MACHINE LEARNING IMPLEMENTATION FOR THE CLASSIFICATION OF ATTACKS ON WEB SYSTEMS. PART 2

K. Smirnova, A. Smirnov, V. Plotnikov

MACHINE LEARNING IMPLEMENTATION FOR THE CLASSIFICATION OF ATTACKS ON WEB SYSTEMS. PART 2

Дата

2017

Автори

K. Smirnova, A. Smirnov, V. Plotnikov

Анотація

The possibility of applying machine learning for the classification of malicious requests to aWeb application is considered. This approach excludes the use of deterministic analysis systems (for example, expert systems),and is based on the application of a cascade of neural networks or perceptrons on an approximate model to the real humanbrain. The main idea of the work is to enable to describe complex attack vectors consisting of feature sets, abstract terms forcompiling a training sample, controlling the quality of recognition and classifying each of the layers (networks) participatingin the work, with the ability to adjust not the entire network, but only a small part of it, in the training of which a mistake orinaccuracy crept in. The design of the developed network can be described as a cascaded, scalable neural network.When using neural networks to detect attacks on web systems, the issue of vectorization and normalization of features isacute. The most commonly used methods for solving these problems are not designed for the case of deliberate distortion ofthe signs of an attack.The proposed approach makes it possible to obtain a neural network that has been studied in more detail by small features,and also to eliminate the normalization issues in order to avoid deliberately bypassing the intrusion detection system. Byisolating one more group of neurons in the network and teaching it to samples containing various variants of circumvention ofthe attack classification, the developed intrusion detection system remains able to classify any types of attacks as well as theiraggregates, putting forward more stringent measures to counteract attacks. This allows you to follow the life cycle of theattack in more detail: from the starting trial attack to deliberate sophisticated attempts to bypass the system and introducemore decisive measures to actively counteract the attack, eliminating the chances of a false alarm system.