1. Introduction
Fast detection of anomalies in complex computer networks, in particular those caused by malicious attacks, is highly important. Such attacks can leave a network unable to function properly and lead to loss, corruption or leakage of data. For early detection, dedicated software systems are used to detect and classify anomalies. These systems are built either on traditional signature-based techniques (Afek et al., 2019; AlYousef & Abdelmajeed, 2019) or on machine learning techniques (Sultana et al., 2019; Yu et al., 2017). Signature-based techniques cannot detect anomalies caused by attacks that are modifications of known attacks (Chakravarty et al., 2019), while approaches based on machine learning suffer from false positives and missed anomalies (Gao et al., 2019; Umer et al., 2017).
Many researchers have worked to overcome these drawbacks (Xu et al., 2018; Raman et al., 2017; Le et al., 2017). In particular, signatures have been used as a training set for classifiers (Hoang & Nguyen, 2019), and there are hybrid approaches based on ensembles of classifiers (Khraisat et al., 2019; Zhang et al., 2018). The existing approaches, however, do not detect anomalies corresponding to new attacks or to modified versions of known attacks with high accuracy and a low false positive rate at the same time.
Under these conditions, the search for more reliable anomaly detection approaches has become urgent. This paper proposes a hybrid approach that combines signature analysis with weighted voting of classifiers built by machine learning. Logistic regression, stochastic gradient descent and a decision tree were chosen as the classifiers because of the relatively low computational complexity of these algorithms: the anomaly detection system is designed to operate in real time. The experiments carried out show that the proposed approach achieves high detection accuracy for both known and new anomalies as well as high repeatability of results.
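As an added illustration of the architecture described above (not code from the paper), the block below wires a signature stage in front of a weighted vote of three lightweight classifiers, implemented in plain Python: logistic regression fitted by batch gradient descent, a linear classifier trained by stochastic gradient descent on the perceptron loss, and a depth-1 decision tree. The signatures, flow records, feature scaling and the log-odds weighting of the vote are assumptions made for this example; the paper's own models and weighting scheme are those of section 3.

```python
"""Hybrid anomaly detector: signature stage, then a weighted vote of three classifiers.
Added example, not the paper's code; signatures, records and scaling are constructed."""
import math
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Record = Dict[str, float]
Predictor = Callable[[Sequence[float]], int]   # returns 1 = anomaly, 0 = normal

# --- Stage 1: signature analysis (hypothetical signatures on raw flow records)
SIGNATURES: Dict[str, Callable[[Record], bool]] = {
    "telnet_syn_flood": lambda r: r["dst_port"] == 23 and r["syn_ratio"] >= 0.9,
    "dns_amplification": lambda r: r["dst_port"] == 53 and r["bytes_per_pkt"] >= 1200,
}

def match_signature(rec: Record) -> Optional[str]:
    """Name of the first matching signature, or None if no signature fires."""
    for name, pred in SIGNATURES.items():
        if pred(rec):
            return name
    return None

def features(rec: Record) -> List[float]:
    """Two scaled features: packet rate in thousands/s and SYN ratio."""
    return [rec["pkts_per_sec"] / 1000.0, rec["syn_ratio"]]

# --- Stage 2: three low-cost classifiers, each returning a predict function
def _lin(w: List[float], b: float, x: Sequence[float]) -> float:
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def train_logreg(X, y, lr=0.5, epochs=2000) -> Predictor:
    """Logistic regression fitted by batch gradient descent on the log loss."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, t in zip(X, y):
            err = 1.0 / (1.0 + math.exp(-_lin(w, b, x))) - t   # p - label
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(X) for wi, g in zip(w, gw)]
        b -= lr * gb / len(X)
    return lambda x: int(_lin(w, b, x) > 0)

def train_sgd_linear(X, y, lr=0.1, epochs=50) -> Predictor:
    """Linear classifier trained by stochastic gradient descent on the perceptron loss."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for x, t in zip(X, y):
            s = 1 if t == 1 else -1
            if s * _lin(w, b, x) <= 0:          # misclassified: one SGD step
                w = [wi + lr * s * xi for wi, xi in zip(w, x)]
                b += lr * s
    return lambda x: int(_lin(w, b, x) > 0)

def train_stump(X, y) -> Predictor:
    """Depth-1 decision tree: the feature/threshold split with best training accuracy."""
    best = (-1.0, 0, 0.0)                        # (accuracy, feature index, threshold)
    for f in range(len(X[0])):
        vals = sorted({x[f] for x in X})
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2.0
            acc = sum(int(x[f] > thr) == t for x, t in zip(X, y)) / len(X)
            if acc > best[0]:
                best = (acc, f, thr)
    _, f, thr = best
    return lambda x: int(x[f] > thr)

# --- Weighted voting: each classifier weighted by the log-odds of its validation accuracy
def vote_weights(models: List[Predictor], X_val, y_val, eps=1e-3) -> List[float]:
    weights = []
    for predict in models:
        acc = sum(predict(x) == t for x, t in zip(X_val, y_val)) / len(X_val)
        acc = min(max(acc, eps), 1.0 - eps)      # clamp so perfect/zero accuracy stays finite
        weights.append(math.log(acc / (1.0 - acc)))
    return weights

def weighted_vote(models, weights, x) -> int:
    score = sum(w * (1 if m(x) == 1 else -1) for m, w in zip(models, weights))
    return int(score > 0)

class HybridDetector:
    def __init__(self, X_train, y_train, X_val, y_val):
        self.models = [train_logreg(X_train, y_train),
                       train_sgd_linear(X_train, y_train),
                       train_stump(X_train, y_train)]
        self.weights = vote_weights(self.models, X_val, y_val)

    def detect(self, rec: Record) -> Tuple[int, str]:
        """(1 anomaly / 0 normal, stage that decided). A matching signature decides first."""
        sig = match_signature(rec)
        if sig is not None:
            return 1, "signature:" + sig
        return weighted_vote(self.models, self.weights, features(rec)), "vote"

# --- Constructed flow records ((pkts_per_sec, syn_ratio), label 1 = anomaly)
TRAIN = [((50, 0.10), 0), ((80, 0.05), 0), ((120, 0.15), 0), ((100, 0.20), 0),
         ((60, 0.12), 0), ((150, 0.08), 0), ((900, 0.95), 1), ((850, 0.80), 1),
         ((950, 0.90), 1), ((700, 0.85), 1), ((800, 0.99), 1), ((750, 0.92), 1)]
VAL = [((90, 0.07), 0), ((110, 0.18), 0), ((820, 0.88), 1), ((930, 0.97), 1)]

def build_detector() -> HybridDetector:
    to_x = lambda rows: [[p / 1000.0, s] for (p, s), _ in rows]
    to_y = lambda rows: [t for _, t in rows]
    return HybridDetector(to_x(TRAIN), to_y(TRAIN), to_x(VAL), to_y(VAL))

KNOWN_ATTACK = {"dst_port": 23, "pkts_per_sec": 900.0, "syn_ratio": 0.96, "bytes_per_pkt": 60.0}
MODIFIED_ATTACK = {"dst_port": 2323, "pkts_per_sec": 880.0, "syn_ratio": 0.93, "bytes_per_pkt": 60.0}
BENIGN = {"dst_port": 443, "pkts_per_sec": 70.0, "syn_ratio": 0.10, "bytes_per_pkt": 900.0}
```

`build_detector().detect(rec)` returns the verdict together with the stage that produced it. The constructed `MODIFIED_ATTACK` record illustrates the motivation of the paper: the attack is moved from port 23 to 2323, so the signature no longer fires, but its traffic features are still classified as anomalous by the vote. The clamp in `vote_weights` matters in practice: a classifier that scores 100% on a small validation set would otherwise receive an infinite weight and silently turn the ensemble into a single model.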
The rest of the paper is organized as follows: Section 2 reviews related work on anomaly detection, from which suitable components for the combined approach are chosen, and surveys available datasets to select one for evaluating the proposed approach; Section 3 describes the proposed approach; Section 4 presents the experiment in detail and draws conclusions about the effectiveness of the approach and directions for further research in this field.