4239
DETECTION ENVIRONMENT FORMATION METHOD FOR
ANOMALY DETECTION SYSTEMS
1 NAZYM ZHUMANGALIYEVA, 2 ANNA KORCHENKO, 3 ALIYA DOSZHANOVA,
4 AIGUL SHAIKHANOVA, 5 SHANGYTBAYEVA GULMIRA 6 AVKUROVA ZHADYRA.
1 Kazakh National Research Technical University after K.I. Satpayev, 2, Department of Information
Technology Security, National Aviation University, Kyiv, Ukraine 3,Almaty University of Power
Engineering and Telecommunications , 4, Shakarim State University of the City of Semey ,5 K.Zhubanov
Aktobe Regional State University, 6 L.N.Gumilyov Eurasian National University
E-mail: 1[email protected],2[email protected], 3[email protected]. 4[email protected] 5[email protected], 6[email protected]
ABSTRACT
Due to the intensive development of the digital business, malicious software and other cyber threats are becoming more common. In order to increase the level of security there are needed appropriate special countermeasures, which are able to remain effective when new types of threats occur and which allow to detect cyber attacks targeting on a set of information system resources in fuzzy conditions. Different attacking effects on the corresponding resources generate various sets of anomalies in a heterogeneous parametric environment. There is known a tuple model of the formation of a set of basic components that allow to identify cyber attacks. For its effective application a formal implementation of the approach to the formation of sets of basic detection rules is necessary. For this purpose, there has been developed a method that focuses on solving problems of cyber attacks detection in computer systems, which is implemented through three basic steps: formation of anomaly identifiers subsets; formation of decisive functions; formation of conditional detection expressions. Using this method, it is possible to form the necessary set of detection rules, which determine the level of anomalous state of values in a heterogeneous parametric environment, characteristic for the impact of a certain type of attack. The use of this method at the creation intrusion detection systems will expand their functionality regarding the cyber attacks detection in a weakly formalized fuzzy environment.
Keywords: detection rules, attacks, cyber attacks, anomalies, intrusion detection systems, anomaly detection systems,
attack detection systems.
1. RELEVANCE
Nowadays, the intensive development, as well as the enormous scale and rate of information technology implementation in modern business have become a natural process for developed corporations. The level of company informatization is one of the main factors for its successful development, and in the conditions of a large market dynamism and complication of its infrastructure, information becomes a strategic resource. The development of information technologies is being transformed so quickly that the classic protection mechanisms cannot remain effective and provide adequate security for information system resources, and malicious software and other cyber threats are becoming more common. In this regard, there are needed special tools in order to detect and to prevent security
4240 According to this, the actual scientific task is the formalization of the detection rules creation process, which make it possible to detect cyber attacks targeting on various information system resources in fuzzy conditions.
2.. ANALYSIS OF EXISTING RESEARCH
Effective security tools used to solve problems of cyber attacks detection are: the tuple model for generating a set of basic components for cyber attacks detection [11], fuzzy approaches for intrusions detection [12]-[13] and for anomalies detection [14]; corresponding fuzzy models [11], [15], methods [16]-[23] and intrusion detection systems [24]-[27]; sets of fuzzy rules [1]-[10]; as well as other developments used to solve protection problems under fuzzy conditions [28], [29]. These researches have shown the effectiveness of using the mathematical apparatus of fuzzy sets, and its use in order to formalize the approach for cyber attacks identifying will improve the process of creating appropriate intrusion detection systems. It should be noted that the set of attacking effects on the information systems resources gives a rise to many anomalies among the values in a heterogeneous parametric environment [11], [15]. For an effective application of the well-known model [11], a formal implementation of the formation process of sets of basic detection rules is necessary, which will allow searching for an identifying term [17], [21]-[23] in a given linguistic variable. Using this term, using the appropriate set of rules, we can determine the level of the anomalous state generated by the influence of the corresponding class of cyber attacks.
3. MAIN OBJECTIVE OF RESEARCH
On the basis of the analysis of existing researches and the relevance of the task, the main objective of this work is to develop a detection environment formation method (DEFM) for anomaly detection systems operating in a weakly formalized fuzzy environment. Using this method (at solving problems of cyber attacks detection), it is possible effectively to detect the level of the anomalous state characteristic for a certain type of attacks regarding to a specific heterogeneous parametric environment in a given time interval.
4. MAIN PART OF RESEARCH
In order to create subsets of the basic detection rules DRi (see (19) in [11]), we will develop an appropriate method that will allow to formalize the process of obtaining the corresponding rules used to detect the
i
-th cyber attack based on parametricsub-environments of various dimensions [11], [15]. The proposed DEFM is focused on solving problems of attacks detection in computer systems, and is based on three stages: formation of anomaly identifiers subsets; formation of decisive functions; formation of conditional detection expressions.
Stage 1 – formation of anomaly identifiers subsets.
The subset
IA
i is built on the basis of the set of all possibleIA
anomaly identifiers (ID), represented asIA
=
о 1 2 о 1{
IA } { IA , IA , ..., AI }
,
( о 1, )
,(1)
and by means of which (in linguistic form) it is possible to display possible levels of an anomalous state in a
m
-dimensional heterogeneous parametric environment that can be generated by a cyber attack with IDCA
i [11], and
– an amount of anomalyID.
