<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">oo</journal-id><journal-title-group><journal-title xml:lang="ru">Открытое образование</journal-title><trans-title-group xml:lang="en"><trans-title>Open Education</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1818-4243</issn><issn pub-type="epub">2079-5939</issn><publisher><publisher-name>Plekhanov Russian University of Economics</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.21686/1818-4243-2026-2-4-17</article-id><article-id custom-type="elpub" pub-id-type="custom">oo-1170</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>УЧЕБНЫЕ РЕСУРСЫ</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>EDUCATIONAL RESOURCES</subject></subj-group></article-categories><title-group><article-title>Разработка модели машинного обучения для решения задачи классификации недопустимых событий информационной безопасности</article-title><trans-title-group xml:lang="en"><trans-title>Development of a Machine Learning Model for Solving the Problem of Classifying Unacceptable Information Security Events</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Добрецова</surname><given-names>Д. А.</given-names></name><name name-style="western" xml:lang="en"><surname>Dobretsova</surname><given-names>D. A.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Москва</p></bio><bio xml:lang="en"><p>Moscow</p></bio><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Российский экономический университет им. Г.В. Плеханова</institution><country>Россия</country></aff><aff xml:lang="en"><institution>Plekhanov Russian University of Economics</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2026</year></pub-date><pub-date pub-type="epub"><day>02</day><month>05</month><year>2026</year></pub-date><volume>30</volume><issue>2</issue><fpage>4</fpage><lpage>17</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Добрецова Д.А., 2026</copyright-statement><copyright-year>2026</copyright-year><copyright-holder xml:lang="ru">Добрецова Д.А.</copyright-holder><copyright-holder xml:lang="en">Dobretsova D.A.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://openedu.rea.ru/jour/article/view/1170">https://openedu.rea.ru/jour/article/view/1170</self-uri><abstract><p>Целью исследования является разработка и обоснование подхода к выявлению и классификации недопустимых событий информационной безопасности на объектах критической информационной инфраструктуры с использованием методов машинного обучения. Предлагаемый подход направлен на повышение эффективности идентификации недопустимых событий в условиях обработки больших объёмов разнородных данных и ограничений по времени реагирования.Актуальность исследования обусловлена ростом количества и сложности кибератак на объекты критической информационной инфраструктуры, а также необходимостью своевременного выявления событий информационной безопасности, способных привести к существенным негативным последствиям для устойчивости функционирования критически важных систем. Ограничения традиционных сигнатурных и экспертных методов, связанные с высокой динамикой событий и наличием шума в данных, требуют применения интеллектуальных методов обработки информации.Материалы и методы исследования. В работе использованы методы машинного обучения, статистического анализа и обработки данных событий информационной безопасности. В качестве исходных данных применены журналы событий и сетевой трафик реального объекта критической информационной инфраструктуры энергетического сектора. Разработана методика формирования обучающей выборки, включающая предобработку данных, экспертную разметку, отбор информативных признаков и балансировку классов. Для классификации недопустимых событий использован алгоритм случайного леса.Результаты. Экспериментальные исследования подтвердили эффективность предложенной модели по показателям точности, полноты и F1-меры при минимальном уровне ложноположительных срабатываний. Показана возможность практического применения предложенного подхода для автоматизации процессов мониторинга и выявления недопустимых событий на объектах критической информационной инфраструктуры.