Goal of research
Development of a pilot version of a system for monitoring attacks on information resources in the web space, which uses intelligent technologies to solve monitoring tasks.
For the detection and classification of computer attacks, neural network methods are used, in particular fully connected neural networks, convolutional neural networks, etc. The monitoring system is implemented as a microservice-based architecture built on the Docker, Zabbix, Kibana and Elasticsearch tools.
Empirical base of research
The UNSW-NB15 and CICIDS datasets are used.
Results of research:
theoretical analysis of the application of intelligent methods for monitoring computer attacks in the web space, and systematization of the features of computer attacks and the characteristics of protected objects;
extensive analysis and review of existing publicly available computer attack datasets containing current computer attack scenarios;
algorithms for the detection and classification of computer attacks on information resources using intelligent machine learning methods are developed; classification algorithms based on convolutional neural networks and the random forest algorithm are proposed and tested;
an approach to balancing the training set is proposed, which improves the quality of the classification algorithm on classes with a small number of examples. As a result, the classification quality (F-measure) is increased from 0.970 to 0.998, and the accuracy of attack recognition for classes with a small number of examples is increased (by a different amount for each of the 6 small classes);
monitoring system infrastructure is developed that collects, stores and processes information about computer attacks and protected objects;
a pilot version of the computer attack detection system is developed and tested on current computer attack scenarios;
2 articles are published in the proceedings of scientific conferences;
1 PhD student internship is completed (HSE internship program).
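As an added illustration (not code from the project described on this page), the following Python sketch shows the two ingredients behind the training-set balancing result above: growing the small attack classes up to the size of the largest class, and the per-class F-measure that reveals whether small classes are actually recognised when plain accuracy does not. The page does not state which balancing method the project used, so random oversampling with replacement is an assumption; the feature vectors, class names and classifier predictions are constructed for the example.

```python
import random
from collections import Counter

# Constructed training set: one majority class ("normal") and two small
# attack classes, mimicking the imbalance found in intrusion datasets.
# Feature vectors and labels are made up for this example.
CONSTRUCTED_X = [[0.1, 0.2]] * 12 + [[0.9, 0.8]] * 3 + [[0.5, 0.9]] * 2
CONSTRUCTED_Y = ["normal"] * 12 + ["dos"] * 3 + ["scan"] * 2


def balance_by_oversampling(X, y, target=None, seed=0):
    """Random oversampling (assumed method): draw extra examples with
    replacement from each class until every class has `target` examples
    (default: the size of the largest class). Classes are only grown,
    never cut down, so no majority-class data is discarded."""
    rng = random.Random(seed)
    by_class = {}
    for features, label in zip(X, y):
        by_class.setdefault(label, []).append(features)
    if target is None:
        target = max(len(members) for members in by_class.values())
    X_out, y_out = [], []
    for label, members in by_class.items():
        X_out.extend(members)
        y_out.extend([label] * len(members))
        extra = target - len(members)
        if extra > 0:
            X_out.extend(rng.choice(members) for _ in range(extra))
            y_out.extend([label] * extra)
    return X_out, y_out


def per_class_f1(y_true, y_pred):
    """One-vs-rest precision, recall and F1 for every class label."""
    labels = sorted(set(y_true) | set(y_pred))
    scores = {}
    for c in labels:
        tp = sum(1 for t, p in zip(y_true, y_pred) if t == c and p == c)
        fp = sum(1 for t, p in zip(y_true, y_pred) if t != c and p == c)
        fn = sum(1 for t, p in zip(y_true, y_pred) if t == c and p != c)
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        denom = precision + recall
        scores[c] = 2 * precision * recall / denom if denom else 0.0
    return scores


def macro_f1(y_true, y_pred):
    """Unweighted mean of the per-class F1 values: a large "normal" class
    cannot mask poor recognition of small attack classes."""
    scores = per_class_f1(y_true, y_pred)
    return sum(scores.values()) / len(scores)


def accuracy(y_true, y_pred):
    """Plain accuracy, shown only to contrast with the macro F-measure."""
    return sum(1 for t, p in zip(y_true, y_pred) if t == p) / len(y_true)


def class_counts(y):
    """Number of examples per class label."""
    return dict(Counter(y))


if __name__ == "__main__":
    print("before:", class_counts(CONSTRUCTED_Y))
    X_bal, y_bal = balance_by_oversampling(CONSTRUCTED_X, CONSTRUCTED_Y)
    print("after: ", class_counts(y_bal))
    # Constructed predictions of an imaginary classifier that labels every
    # "normal" flow correctly but misses most of the small attack classes.
    y_pred = ["normal"] * 12 + ["dos", "normal", "normal"] + ["normal", "normal"]
    print("accuracy:     %.3f" % accuracy(CONSTRUCTED_Y, y_pred))
    print("per-class F1:", per_class_f1(CONSTRUCTED_Y, y_pred))
    print("macro F1:     %.3f" % macro_f1(CONSTRUCTED_Y, y_pred))
```

On the constructed predictions the accuracy is about 0.76 while the macro F-measure is about 0.45, because the "scan" class is never recognised at all; this is why the report quotes the F-measure rather than accuracy when judging the effect of balancing on small classes.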
Level of implementation, recommendations on implementation or outcomes of the implementation of the results
The degree of implementation is low; improvements are needed to the interface and to integration with existing computer attack detection systems.