For example, at
9
according to (1) the setIA
can be represented as follows:
IA
=
9 о 1 2 9 о 1{
IA } { IA , IA , ..., AI }
Н БНВ НС С ВС
{ IA , IA
, IA , IA , IA ,
БВН В П Г
IA
, IA , IA , IA }
{"Н", "
БНВ
", "НC", "
C",
"ВC", "
БВН
", "В", "П",
"Г"}
(2) where:IA
1
IA
Н
"Н"
,IA
2
IA
БНВ
"БНВ"
,IA
3
IA
НС
"НС"
,IA
4
IA
С
"С"
,
5
IA
IA
ВС
"ВС"
,IA
6
IA
БВН
"БВН"
,
7
IA
IA
В
"В"
,IA
8
IA
П
"П"
,
9 Г
IA
IA
"Г"
are respectively the anomaly IDs by which in linguistic forms: “LOW (L)” (at
1
), “MORE LOW THAN HIGH (MLTH)” (at
2
), “BELOW AVERAGE (BA)” (at
3
), “AVERAGE (A)” (at
4
), “ABOVE AVERAGE (AA)” (at
5
), “MORE HIGH THAN LOW (MHTL) (at
6
), “HIGH (H)” (at
7
), “LIMIT (L)” (at
8
), “BOUNDARY (B)” (at
9
), possible anomaly levels can be displayed.4241
n i i 1{
IA }
=
{IA
1,IA
2, …,IA }
n ,
( i 1,n )
,(3)
where
IA
i
IA
will be defined as:i
IA
=
i iv
iu i1 i 2 iv
u 1
{
IA } { IA , IA , ..., IA }
,
i( u 1,v )
, (4)in this case
v
i denotes the amount of anomaly IDs, by which in linguistic forms it is possible to display possible anomaly levels generated by cyber attacks with IDCA
i. Therefore, an expression (3) takinginto account (4) will be represented in the following form:
n i i 1{
IA }
=
iv n
iu
i 1 u 1
{
{
IA }}
=1
11 12 1v
{{ IA , IA , ..., IA }
,2
21 22 2v
{ IA , IA , ..., IA }
, …,n
n1 n2 nv
{ IA , IA , ..., AI }}
. (5) For example, atn 3
(i.е. for cyber attacks with IDCA
1=CA
SN=SN
,CA
2=CA
DS=DS
and3
CA
=CA
SP=SP
) andv
1
v
2
v
3
5
takinginto account (1), we define the necessary IDs in order to display the corresponding anomaly level. Then the expression (5) taking into account (2) will have the following form:
3 i i 1{
IA }
=
iv 3
iu
i 1 u 1
{
{
IA }}
=11 12 13 14 15
{{ IA , IA , IA , IA , IA }
,21 22 23 24 25
{ IA , IA , IA , IA , IA }
,
31 32 33 34 35
{ IA , IA , IA , IA , IA }}
SNБНВ SNБВН S
SNН NВ SNП
{{ IA
, IA
, IA
, IA
, IA
}
,DSН DSБНВ DSБВН DSВ DSП
{ IA
, IA
, IA
, IA
, IA
}
,
SPН SPБНВ SPБВН SPВ SPП
{ IA
, IA
, IA
, IA , IA
}}
БНВ
БВН
{{"Н", "
", "
", "В", "П"}
,БНВ
БВН
{"Н", "
", "
", "В", "П"}
,БНВ
БВ
{"Н", "
", "
Н
", "В",
"П"}}
, (6) where: SN – Scanning of ports, DS – Denial of service, SP – Spoofing, as well as
11 SNН
IA
IA
"Н"
,IA
12
IA
SNБНВ
"БНВ"
,
БВН
13 SN
IA
IA
"БВН"
,IA
14
IA
SNВ
"В"
,
15 SNП
IA
IA
"П"
, respectively, the IDs of such anomalous states in the attacking environment, which represent a different degree of expertconfidence regarding to the influence of a cyber attack with an ID
CA
1=CA
SN [11];
DS
21 Н
IA
IA
"Н"
,IA
22
IA
DSБНВ
"БНВ"
,
Н
23 DSБВ
IA
IA
"БВН"
,IA
24
IA
DSВ
"В"
,
S
25 DП
IA
IA
"П"
IA
15
IA
SNП
"П"
,respectively, the IDs of such anomalous states in the attacking environment, which represent a different degree of expert confidence regarding to the influence of a cyber attack with an ID
2
CA
=CA
DS;IA
31
IA
SPН
"Н"
,IA
32
SPБНВ
IA
"БНВ"
,IA
33
IA
SPБВН
"БВН"
,
P
34 S В
IA
IA
"В"
,IA
35
IA
SPП
"П"
15 SNП
IA
IA
"П"
, respectively, the IDs of such anomalous states in the attacking environment, which represent a different degree of expert confidence regarding to the influence of a cyber attack with an IDCA
3
CA
SP.Stage 2 – formation of decisive functions.
In order to implement this stage, we introduce the set of all arguments of the decisive functions
АF
and a subset of such argumentsАF
i .
n i i 1{
АF }
=
{АF
1,АF
2, …,АF }
n ,
( i 1,n )
, (7)where
АF
i
АF
, will be defined as:i
АF
= i wia a 1
{ АF }
={АF
i1
АF
i 2
...