</p></abstract><trans-abstract xml:lang="en"><p>The aim of the study is to develop and substantiate an approach for detecting and classifying unacceptable information security events in critical information infrastructure systems using machine learning methods. The proposed approach is focused on improving the effectiveness of identifying unacceptable events under conditions of large-scale heterogeneous data processing and strict time constraints for response.The increasing number and complexity of cyberattacks targeting critical information infrastructure, as well as the need for timely detection of information security events that may lead to significant negative consequences for the stability of critical systems determine the relevance of the study. The limitations of traditional signature-based and expertdriven methods, caused by the high dynamics of security events and data noise, necessitate the use of intelligent data processing techniques.Materials and methods. The study employs machine learning methods, statistical analysis, and processing of information security event data. Event logs and network traffic of a real object of critical information infrastructure of the energy sector are used as initial data. A methodology for forming a training sample has been developed, including data preprocessing, expert labeling, informative features’ selection, and class balancing. A Random Forest algorithm was used to classify unacceptable events.Results. Experimental results demonstrate the effectiveness of the proposed model in terms of precision, recall, and F1-score with a minimal level of false positives. The findings confirm the practical applicability of the proposed approach for automating monitoring and detection of unacceptable information security events in critical information infrastructure systems.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>информационная безопасность</kwd><kwd>машинное обучение</kwd><kwd>критическая информационная инфраструктура</kwd><kwd>классификация событий</kwd><kwd>недопустимые события</kwd><kwd>поведенческий анализ</kwd><kwd>киберугрозы</kwd><kwd>автоматизация ИБ.</kwd></kwd-group><kwd-group xml:lang="en"><kwd>information security</kwd><kwd>machine learning</kwd><kwd>critical information infrastructure</kwd><kwd>event classification</kwd><kwd>unacceptable events</kwd><kwd>behavioral analysis</kwd><kwd>cyber threats</kwd><kwd>information security automation.</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Lee R. M., Assante M. J., Conway T. Analysis of the Cyber Attack on the Ukrainian Power Grid [Электрон. ресурс]. SANS Industrial Control Systems, 2016. Режим доступа: https://icscsi.org/library/Documents/Cyber_Events/E-ISAC%20-%20Analysis%20of%20the%20Cyber%20Attack%20on%20the%20Ukrainian%20Power%20Grid.pdf.</mixed-citation><mixed-citation xml:lang="en">Lee R. M., Assante M. J., Conway T. Analysis of the Cyber Attack on the Ukrainian Power Grid [Internet]. SANS Industrial Control Systems; 2016. Available from: https://icscsi.org/library/Documents/Cyber_Events/E-ISAC%20-%20Analysis%20of%20the%20Cyber%20Attack%20on%20the%20Ukrainian%20Power%20Grid.pdf.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Cybersecurity and Infrastructure Security Agency (CISA). DarkSide Ransomware: Best Practices for Preventing Business Disruption [Электрон. ресурс]. CISA Reports, 2021. Режим доступа: https://www.cisa.gov/sites/default/files/publications/AA21-131A_Darkside_Ransomware.pdf.</mixed-citation><mixed-citation xml:lang="en">Cybersecurity and Infrastructure Security Agency (CISA). DarkSide Ransomware: Best Practices for Preventing Business Disruption [Internet]. CISA Reports; 2021. Available from: https://www.cisa.gov/sites/default/files/publications/AA21-131A_Darkside_Ransomware.pdf.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Методика оценки угроз безопасности ФСТЭК России [Электрон. ресурс]. Режим доступа: https://fstec.ru/dokumenty/vse-dokumenty/spetsialnye-normativnye-dokumenty/metodicheskij-dokument-ot-5-fevralya-2021-g.</mixed-citation><mixed-citation xml:lang="en">Metodika otsenki ugroz bezopasnosti FSTEK Rossii = Methodology for assessing security threats of the Federal Service for Technical and Export Control of Russia [Internet]. Available from: https://fstec.ru/dokumenty/vse-dokumenty/spetsialnye-normativnye-dokumenty/metodicheskij-dokument-ot-5-fevralya-2021-g. (In Russ.)