HYBRID METHOD AND SYSTEM FOR DETECTING ABNORMAL TRAFFIC IN INFORMATION AND COMMUNICATION SYSTEMS
DOI:
https://doi.org/10.31891/2307-5732-2025-349-82
Keywords:
hybrid method, anomalous traffic detection, information and communication system, Snort 3, self-similarity, fuzzy logic, signature analysis, traffic analysis
Abstract
The article presents the implementation and reliability assessment of a hybrid method for detecting anomalous traffic in information and communication systems (ICS). The method combines classical signature-based detection with a self-similarity-based method and a fuzzy method. The purpose of the study is to increase the reliability of attack detection in a network environment with dynamically changing traffic parameters, to reduce the number of false positives, and to ensure rational use of computing resources. The proposed approach is built on Snort 3, an open-source intrusion detection and prevention platform with a modular architecture and multi-threaded processing. Using the Snort 3 API, a separate module was developed that performs the full cycle of network traffic analysis: capture, decoding, classification, risk assessment, and decision-making. The system implements three complementary components: signature detection, traffic classification by self-similarity, and fuzzy risk assessment. The key innovation is the use of the Hurst exponent to detect long-term dependencies in time series, which makes it possible to identify atypical or hidden activity, including zero-day attacks. To verify the system's performance, a large-scale test environment was created with two isolated subnets, traffic generators, port mirroring, and a server platform emulating the ICS. A dataset of over 5.4 million records was collected with explicit labeling of normal and abnormal traffic. In addition to laboratory modeling, testing was performed under real-world network operating conditions, which allowed the influence of background noise, extraneous activity, and traffic variability to be taken into account. The results were evaluated with the standard confusion-matrix counts (TP, FP, TN, FN) and the derived indicators Precision, Recall, Accuracy, Specificity, and F1-measure.
A comparative analysis of the effectiveness of the developed system against traditional solutions, the original Snort and the Suricata system, was conducted. On all metrics, the hybrid model demonstrated higher attack detection reliability, a better ability to distinguish anomalous from normal traffic, and a lower rate of type II errors (missed attacks). In particular, in laboratory conditions the following values were achieved: Accuracy 99.12%, Precision 99.44%, Recall 99.62%, F1-score 99.53%. Under real traffic conditions, accuracy remained high, and the average processor load of the hybrid system was the lowest among the tested solutions at 40.5%. The results indicate the promise of the hybrid approach for the development of next-generation cyber defense systems. The proposed model demonstrates flexible scalability, effective adaptation to changes in the environment, and a high level of detection reliability without excessive load on the infrastructure. In practical terms, the development can be used as a standalone system or as a module in complex solutions for detecting and countering intrusions in the ICS.
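As an added, illustrative example (not the paper's module or any Snort 3 code), the self-similarity component described above can be sketched in Python: a rescaled-range (R/S) estimate of the Hurst exponent over a packet-rate series, followed by a fuzzy combination with a signature verdict. The baseline H of 0.75 and tolerance of 0.15 are assumed values for the monitored link, and the input series are constructed, not captured traffic.

```python
import math
import random
from statistics import mean, pstdev

def rescaled_range(series, n):
    """Average R/S statistic over non-overlapping windows of length n."""
    ratios = []
    for start in range(0, len(series) - n + 1, n):
        chunk = series[start:start + n]
        m = mean(chunk)
        dev, run = [], 0.0
        for x in chunk:                  # cumulative deviation from the window mean
            run += x - m
            dev.append(run)
        s = pstdev(chunk)
        if s > 0:                        # a constant window carries no range information
            ratios.append((max(dev) - min(dev)) / s)
    return mean(ratios)

def hurst_exponent(series, min_n=8):
    """Estimate H as the least-squares slope of log(R/S) against log(n).
    H > 0.5 indicates persistence (long-range dependence); estimates above 1
    can occur for strongly non-stationary, bursty series."""
    sizes, n = [], min_n
    while n <= len(series) // 2:         # doubling windows up to half the series length
        sizes.append(n)
        n *= 2
    xs = [math.log(n) for n in sizes]
    ys = [math.log(rescaled_range(series, n)) for n in sizes]
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)

def fuzzy_risk(h, signature_hit, h_baseline=0.75, tolerance=0.15):
    """Fuzzy OR of the signature verdict and the 'atypical self-similarity' membership.
    h_baseline and tolerance are ASSUMED values for the link, not taken from the paper."""
    atypical = min(1.0, abs(h - h_baseline) / tolerance)   # membership degree in [0, 1]
    score = max(1.0 if signature_hit else 0.0, atypical)
    label = "high" if score >= 0.8 else "medium" if score >= 0.4 else "low"
    return round(score, 3), label

def constructed_packet_rates(seed=7, n=1024, burst=False):
    """CONSTRUCTED packets-per-second samples: white noise around 100 pps, optionally
    modulated by a slow sinusoidal burst that introduces long-range dependence."""
    rng = random.Random(seed)
    return [100 + (40 * math.sin(2 * math.pi * t / 256) if burst else 0.0) + rng.gauss(0, 10)
            for t in range(n)]

if __name__ == "__main__":
    for burst in (False, True):
        h = hurst_exponent(constructed_packet_rates(burst=burst))
        print(f"burst={burst}: H={h:.2f} risk={fuzzy_risk(h, signature_hit=False)}")
```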
License
Copyright (c) 2025 НАТАЛІЯ ПЕТЛЯК (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.