An Anomaly Detection and Network Filtering System for Linux Based on Kohonen Maps and Variable-order Markov Chains

Authors: S. Staroletov, Roman Chudov
Venue: 2022 32nd Conference of Open Innovations Association (FRUCT)
Published: 2022-11-09
DOI: 10.23919/FRUCT56874.2022.9953860 (https://doi.org/10.23919/FRUCT56874.2022.9953860)

Abstract
Modern cyber-physical systems can be defined as distributed systems for processing data from various sensors, where the distribution is provided by a data transmission network. As the hardware base grows more complex, the components of such a system can be executed on minicomputers running the Linux operating system, and they solve the problems of routing packets and processing them in order to determine software-defined routes. Accordingly, such systems are subject to attacks from outside, which can lead to anomalies in the operation of network subsystems. Therefore, it is necessary to have systems for detecting anomalies in real time, and such tools must be lightweight since the performance of minicomputers is limited. In this paper, we consider a solution for processing network packets at OSI layer 2 and for building detectors based on Markov chains of variable order, as well as traffic classification using self-organizing Kohonen maps. These solutions are based on well-known fundamental works by Russian and Finnish mathematicians and computer scientists and on their modern practical applications, so we describe all the concepts used. We present all necessary architectural solutions and algorithms. As a result, we offer a free software solution for Linux as the basis for implementing effective intelligent firewalls. Internally, the solution is based on a Netfilter hook and packet_mmap.