DESIGN OF ADAPTIVE SYSTEM OF DETECTION OF CYBER-ATTACKS, BASED ON THE MODEL OF LOGICAL PROCEDURES AND THE COVERAGE MATRICES OF FEATURES

The results of research aimed at the further development of models for detecting cyber threats, as well as common classes of anomalies and cyber-attacks, in mission critical computer systems (MCCS) are presented. It is shown that one of the promising directions for the synthesis of adaptive systems of detection and prevention of cyber-attacks is the application of models of logical detection procedures based on the coverage matrices of features of anomalies, threats and cyber-attacks within known and new classes of MCCS intrusions. A model for the detection of cyber-attacks, anomalies and threats to MCCS was designed, based on the application of learning samples in the form of matrices of features and elementary classifiers for each of the modeled classes. Studies were carried out on minimizing the number of training samples, represented in a binary form of discerning features. The program "Threat Analyzer" was developed, which automatically generates the dimensions of the training matrix of features of anomalies, cyber threats, or cyber-attacks without requiring the participation of experts. It is shown that, for object detection within known classes of cyber threats, attacks and anomalies, using representative sets 3-4 features long in the training matrices maximizes the effectiveness of the algorithm, which reaches up to 98 %.


Introduction
The global development of mission-critical computer systems (MCCS) in energy, industry, communications and transport, the infrastructure of major metropolitan areas, etc. requires constant monitoring of cyber threats, as well as of vulnerabilities in technical components and software. The imperfection of existing methods of cyber defense, as well as the changing nature of cyber-attacks, may lead MCCS to unsafe conditions. In addition, attackers are increasingly not individual hackers or groups of hackers, but the cyber armies of countries that are potential enemies. One of the priority areas for protection, contributing to the timely detection of cyber-attacks and prevention of their consequences, is the development of adaptive systems of detection and prevention of cyber-attacks (ASDCA). One of the promising and relevant directions of ASDCA synthesis is the application of models of logical recognition procedures based on the coverage matrix of features of anomalies, threats and cyber-attacks within existing and new classes of intrusion.

Analysis of scientific literature data and the problem statement
There are quite a large number of publications in this subject area. In particular, the papers [1][2][3] present reviews of methods of anomaly detection, with proposed principles for classifying detection methods based on machine learning and statistical analysis. An overview of modern machine learning methods for cyber-attack recognition systems (CARS) is well presented in the works [4][5][6]. However, certain methods,
The methods of computational intelligence, in particular neural networks (NN), for the tasks of detecting cyber-attacks are described in the works [16,17]. The works [13,18] describe models and methods of adapting genetic algorithms to the task of detecting cyber-attacks. The works [19,20] describe computational immune systems, which can be used for the task of setting up ASDCA.
The Bayesian network for ASDCA described in [21] is a model enabling the collection of snapshots of MCCS performance every few seconds for subsequent analysis. The work [22] considers the possibility of applying MAR splines in ASDCA, enabling an exact approximation of the behavior of a standard user, or of the attacking side, to be built according to specified parameters. A large number of works are devoted to statistical analysis of data in ASDCA [15,23], to signature models [24], and to theoretical aspects of the use of Markov chains [5,6,24] and Petri nets [25] in cyber-attack recognition systems.
A typical flaw of most of the CARS described in [17,19,20,24] is faulty triggering, because almost always only one detection technology is involved in these systems (as a general rule, identification of attacks). According to many authors [8,10,12,16,24,26,27], the most promising direction in the development of methods for detecting cyber-attacks and anomalies is a combination of existing approaches in adaptive hybrid CARS with a capacity for self-learning.
The cited works are of definite interest for solving the tasks of providing cyber defense of MCCS and developing systems for detecting cyber-attacks, but they do not solve the problem of accounting for hard-to-explain and loosely connected features of threats, attacks and anomalies. Thus, further research is needed, aimed at developing methodological and theoretical bases for the creation of adaptive systems of detection of cyber-attacks, capable of fast learning or self-learning, and providing sustainable functioning of MCCS as an integral part of the cybersecurity of the state.