</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Евдокимова Д.А., Микрюков А.А. Актуальные задачи выявления недопустимых событий на объектах критической информационной инфраструктуры // Открытое образование. 2024. Т. 28. № 4. DOI: 10.21686/1818-4243-2024-4-33-42.</mixed-citation><mixed-citation xml:lang="en">Yevdokimova D.A., Mikryukov A.A. Actual tasks of identifying unacceptable events at critical information infrastructure facilities. Otkrytoye obrazovaniye = Open Education. 2024; 28: 4. DOI: 10.21686/1818-4243-2024-4-33-42. (In Russ.)</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Евдокимова Д.А., Микрюков А.А. Задача детектирования недопустимых событий информационной безопасности в информационной инфраструктуре // Открытое образование. 2025. Т. 29. № 1. DOI: 10.21686/1818-4243-2025-1-65-76.</mixed-citation><mixed-citation xml:lang="en">Yevdokimova D.A., Mikryukov A.A. The problem of detecting unacceptable information security events in the information infrastructure. Otkrytoye obrazovaniye = Open Education. 2025; 29: 1. DOI: 10.21686/1818-4243-2025-1-65-76. (In Russ.)</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">ML-модель [Электрон. ресурс]. Режим доступа: https://www.decosystems.ru/ml-model/.</mixed-citation><mixed-citation xml:lang="en">ML-model’ = ML model [Internet]. Available from: https://www.decosystems.ru/ml-model/. (In Russ.)</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Scarfone K., Mell P. Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94 [Электрон. ресурс]. Gaithersburg: National Institute of Standards and Technology, 2007. 127 с. Режим доступа: https://icscsi.org/library/Documents/Standards/NIST%20-%20800-94%20-%20Guide%20to%20Intrusion%20Detection%20and%20Prevention%20Systems.pdf.</mixed-citation><mixed-citation xml:lang="en">Scarfone K., Mell P. Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94 [Internet]. Gaithersburg: National Institute of Standards and Technology; 2007. 127 p. Available from: https://icscsi.org/library/Documents/Standards/NIST%20-%20800-94%20-%20Guide%20to%20Intrusion%20Detection%20and%20Prevention%20Systems.pdf.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Sommer R., Paxson V. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection [Электрон. ресурс] // IEEE Symposium on Security and Privacy. 2010. С. 305–316. Режим доступа: https://ai.nsu.ru/attachments/download/2429.</mixed-citation><mixed-citation xml:lang="en">Sommer R., Paxson V. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection [Internet]. IEEE Symposium on Security and Privacy. 2010: 305–316. Available from: https://ai.nsu.ru/attachments/download/2429.</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Chandola V., Banerjee A., Kumar V. Anomaly Detection: A Survey [Электрон. ресурс] // ACM Computing Surveys. 2009. Т. 41. № 3. С. 1–58. Режим доступа: https://vs.inf.ethz.ch/edu/HS2011/CPS/papers/chandola09_anomaly-detection-survey.pdf.</mixed-citation><mixed-citation xml:lang="en">Chandola V., Banerjee A., Kumar V. Anomaly Detection: A Survey [Internet]. ACM Computing Surveys. 2009; 41; 3: 1–58. Available from: https://vs.inf.ethz.ch/edu/HS2011/CPS/papers/chandola09_anomaly-detection-survey.pdf.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Siddiqui M. A., Wang M., Lee J. Detecting Internet Worms Using Data Mining Techniques [Электрон. ресурс] // Journal of Network and Computer Applications. 2008. Т. 31. № 4. С. 300–313. Режим доступа: https://www.researchgate.net/publication/228630212_Detecting_Internet_Worms_Using_Data_Mining_Techniques.</mixed-citation><mixed-citation xml:lang="en">Siddiqui M. A., Wang M., Lee J. Detecting Internet Worms Using Data Mining Techniques [Internet]. Journal of Network and Computer Applications. 2008; 31; 4: 300–313. Available from: https://www.researchgate.net/publication/228630212_Detecting_Internet_Worms_Using_Data_Mining_Techniques.</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Zuech R., Khoshgoftaar T. M., Wald R. Intrusion detection and Big Heterogeneous Data: A Survey [Электрон. ресурс] // Journal of Big Data. 2015. Т. 2. № 1. С. 1–41. Режим доступа: https://www.researchgate.net/publication/276397551_Intrusion_detection_and_Big_Heterogeneous_Data_a_Survey.