The aim of this work is the development and improvement of intrusion detection methods based on an adaptive fuzzy-logic decision-making model used in conjunction with AIS. The model is configured and tested by analysing information obtained from the processing of real IP traffic, as presented in the public KDD Cup 1999 network traffic dataset.
The model is developed under the constraint that events must be classified despite a shortage of a priori information about the source properties of the intrusions and of the classified events, both of which are stochastic in nature. The intrusion detection system contains modules for adaptation, rule modification, formation of dynamic ratings for event classification rules, and decision-making, which yield more efficient solutions, in the Pareto sense, to intrusion detection problems.
As an acceptable solution, it is proposed to form dynamically a base of decision rules Rj, each of which has a quality function value fj above a given threshold fα, which is set by the decision maker depending on the criticality of the controlled object. The fuzzy decision rules Rj for which fj > fα form the subset of effective rules Rα. Classifying network states using the rules in Rα provides a higher likelihood of intrusion detection as well as a minimum number of false alarms. This holds for stationary processes in the network; when the traffic changes qualitatively, it is advisable to adjust the composition of the subset Rα using the new values of fj.
Results of experiments are presented that investigate how the detection likelihood is affected by different volumes of test samples, adaptively changing values of fj, varying thresholds CFα and fα, the frequency of rule-base modification, and other factors. Using the adaptation mode significantly increases the likelihood of correct classification of network states. With increasing sample size, the length of the confidence interval for the false-positive likelihood is well approximated by a power function of the square root of the sample-size magnification ratio. This is caused by the productive correction of the quality function fj, which raises its estimate. The proposed model turned out to be locally stable within the classes of attacks, and sensitive to the adjustable parameters a, b, c of the fuzzy rules and to the thresholds CFα, fα that form the subset of effective rules Rα. This allows the decision maker to make decisions that take into account the specific features of administering the computer network, including earlier detection of these classes of attacks.
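To make the rule-selection mechanism concrete, here is a small Python model, added as an illustration and not code from the paper: fuzzy rules with triangular membership parameters a, b, c over two KDD Cup 1999 connection attributes (count, serror_rate), a quality function fj computed as each rule's precision on a constructed labelled sample (an assumed form, since the abstract does not define fj), CFα taken as the firing-confidence threshold, and Rα formed as the rules with fj > fα.

```python
from dataclasses import dataclass
# Constructed example: "count" and "serror_rate" are KDD Cup 1999 attributes; the records,
# rule shapes and the precision-based form of f_j below are assumptions, not the paper's.
def tri(x, a, b, c):
    """Triangular membership with adjustable parameters a <= b <= c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

@dataclass
class Rule:
    name: str
    feature: str                    # connection attribute the antecedent tests
    a: float; b: float; c: float    # membership parameters
    verdict: str                    # class the rule votes for: "attack" or "normal"
    hits: int = 0                   # times the rule fired on labelled traffic
    correct: int = 0                # times its verdict matched the label
    def degree(self, conn):
        return tri(conn[self.feature], self.a, self.b, self.c)
    def quality(self):              # assumed f_j: precision on the traffic it fired on
        return self.correct / self.hits if self.hits else 0.0

def adapt(rules, labelled, cf_alpha):
    """Adaptation step: fire each rule (degree >= CF_alpha) and update its f_j."""
    for conn, label in labelled:
        for r in rules:
            if r.degree(conn) >= cf_alpha:
                r.hits += 1
                r.correct += int(r.verdict == label)
    return rules

def effective_rules(rules, f_alpha):
    """R_alpha: the rules whose quality f_j exceeds the decision maker's threshold."""
    return [r for r in rules if r.quality() > f_alpha]

def classify(conn, r_alpha, cf_alpha):
    """Rules in R_alpha vote with weight degree * f_j; if nothing fires -> 'unknown'."""
    scores = {}
    for r in r_alpha:
        d = r.degree(conn)
        if d >= cf_alpha:
            scores[r.verdict] = scores.get(r.verdict, 0.0) + d * r.quality()
    return max(scores, key=scores.get) if scores else "unknown"

RULES = [Rule("R1", "serror_rate", 0.4, 0.9, 1.4, "attack"),   # many SYN errors
         Rule("R2", "count", 100, 300, 500, "attack"),         # burst of connections
         Rule("R3", "count", 0, 1, 20, "normal"),              # quiet host
         Rule("R4", "serror_rate", 0.0, 0.1, 0.3, "attack")]   # weak rule: fires on normal traffic
LABELLED = [({"count": 2, "serror_rate": 0.0}, "normal"), ({"count": 5, "serror_rate": 0.06}, "normal"),
            ({"count": 8, "serror_rate": 0.1}, "normal"), ({"count": 350, "serror_rate": 1.0}, "attack"),
            ({"count": 280, "serror_rate": 0.95}, "attack"), ({"count": 15, "serror_rate": 0.18}, "normal"),
            ({"count": 120, "serror_rate": 0.7}, "attack"), ({"count": 220, "serror_rate": 0.15}, "attack")]
CF_ALPHA, F_ALPHA = 0.5, 0.7   # firing-confidence threshold and quality threshold

def build_r_alpha():           # one adaptation pass over the sample, then form R_alpha
    return effective_rules(adapt(RULES, LABELLED, CF_ALPHA), F_ALPHA)
```

Re-running `adapt` on fresh labelled traffic and then `effective_rules` again is the adjustment of Rα described above for non-stationary traffic; R4, whose precision on the constructed sample is 0.25, falls out of Rα while R1 to R3 remain.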
As a further refinement of the proposed approach, it is planned to consider the multidimensional classification problem over a set of alternative features, to develop a Pareto approximation approach for multidimensional optimization problems, and to assess the feasibility of using an advance traffic filter.