Quarterly journal published by SPbPU and edited by Prof. Peter Zegzhda
Peter the Great St. Petersburg Polytechnic University
Institute of Computer Sciences and Technologies
Information Security of Computer Systems
Information Security Problems. Computer Systems
Published since 1999.
ISSN 2071-8217
ALGORITHM FOR RAPID DETECTION OF TRAFFIC ANOMALIES IN HIGH-SPEED CORPORATE MULTISERVICE COMMUNICATION NETWORKS

Ageev S.A., Ageeva N.S., Karetnikov V.V., Privalov A.A., Sikarev I.

Annotation: The article proposes an adaptive heuristic (behavioral) algorithm, operating in real time, for detecting traffic anomalies in high-speed corporate multiservice communication networks, and presents the main results of its study. The relevance of this work follows from the fact that the vast majority of information and network security management processes, as well as the processes of managing the risks of threats to them, in high-speed corporate multiservice communication networks must run in near real time. The proposed approach is based on the concept of conditionally nonlinear Pareto-optimal filtering due to V. S. Pugachev. Its essence is that a traffic parameter is estimated in two stages: at the first stage a forecast of the parameter values is computed, and at the second stage these values are corrected using the subsequent observations of the parameter. In the proposed method and algorithm, traffic parameter values are predicted over a small sliding window, and adaptation is implemented by pseudo-gradient procedures whose parameters are tuned by the Takagi-Sugeno fuzzy inference method. A feature of the developed procedures for estimating the characteristics of high-speed traffic in multiservice communication networks is that they take into account the dynamics of changes in network traffic parameters. The proposed method and algorithm belong to the class of adaptive methods and algorithms with preliminary training. The average relative error of the traffic parameter estimates does not exceed 10%, which is sufficient for operational network management tasks.
The procedure for detecting anomalous traffic behavior of an operating high-speed multiservice communication network is implemented on the basis of the Mamdani fuzzy inference method, in which the state intervals of the traffic parameters are determined by the security policy adopted in the network. A study of the proposed method for detecting anomalous network traffic behavior has shown its high efficiency.
Keywords: pseudogradient algorithm, conditionally nonlinear Pareto-optimal filtering, Takagi-Sugeno fuzzy inference, fuzzy rule base, fuzzy knowledge base.
Pages 20-30
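As an added illustration (not the authors' code and not the algorithm from the paper), the sketch below shows the two-stage predict-then-correct estimation over a sliding window with a normalized pseudo-gradient weight update, followed by classification of the corrected estimate against policy state intervals. The Takagi-Sugeno tuning and the Mamdani inference of the paper are replaced by crisp rules; the window length, step sizes, gains, policy thresholds and the sample traffic are all assumed values.

```python
WINDOW = 4  # assumed sliding-window length; the page gives no value
# Assumed policy state intervals (packets/s); the paper feeds such intervals to
# Mamdani inference, this sketch uses crisp bounds instead.
POLICY = [("normal", 0.0, 150.0), ("suspicious", 150.0, 250.0),
          ("anomalous", 250.0, float("inf"))]

def tune(rel_err):
    """Crisp stand-in for the Takagi-Sugeno tuning: the larger the relative
    prediction error, the larger the step size and the observation gain."""
    return (0.5, 0.9) if rel_err > 0.2 else (0.2, 0.5) if rel_err > 0.05 else (0.05, 0.2)

class TwoStageEstimator:
    def __init__(self, window=WINDOW):
        self.w = [1.0 / window] * window  # weights start as a plain moving average
        self.hist = []

    def predict(self):
        """Stage 1: forecast the next value from the sliding window."""
        if len(self.hist) < len(self.w):
            return self.hist[-1] if self.hist else 0.0
        return sum(wi * xi for wi, xi in zip(self.w, self.hist[-len(self.w):]))

    def correct(self, x):
        """Stage 2: correct the forecast with the observation and adapt the
        weights by a normalized pseudo-gradient (NLMS-style) step."""
        x_hat = self.predict()
        err = x - x_hat
        rel_err = abs(err) / max(abs(x), 1e-9)
        mu, gain = tune(rel_err)
        if len(self.hist) >= len(self.w):
            win = self.hist[-len(self.w):]
            norm = sum(v * v for v in win) + 1e-9
            self.w = [wi + mu * err * xi / norm for wi, xi in zip(self.w, win)]
        self.hist.append(x)
        return x_hat, x_hat + gain * err, rel_err

def classify(estimate):
    """Map the corrected estimate onto a policy state interval."""
    return next((s for s, lo, hi in POLICY if lo <= estimate < hi), "anomalous")

# Constructed sample: steady ~100 pkt/s, then a burst to ~300 pkt/s.
SAMPLES = [100, 102, 98, 101, 99, 100, 103, 97, 100, 101, 300, 310, 305, 298, 300]

def run(samples=SAMPLES):
    est, out = TwoStageEstimator(), []
    for x in samples:  # returns (forecast, corrected estimate, relative error, state)
        x_hat, corrected, rel_err = est.correct(x)
        out.append((x_hat, corrected, rel_err, classify(corrected)))
    return out
```

On the constructed sample the steady segment stays "normal" with relative forecast errors under 10% once the window is full, and every burst sample is classified "anomalous" from the corrected estimate.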