The purpose and objectives of the study
The purpose of the study is to design a model for training the adaptive system of detection of cyber-attacks (ASDCA) under development, based on the use of the apparatus of logical functions and elementary classifiers. The model allows taking into account the hard-to-explain features of threats, attacks and anomalies in critically important computer systems, and it also reduces the time required for training ASDCA as the number of cyber threats increases.
To achieve the objectives of the work, the following tasks must be solved:
− to design a model of logical procedures of detection of anomalies and cyber-attacks, based on the coverage matrices of features and the concept of an elementary classifier;
− to minimize the number of training samples for the features which are located in the ASDCA repository.

The model of logical procedures of detection of anomalies and cyber-attacks based on the coverage matrices of features
To create an effective system of cyber defense (SCD) of MCCS, the choice and implementation of adequate technical components must be preceded by a stage of description, analysis and modeling of cyber threats and vulnerabilities of MCCS. Thus, it is clear that cyber threats must first be recognized, identified and categorized.
Incomplete initial data about cyber threats to MCCS have a dual quality. First, there is the lack of prehistory (sometimes partial), including at the level of data about the structure of the entire object of a cyber-attack [12,14,23,24], prior to the start of activities of the attacking side. Second, there are limited capabilities for monitoring a concrete target of a cyber-attack and identifying the threats belonging to a particular class. In an extreme case, only the general multitude of threats to information security (IS) of MCCS and the ways to implement them are known in advance. Incomplete monitoring and evaluation of IS incidents in adverse events means that the subject can only assess the feedback from the object from the point of view of its preference.
However, when new cyber threats and vulnerabilities to MCCS occur, such an approach may not always contribute to effective protection against the attacks. So we shall consider below a model of logical procedures for detection of cyber-attacks (cyber threats, anomalies) (LPDCA) to MCCS, proposed in this work.
Let there exist a set of cyber threats to MCCS; a general classification of threats is provided in [2,4,15,24]. The indicator of danger of each cyber threat depends on the values of a set of factors that increase or decrease the protection of MCCS from a given threat. The indicators decreasing the protection of MCCS are considered to be risk indicators [24], and those increasing it are protection indicators [4,6]. To formalize the dependency of the degree of protection of MCCS on the corresponding values, one can apply one of the following approaches [16,19,24]:
1) a cyber threat within a class depends on one indicator, i.e. a one-to-one correspondence exists between the degree of threat and the values of the indicator (factor);
2) a cyber threat depends on the values of many indicators;
3) the same indicators influence the degree of protection of MCCS not from one but from many kinds of cyber threats.
To ensure clarity, completeness and integrity of classification, we introduce the following requirements to the classification of cyber threats:
- disjoint classes of threats (it defines the uniqueness of class selection based on an external rule, allowing to make a decision);
- applicability (adding a class should not cause splitting more than one class in two parts);
- objectivity (presence or absence of a class must be confirmed by known classifications);
- extensibility (adding a class is possible by splitting existing classes);
- the number of classes is finite.
The information to be taken as the basis for building classifiers of cyber threats for adaptive systems of detection of cyber-attacks (ASDCA) may be presented in different forms, for example in the form of hard-to-explain features of anomalies in the performance of the system, of a cyber-attack or of a threat to IS of MCCS. The following indicators can be used for this purpose: threshold values of parameters of incoming and outgoing traffic; unintended packet addresses; attributes of database queries, etc. As the attack grows in complexity, the information features can become rather blurred.
For example, in the course of a complex cyber-attack in late December 2015 on the MCCS of the power system of Ukraine in Ivano-Frankivsk Region, the operator on duty at the power substation's computer center saw the cursor arrow on the display shift, though he had not touched the mouse. The cursor then moved to the virtual switch responsible for the physical switch and switched it. The operator was not able to log in at that time. The investigation showed the attack had been prepared over an extended period (not less than six months). The hackers first embedded BlackEnergy 3 software into computers of the substation, and then a malicious program claiming control of the power substations. In addition to the introduction of the virus, the attacking side launched a snowballing flow of calls to the call center of "Prikarpattyaoblenergo" so that people could not report interruptions of power supply. Simultaneously, 30 substations were cut off.
