Open Education

The Task of Detecting Unacceptable Information Security Events in the Information Infrastructure

https://doi.org/10.21686/1818-4243-2025-1-65-76

Abstract

The purpose of the study is to develop an advanced approach to solving the task of detecting unacceptable events in the field of information security to improve incident detection accuracy and reduce the number of false positives. An unacceptable event is defined as an event resulting from a cyberattack that either makes it impossible to achieve the strategic goals of an organization or significantly disrupts its core activities. The proposed solution for detecting unacceptable events is based on a neural network classifier trained on data related to unacceptable events, including attributes, precursors, and compromise indicators of unacceptable events. This solution provides comprehensive event analysis and reduces the likelihood of missing unacceptable events, making it particularly relevant for protecting critical information infrastructure. The relevance of the study is driven by the rapid increase in the number and complexity of cyberattacks and the necessity to implement automated threat detection methods associated with unacceptable events that lead to negative consequences. As cyber threats grow more complex and diverse, traditional detection methods are becoming increasingly ineffective, necessitating improvements in existing technologies to protect information systems.

The novelty of the proposed solutions lies in improving the accuracy of detecting unacceptable events through the use of machine learning methods and a neural network classifier, as well as reducing response time by utilizing the Elastic Stack tool for data collection, processing, aggregation, and visualization.

Materials and methods. To address the task of detecting unacceptable events, the Elastic Stack tool was employed, enabling the collection, aggregation, and visualization of event data. The primary analytical tool is a neural network classifier trained on a set of attributes, precursors, and compromise indicators of unacceptable events. The research methods include the application of event correlation mechanisms, anomaly analysis, and machine learning, all integrated into a unified system.

Results. A solution for detecting unacceptable events was proposed, based on the use of identified attributes, precursors, and compromise indicators of unacceptable information security events.

Conclusion. The identified attributes, precursors, and compromise indicators of unacceptable events provide an effective solution for detecting such events. The application of the proposed solution contributes to improving the protection of information systems and reducing risks associated with cyberattacks, which is particularly critical for ensuring the security of critical information infrastructure.
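As an added illustration, not code from the paper or its authors, the following Python sketch shows one way the pipeline described in the abstract could be realised: raw events are correlated per host into tumbling time windows and counted into a feature vector of attributes (privilege escalation, off-hours activity), precursors (failed logins) and indicator-of-compromise matches (file hashes, destination IPs), and a single logistic unit (the smallest possible neural classifier, trained by gradient descent) scores each window as an unacceptable event or not. The IoC values, the events, the training labels and the feature set are all constructed placeholders; the paper's actual attribute list, network architecture and Elastic Stack integration are not reproduced here.

```python
"""Added example: per-host event correlation plus a minimal neural classifier.

Everything below (IoCs, events, labels, feature choice) is constructed sample
data for illustration; none of it comes from the paper.
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed IoC set: placeholder hash and a TEST-NET-2 documentation address.
IOC_HASHES = {"deadbeef" * 8}
IOC_IPS = {"198.51.100.23"}

# Feature vector layout: precursors, IoC matches, attributes of the window.
FEATURES = ["failed_logins", "ioc_hash_hits", "ioc_ip_hits",
            "priv_escalation", "off_hours"]


def extract_features(events, window_minutes=30):
    """Correlation step: bucket events per host into tumbling windows and
    count precursors, IoC hits and attributes. Returns {(host, bucket): vector}."""
    buckets = defaultdict(lambda: [0, 0, 0, 0, 0])
    epoch = datetime(1970, 1, 1)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        bucket = int((ts - epoch).total_seconds() // (window_minutes * 60))
        vec = buckets[(ev["host"], bucket)]
        if ev["type"] == "auth_failure":
            vec[0] += 1                       # precursor: repeated failed logins
        elif ev["type"] == "file_hash" and ev.get("hash") in IOC_HASHES:
            vec[1] += 1                       # IoC: known-bad file hash seen
        elif ev["type"] == "net_conn" and ev.get("dst_ip") in IOC_IPS:
            vec[2] += 1                       # IoC: connection to known-bad address
        elif ev["type"] == "priv_escalation":
            vec[3] = 1                        # attribute: privilege escalation
        if ts.hour < 6 or ts.hour >= 22:
            vec[4] = 1                        # attribute: activity outside working hours
    return dict(buckets)


class LogisticUnit:
    """One neuron with a sigmoid output, trained by stochastic gradient descent."""

    def __init__(self, n_features):
        self.w = [0.0] * n_features
        self.b = 0.0

    def prob(self, x):
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, X, y, lr=0.05, epochs=1000):
        for _ in range(epochs):
            for x, target in zip(X, y):
                g = self.prob(x) - target     # gradient of log-loss w.r.t. z
                self.w = [wi - lr * g * xi for wi, xi in zip(self.w, x)]
                self.b -= lr * g

    def predict(self, x, threshold=0.5):
        return self.prob(x) >= threshold


# Constructed labelled windows in FEATURES order; 1 = unacceptable event.
TRAIN_X = [
    [5, 1, 1, 1, 1], [3, 1, 0, 1, 0], [0, 2, 1, 0, 1], [4, 0, 1, 1, 0],
    [1, 0, 0, 0, 0], [0, 0, 0, 0, 1], [2, 0, 0, 0, 0], [0, 0, 0, 1, 0],
]
TRAIN_Y = [1, 1, 1, 1, 0, 0, 0, 0]


def train_model():
    model = LogisticUnit(len(FEATURES))
    model.fit(TRAIN_X, TRAIN_Y)
    return model


def score_hosts(events, model, threshold=0.5):
    """Map each correlated (host, window) to a verdict; keyed by host for brevity."""
    return {host: model.predict(vec, threshold)
            for (host, _), vec in extract_features(events).items()}


# Constructed event stream: one host shows precursors, IoC hits and escalation
# at night; the other shows a single daytime failed login and a benign hash.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T02:05:00", "host": "srv-db-01", "type": "auth_failure"},
    {"ts": "2025-01-15T02:06:00", "host": "srv-db-01", "type": "auth_failure"},
    {"ts": "2025-01-15T02:07:00", "host": "srv-db-01", "type": "auth_failure"},
    {"ts": "2025-01-15T02:12:00", "host": "srv-db-01", "type": "priv_escalation"},
    {"ts": "2025-01-15T02:15:00", "host": "srv-db-01", "type": "file_hash", "hash": "deadbeef" * 8},
    {"ts": "2025-01-15T02:16:00", "host": "srv-db-01", "type": "net_conn", "dst_ip": "198.51.100.23"},
    {"ts": "2025-01-15T10:30:00", "host": "ws-042", "type": "auth_failure"},
    {"ts": "2025-01-15T10:31:00", "host": "ws-042", "type": "file_hash", "hash": "00" * 32},
]

if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS, train_model()))
    # -> {'srv-db-01': True, 'ws-042': False}
```

The correlation step is where most of the value sits in practice: a single failed login or an isolated off-hours event is not an unacceptable event, but several precursors and an IoC match on the same host inside one window is exactly the pattern the classifier is meant to surface. In a real deployment the feature extraction would run on documents pulled from Elasticsearch and the threshold would be tuned against the acceptable false-positive rate rather than fixed at 0.5.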

About the Authors

Darya A. Evdokimova
Plekhanov Russian University of Economics
Russian Federation

Evdokimova Darya Alexandrovna, Postgraduate student of the Department of Applied Informatics and Information Security, Moscow.


Andrey A. Mikryukov
Plekhanov Russian University of Economics
Russian Federation

Mikryukov Andrey Aleksandrovich, Candidate of Technical Sciences, Associate Professor of the Department of Applied Informatics and Information Security, Moscow.



For citation:

Evdokimova D.A., Mikryukov A.A. The Task of Detecting Unacceptable Information Security Events in the Information Infrastructure. Open Education. 2025;29(1):65-76. (In Russ.) https://doi.org/10.21686/1818-4243-2025-1-65-76

This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 1818-4243 (Print)
ISSN 2079-5939 (Online)