АF }
iwi ,
i( a 1,w )
, (8) in this casew
i – the amount of subsets ofarguments of the decisive functions used to detect the
i
-th cyber attack, and the symbol
indicates the direct composition of the sets. Taking into account the expression (8) the formula (7) will be written in the following form:
n i i 1{
АF }
=
i w nia a 1 i 1
{ { АF }}
=
11
{{АF
,АF
12, ..., 1 1wАF }
21
{АF
,АF
22, …,АF }
2w2
…n1
{АF
,АF
n 2, …,АF
nwn}
,
i( i 1,n, a 1,w )
, (9) The subsetАF
ia
АF
i will be defined as:ia
АF
=
jr
ias s 1
4242
j
ia1 ia 2 iar
{ АF , АF , ..., АF }
,( s 1,r )
j (10)where
r
j – amount of units inАF
ia (that displaysthe amount of units in
T
ije (see (13) in [11])).Then the expression (9) taking into account (10) takes the following form:
n i i 1{
АF }
=
i w nia a 1 i 1
{ { АF }}
=
i
jr
n w
ias a 1
i 1 s 1
{
{
{
АF }}}
=
j j
111 112 11r 121 122 12r
{{{ АF , АF , ..., АF
} { АF , АF , ..., АF
} ...
1 1 1 j
1w 1 1w 2 1w r
{ АF
, АF
, ..., АF
}},
j j
211 212 21r 221 222 22r
{{ АF , АF , ..., АF
} { АF , АF , ..., АF
} ...
{ АF
2w 12, АF
2w 22, ..., АF
2w r2 j}},
...,
j j
n11 n12 n1r n21 n22 n2r
{{ АF , АF , ..., АF
} { АF , АF , ..., АF
} ...
n n n j
nw 1 nw 2 nw r
{ АF
, АF
, ..., АF
}}}
=
{{
AF ,
111AF ,
121...,
АF
1w 11
,
AF ,
111AF ,
121...,
АF
1w 21
,
...,
AF ,
111AF ,
121...,
АF
1w r1 1
,
AF ,
111AF ,
122...,
АF
1w 11
,
AF ,
111AF ,
122...,
АF
1w 21
,
...,
AF ,
111AF ,
122...,
АF
1w r1 1
,
...,
AF ,
111 2 12rАF ,
...,
1 1w 1
АF
,
AF ,
111 2 12rАF ,
...,
1 1w 2
АF
,
...,
AF ,
111 2 12rАF ,
...,
1 1 1w r
АF
,
АF ,
112AF ,
121...,
АF
1w 11
,
АF ,
112AF ,
121...,
АF
1w 21
,
...,
АF ,
112AF ,
121...,
АF
1w r1 1
,
АF ,
112AF ,
122...,
АF
1w 11
,
АF ,
112AF ,
122...,
АF
1w 21
,
...,
АF ,
112AF ,
122...,
АF
1w r1 1
,
...,
АF ,
112 2 12rАF ,
...,
1 1w 1
АF
,
АF ,
112 2 12rАF ,
...,
1 1w 2
АF
,
...,
АF ,
112 2 12rАF ,
...,
1 1 1w r
АF
,
...,
1 11r
АF ,
AF ,
121...,
1 1w 1АF
,
1 11r
АF ,
AF ,
121...,
1 1w 2АF
,
...,
1 11rАF ,
AF ,
121...,
1 1 1w rАF
,
1 11r
АF ,
AF ,
122...,
1 1w 1АF
,
1 11r
АF ,
AF ,
122...,
1 1w 2АF
,
...,
1 11rАF ,
AF ,
122...,
1 1 1w rАF
,
...,
1 11rАF ,
2 12rАF ,
...,
АF
1w 11
,
1 11r
АF ,
2 12r
АF ,
...,
АF
1w 21
,
...,
АF ,
11r1 2 12rАF ,
...,
1 1 1w r
АF
},
...,
{
АF ,
n11АF ,
n21...,
АF
nw 1n
,
АF ,
n11АF ,
n21...,
АF
nw 2n
,
...,
АF ,
n11АF ,
n21...,
АF
nw rn j
,
АF ,
n11АF ,
n22...,
n nw 1АF
,
АF ,
n11АF ,
n22...,
n nw 2АF
,
...,
АF ,
n11АF ,
n22...,
n j nw rАF
,
...,
АF ,
n11АF
n2r2,
...,
АF
nw 1n
,
АF ,
n11АF
n2r2,
...,
АF
nw 2n
,
...,
АF ,
n11АF
n2r2,
...,
АF
nw rn j
,
АF ,
n12АF ,
n21...,
АF
nw 1n
,
АF ,
n12АF ,
n21...,
АF
nw 2n
,
...,
АF ,
n12АF ,
n21...,
АF
nw rn j
,
АF ,
n12АF ,
n22...,
n nw 1АF
,
АF ,
n12АF ,
n22...,
n nw 2АF
,
...,
АF ,
n12АF ,
n22...,
n j nw rАF
,
...,
АF ,
n12АF
n2r2,
...,
АF
nw 1n
,
АF ,
n12АF
n2r2,
...,
АF
nw 2n
,
...,
АF ,
n12АF
n2r2,
...,
АF
nw rn j
,
...,
1 n1r
АF ,
АF ,
n21...,
АF
nw 1n
,
АF ,
n1r1АF ,
n21...,
АF
nw 2n
,
...,
АF ,
n1r1АF ,
n21...,
АF
nw rn j
,
1 n1r
АF ,
АF ,
n22...,
n nw 1АF
,
1 n1r
АF ,
АF ,
n22...,
n nw 2АF
,
...,
1 n1r
АF ,
АF ,
n22...,
n j nw rАF
,
...,
1 n1rАF ,
2 n2rАF
,
...,
АF
nw 1n
,
1 n1r
АF ,
2 n2r
АF
,
...,
АF
nw 2n
,
...,
АF ,
n1r1 2 n2rАF
,
...,
n j nw r
АF
}}
=11
{{ SAF
,
SAF
12
, …,
SAF
1w1
}
, …,{ SAF
i1
,
SAF
i 2
, …,
SAF
iwi
}
, …,n1
{ SAF
,
SAF
n 2
, …,
SAF
nwn
}}
, (11) where, for clarity, there are used angle brackets
" "
," "
, which separate the subsets of arguments of the decisive functions (SAF
ia), which reflect the values of termsT
ijep.Taking into account the expression (11), we determine that in order to identify the
i
-th cyber attack, the total amount of argument subsets is calculated using the formula
mii j
j 1
4243 Then (11) taking into account (12) it can be written in the following form
n i i 1{
AF }
=
i w nia i 1 a 1
{ {
SAF }}
,( a 1,w )
i (13)Next, we introduce the set of all binary decisive functions
SF
and a subset of such functionsSF
i .
