Balakin S. Methods and ways of increasing the reliability of the identification of unauthorized actions and attacks in the computer network


Thesis for the degree of Candidate of Sciences (CSc)

State registration number

0419U000516

Applicant for

Specialization

  • 05.13.05 - Computer systems and components

14-02-2019

Specialized Academic Board

Д 26.062.07

National Aviation University

Essay

The thesis is devoted to solving a relevant scientific and technical problem: increasing the reliability of identifying unauthorized actions and attacks in a computer network. For effective, reliable and fast identification of unauthorized actions and attacks in a computer network, methods should be implemented that build both on artificial immune systems (AIS) and on the ability to diagnose intrusions. Such an approach increases the effectiveness of identifying unauthorized actions and makes it possible to detect suspicious activity autonomously. The work defines methods for detecting unauthorized actions and attacks in a computer network that use artificial immune systems and diagnostics based on Dempster-Shafer theory, which allows intrusions to be detected effectively. The possibilities of using the operators of immune systems to model the operation of the proposed methods are explored. Based on these properties, procedures are proposed for identifying unauthorized actions and attacks in a computer network. The criteria and requirements needed to ensure timely detection of intrusions in computer networks are formulated. The main directions of development of modern methods of intrusion analysis and the possibilities of autonomous intrusion detection are determined. An analysis of modern intrusions has shown the feasibility of developing methods able to detect both known and new intrusions. A comparative analysis of models and methods that can be used for intrusion recognition in a computer network is carried out, characterizing the strengths and weaknesses of each method. The requirements for the selected methods are formed on the basis of maintaining speed and the ability to identify an intrusion independently (without using or accessing signature databases).
Detecting intrusions by means of diagnostics makes it possible to widen the spectrum of detectable intrusions by using Dempster-Shafer operators. When different technologies are combined using Dempster-Shafer methods, high speed and reliability of intrusion detection in computer networks can be achieved. The effectiveness of the method for detecting intrusions in a computer network on the basis of AIS and diagnostics was studied. Analysis of the information obtained led to the following conclusion: with a correct training sample and a correct choice of learning parameters, the AIS method has the same high reliability as the diagnostic method. AIS requires additional time to create a training sample, but this allows the system to respond more quickly to new types of intrusions and reduces the number of false positives. The diagnostic method places less load on the user's system, but more often classifies suspicious activity as an intrusion. The results of the comparative analysis of intrusions show that the proposed methods outperform the known antivirus products used in the comparative test and are capable of detecting unknown intrusions. The effectiveness of the proposed methods is proved. The results of the theoretical and experimental research have been introduced into production and into the educational process.
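As an added illustration (not code from the thesis), the following shows Dempster's rule of combination in the two-source setting the abstract describes: an AIS detector and a diagnostic detector each assign belief mass over the frame {intrusion, benign}, the masses are fused, the conflict between the sources is measured, and the fused belief decides whether traffic is flagged. The mass values and the 0.7 decision threshold are constructed assumptions, not figures from the thesis.

```python
from itertools import product

INTRUSION, BENIGN = "intrusion", "benign"
THETA = frozenset({INTRUSION, BENIGN})  # frame of discernment

# Constructed sample masses: each detector spreads its belief over
# {intrusion}, {benign} and the whole frame (= "don't know").
AIS_MASS = {frozenset({INTRUSION}): 0.6, frozenset({BENIGN}): 0.1, THETA: 0.3}
DIAG_MASS = {frozenset({INTRUSION}): 0.5, frozenset({BENIGN}): 0.2, THETA: 0.3}


def combine(m1, m2):
    """Dempster's rule: m(A) = sum_{B & C = A} m1(B) m2(C) / (1 - K),
    where K is the mass assigned to empty intersections (conflict).
    Returns (fused mass function, K); raises on total conflict (K == 1)."""
    fused, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        joint = b & c
        if not joint:
            conflict += mb * mc  # evidence that cannot be reconciled
        else:
            fused[joint] = fused.get(joint, 0.0) + mb * mc
    if abs(1.0 - conflict) < 1e-12:
        raise ValueError("total conflict: sources flatly contradict each other")
    return {a: v / (1.0 - conflict) for a, v in fused.items()}, conflict


def belief(m, hyp):
    """Bel(hyp): mass of every focal element fully contained in hyp."""
    return sum(v for a, v in m.items() if a <= hyp)


def plausibility(m, hyp):
    """Pl(hyp): mass of every focal element that overlaps hyp at all."""
    return sum(v for a, v in m.items() if a & hyp)


def assess(sources, threshold=0.7):
    """Fuse any number of detector masses and decide on {intrusion}.
    Returns (flagged, Bel(intrusion), Pl(intrusion), max conflict seen)."""
    fused, worst_k = sources[0], 0.0
    for m in sources[1:]:
        fused, k = combine(fused, m)
        worst_k = max(worst_k, k)  # high K means the detectors disagree
    hyp = frozenset({INTRUSION})
    bel, pl = belief(fused, hyp), plausibility(fused, hyp)
    return bel >= threshold, bel, pl, worst_k


if __name__ == "__main__":
    print(assess([AIS_MASS, DIAG_MASS]))
```

Bel(intrusion) is the committed support, Pl(intrusion) the upper bound once the uncommitted mass on the whole frame is counted; the gap between them is what the AIS training sample mentioned above is meant to shrink.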
