}}

, SPNCC

{{VS

~

,

_~

S

SPNCC,

_~

A

SPNCC, SPNCC

B

~

,

VB

_~

SPNCC

}

, SPNPSА

{ S

~

,

_~

A

SPNPSА,

_~

B

SPNPSА

}}}

. (27) According to (27) when

i

=

3

,

j

=

2

,

r

_j

=

3

for

321

{ T

~

,

_~

T

322,

_~

T

323

}

we will form

T

32⊆

T

, i.e.:

32

T

=

=

U

3 32 s

s 1

{

T

}

~

=

{ T

_~

321,

_~

T

322,

_~

T

323

}

=

SPNPSА1

{ T

~

,

_~

T

SPNPSА2,

_~

T

SPNPS 3А

}

= 32

{ S

~

,

_~

A

32,

_~

B }

32 ,

(s

=

1,3 )

,

where

_~

Т

321=

_~

T

SPNPSА1=

_~

S

32,

_~

T

322=

_~

T

SPNPSА2=

32

A

~

and

_~

T

323=

_~

T

SPNPSА3=

_~

B

32 respectively are FN 32

S

~

,

_~

A

32 and

_~

B

32, interpreting statements of the expert that are displayed by

LE

SPNPSА1=

"S"

,

N SP PSА2

LE

=

"A"

and

LE

SPNPSА3=

"B"

.

Further on the basis of expression (23) construct the vector of maxima on the respective lines '

=

32

F

' SPNPSА

F

i.e.

=

=

SPNPSА SPNPSАs

FM

fm

=

NPSА NP

SP 1 SP SА2 SPNPSА3

fm

, fm

, fm

5 ,3; 4 ; 4 ,2

.

Based on

FM

_SPNPSА by the expression (24) we will form a matrix of membership functions

А SPNPS

M

thus obtaining:

=

SPNPSА

M

µ

SPNPSАsq

=

1 0,2 0

0,5 1 0,7

0 0,5 1 ,

where

µ

_SPNPSАsq

=

'

SPNPSАsq SPNPSАs

f

/fm

. On the

basis of the calculated according to the expression (24)

µ

_{SPNPSА sq}

(s,q

=

1,3 )

and to the expression

(26)

x

_{SPNPSА sq} we will define sets of fuzzy terms

А SPNPS

Т

~

by the formula (25), i.e.

32 s

Т

~

=

{

µ

32s1

/ x

32s1

,

µ

32s2

/ x

32s2

,

µ

32s3

/ x

32s3

}

<=>

_~

Т

_SPNPSАs=

{

µ

_SPNPSАs1

/ x

_SPNPSАs1

,

µ

_SPNPSАs2

/ x

_SPNPSАs2

,

µ

_SPNPSАs3

/

x

_SPNPSАs3

}

,

=

(s

1,3 )

,

where according to the expression (26)

x

_SPNPSАsq

=

j

max ma x

SPNPSАq SPNPS rА

N

/ N

,

(q

=

1,3 )

or

=

=

U

3 SP sq

q 1 NPSА

{

x

}

{ 0,01; 0,1; 1}

.

Thus, these members of the subset

T

₃₂ (numeric form) are respectively display the members of the subset

LE

₃₂ (7) (linguistic form) and are presented in the following form:

321

Т

~

=

_~

T

SPNPSА1=

_~

S

32=

{ 1/0,01;

0,2/0,1;

0/1}

, 322

T

~

=

_~

T

SPNPSА2=

_~

A

32=

{ 0,5/0,01;

1/0,1;

0,7/1}

,

323

T

~

=

_~

T

SPNPSА3=

_~

B

32=

{ 0/0,01;

0,5/0,1;

0/1}

.

Stage 5 – formation of reference FN. To implement this step we use the fuzzy subset (linguistic) reference standards

Т

еij (see (13) in [2]), each of which displays a characteristic judgment of the expert (see step 1) regarding the anomalous state of the parameter

P

_ij.