n i i 1{ SF }
=
{SF
1 ,SF
2, …,SF }
n , ( i1,n ),(14) where
SF
i
SF
,( i 1,n )
will be defined asi
SF
=
iw
ia a 1
{
SF }
={ SF
i1,SF
i 2, …,i iw
SF }
, а(15)
ia ia
SF
SF (
SAF
ia)
. (16) We should note that the functionSF
ia defines the relationships inSAF
ia, formed by the expert in the form of logical chains (based on disjunctions and conjunctions) for the subsequent construction of detection expressions, focused on identifying thei
-th cyber attack.An expert in order to obtain a specific set of binary functions that reveals a
i
-th cyber attack creates a corresponding template that defines relationships inSAF
ia.For example, if
ia
SAF
=
АF , АF , АF
111 112 113
, and the templateshave the form
АF
АF
АF
or
АF
( АF
АF )
, then respectively11
SF
=АF
111
АF
112
АF
113 orSF
11=111
АF
( АF
112
АF )
113 .The specific values of the elements of a subset
i
АF
( i 1,n )
are formed on the basis of the binary equivalence functionE( x
,y )
, which takes the value 1 only ifx
andy
are equal, ie,:E( x
,y )
=
1, при x
y
0, при x
y.
(17)On the basis of this we define, that
ias iа
АF
E ( NUM , s )
, and as argumentsE( x
,y )
, we will use fuzzy terms indexes epij
T
and fp iP
.Let consider an example of the formation of decisive functions, at
n 3
,i 1,3
( f 1
CA
= f SNCA
=SN
f, f 2CA
= f DSCA
=DS
f andf 3
CA
= f SPCA
=SP
f ),
1 3
m
m
2
,m
2
3
,
1
r
5
,r
2
r
33
(see the example (15) in [11]).According to (12)
m1
1 j 1 2
j 1
w
r
r r
5 3
15
,
m2
2 j
j 1
w
r
r r r
1
2 35 3 3 45
,
m3
3 j
j 1
w
r
r r
1
25 3 15
,and the expression (11) will be defined as:
3 i i 1{
AF }
=
{AF
1,AF
2,AF }
3 =
i w 3ia a 1 i 1
{ { AF }}
=
i
jr
3 w
ias a 1
i 1 s 1
{
{
{
AF }} }
=
111 112 113 114 115
{{{ AF , AF , AF , AF , AF }
{ AF , AF , AF }},
121 122 123
211 212 213 214 215
{{ AF , AF , AF , AF , AF }
{ AF , AF , AF } { AF , AF , AF }},
221 222 223
231 232 233
311 312 313 314 315
{{ AF , AF , AF , AF , AF }
{ AF , AF , AF }}}
321 322 323
{
AF ,
111AF
121
,
AF ,
112AF
121
,
AF ,
113AF
121
,
AF ,
114AF
121
,
AF ,
115AF
121
,
...,
AF ,
111AF
123
,
AF ,
112AF
123
,
AF ,
113AF
123
,
AF ,
114AF
123
,
AF ,
115AF
123
},
{
AF ,
211AF ,
221AF
231
,
AF ,
212AF ,
221AF
231
,
SF ,
213AF ,
221AF
231
,
AF ,
214AF ,
221AF
231
,
AF ,
215AF ,
221AF
231
...,
AF ,
211AF ,
223AF
233
,
AF ,
212AF ,
223AF
233
,
AF ,
213AF ,
223AF
233
,
AF ,
214AF ,
223AF
233
,
AF ,
215AF ,
223AF
233
},
{
AF ,
311AF
321
,
AF ,
312AF
321
,
AF ,
313AF
321
,
AF ,
314AF
321
,
AF ,
315AF
321
,
...,
4244 11
{{ SAF
,
SAF
12
, …,
SAF
1 15
}
,{ SAF
21
,
SAF
22
, …,
SAF
2 45
}
,31
{ SAF
,
SAF
32
, …,
SAF
3 15
}}
. (18) In [11] there was determined that in order todetect cyber attacks SN ( f 1
CA
= f SNCA
=SN
f ) and SP ( f3
CA
= f SPCA
=SP
f ), it is necessary simultaneously to use two parameters defining the2
-dimensional parametric sub-environment (NVC-AV-(КВК-ВВК)-sub-environment and NSС-NPSA-(КОП-КПОА)-sub-environment), and for a cyber attack DS ( f2
CA
= f DSCA
=DS
f) – three parameters defining the3
-dimensional parametric sub-environment (NSС-SPR-DBR-(КОП-СОЗ-ЗМЗ)-sub-environment) (see (9) in [11]). And also: NVC (КВК) – “Number of virtual channels (Количество виртуальных каналов)”,AVC (ВВК) – “Age of virtual channel (Возраст виртуального канала)”,
NSC (КОП) – “Number of simultaneous connections to the server (Количество одновременных подключений к серверу)”,
NPSA (КПОА) – “Number of packets with the same sender and recipient address (Количество пакетов с одинаковым адресом отправителя и получателя)”,
SPR (СОЗ) – “Speed of processing requests from customers (Скорость обработки запросов от клиентов)”,
DBК (ЗМЗ) – “Delay between requests from one user (Задержка между запросами от одного пользователя)”.
