Methodology of formation of fuzzy associative rules with weighted attributes from SIEM database for detection of cyber incidents in special information and communication systems

Authors

  • Ihor Subach, Institute of Special Communications and Information Security, National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine, https://orcid.org/0000-0002-9344-713X
  • Artem Mykytiuk, Institute of Special Communications and Information Security, National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine, https://orcid.org/0000-0002-8307-9978

DOI:

https://doi.org/10.20535/2411-1031.2023.11.1.283575

Keywords:

cyber protection, cyber incident, SIEM, theory of fuzzy sets, data mining, associative rules

Abstract

The article presents a method for forming associative rules from the database of a SIEM system for the detection of cyber incidents, based on the theory of fuzzy sets and data mining methods. On the basis of the analysis conducted, it is concluded that it is expedient to detect cyber incidents in special information and communication systems (SICS) by applying rule-oriented methods. The need to apply data mining technologies, in particular methods for forming associative rules, to supplement the knowledge base (KB) of the SIEM system and thereby improve its performance in detecting cyber incidents is substantiated. For the effective application of cyber incident detection models built on the theory of fuzzy sets, the use of fuzzy associative rule mining methods is proposed; these allow heterogeneous data about cyber incidents to be processed and yield rules that are transparent to a human reader. The mathematical apparatus for forming fuzzy associative rules is considered and examples of its application are given. To increase the effectiveness of mining fuzzy associative rules from the SIEM database, it is proposed to use weighting coefficients of attributes that characterize the degree of their importance in a fuzzy rule. A formal statement of the problem of forming fuzzy associative rules with weighted attributes for the identification of cyber incidents is given, and a scheme of their formation and application is proposed. The method of forming fuzzy associative rules with weighted attributes from the SIEM database is described. The problem of determining the weighting coefficients of the relative importance of SIEM database attributes is formulated and a method for its solution is proposed. The problem of finding sets of elements whose weighted fuzzy support is at least a given threshold, which are used to form fuzzy associative rules with weighted attributes, is formulated, and methods for its solution are proposed.
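The weighted fuzzy support threshold and the rule-formation step described above, worked through as an added example (not the authors' code): a constructed SIEM event table with fuzzy term memberships and attribute weights is mined for itemsets whose weighted fuzzy support reaches a threshold, and those itemsets are turned into rules. The support and weighting formulas used here are assumptions standing in for the paper's definitions, which the abstract does not reproduce.

```python
"""Weighted fuzzy association rules over a constructed SIEM event table.
Assumed scheme (a stand-in, not the paper's exact definitions): the fuzzy
support of an itemset is the mean over events of the minimum membership of
its items; the weighted fuzzy support scales it by the mean attribute weight."""
from itertools import combinations

# Constructed sample: each SIEM event carries membership degrees (0..1) of
# fuzzy terms derived from its fields; the last term is the incident label.
EVENTS = [
    {"failed_logins:high": 0.9, "distinct_users:many": 0.8, "bytes_out:large": 0.1, "incident:bruteforce": 1.0},
    {"failed_logins:high": 0.8, "distinct_users:many": 0.7, "bytes_out:large": 0.0, "incident:bruteforce": 0.9},
    {"failed_logins:high": 0.7, "distinct_users:many": 0.9, "bytes_out:large": 0.2, "incident:bruteforce": 0.8},
    {"failed_logins:high": 0.1, "distinct_users:many": 0.2, "bytes_out:large": 0.9, "incident:bruteforce": 0.0},
    {"failed_logins:high": 0.2, "distinct_users:many": 0.1, "bytes_out:large": 0.8, "incident:bruteforce": 0.1},
]
# Constructed weights: relative importance of each fuzzy term in a rule.
WEIGHTS = {"failed_logins:high": 1.0, "distinct_users:many": 0.8,
           "bytes_out:large": 0.4, "incident:bruteforce": 1.0}

def fuzzy_support(itemset, events=EVENTS):
    """Mean over events of the min membership of all items (fuzzy AND)."""
    return sum(min(e[i] for i in itemset) for e in events) / len(events)

def weighted_fuzzy_support(itemset, events=EVENTS, weights=WEIGHTS):
    """Fuzzy support scaled by the mean weight of the itemset's attributes."""
    mean_w = sum(weights[i] for i in itemset) / len(itemset)
    return mean_w * fuzzy_support(itemset, events)

def frequent_itemsets(min_wsup, events=EVENTS, weights=WEIGHTS, max_size=3):
    """Itemsets (up to max_size) whose weighted fuzzy support >= min_wsup."""
    found = {}
    for k in range(1, max_size + 1):
        for combo in combinations(sorted(weights), k):
            wsup = weighted_fuzzy_support(combo, events, weights)
            if wsup >= min_wsup:
                found[frozenset(combo)] = wsup
    return found

def fuzzy_rules(min_wsup, min_conf, events=EVENTS, weights=WEIGHTS):
    """Rules X -> Y from frequent itemsets; confidence = sup(X u Y) / sup(X)."""
    rules = []
    for itemset, wsup in frequent_itemsets(min_wsup, events, weights).items():
        for k in range(1, len(itemset)):  # empty range for single-item sets
            for ante in combinations(sorted(itemset), k):
                # min_wsup > 0 guarantees sup(ante) >= sup(itemset) > 0
                conf = fuzzy_support(itemset, events) / fuzzy_support(ante, events)
                if conf >= min_conf:
                    rules.append((frozenset(ante), itemset - set(ante), wsup, conf))
    return rules
```

On this sample, `fuzzy_rules(0.4, 0.9)` yields four rules, among them failed_logins:high -> incident:bruteforce with confidence of about 0.93, while the lightly weighted bytes_out:large never reaches the support threshold.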

Author Biographies

Ihor Subach, Institute of Special Communications and Information Security, National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv

Doctor of Technical Sciences, Associate Professor, Head of the Cybersecurity and Application of Information Systems and Technologies Academic Department

Artem Mykytiuk, Institute of Special Communications and Information Security, National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv

Postgraduate student

Published

2023-06-29

How to Cite

Subach, I., & Mykytiuk, A. (2023). Methodology of formation of fuzzy associative rules with weighted attributes from SIEM database for detection of cyber incidents in special information and communication systems. Collection "Information Technology and Security", 11(1), 47–59. https://doi.org/10.20535/2411-1031.2023.11.1.283575

Section

INFORMATION SECURITY RISK MANAGEMENT