COMPARATIVE ANALYSIS OF RANDOM FOREST AND XGBOOST MACHINE LEARNING MODELS IN THE TASK OF SECURITY INCIDENT CLASSIFICATION
DOI: https://doi.org/10.31891/2307-5732-2025-357-29
Keywords: incident classification, information security, machine learning, Random Forest, XGBoost, false positives
Abstract
The article presents a comparative study of the effectiveness of the Random Forest and XGBoost machine learning models on the task of multi-class classification of security incidents in information systems. In the course of the study, two incident classification models, one based on the Random Forest algorithm and one on XGBoost, were built.
In addition to the empirical assessment of model quality, the paper describes the principles of operation of both algorithms and gives their mathematical justification. For Random Forest, a probabilistic model of an ensemble of trees was formulated, indicator functions were used, and the regression function and the generalization error of the model were analyzed. For XGBoost, the procedure for building a tree at each boosting iteration, the optimization of the loss functional with a regularization component, the use of second-order gradients, and the tree-growth (split) criterion were considered in detail. This formalization provides a deeper theoretical understanding of the mechanisms of the algorithms and explains their behavior under real conditions.
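The second-order derivation referred to above, written out as an added illustration (this is the standard XGBoost formulation, not a transcription of the article's equations; the symbols $g_i, h_i, G_j, H_j, \lambda, \gamma, T$ are assumptions made here for the illustration). At boosting iteration $t$ the loss $\ell(y_i, \hat y_i)$ is expanded to second order around the current prediction $\hat y_i^{(t-1)}$, so that only per-instance gradients and Hessians enter the objective for the new tree $f_t$:

$$
\mathcal{L}^{(t)} \approx \sum_{i=1}^{n}\Big[g_i\, f_t(x_i) + \tfrac{1}{2} h_i\, f_t(x_i)^2\Big] + \Omega(f_t),
\qquad
g_i = \frac{\partial \ell(y_i,\hat y_i^{(t-1)})}{\partial \hat y_i},\;
h_i = \frac{\partial^2 \ell(y_i,\hat y_i^{(t-1)})}{\partial \hat y_i^{2}},
$$

$$
\Omega(f) = \gamma T + \tfrac{1}{2}\lambda \sum_{j=1}^{T} w_j^{2},
$$

where $T$ is the number of leaves and $w_j$ the weight of leaf $j$. Grouping instances by the leaf they fall into, $I_j = \{i : q(x_i) = j\}$, with $G_j = \sum_{i \in I_j} g_i$ and $H_j = \sum_{i \in I_j} h_i$, the objective separates per leaf and is minimized in closed form:

$$
\mathcal{L}^{(t)} = \sum_{j=1}^{T}\Big[G_j w_j + \tfrac{1}{2}(H_j + \lambda) w_j^{2}\Big] + \gamma T
\quad\Longrightarrow\quad
w_j^{*} = -\frac{G_j}{H_j + \lambda},
\qquad
\mathcal{L}^{*} = -\tfrac{1}{2}\sum_{j=1}^{T}\frac{G_j^{2}}{H_j + \lambda} + \gamma T .
$$

The growth criterion is the reduction of $\mathcal{L}^{*}$ obtained by splitting a leaf into left and right children $L$ and $R$; a split is kept only when the gain exceeds the per-leaf penalty $\gamma$:

$$
\mathrm{Gain} = \tfrac{1}{2}\left[\frac{G_L^{2}}{H_L + \lambda} + \frac{G_R^{2}}{H_R + \lambda} - \frac{(G_L + G_R)^{2}}{H_L + H_R + \lambda}\right] - \gamma .
$$

For multi-class incident labels under the softmax cross-entropy loss, one tree per class $k$ is grown per iteration with $g_i^{(k)} = p_{i,k} - \mathbb{1}[y_i = k]$ and $h_i^{(k)} = p_{i,k}(1 - p_{i,k})$, where $p_{i,k}$ is the current softmax probability of class $k$ for instance $i$. The $\lambda$ term in the denominators is what keeps leaf weights bounded on small, rare incident classes, which is the practical reason the regularization component matters for SOC data with skewed class frequencies.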
A comparative analysis of model effectiveness was conducted on the key classification metrics: accuracy, recall, precision, and F1-measure. The Random Forest model showed slightly higher overall accuracy (91.97%) and a better ability to recognize the FalsePositive class (alerts that are not real threats), which is an important advantage when a SOC is overloaded with a large volume of signals. In turn, the XGBoost model demonstrated stable classification of true threats (the TruePositive class), which is critical for rapid response in information security systems.
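The metric comparison above hinges on a point that overall accuracy hides: two models can have the same accuracy while one is better on the FalsePositive class and the other on TruePositive. The following is an added example (not code from the article, and the label vectors are constructed toy data, not the authors' dataset or results) that computes per-class precision, recall and F1 plus macro averages from scratch for two hypothetical models, "rf" and "xgb", whose error profiles mirror the behavior described in the abstract.

```python
"""Per-class and macro-averaged classification metrics for multi-class
security incident labels, computed from scratch so the arithmetic is
visible.  Added illustration, not code from the article; the label and
prediction vectors are constructed toy data."""
from collections import Counter

# Assumed three-class incident taxonomy, as a SOC triage queue might use.
LABELS = ("TruePositive", "FalsePositive", "Benign")

# Constructed ground truth: 4 real threats, 3 false positives, 3 benign.
Y_TRUE = ["TruePositive"] * 4 + ["FalsePositive"] * 3 + ["Benign"] * 3

# Hypothetical outputs of two models with identical accuracy (9/10) but
# different error profiles: "rf" mislabels one true threat as a false
# positive, "xgb" mislabels one false positive as a true threat.
PREDICTIONS = {
    "rf": ["TruePositive"] * 3 + ["FalsePositive"] * 4 + ["Benign"] * 3,
    "xgb": ["TruePositive"] * 4 + ["FalsePositive"] * 2
           + ["TruePositive"] + ["Benign"] * 3,
}


def confusion_counts(y_true, y_pred, labels=LABELS):
    """Return {label: (tp, fp, fn)} using one-vs-rest counting."""
    pairs = Counter(zip(y_true, y_pred))
    counts = {}
    for c in labels:
        tp = pairs[(c, c)]
        fp = sum(n for (t, p), n in pairs.items() if p == c and t != c)
        fn = sum(n for (t, p), n in pairs.items() if t == c and p != c)
        counts[c] = (tp, fp, fn)
    return counts


def precision_recall_f1(tp, fp, fn):
    """Standard definitions; a class that was never predicted or has no
    support yields 0.0 instead of raising ZeroDivisionError."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = (2 * precision * recall / (precision + recall)
          if precision + recall else 0.0)
    return precision, recall, f1


def evaluate(y_true, y_pred, labels=LABELS):
    """Accuracy plus per-class (precision, recall, f1) and macro averages."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors differ in length")
    per_class = {
        c: precision_recall_f1(*counts)
        for c, counts in confusion_counts(y_true, y_pred, labels).items()
    }
    accuracy = sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)
    macro = [sum(m[i] for m in per_class.values()) / len(labels)
             for i in range(3)]
    return {
        "accuracy": accuracy,
        "per_class": per_class,
        "macro_precision": macro[0],
        "macro_recall": macro[1],
        "macro_f1": macro[2],
    }


def compare_models(y_true=Y_TRUE, predictions=PREDICTIONS):
    """Evaluate every model's predictions against the same ground truth."""
    return {name: evaluate(y_true, pred) for name, pred in predictions.items()}


if __name__ == "__main__":
    for name, report in compare_models().items():
        print(f"{name}: accuracy={report['accuracy']:.3f} "
              f"macro_f1={report['macro_f1']:.3f}")
        for c, (p, r, f) in report["per_class"].items():
            print(f"  {c:14s} precision={p:.3f} recall={r:.3f} f1={f:.3f}")
```

On this constructed data both models score 0.9 accuracy, yet "rf" has recall 1.0 on FalsePositive and 0.75 on TruePositive, while "xgb" has recall 1.0 on TruePositive and 0.667 on FalsePositive; macro F1 (0.905 vs 0.896) separates them where accuracy does not. When reading the article's 91.97% figure, the per-class recall on TruePositive and FalsePositive is the number a SOC should ask for, since a missed TruePositive and a missed FalsePositive carry very different costs.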
The results of the study can be applied when integrating the developed models into SIEM, SOAR, and other information security platforms for automated preliminary classification (triage) of events.
Copyright (c) 2025 МИКОЛА КОНОТОПЕЦЬ, ОЛЕКСАНДР ТУРОВСЬКИЙ, ОЛЕКСАНДР АКСАМИТНИЙ, АЛЕКСАНДРА МАТІЙКО (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.