An expert in order to obtain a specific set of functions that detect SN and SP creates a template
АF
АF
, and for DS –
АF
( АF
АF )
.Further, according to the generated templates, as well as according to (15) and (18), we define, for example,
SF
3:3
SF
=
w3 3a a 1{
SF }
=
31 32
{( E ( NUM , 1 ) E ( NUM , 1))
,( E
( NUM
31, 2 )
E
( NUM
32, 1 )), ( E( NUM
31, 3 )
E
( NUM
32, 1 )), ( E( NUM
31, 4 )
E
( NUM
32, 1 )),( E
( NUM
31, 5 )
E
( NUM
32, 1 ))},
31 32
{( E ( NUM , 1 ) E ( NUM , 2 ))
,( E
( NUM
31, 2 )
E
( NUM
32, 2 )),( E
( NUM
31, 3 )
E
( NUM
32, 2 )),( E
( NUM
31, 4 )
E
( NUM
32, 2 )),( E
( NUM
31, 5 )
E
( NUM
32, 2 ))},
31 32
{( E ( NUM , 1 ) E ( NUM , 3 ))
,( E
( NUM
31, 2 )
E
( NUM
32, 3 )), ( E( NUM
31, 3 )
E
( NUM
32, 3 )), ( E( NUM
31, 4 )
E
( NUM
32, 3 )), ( E( NUM
31, 5 )
E
( NUM
32, 3 ))}.Figure 1 shows the expert distribution of all possible levels of anomaly generated by the attacking environment and displayed by the identifiers of the attacking actions through different values of the parameters of the NSC-NPSA-(КОП-КПОА)-sub-environment.
From the graphical interpretation (Fig. 1) it can be seen that the support blocks with the БВН, Б and П (“MORE HIGH THAN LOW”, “HIGH”, “LIMIT”) identifiers are the most significant for identifying SN.
On the basis of this, an example of concrete calculations will be presented only for the decisive functions
( SF , ..., SF
3 11 3 15)
fromSF
3, i.e.
3 11
SF
( E ( NUM ,1 ) E ( NUM ,3 ))
31
32 ,
3 12
SF
( E( NUM
31,2 )
E
( NUM
32,3 )),
3 13
SF
( E( NUM
31,3 )
E
( NUM
32,3 )),
3 14
SF
( E( NUM
31,4 )
E
( NUM
32,3 )),
3 15 31 32
SF
(E(NUM ,5) E(NUM ,3)).
(19)Note that at j 1 ,
r
1
5
,NUM
31
3
and
s 1,5
for e 31T
(see (27) in [16])e 31
T
=
5 ep 31s s 1{
~
T }
={T
~
311ep,~
T
312ep ,~
T
313ep,~
T
314ep ,ep 315
T }
~
=ep 31
{ ОМ
~
, ep31
М
~
, ep31
С
~
,~
Б
31ep,ОБ }
~
31epthe equivalence function according to (17) takes the value
31
E( NUM
, 1 )E( NUM
31, 2 )31
E( NUM
, 4 )E( NUM
31, 5 ) 0because
NUM
31
3 1 2 4 5
.This follows from the fact that
~
T
313ep
~
T
311ep
ep312
T
~
~
T
314ep
ep 315
T
~
, i.е.~
С
31ep
ep31
ОМ
~
ep31
М
~
~
Б
31ep
4245 П В Н Б Н В
(КОП1, КПОА1) (КОП2, КПОА1) (КОП3, КПОА1)(КОП4, КПОА1)
(КОП1, КПОА2) (КОП2, КПОА2) (КОП3, КПОА2) (КОП4, КПОА2)
Б В Н 0, 01 0 0, 10 0 μ
~
C
~
Б
~
Мx
1,000
x
0,008
ОМ
~
М
~
еp C~
~
Б
ОБ
~
μ КОП4 КОП3 КОП2 КОП1 К П О А 1 К П О А 2 0, 08 2 0, 82 0
Т
SРКОПеpТ
SР К П О А еp31 31 31 31 31
32
32
32
0,580
0,250
0,0630,095 0,280 0,500 1,000
AL
317AL
316AL
315AL
314AL
313AL
312AL
311A
L
32 1A
L
32 2A
L
32 3A
L
324A
L
325еp еp еp еp
еp
еp
еp
f
p КПО
P А S
P ~
fp КОП SPP
~
Н Н Н Н Н
Н Н Н
[image:7.612.105.506.93.499.2]Б Н В Б Н В 0,1 0,2 0,3 0,4 0,5 0,6 0,7 0,8 0,9, 1 0 0, 1 0, 2 0, 3 0, 4 0, 5 0, 6 0, 7 0, 8 0, 9, 1 0
Fig. 1. Graphical interpretation of expert distribution of identifiers of attacking actions (displayed by two-dimensional support areas Н, БНВ, БВН, В, П)
