Title: Detection of Invasion on the Basis of Analysis of Anomalous Behavior of a Local Network Using Machine-Learning Algorithms with a Teacher
Authors: G. Asyaev, A. N. Sokolov
DOI: 10.14529/SECUR200109 (https://doi.org/10.14529/SECUR200109)
Journal: Journal of the Ural Federal District. Information security, vol. 230 1
Publication type: Journal article
Citations: 1
Abstract
The paper presents models of the intrusion detection process based on three machine learning methods: the decision tree method, the nearest neighbor method and the random forest method. The main task in modeling is to classify the ACS states (abnormal, normal). Parameters affecting the detection of anomalous behavior are considered: protocol, service data, flags used, number of failed login attempts, duration of the attack. To simulate the process of anomaly detection, a data set of the transport and network levels of the control system was selected, consisting of raw TCP/IP dumps captured while the network was subjected to multiple attacks. For each TCP/IP connection, 3 qualitative and 38 quantitative features were recorded, among which the features most important to learning were highlighted. The response was predicted on a control (test) sample. The main criteria for choosing a mathematical model for the task were the number of correctly recognized anomalies (accuracy), the accuracy (precision) and the completeness (recall) of answers. The optimal algorithm for detection of anomalies was chosen on the basis of the conducted research.