CYBERSECURITY AND CRITICAL INFRASTRUCTURE PROTECTION

SIGNATURE AND STATISTICAL ANALYZERS IN THE CYBER ATTACK DETECTION SYSTEM

The globalization of information exchange and the widespread introduction of information technologies in all spheres of society's life have created the problem of protecting information processed in information systems from challenges and threats in cyberspace. The presence of valuable information in the functioning of systems and critical national infrastructure objects enables hostile actors and groups to carry out unlawful actions in cyberspace by violating the integrity, availability, and confidentiality of information and inflicting damage on information resources and information systems. Of particular concern is the possibility of using information technologies in cyberspace for military-political and power confrontation, terrorism, and hacking cyber attacks. Today, intrusion and attack detection systems are usually software or hardware-software solutions that automate the monitoring of events occurring in an information system or network and independently analyze these events for signs of security problems. An analysis of modern approaches to the development of such systems shows that it is signature analysis of network traffic that provides effective results in the development of protection modules for cyber systems. In addition, reliable protection of information systems requires not only separate protection mechanisms but also a systematic approach comprising a set of interrelated measures. The purpose of the article is to develop a system for recognizing cyber threats based on signature analysis, which would reduce the attack detection time of a cyber defense system while the number and complexity of cyber attacks are increasing.

monitoring systems is the way to create a hierarchical multilevel structure of cyber attack detection at the beginning of their implementation. Furthermore, a hierarchical approach allows the difficult problem of managing the protection of information from cyber attacks in distributed information systems (IS) to be solved as a sequence of local tasks coordinated with each other.
The threat assessment of critically important systems involves two aspects: situational analysis and threat detection [1], [6], [7], [9]. Situational analysis is a detailed analysis of the software settings governing the functioning of the IS. While carrying out such an analysis it is necessary to group similar data and assess each group separately. An example of such an analysis is presented in fig. 1.

Figure 1 - Threat type diagram [1]

Nowadays, for information systems protection, it is necessary not only to develop private protection mechanisms but also to implement a systematic approach, which involves a complex of interrelated actions. Any information security system aims to prevent cyber attacks, protect the legal interests of a business entity from information security incidents, and prevent financial theft and the dissemination, loss, misrepresentation, and destruction of information.
Today, cyber intrusion and cyber attack detection systems are usually software or hardware-software solutions that automate the monitoring of actions taking place in an information system or network and analyze these actions directly to detect cybersecurity warnings [4], [5]. As the number of different types and ways of organizing network hacking has increased in recent years, the cyber attack detection system (CADS) has become a necessary component of the security infrastructure of most organizations [2], [3].
In general, modern intrusion and cyber attack detection systems are far from ergonomic and effective solutions from a security standpoint. But the improvement of efficiency should be considered not only in detecting improper activity on the infrastructure of protected information objects but also in the everyday operation of these measures and in saving the computing power and information resources of the security system owner.
Speaking directly about data-processing modules, it should be remembered that every cyber attack signature in the information processing system is the basic element for detecting the most general actions: the phase of the cyber attack (the stage of its implementation). The definition of a signature itself is generalized to a final rule. Each cyber attack, in turn, unfolds over a number of phases of its development. The simpler a cyber attack is, the more easily it can be detected and the more opportunities there are to analyze it.
The purpose of the article is to develop a system for recognizing cyber threats based on signature analysis, which would reduce the attack detection time of a cyber defense system while the number and complexity of cyber attacks are increasing.
To achieve this purpose, the following problems should be solved:
- to create a system for detecting aberrant behavior, built upon the ability of the cyber attack detection system to know characteristics that describe the correct (or permitted) behavior of the object of observation;
- to develop a signature analyzer model that enables detection of a cyber attack or cyber intrusion against critically important information structures;
- to develop a statistical analyzer on the basis of the average-case analysis model and the root-mean-square deviation of network traffic parameters.
The main material of the research. The cyber attack scenario is a transition diagram, which corresponds to the state diagram of a deterministic finite automaton. Cyber attack phases can be described as follows: port probing; identification of software and hardware tools; banner gathering; use of exploits; disruption of network functioning by denial-of-service attacks; control through backdoors; searching for installed Trojans; searching for web proxies; removal of traces of presence, and so on (where appropriate, with different levels of detail).
The benefits of such an approach are obvious: with separate processing of the various stages of cyber attacks, it is possible to recognize a cyber threat during its preparation and formation, and not at the stage of its implementation, as in existing systems. At the same time, the elemental basis for recognition can be signature search, anomaly detection, the use of expert methods and systems, trust relationships, and other methods of assessing what is happening in the information environment. A general approach to analysis allows us to determine distributed (in all senses) cyber threats, both in logical and physical space. The general scheme of event handling also allows searching for distributed cyber attacks by aggregating data from different sources and constructing metadata about known incidents.
Cyber attack detection systems, like most modern software products, must meet certain requirements [10], [11]: the use of modern development technologies, orientation toward the features of modern information networks, and compatibility with other programs. To use CADS correctly, one needs to understand how they work and what their vulnerabilities are. Setting aside various non-essential innovations in the field of cyber attack detection, we can safely assert that there are two main technologies for constructing CADS.
The most widespread cyber threats to information resources can be considered potentially possible events of natural, technical, or human-induced origin that may lead to unwanted effects on the information system and on the information stored in it. The emergence of a cyber threat, that is, the source from which certain events in the threat are actualized, is characterized by such an element as vulnerability. Integrating a variety of approaches and proposals for solving this issue, we believe that the following kinds of cyber threats to information security can be identified: disclosure of information resources; violation of their integrity; failure of the equipment itself.
Traditionally, CADS are classified according to two characteristics: the method of detection and the level of the system on which the protection is carried out. Although these two classification features are the most important in selecting systems for detecting cyber attacks, other characteristics play an equally important role in the design of a CADS. After all, the safest solution cannot be achieved by considering only one or two aspects of the taxonomy. All developers of attack detection systems and organizations that use CADS should understand and study their classification in order to choose the best solutions for information security systems. By studying the various aspects of the taxonomy and applying the various options, we can achieve a higher level of information system security.
Systems for detecting abnormal behavior are based on the fact that the CADS has some features that characterize the correct or permissible behavior of the object of observation. The block diagram of the cyber security of the information system is presented in fig. 2. Sensors of cyber intrusion detection devices identify unusual behavior and anomalies in the operation of a single object. The difficulties of their practical application are associated with the instability of the protected objects themselves and of the external objects interacting with them. The object of observation can be the network as a whole, a separate computer, a network service, a user, etc. Sensors operate on the assumption that the intruder violates the normal functioning of the information system.
The measures and methods traditionally used to detect abnormalities include the following:
- threshold values: the observation of an object is expressed in the form of numerical intervals; exceeding these intervals is considered abnormal behavior; thresholds can be static or dynamic;
- statistical measures: the decision on the presence of a cyber attack is taken on the basis of a large amount of data collected through statistical pre-processing;
- parametric: to detect a cyber attack, a special "normal system profile" is constructed from templates (some policy that the object must usually follow);
- nonparametric: the profile is built by observing the object during a training period;
- measures based on rules (signatures): very similar to nonparametric statistical measures; during the training period an idea of the normal behavior of the object is formed and written down in the form of special "rules";
- other measures: neural networks, genetic algorithms, which allow classifying some set of known sensor-indicator signs.
In modern CADS the first two methods are mainly used.
Usually, abnormal activity detection systems use log books and current user activity as the data source for analysis. The advantages of cyber attack detection systems based on the technology of detecting abnormal behavior can be summarized as follows:
- anomaly detection systems are capable of detecting new types of cyber attacks for which signatures have not yet been developed;
- they do not require updating of signatures and rules for cyber attack detection;
- anomaly detection generates information that can be used in criminal detection systems.
The disadvantages of systems based on the technology of detecting abnormal behavior are:
- the systems require long and high-quality training;
- the systems generate many errors of the second kind;
- the systems are usually too slow in operation and require a large amount of computing resources.
Let us consider one of the effective methods for detecting intrusions and cyber attacks, which is based on the signature approach. Signature methods allow a cyber attack to be described by a set of rules or by a formal model, which can take the form of a character string, a semantic expression in a special language, etc. The essence of this method is to use a specialized database of cyber attack templates (signatures) to find actions that fall under the definition of "cyber attack".
The signature method can protect from a viral or hacker cyber attack when its signature is already known (for example, an unchanging fragment of the virus body) and is included in the CADS database. If the network is experiencing the first attack of this kind from outside, the infection is still unknown, and the database simply lacks the signature needed to find it, a signature-based CADS will not be able to signal the danger because it considers the attacking activity legitimate.
Most existing software products that claim to use the signature method in fact implement the most primitive form of signature recognition. In such systems the signature method is implemented as an algorithm that examines only the dynamics of cyber attack development, and it is based on a state machine for assessing the scenario of the developing attack. According to the plan, this approach should allow the dynamics of cyber attack development to be tracked through the actions of the intruder, while even existing cyber attack detection systems can be used as the data collection module.
Signature analyzer model. Thus, the effectiveness of a signature-based CADS is determined by three main factors: the efficiency of refining the signature base; its completeness from the point of view of defining cyber attack signatures; and the presence of intelligent algorithms that reduce the attacking party's actions to some basic steps, within which comparison with the signatures takes place.
To implement the chosen method of detection and identification in the CADS, models of signature and statistical analyzers of network traffic are offered, and a fuzzy intelligent system is used to determine the sources of cyber attacks and to choose solutions for their elimination. The structure of the universal signature analyzer of network traffic packet flows is presented in fig. 3.
The functioning of the signature analyzer includes two stages: filtering and collecting packet fragments, and recognizing cyber attacks by their signatures.
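As an added illustration (not code from the paper), the two stages above combined with the state-machine view of an attack scenario, in Python: the filtering stage keeps only events already normalised to an attack phase, and the recognition stage advances a per-source deterministic automaton for every scenario signature, so a threat is reported while it is still in preparation rather than only on completion. The signature names, phase labels, addresses and events are constructed assumptions.

```python
from collections import defaultdict

# Constructed scenario signatures: an ordered tuple of attack phases, i.e. the
# states of a deterministic finite automaton that the analyzer walks per source.
SIGNATURES = {
    "recon_then_exploit": ("port_scan", "banner_grab", "exploit_attempt"),
    "backdoor_control": ("exploit_attempt", "backdoor_session"),
}

class SignatureAnalyzer:
    """Tracks, per source address, how far each scenario signature has progressed."""

    def __init__(self, signatures):
        self.signatures = signatures
        # state[src][name] = index of the next phase the automaton expects
        self.state = defaultdict(lambda: {name: 0 for name in signatures})

    def feed(self, event):
        """Recognition stage: return (src, signature, phases_reached, complete) alerts."""
        src, phase = event["src"], event["phase"]
        alerts = []
        for name, phases in self.signatures.items():
            idx = self.state[src][name]
            if idx < len(phases) and phases[idx] == phase:
                idx += 1
                self.state[src][name] = idx
                # alert at every phase reached, not only on full completion,
                # so the scenario is visible during its preparation
                alerts.append((src, name, idx, idx == len(phases)))
        return alerts

def analyse(events, signatures=SIGNATURES):
    """Filtering stage (drop events with no known phase), then recognition."""
    analyzer = SignatureAnalyzer(signatures)
    known = {p for phases in signatures.values() for p in phases}
    alerts = []
    for ev in events:
        if ev.get("phase") in known:
            alerts.extend(analyzer.feed(ev))
    return alerts

# Constructed events, already normalised to phases by a capture/pre-processing module.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "phase": "port_scan"},
    {"src": "10.0.0.9", "phase": "banner_grab"},     # out of order for this source: no alert
    {"src": "10.0.0.5", "phase": "dns_lookup"},      # unknown phase: filtered out
    {"src": "10.0.0.5", "phase": "banner_grab"},
    {"src": "10.0.0.5", "phase": "exploit_attempt"},
    {"src": "10.0.0.5", "phase": "backdoor_session"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```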
The work of the analyzer is described by the following model. Denote the network traffic coming from the packet capture module as a flow in the form of a set

The work of the statistical analyzer is described by the following model. The local characteristics can be calculated using the following formula:

As the weight function $F(z)$ for finding $W(N)$, a function of the following form was chosen:

where $t$ is the time interval on which the local characteristics are calculated and $S_k$ is a rationing factor. To determine the local characteristics, the range of possible values of $X$ is divided into $B$ intervals:

and the hit frequencies in the corresponding intervals are calculated not for the whole stream but for the $n$ most recent events. The local characteristics are calculated by (2) and (3).
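An added example of the statistical analyzer's principle in Python (not the paper's model; the paper's expressions for $W(N)$ and $F(z)$ are not reproduced): a global average-case profile of one traffic parameter (mean, root-mean-square deviation and hit frequencies over $B$ intervals of its range) is learned on a training stream, and the local characteristics are recomputed over the $n$ most recent events only, with an alarm when the local mean leaves the mean plus or minus $k$ times the RMS deviation. The corridor width $k$, the interval bounds and the packets-per-second samples are constructed assumptions.

```python
from collections import deque
import math

def interval_index(x, lo, hi, B):
    """Map a parameter value onto one of B equal-width intervals covering [lo, hi]."""
    if x <= lo:
        return 0
    if x >= hi:
        return B - 1
    return int((x - lo) * B / (hi - lo))

class StatisticalAnalyzer:
    """Global mean/RMS profile learned in training vs. local characteristics over n events."""

    def __init__(self, lo, hi, B, n, k):
        self.lo, self.hi, self.B, self.n, self.k = lo, hi, B, n, k
        self.mean = self.rms = 0.0
        self.global_freq = [0.0] * B
        self.window = deque(maxlen=n)     # the n most recent events only

    def fit(self, baseline):
        """Training period: global mean, RMS deviation and interval hit frequencies."""
        m = len(baseline)
        self.mean = sum(baseline) / m
        self.rms = math.sqrt(sum((x - self.mean) ** 2 for x in baseline) / m)
        hits = [0] * self.B
        for x in baseline:
            hits[interval_index(x, self.lo, self.hi, self.B)] += 1
        self.global_freq = [h / m for h in hits]
        return self.mean, self.rms

    def local_frequencies(self):
        """Hit frequencies per interval computed for the recent window, not the whole stream."""
        hits = [0] * self.B
        for x in self.window:
            hits[interval_index(x, self.lo, self.hi, self.B)] += 1
        return [h / len(self.window) for h in hits]

    def observe(self, x):
        """Add one event; True when the local mean leaves the mean +/- k*RMS corridor."""
        self.window.append(x)
        if len(self.window) < self.n:
            return False              # too few recent events for local characteristics
        local_mean = sum(self.window) / self.n
        return abs(local_mean - self.mean) > self.k * self.rms

def run(baseline, stream, lo=0, hi=500, B=5, n=4, k=3.0):
    """Fit on the baseline, then return one anomaly flag per event of the stream."""
    an = StatisticalAnalyzer(lo, hi, B, n, k)
    an.fit(baseline)
    return [an.observe(x) for x in stream], an

# Constructed packets-per-second samples: a quiet baseline, then a sudden burst.
BASELINE = [100, 110, 95, 105, 100, 90, 108, 102, 97, 103]
STREAM = [99, 104, 101, 98, 400, 450, 480, 470]
```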
When designing the intelligent (expert) system, the fuzzy logic model was chosen [8]. This is because a significant amount of information on the causes and sources of cyber attacks (CA) can be obtained only from experts or in the form of heuristic descriptions of processes. To determine the sources of CA, the security system should be represented by a model of the information network on which it is oriented. Such a model divides the process of information moving between computers across the network environment into several levels. Thus, the primary security problem can be represented as a decomposition of security tasks across the individual levels of the network.
Represent a separate level of security in the form of a nonlinear object with a plurality of input variables and one output variable $y$:

$y = f(x_1, x_2, \ldots, x_n)$ (4)

As input variables we select signs of CA sources. The output variable $y$ is a network status indicator.
The model uses the following assumptions and limitations:
- the input variables $\{x_i\}$ within one level are independent;
- separate network functions are isolated on each of the network levels.
The Integrated Intelligent Decision-making Support System (IIDmSS) for identifying intruders contains a set of functional components that allow control actions to be automated as much as possible when the security situation changes. The structure of the decision-making information system for determining cyber intrusions is presented in fig. 5.
Conclusion. The current state of systems for detecting cyber attacks on information systems is full of weaknesses and vulnerabilities, which, unfortunately, allow harmful influences to successfully defeat information security systems. This situation is a result of the rapid development of the technologies and methods used by cybercriminals to achieve their goals. The attacking side will always have an advantage due to the unexpectedness and unpredictability of its actions. Therefore, intrusion detection systems are needed that quickly detect and prevent security breaches (especially those caused by previously unknown cyber attacks), which are characterized by unclear criteria.
From this perspective, the following tasks were solved in the work:
- a system for detecting abnormal behavior that takes into account the multiplicity of monitoring parameters was developed;
- a signature analyzer model for detecting anomalies during a cyber attack was proposed;
- a model of the statistical analyzer, whose task is to minimize the probability of the cyber attack detection system making a false decision, was designed.

Figure 5 - The structure of the decision-making information system

In general, when new threats and anomalies arise from attacking actions with unidentified or unclearly defined properties, these tools do not always remain effective and require long time resources to be adapted. That is why intrusion detection systems should be continuously investigated and refined to ensure continuity of their effective functioning. Today, information protection requires not just the development of private security mechanisms but also the implementation of a systematic approach that contains a set of interrelated measures. The main objective of any information security system should be to create conditions for the safe operation of the enterprise, to prevent cyber threats, to protect the legitimate interests of the enterprise from illegal encroachments, and to prevent theft of financial means and the disclosure, loss, leakage, distortion, and destruction of official information.