and fuzzy values of current parameters f
31
P
~
, f32
P
~
regarding to linguistic standards T31еp, еp 32T , respectively Also
E( NUM
31, 3 ) 1 becauseNUM
31
3
,which follows from the fact that
~
T
313ep
~
T
313ep, i.е.ep 31
С
~
~
С
31ep.Similarly for
e 32
T
=
3 ep 32s s 1{
T }
~
={Т
~
321еp ,еp 322
Т
~
,~
Т
323еp}
=ep 32
{ М
~
,~
С
32ep,~
Б }
32epat j 2 ,
r
2
3
,NUM
32
3
,s 1,3
(see (27) in [16]) the equivalence function according to (17) takes the value32
E( NUM
, 1 )E( NUM
32, 2 ) 0because
NUM
32
3 1 2
.This follows from the fact that
~
T
323ep
~
T
321ep
ep322
T
~
, i.е.~
Б
32еp
еp 32М
~
ep32
С
~
, and 32E( NUM
, 3 ) 1 becauseNUM
32
3
, which follows from the fact that~
T
323ep
~
T
323ep, i.е.еp 32
Б
~
~
Б
32еp.Therefore
3 11
SF
( E ( NUM , 1 ) E ( NUM , 3 ))
31
32 = ( 1 0 ) 0,
3 12
SF
( E( NUM
31, 2 )
E
( NUM
32, 3 ))= 4246
3 13
SF
( E( NUM
31, 3 )
E
( NUM
32, 3 ))= ( 1 1 ) 1,
3 14
SF
( E( NUM
31, 4 )
E
( NUM
32, 3 ))=
( 1 0 ) 0,
3 15
SF
( E( NUM
31, 5 )
E
( NUM
32, 3 ))=( 1 0 ) 0 . (20)
Stage 3 – formation of conditional detection expressions.
The conditional detection expressions that display the generated basic rules for identifying the
i
-th cyber attack (see (19) in [11]) can be represented in the following way:i
DR
wi iaa 1
{
DR }
=
{DR
i1,DR
i 2, …,i iw
DR }
={
DR
i1
i1
vi iu u 1{ if SF then {
IA }},
i 2
DR
iv
i 2 iu
u 1
{ if SF then {
IA }},
…,i iw
DR
ia
vi iu u 1{if SF then {
IA }}}
,
i( a 1,w
,u 1,v )
i . (21)We should note that, formally, each
SF
ia can be associated with thev
i-th amount of identifiers of the anomaly and, therefore, each basic rule can be generated by thev
i amount of detection expressions, i.e.:i
DR
{DR
i1,DR
i 2, …, i iwDR }
{
DR
i1
{ if SF then IA ,
i1 i1i1 i 2
if SF then IA , ...,
i
i1 iv
if SF then IA },
i 2
DR
{ if SF then IA ,
i 2 i1i 2 i 2
if SF then IA , ...,
i
i 2 iv
if SF then IA },
…,i iw
DR
{if SF then IA ,
iwi i1i
iw i 2
if SF then IA , ...,
i i
iw iv
if SF then IA }}
ori
DR
i iw v
a 1 u 1
{
{
if
SF
iathen
IA }}
iu ,
i( a 1,w
,u 1,v )
i (22) Obviously, the possible amount of conditional detection expressions for identifying of thei
-th cyber attack is determined by the formula
i
CDR
w v
i
i, (23)and their amount to identifying of
n
attacks iscalculated by the expression
CDR
n ii 1
CDR
.It should be noted that from the total amount of possible detection expressions, not all are decisive (i.e., they affect the intrusion detection process) for identifying the
i
-th cyber attack, which also follows from Fig. 1 and (20) (here the decisive will beDR
3 11–DR
3 15).Regarding this, we consider an example of the implementation of the stage 3 at
i 3
(
CA
3
CA
SР
SР
),j 1,2
(P
31
P
SPКОП
КОП
,P
32
P
SPКПОА
КПОА
),u
3
5
,
3
w
15
.Then the total amount of rules is determined by the formula (23), i.e.
