DETECTION OF ATTACKS OF THE U2R CATEGORY BY MEANS OF THE SOM ON DATABASE NSL-KDD

Annotation. Creating an effective system for detecting network attacks requires qualitatively new approaches to information processing, based on adaptive algorithms capable of self-learning. The mathematical apparatus of the Kohonen self-organizing map (SOM) was used as the research method. The Kohonen SOM was implemented in the Python language with its wide range of modern standard tools; the resulting Python software model is named «SOM_U2R». Using the «SOM_U2R» software model on the NSL-KDD database, the error was studied for different numbers of epochs and different map sizes. The parameters of attack-detection quality were also studied on the «SOM_U2R» model. It was determined that on the created «SOM_U2R» software model the error of the second kind in detecting the network attack classes Buffer_overflow and Rootkit is 6 %, while for the class Loadmodule it reached 16 %. In addition, the F-measure was studied for different numbers of epochs of training the Kohonen SOM. It was determined that for all network attack classes (except Buffer_overflow) the F-measure increases, reaching its maximum value at 50 epochs.

On the one hand, neural networks with different topologies can detect different attacks, and false alarms do not always occur on the same network packets when they are analyzed by different types of neural networks. In addition, each type of neural network has advantages and disadvantages that must be taken into account or require additional research. For example, the RBF learns faster than the MLP, but the number of radial elements, their positions and their deviation values must be determined; the RBF model also requires somewhat more elements, so it runs slower and needs more memory than the MLP model.
On the other hand, attempts are being made to use neural networks at different levels. For example, in [11] the structure of a hypothetical complex is considered, consisting of five neural networks (NNs) of the multilayer perceptron type. In [9], existing datasets are reviewed; the most common of them is the NSL-KDD database, initiated by the US DARPA Agency on the basis of the KDD'99 database [7]. It should be noted that today there are a number of scientific papers by various researchers on the detection of network attacks in the DoS and Probe categories, but there is little work on the study of network attack classes in the R2L and U2R categories. According to [6], existing intrusion detection systems based on SOM have difficulties due to the long computation time and the low detection rate of U2R and R2L attacks.
In [3], two approaches to detecting network attacks are studied, one using a single neural network and one using a set of neural networks, on the basis of calculated quality indicators of attack detection, among which the errors of the first and second kind are important.
Setting task. The rapid development of computer networks and information technology gives rise to a number of problems related to the security of network resources, which require effective approaches. The use of neural network technology is the most rational, because neural networks have the following advantages: solving problems with unknown patterns; resistance to noise in the input data; adaptation to changes in the environment; potentially very high speed. The task of this paper is to identify network attack classes of the U2R category. U2R network attacks are system attacks in which an attacker starts with a normal user account on the system and tries to abuse vulnerabilities in the system to gain superuser privileges. This type of attack is

Step 1. Arrange the weight vectors of the nodes on the map in random order.
Step 2. Randomly select an input vector.
Step 3. Visit each node on the map.
Step 4. Use the Euclidean distance to measure the similarity between the input vector and the weight vector of a map node.
Step 5. Remember the node with the shortest distance as the Best Matching Unit (BMU).
Step 6. Update the weight vectors of the BMU and of the nodes near it by moving them toward the input vector according to the following formula, where: the proximity function; a(s) is the learning rate; D(t) is the target input vector; s is the current iteration; u is the index of the best matching node on the map; v is the node index on the map.
Step 7. Increase s and repeat until λ < s, where λ is the iteration limit.

The (Fig. 4) at around 50 epochs. For Buffer_overflow, the maximum value of the F-measure is observed at 30 epochs, but to ensure maximum efficiency in detecting network attacks the neural network must be stopped at 50 epochs, since the Rootkit and Loadmodule network attack classes show their best results at the 50-epoch mark, which sacrifices the further growth of the Buffer_overflow class.
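The following is an added example, not code from the paper or from its «SOM_U2R» model: a small pure-Python Kohonen SOM that walks through Steps 1 to 7 above, then labels each map node by the majority class of the training records it wins and computes the per-class error of the second kind and F-measure that the annotation uses to judge detection quality, including an F-measure sweep over several epoch counts like the epoch study described for Fig. 4. Because the Step 6 formula is absent from this text, the update rule used is the standard Kohonen rule w <- w + theta * a(s) * (D(t) - w) with a Gaussian proximity function theta over grid distance and an exponential decay of a(s) and of the neighbourhood radius; that choice is an assumption. The dataset is constructed inside the code (three scaled features per record, four classes named after the paper's attack classes) and is not NSL-KDD; the map size, decay schedule and function names are the example's own choices.

```python
import math
import random

def euclidean(a, b):
    """Step 4: Euclidean distance between an input vector and a node's weight vector."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class KohonenSOM:
    """Minimal rectangular Kohonen map following Steps 1-7 above (example code, not SOM_U2R)."""

    def __init__(self, rows, cols, dim, seed=0):
        rng = random.Random(seed)
        self.rows, self.cols = rows, cols
        # Step 1: every node starts with a random weight vector (inputs assumed scaled to [0, 1]).
        self.weights = [[[rng.random() for _ in range(dim)] for _ in range(cols)]
                        for _ in range(rows)]
        self.node_label = {}

    def bmu(self, x):
        """Steps 3-5: visit every node and return the grid position of the best matching unit."""
        best, best_d = (0, 0), float("inf")
        for r in range(self.rows):
            for c in range(self.cols):
                d = euclidean(x, self.weights[r][c])
                if d < best_d:
                    best, best_d = (r, c), d
        return best

    def train(self, data, epochs, lr0=0.5, seed=0):
        """Steps 2, 6, 7 with the standard Kohonen update (assumed; the paper's formula is absent)."""
        rng = random.Random(seed)
        radius0 = max(self.rows, self.cols) / 2.0
        limit = epochs * len(data)      # lambda: iteration limit, one input vector per iteration
        s = 0                           # current iteration
        while s < limit:                # Step 7
            x = data[rng.randrange(len(data))]      # Step 2: random input vector D(t)
            decay = math.exp(-3.0 * s / limit)
            lr = lr0 * decay                        # a(s): learning rate, shrinking over time
            radius = max(radius0 * decay, 0.5)      # neighbourhood radius, shrinking over time
            ur, uc = self.bmu(x)                    # u: grid index of the BMU
            for r in range(self.rows):              # v: every node on the map
                for c in range(self.cols):
                    grid_d2 = (r - ur) ** 2 + (c - uc) ** 2
                    theta = math.exp(-grid_d2 / (2.0 * radius * radius))   # proximity function
                    w = self.weights[r][c]
                    for k in range(len(w)):         # Step 6: w <- w + theta * a(s) * (D(t) - w)
                        w[k] += theta * lr * (x[k] - w[k])
            s += 1

    def label_nodes(self, data, labels):
        """Calibration: each node takes the majority label of the training vectors it wins."""
        votes = {}
        for x, y in zip(data, labels):
            counts = votes.setdefault(self.bmu(x), {})
            counts[y] = counts.get(y, 0) + 1
        self.node_label = {node: max(c, key=c.get) for node, c in votes.items()}

    def predict(self, x):
        return self.node_label.get(self.bmu(x), "unknown")   # node never won during training

def class_metrics(y_true, y_pred, cls):
    """Per-class precision, recall, error of the second kind (missed attacks) and F-measure."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == cls and p == cls)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != cls and p == cls)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == cls and p != cls)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_measure = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    type2_error = fn / (tp + fn) if tp + fn else 0.0
    return {"precision": precision, "recall": recall, "type2_error": type2_error, "f_measure": f_measure}

def make_dataset(n_per_class=40, seed=1):
    """Constructed toy data: three scaled features per record, standing in for NSL-KDD features."""
    rng = random.Random(seed)
    centres = {"normal": (0.15, 0.15, 0.20), "buffer_overflow": (0.85, 0.20, 0.80),
               "rootkit": (0.30, 0.85, 0.60), "loadmodule": (0.80, 0.80, 0.20)}
    data, labels = [], []
    for name, centre in centres.items():
        for _ in range(n_per_class):
            data.append([min(1.0, max(0.0, c + rng.gauss(0.0, 0.04))) for c in centre])
            labels.append(name)
    return data, labels

def evaluate(epochs, rows=5, cols=5):
    """Train a map for the given number of epochs and return the per-class quality metrics."""
    data, labels = make_dataset()
    som = KohonenSOM(rows, cols, dim=3)
    som.train(data, epochs)
    som.label_nodes(data, labels)
    preds = [som.predict(x) for x in data]
    return {cls: class_metrics(labels, preds, cls) for cls in sorted(set(labels))}

def sweep_epochs(epoch_counts=(10, 30, 50)):
    """F-measure per class for several training lengths, mirroring the paper's epoch study."""
    return {e: {cls: m["f_measure"] for cls, m in evaluate(e).items()} for e in epoch_counts}

if __name__ == "__main__":
    for epochs, scores in sweep_epochs().items():
        print(epochs, {cls: round(f, 3) for cls, f in scores.items()})
```

On the constructed clusters the map separates the four classes after a few dozen epochs, so the metrics are near perfect; the point of the block is the mechanics, namely that the error of the second kind is the share of records of an attack class that the map assigns to some other node label, and that the F-measure combines this miss rate with the precision of the nodes labelled as that class. Real NSL-KDD records would first need categorical fields (protocol, service, flag) encoded and all features scaled to [0, 1], and the epoch sweep would be run on a held-out split rather than on the training records.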