44, Nekrasovskiy, Taganrog, 347928, Russia.
Phone: 8 (8634) 371-905.
The Department of IT Security; post-graduate student.
681.324
E.S. Abramov, I.D. Sidorov
METHOD OF DETECTION OF DISTRIBUTED INFORMATION IMPACTS ON THE BASIS OF HYBRID NEURAL NETWORK
This paper describes the method of probabilistic suffix trees for detecting anomalous behavior of programs. A "fingerprint" of the normal behavior of applications is used in order to further detect anomalous behavior as something deviating from the model. Probabilistic suffix trees are used as the basic model.
Probabilistic suffix tree; PST; detection of abnormal behavior.

[1] - , . , .
150 ,
, [2], 50 ( ASCII-). , (telnet, ftp ..). [3].
. FTP- -
:
- FTP Username login
- FTP password attempt
- FTP password attempt
- FTP password attempt
- Disconnect from server
- Same FTP Username login
- FTP password attempt
- FTP password attempt
- FTP password attempt
- Disconnect from server
- Same FTP Username login
- FTP password attempt
- FTP password attempt
- FTP password attempt
- Disconnect from server
, (self-organizing map, SOM) .
SOM 51- -, .
150 . 50
( ASCII- ). ,
(telnet, ftp ..), , :
GET / HTTP/1.1 Host: global.ebay.com User-Agent: Mozilla; 80 - HTTP; Anonymous; 21 - ftp.
Matlab-a. Matlab Compiler .NET- save_vectors.dll. . ,
. , - , - , 50 - 50 . [0,1]. 150 . , - , . [0,1]. <yn,ya>, yn - -
, ya - .
. 1 , . 2 - 4 - .
. 5 , .
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4. ( 100 )
Fig. 5.

, . . - ї. 150 . :
- yn>0.7 ya<0.3, .
- yn<0.3 ya>0.7, .
- .
(ї, ї, ї) 150 .
Web-server, web-, ftp-, torrent-. .

1. . 33 000 (Web, torrent), 33 000 (FTP-bruteforce)
33 000 , DDoS- (TCP SYN Flood , ).
2. . (12 000 + 12 000 = 24 000 ) ( ). , , , - .
3. . . ~50 . [0,1]. ( ) 25 20 ( 25*20=500 , ).
150 . . , , . , , 150 . , - .
(150 , 500 ), 2. <1,0>, - <0,1>. , - , - .
- , - , - . - 21 7 ( ). - trainlm - ,
.
4. . . . , 0,3.
Fig. 6.
Parameters:
- packets_on_vector = 150;
- som_x = 25;
- som_y = 20;
- som_size = 500;
- cluster_step = 5;
- network layers: [21 7];
- transfer functions: ['tansig' 'tansig' 'purelin'].
Table 1
Vectors   Correct   Errors   Error rate
140       99        56       40%
360       326       34       9.4%
500       410       90       18%
Error rates: 40%, 9.4% and 18% respectively.
Table 2 (FTP brute force)
Vectors   Correct   Errors   Error rate
140       99        41       29.3%
140       137       3        2.1%
280       236       44       15.7%
Error rates: 29.3%, 2.1% and 15.7% respectively.
Table 3
Vectors   Correct   Errors   Error rate
140       138       2        1.4%
360       360       0        0%
500       498       2        0.4%
Error rates: 1.4%, 0% and 0.4% respectively.

Snort. Snort - , , , . , , , CGI , OS .. , ,
.
Snort :
1. , TCPdump.
2. .
3. .
. MySQL, .
Snort (^ ї), , . , . , . .
, DoS- , DoS- . . , -
2-3 . ,
( ) , . , , . .
1. . , , . (, , ), . - , ї . , , , .. , ї.
2. . -
, . , .
3. .
, . .
Snort rules:
# Druber - ftp hack
alert tcp any any -> $HOME_NET 21 (msg:"FTP Potential Brute Force Attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 20, seconds 60; classtype:suspicious-login; sid:3000002; rev:5;)
# cover other ftp daemons like freeftpd and warftpd
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; threshold:type threshold, track by_dst, count 5, seconds 300; sid:2002383; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sa brute force failed login unicode attempt"; flow:to_server,established; content:"PASS"; reference:url; threshold:type threshold, track by_src, count 6000, seconds 1200; priority:1; classtype:attempted-user; sid:2000001;)
, -, DoS- ,
.

1. Cannady, J. (1998) Applying Neural Networks to Misuse Detection. Proceedings of the 21st National Information Systems Security Conference, pp. 368-381.
2. . ., . ., . ., . . // VI - , - . - 2004, pp. 81-86.
3. http://neurnews.iu4.bmstu.ru/, accessed 03.12.2009.

Abramov Eugene Sergeevich
Taganrog Institute of Technology - Federal State-Owned Educational Establishment of Higher Vocational Education Southern Federal University.
E-mail: juic@mail.ru.
44, Nekrasovskiy, Taganrog, 347928, Russia.
Phone: 8(8634) 371-905.
The Department of IT Security; associate professor.

Igor D. Sidorov
Taganrog Institute of Technology - Federal State-Owned Educational Establishment of Higher Vocational Education Southern Federal University.
E-mail: idsidorov@gmail.com.
44, Nekrasovskiy, Taganrog, 347928, Russia.
Phone: 8(8634) 371-905.
The Department of IT Security; assistant.
004.056.53