3
CDR
w v
3
3
15 5 75
,And the expression (22) will be represented in the following way:
3
DR
{ ... ,
DR3 11
{ if SF then IA ,
3 11 313 11 32 3 11 33
if SF then IA , if SF then IA ,
3 11 34 3 11 35
if SF then IA , if SF then IA },
3 12
DR
{ if SF then IA ,
3 12 313 12 32 3 12 33
if SF then IA , if SF then IA ,
3 12 34 3 12 35
if SF then IA , if SF then IA },
3 13
DR
{ if SF then IA ,
3 13 313 13 32 3 13 33
if SF then IA , if SF then IA ,
3 13 34 3 13 35
if SF then IA , if SF then IA },
3 14
DR
{ if SF
3 14then IA ,
313 14 32 3 14 33
if SF
then IA , if SF then IA ,
3 14 34 3 14 35
if SF
then IA , if SF
then IA },
3 15
DR
{ if SF then IA ,
3 15 313 15 32 3 15 33
if SF then IA , if SF then IA ,
3 15 34 3 15 35
[image:8.612.106.295.268.433.2]4247 3 13
DR
{if SF
3 13then IA ,
31if SF
3 13then IA ,
32if SF
3 13then IA ,
333 13 34
if SF
then IA ,
if SF
3 13then IA }
35
{ if ( E
( NUM
31, 1 )
E
( NUM
32, 3 ))then
IA
31, if ( E( NUM
31, 2 )
E
( NUM
32, 3 ))then
IA
32, if ( E( NUM
31, 3 )
E
( NUM
32, 3 ))then
IA
33,if ( E
( NUM
31, 4 )
E
( NUM
32, 3 ))then
IA
34,if ( E
( NUM
31, 5 )
E
( NUM
32, 3 ))then
IA }
35 ={ if ( E
( NUM
SPКОП, 1 )
E
( NUM
SPКПОА, 3 ))then
"Н"
,if ( E
( NUM
SPКОП, 2 )
E
( NUM
SPКПОА, 3 ))then
"БНВ"
, if ( E( NUM
SPКОП, 3 )
E
( NUM
SPКПОА, 3 ))then
"БВН"
, if ( E( NUM
SPКОП, 4 )
E
( NUM
SPКПОА, 3 ))then
"В"
,if ( E
( NUM
SPКОП, 5 )
E
( NUM
SPКПОА, 3 ))then
"П"}.After checking all the rules in
DR
3 13, we determine that the identification of the anomalous state is carried out by means of a conditional expression
SPКОП SPКПОА
if ( E( NUM ,3 ) E( NUM ,3 ))
then
"БВН"
=if ( 1 1 )then
"БВН"
. The Figure 1 graphically shows the current block (in the form of a shaded rectangular area formed byf 31
P
~
,~
P
32f
) interpreting the anomaly in the
2
-dimensional parametric NSC-NPSA-(КОП-КПОА)-sub-environment generated by the corresponding attacking SP-environment at the moment of time
f.Here, even during visual comparing, it can be determined that the obtained current block is more closer to the fuzzy two-dimensional support area with the identifier
"БВН"
(“MORE HIGH THAN LOW”), and the used rule can literally be interpreted as: “If the current value of the fuzzy parameter “Number of simultaneous connections to the server (КОП)” at the moment of time
fis more closer to the standard fuzzy number “Average (Среднее – С)” and, at the same time, the current value of the fuzzy parameter “Number of packets with the same address of the sender and recipient (КПОА)” at the moment of time
f is more closerto the standard fuzzy number “High (Большое – Б)”, then the level of the anomalous state that can
be generated by the spoofing will be “More High than Low (БВН)”.
Also, using the developed software for the formation of standards of parameters for cyber attack detection systems [30], using various initial data, there is created the current state area, which allows visually to assess the anomalous state in the system in order to make the necessary decision. Here, the current block is generated, for example, in the form of a red rectangular area formed by f
31
P
~
and f 32
P
~
, which interprets the anomaly in the2
-dimensional parametric NSC-NPSA--(КОП-КПОА)-sub-environment generated by the corresponding attacking SP-environment at the moment of time
f [11].An example of the work of software for the formation of standards of parameters with different input data is shown on Fig. 2.
This software allows to automate the process of formation of standards of parameters for modern systems of anomaly detection and to display the results of the detection of an anomalous state in a given period of time
f.4248
Fig. 2. Example of the work of software for the formation of standards of parameters (Determination of the current state of the system)
5. CONCLUSIONS
Therefore, in the work there was proposed the DEFM, which on the basis of the basic tuple model [11], using the mechanism of formation the subsets of anomaly identifiers, formalizing the process of creation of decisive functions and conditional detection expressions, allows to form the necessary set of detection rules used to determine the level of anomalous state which is characteristic to a certain type of attacks. The use of this method at the creation anomaly detection systems will expand their functionality regarding to the detection of cyber attacks in a weakly formalized fuzzy environment.
REFERENCES
[1]. Mohammad Almseidin, Szilveszter Kovacs, «Intrusion detection mechanism using fuzzy rule interpolation», Journal of Theoretical and Applied Information Technology, vol. 96, no. 16, pp. 5473-5488, 2018.
[2]. Shanmugavadivu R., Nagarajan N. «Network Intrusion Detection System Using Fuzzy Logic», Indian Journal of Computer Science and Engineering (IJCSE), Vol. 2, No. 1, pp. 101-111, 2011.
[3]. Linda O., Vollmer T., Wright J., Manic M. «Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor», in Proc. IEEE Symposium Series on Computational Intelligence, Paris, France, April, 2011, pp. 202-209.
[4]. Bridges S.M., Vaughn R.B. «Fuzzy data mining and genetic algorithms applied to intrusion detection». In: Proceedings of the 23rd National Information Systems Security Conference. October 2000, pp. 13-31. [5]. Shahaboddin Shamshirband, Nor Badrul
Anuar, Miss Laiha, Mat Kiah, Sanjay Misra «Anomaly Detection using Fuzzy Q-learning Algorithm» Acta Polytechnica Hungarica. Vol. 11, № 8, 2014, pp. 5-28.
[6]. John E. Dickerson, Jukka Juslin, Ourania Koukousoula, Julie A. Dickerson «Fuzzy Intrusion Detection» IFSA World Congress and 20th NAFIPS International Conference, 2001. Joint 9th. Vol. 3, pp. 1506-1510. [7]. Chi-Ho Tsang, Sam Kwong, Hanli Wang «
Genetic-Fuzzy Rule Mining Approach and Evaluation of Feature Selection Techniques for Anomaly Intrusion Detection » Pattern Recognition, Vol. 40, №. 9, Sept. 2007, pp. 2373-2391.
