Гібридний метод та система виявлення аномального трафіку в інформаційно-комунікаційних системах
Вантажиться...
Дата
2025
Автори
Назва журналу
Номер ISSN
Назва тому
Видавець
Хмельницький національний університет
Анотація
У статті запропоновано гібридний метод виявлення аномального трафіку в інформаційно-комунікаційних
системах (ІКС), що поєднує сигнатурний аналіз, метод на основі самоподібності та нечіткий метод. Реалізація
методу виконана на базі модульної архітектури системи Snort 3 з використанням власного програмного модуля, що
інтегрує зовнішню бібліотеку аналізу трафіку. Запропонований підхід дозволяє підвищити достовірність виявлення
загроз за рахунок комплексної оцінки ризиків та адаптації до змін у мережевому середовищі. Проведено
багаторівневе тестування системи в умовах лабораторного та реального трафіку. За результатами
експериментів доведено переваги гібридного методу в порівнянні з традиційними системами виявлення (Snort,
Suricata) за ключовими метриками якості: точність, повнота, специфічність та F1-міра. Окремо проаналізовано
вплив реалізованої системи на ресурсне навантаження ІКС. Показано, що використання гібридного методу
забезпечує ефективне виявлення атак при нижчому завантаженні процесора, що підвищує стійкість та
масштабованість мережевої інфраструктури.
The article presents the implementation and assessment of the reliability of a hybrid method for detecting anomalous traffic in information and communication systems (ICS), which combines classical approaches to signature-based detection with a self-similaritybased method and a fuzzy method. The purpose of the study is to increase the reliability of detecting attacks in a network environment with dynamically changing traffic parameters, reduce the number of false positives, and ensure the rational use of computing resources. The proposed approach is based on the use of Snort 3, an open-source platform for detecting and preventing intrusions that has a modular architecture and supports multi-threaded processing. Based on the Snort 3 API, a separate module has been developed that performs a full cycle of network traffic analysis: capture, decoding, classification, risk assessment, and decision-making. The system implements three complementary components: signature detection, traffic classification by self-similarity, and fuzzy risk assessment. The key innovation is the use of the Hurst metric to detect long-term dependencies in time series, which allows for effective identification of atypical or hidden activity, including zero-day attacks. To verify the system's performance, a large-scale test environment was created with two isolated subnets, traffic generators, port mirroring, and a server platform emulating the ICS. A dataset of over 5.4 million records was collected with clear labeling of normal and abnormal traffic. In addition to laboratory modeling, testing was performed in real-world network operation conditions, which allowed taking into account the impact of background noise, extraneous activity, and traffic variability. To evaluate the results, commonly used metrics were used - TP, FP, TN, FN, as well as derived indicators: Precision, Recall, Accuracy, Specificity, and F1-measure. A comparative analysis of the effectiveness of the developed system with traditional solutions - the original Snort and the Suricata system - was conducted. According to all metrics, the hybrid model demonstrated higher attack detection reliability, better ability to distinguish between anomalous and normal traffic, as well as a lower level of type II errors. In particular, in laboratory conditions, Accuracy was achieved - 99.12%, Precision - 99.44%, Recall - 99.62%, F1-score - 99.53%. In real traffic conditions, accuracy remained high, and the average processor load when using the hybrid system was the lowest among the tested solutions - 40.5%. The results obtained indicate the prospects of the hybrid approach in the context of the development of new generation cyber defense systems. The proposed model demonstrates the ability to flexibly scale, effectively adapt to changes in the environment, and a high level of detection reliability without excessive load on the infrastructure. In practical terms, the development can be used as a standalone system or as a module in complex solutions for detecting and countering intrusions in the ICS
The article presents the implementation and assessment of the reliability of a hybrid method for detecting anomalous traffic in information and communication systems (ICS), which combines classical approaches to signature-based detection with a self-similaritybased method and a fuzzy method. The purpose of the study is to increase the reliability of detecting attacks in a network environment with dynamically changing traffic parameters, reduce the number of false positives, and ensure the rational use of computing resources. The proposed approach is based on the use of Snort 3, an open-source platform for detecting and preventing intrusions that has a modular architecture and supports multi-threaded processing. Based on the Snort 3 API, a separate module has been developed that performs a full cycle of network traffic analysis: capture, decoding, classification, risk assessment, and decision-making. The system implements three complementary components: signature detection, traffic classification by self-similarity, and fuzzy risk assessment. The key innovation is the use of the Hurst metric to detect long-term dependencies in time series, which allows for effective identification of atypical or hidden activity, including zero-day attacks. To verify the system's performance, a large-scale test environment was created with two isolated subnets, traffic generators, port mirroring, and a server platform emulating the ICS. A dataset of over 5.4 million records was collected with clear labeling of normal and abnormal traffic. In addition to laboratory modeling, testing was performed in real-world network operation conditions, which allowed taking into account the impact of background noise, extraneous activity, and traffic variability. To evaluate the results, commonly used metrics were used - TP, FP, TN, FN, as well as derived indicators: Precision, Recall, Accuracy, Specificity, and F1-measure. A comparative analysis of the effectiveness of the developed system with traditional solutions - the original Snort and the Suricata system - was conducted. According to all metrics, the hybrid model demonstrated higher attack detection reliability, better ability to distinguish between anomalous and normal traffic, as well as a lower level of type II errors. In particular, in laboratory conditions, Accuracy was achieved - 99.12%, Precision - 99.44%, Recall - 99.62%, F1-score - 99.53%. In real traffic conditions, accuracy remained high, and the average processor load when using the hybrid system was the lowest among the tested solutions - 40.5%. The results obtained indicate the prospects of the hybrid approach in the context of the development of new generation cyber defense systems. The proposed model demonstrates the ability to flexibly scale, effectively adapt to changes in the environment, and a high level of detection reliability without excessive load on the infrastructure. In practical terms, the development can be used as a standalone system or as a module in complex solutions for detecting and countering intrusions in the ICS
Опис
Ключові слова
гібридний метод, виявлення аномального трафіку, інформаційно-комунікаційна система, Snort 3, самоподібність, нечітка логіка, сигнатурний аналіз, аналіз трафіку, hybrid method, anomalous traffic detection, information and communication system, Snort 3, self-similarity, fuzzy logic, signature analysis
Бібліографічний опис
Петляк Н. Гібридний метод та система виявлення аномального трафіку в інформаційно-комунікаційних системах / Н. Петляк // Вісник Хмельницького національного університету. Технічні науки. – 2025. – № 2. – С. 561-569.