Development of adaptive expert system of information security using a procedure of clustering the attributes of anomalies and cyber attacks

Abstract

The paper presents results of the research aimed at the further development of models for the intelligent systems of recognition of cyber threats, anomalies and cyber attacks. A structural scheme of adaptive expert system (AES) of information security, capable of self-learning, is proposed, which takes into account potential errors of the third kind, which may arise and accumulate while training a system of intelligent detection of complex targeted cyber attacks and preliminary process of splitting a space of attributes of the objects of recognition. We developed a model for calculating information criterion of functional effectiveness, based on entropic and distance criteria of Kullback-Leibler in the course of clustering the attributes of objects of recognition in computer systems, which allows obtaining input fuzzy classification training matrix. A procedure for the operation of AES as an element of the system for intelligent recognition of cyber threats (SIRCT) was explored in the training mode by a priori classified training matrix that allowed us to build correct decisive rules for the recognition of cyber attacks. We designed AES "Threat Analyzer" and conducted its test research under conditions of real CoS performance at several enterprises. It was found that the proposed model of AES learning makes it possible to achieve results of the recognition of the standard classes of cyber attacks at the level from 76.5 % to 99.1 %, which is at the level of recognition effectiveness by the best hybrid neural networks and genetic algorithms.