[8]. Zadeh L.A. «Outline of a New Approach to the Analysis of Complex Systems and Decision Processes» IEEE Transactions on Systems, Man, and Cybernetics, Vol. SMC-3, №. 1, January 1973, рр. 28-44.
[9]. Gómez J., González F., Dasgupta D. «An Immuno-Fuzzy Approach to Anomaly Detection» The 12th IEEE International Conference on Fuzzy Systems, FUZZ-IEEE 25-28 May 2003, рр. 1219-1224.
4249 Engineering and Development. Vol. 17, № 1, Mar. 2013, pp. 255-269.
[11].Korchenko A.А. The tupel model of basic components' set formation for cyberattacks, Legal, regulatory and metrological support information security system in Ukraine, 2014, V.2 (28), pp. 29-36. (in Russian)
[12].Yao J.T., Zhao S.L., Saxton L.V. «A study on fuzzy intrusion detection» Proc. of SPIE Data Mining, Intrusion Detection, Information Assurance, And Data Networks Security, Orlando, Florida, USA, Vol. 5812, 2005, pp. 23-30.
[13].Fries P. «A Fuzzy-Genetic Approach to Network Intrusion Detection Terrence» Genetic and Evolutionary Computation Conference, GECCO (Companion) July 12-16, 2008, рр. 2141-2146.
[14]. Akhmetov, B., Kydyralina L, Lakhno V., Mohylnyi G., AkhmetovaJ., Tashimova A., model for a computer decision support system on mutual investment in the cybersecurity of educational institutions //International Journal of Mechanical Engineering and Technology (IJMET)//, Volume 9, Issue 10, October 2018, pp. 1114–1122,
[15].A. Korchenko, K. Warwas, A. Kłos-Witkowska, «The Tupel Model of Basic Components' Set Formation for Cyberattacks», in Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 2015 IEEE 8th International Conference on, 2015, pp. 478-483.
[16].Korchenko A.А. The formation method of linguistic standards created for the intrusion detection systems, Zahist ìnformacìï, vol. 16, №1, 2014, pp. 5-12. (in Russian)
[17].В. Akhemetov, А. Korchenko, S. Akhmetova, N. Zhumangalieva, «Improved method for the formation of linguistic standards for of intrusion detection systems», Journal of Theoretical and Applied Information Technology, vol. 87, no. 2, pp. 221-232, 2016. [18].Tereykovsky I., Korchenko A., Vikulov P., Shakhoval O., The etalons models of linguistic variables for sniffing attacks detection, Zahist ìnformacìï, vol. 19, №3, 2017, pp. 228-242. (in Russian)
[19].Mikolaj Karpinski, Poland, Anna Korchenko, Pavlo Vikulov, Ukraine, Roman Kochan. The Etalon Models of Linguistic Variables for Sniffing-Attack Detection // Proceedings of the 2017 IEEE 9th International Conference on «Intelligent Data Acquisition and
Advanced Computing Systems: Technology and Applications» (IDAACS’2017), Romania, Bucharest, September 21-23, 2017: Vol. 1. – Pp. 258-264.
[20].Tereykovsky I., Korchenko А., Vikulov Р., Ireifidzh I., Etalons models of linguistic variables for email-spoofing-attack detection systems, Bezpeka ìnformacìï, vol. 24 №2, pp. 21-28, 2018. (in Russian)
[21].Korchenko А. Method of parameter fuzzification based on linguistic standards for cyber attacks detection, Bezpeka ìnformacìï, 2014, vol. 20, issue 1, pp. 21-28. (in Russian) [22].Korchenko А., The method of -level of
nominalization for intrusion detection systems, Zahist ìnformacìï, vol. 16, №4, 2014, pp. 292-304. (in Russian)
[23].Korchenko А.О. The detection method of identification terms for intrusion detection system, Bezpeka ìnformacìï, 2014, Vol.20, №3, pp. 217-223. (in Russian)
[24].Tereykovsky I., Korchenko А., «Cyber attack detection system», Bezpeka ìnformacìï, 2017, Vol.23, №3, pp. 176-180. (in Russian) [25].Deep neural networks in cyber attack
detection systems / Bapiyev, I.M., Aitchanov, B.H., Tereikovskyi, I.A., Tereikovska, L.A., Korchenko, A.A. // International Journal of Civil Engineering and Technology Vol. 8, Issue 11, November 2017, PP. 1086-1092. [26].Lakhno, V., Akhmetov, B., Korchenko, A.,
Alimseitova, Z., Grebenuk, V., Development of a decision support system based on expert evaluation for the situation center of transport cybersecurity, Journal of Theoretical and Applied Information Technology, 2018, 96(14), с. 4530-4540.
[27].Borowik B., Borowik Barbara, Karpinskyi V., Klos–Witkowska A., Shaikhanova A. (2018, July). Wind turbine model with PIC microcontroller power control. In 2018 18th International Multidisciplinary Scientific Conference (SCEM2018). Vol. 18, Issue 4.1, pp. 823-830
[28].Belginova, S., Uvaliyeva, I., & Ismukhamedova, A. (2018, May). Decision support system for diagnosing anemia. In 2018 4th International Conference on Computer and Technology Applications (ICCTA) (pp. 211-215).
4250 [30].Korchenko A, Zaritskyi O., Taras P., Bychkov
