Korchenko A. Methods for identifying abnormal states for intrusion detection systems

Ukrainian version

Thesis for the degree of Doctor of Science (DSc)

State registration number

0519U000618

Applicant for

Specialization

  • 05.13.21 - Information security systems

02-07-2019

Specialized Academic Board

Д 26.062.17

National Aviation University

Essay

The functionality of modern intrusion detection and blocking systems depends to a great extent on their ability to detect new cyberattacks in real time. Systems for countering cyberattacks are well developed, but their effective operation requires appropriate information that helps them detect attack actions. As a rule, such data is formed post factum and takes a certain amount of time to obtain. Detection and blocking of new cyberattacks are therefore characterized by a conflict between the readiness of cyberattack countermeasure systems to respond immediately to an intrusion and the inability of detection tools to inform the countermeasure function in time. To address this problem, it is necessary to design specific tools that extend the functional capabilities of modern intrusion detection systems through the a priori formation of information about anomalous states in information systems caused by certain types of cyberattacks. For this purpose, the most effective approach is to use expert knowledge, which, as a rule, is represented in the form of expert judgments about the abnormality level of parameters caused by the effect of new types of threats. The dissertation deals with a pressing applied scientific problem: detecting new kinds of cyberattacks within the shortest possible time by designing an appropriate methodology for creating systems that detect anomalous states caused by new types of threats. The methodology focuses on the creation of tools that extend the functionality of modern intrusion detection systems. On the basis of the proposed methodology and the corresponding structural solution, algorithmic support and a software model of a system for detecting anomalous states caused by cyberattacks are designed. The model can be used either autonomously or to extend the functionality of modern intrusion detection systems.
The conducted experiments confirmed the reliability of the theoretical principles and practical developments of the dissertation. The results of the study have been adopted by Saifer BIS Ltd. They are also used in the educational process at the Department of Data Protection Computerized Systems of the National Aviation University, at the Information Security Department of the Institute of Information and Telecommunications Technologies of K.I. Satbayev Kazakh National Research Technical University, and at the Department of Computer Science and Automatics of the University (Technical-Humanistic Academy) of Bielsko-Biała, Poland.