</mixed-citation><mixed-citation xml:lang="en">Zuech R., Khoshgoftaar T. M., Wald R. Intrusion detection and Big Heterogeneous Data: A Survey [Internet]. Journal of Big Data. 2015; 2; 1: 1–41. Available from: https://www.researchgate.net/publication/276397551_Intrusion_detection_and_Big_Heterogeneous_Data_a_Survey.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Buczak A. L., Guven E. A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection [Электрон. ресурс] // IEEE Communications Surveys &amp; Tutorials. 2016. Т. 18. № 2. С. 1153–1176. Режим доступа: https://www2.cs.uh.edu/~acl/cs6397/Presentation/2016-IEEE-A%20survey%20of%20DM%20and%20ML%20methods%20for%20cyber%20security%20ID.pdf.</mixed-citation><mixed-citation xml:lang="en">Buczak A. L., Guven E. A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection [Internet]. IEEE Communications Surveys &amp; Tutorials. 2016; 18;2: 1153–1176. Available from: https://www2.cs.uh.edu/~acl/cs6397/Presentation/2016-IEEE-A%20survey%20of%20DM%20and%20ML%20methods%20for%20cyber%20security%20ID.pdf.</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Positive Technologies. Машинное обучение в информационной безопасности [Электрон. ресурс]. Режим доступа: https://www.ptsecurity.com/ru-ru/our-technologies/ml-tekhnologii/.</mixed-citation><mixed-citation xml:lang="en">Positive Technologies. Mashinnoye obucheniye v informatsionnoy bezopasnosti = Machine Learning Educational Resources in Information Security [Internet]. Available from: https://www.ptsecurity.com/ru-ru/our-technologies/ml-tekhnologii/.</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Использование машинного обучения для борьбы с DDoS атаками [Электрон. ресурс]. Режим доступа: https://habr.com/ru/articles/785942/.</mixed-citation><mixed-citation xml:lang="en">Ispol’zovaniye mashinnogo obucheniya dlya bor’by s DDoS atakami = Using Machine Learning to Combat DDoS Attacks [Internet]. Available from: https://habr.com/ru/articles/785942/. (In Russ.)</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Ангапов В.Д., Бобров А.В., Тимонин В.А., Вишняков А.С. Использование технологий машинного обучения в защите информационных систем // Наука, техника и образование. 2023. № 4(92). С. 20–26. DOI: 10.24411/2312-8267-2023-10401.</mixed-citation><mixed-citation xml:lang="en">Angapov V.D., Bobrov A.V., Timonin V.A., Vishnyakov A.S. Using Machine Learning Technologies to Protect Information Systems. Nauka, tekhnika i obrazovaniye = Science, Technology, and Education. 2023; 4(92): 20-26. DOI: 10.24411/2312-8267-2023-10401. (In Russ.)</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Machine Learning Based Network Vulnerability Analysis of Industrial Internet of Things [Электрон. ресурс]. Режим доступа: https://arxiv.org/abs/1911.05771.</mixed-citation><mixed-citation xml:lang="en">Machine Learning Based Network Vulnerability Analysis of Industrial Internet of Things [Internet]. Available from: https://arxiv.org/abs/1911.05771.</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">Как самому разработать систему обнаружения компьютерных атак на основе машинного обучения [Электрон. ресурс]. Режим доступа: https://habr.com/ru/articles/538296/.</mixed-citation><mixed-citation xml:lang="en">Kak samomu razrabotat’ sistemu obnaruzheniya komp’yuternykh atak na osnove mashinnogo obucheniya = How to develop a computer attack detection system based on machine learning [Internet]. Available from: https://habr.com/ru/articles/538296/. (In Russ.)</mixed-citation></citation-alternatives></ref><ref id="cit18"><label>18</label><citation-alternatives><mixed-citation xml:lang="ru">Breiman L. Random Forests [Электрон. ресурс] // Machine Learning. 2001. Т. 45. № 1. С. 5–32. Режим доступа: https://link.springer.com/article/10.1023/A:1010933404324.</mixed-citation><mixed-citation xml:lang="en">Breiman L. Random Forests [Internet]. Machine Learning. 2001; 45; 1: 5–32. Available from: https://link.springer.com/article/10.1023/A:1010933404324.</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
