MACHINE LEARNING IMPLEMENTATION FOR THE CLASSIFICATION OF ATTACKS ON WEB SYSTEMS. PART 2

K. Smirnova, A. Smirnov, V. Plotnikov
2017 Avtomatizaciâ Tehnologičeskih i Biznes-Processov  
The possibility of applying machine learning to the classification of malicious requests to a web application is considered. This approach avoids deterministic analysis systems (for example, expert systems) and instead applies a cascade of neural networks (perceptrons), an approximate model of the real human brain. The main idea of the work is to make it possible to describe complex attack vectors consisting of feature sets and abstract terms for compiling a training sample, to control the quality of recognition and classification at each of the layers (networks) participating in the work, and to retrain not the entire network but only the small part of it into which a mistake or inaccuracy crept during training. The design of the developed network can be described as a cascaded, scalable neural network. When neural networks are used to detect attacks on web systems, the vectorization and normalization of features becomes a pressing issue. The most commonly used methods for solving these problems are not designed for the case of deliberate distortion of the signs of an attack. The proposed approach makes it possible to obtain a neural network that has been trained in more detail on small features, and also to eliminate the normalization issues that would otherwise allow the intrusion detection system to be bypassed deliberately. By isolating one more group of neurons in the network and training it on samples containing various variants of circumventing the attack classification, the developed intrusion detection system remains able to classify any type of attack as well as combinations of them, and can put forward more stringent measures to counteract attacks. This makes it possible to follow the life cycle of an attack in more detail, from the initial trial attack to deliberate, sophisticated attempts to bypass the system, and to introduce more decisive measures to actively counteract the attack while eliminating the chance of a false alarm.
doi:10.15673/atbp.v9i3.713