In the general case, the problem of detection of anomalies, cyber-attacks or threats to MCCS boils down to the following [1,3,9,14,24,28,29]. A certain set of objects is explored; in our case this is PA − the number of possible targets from the side that attacks MCCS. The objects of this set are described by the features $\{s_{ax1}, \ldots, s_{axn}\}$, represented, for example, in a binary form. It is known that the set PA is displayed in the form of the combination of disjoint subsets (classes) of cyber threats to MCCS, $(CT_1, \ldots, CT_l)$. Let us assume that there is a finite set of objects $\{ss_{a1}, \ldots, ss_{am}\}$ from PA, about which we know which classes of anomalies, attacks or threats they belong in (these are precedents, i.e. the objects used for training, OUT). It is required, based on a set of values of features specified in the OUT, i.e. the description of a certain object $ss_{an}$ from PA, to identify this class and to adjust the performance of ASDCA for MCCS accordingly. It is not known in advance to which class the object can be attributed.
A distinctive feature of the logical procedures examined in the work is the ability to obtain a reliable result when there is no a priori information about the function of distribution of existing values of features of a threat, cyber-attack or anomaly. Hereinafter we shall refer to such procedures as logical procedures. And there is no need to specify the so-called metrics in the space of object descriptions, characterizing each class. Therefore, for each feature of a cyber-attack (anomaly, threat, vulnerability, etc.), a binary function of similarity between its values is defined, allowing distinguishing objects and their representations (sub descriptions).
As the informative fragments, it is advisable to use only those fragments in the ASDCA that reflect typical patterns in the descriptions of the objects used for training (OUT). Therefore, the presence (absence) of such fragments in the categorized object allows determining its belonging in the class. When the logical procedures of detection of cyber-attacks (LPDCA) are applied, we also accept as informative those fragments that are found in the descriptions of the objects of the same class of cyber-attacks, but missing from the descriptions of objects from other classes. The fragments used include also a meaningful description of the OUT in terms of designing ASDCA.
To build LPDCA, the so-called elementary classifiers (EC) [16,19,21,28,29] are used. EC is a fragment that briefly describes the object and which is used for training ASDCA. For the objects under consideration (cyber threats, anomalies, vulnerabilities, etc.) $(CT_1, \ldots, CT_l)$, many EC with preset properties are designed. We believe that, firstly, in the OUT it is advisable to use the classifiers that are present in the descriptions of the objects of the same class but absent in the descriptions of other classes' objects. Secondly, the aggregate of features and classifiers, characterizing all the objects of the analyzed class, are to be applied to the OUT.
The next problem when designing ASDCA is the presence of the OUT in the sample with characteristics, which are bordering different classes of cyber-attacks $(CT_1, \ldots, CT_l)$. Each of these OUT is not atypical for its class, because its description is not similar to the informative representations of the OUT from other classes. The presence of atypical OUT in the training sample increases the length of the informative representations that distinguish objects from different classes. And since the long informative descriptions are less often present in new objects, this increases the share of unrecognized cyber-attacks (cyber threats, anomalies, vulnerabilities) in MCCS, which is particularly characteristic for the sophisticated types of cyber-attacks discussed above.
The algorithms of the synthesis of workable implementations for LPDCA depend directly on the success of the research of metrical (quantitative) properties of many informative fragments, i.e. the features of a cyber-attack (cyber threat, anomaly, vulnerability). And it is necessary to transform the incoming uncategorized training matrix (OUT) into a categorized one and to design, in a training mode, a clear division of the features space of detection into the classes of detection $CT_m^0$, $m = \overline{1, M}$, where M is the power of the alphabet of classes.
Technically, it appears difficult to implement the following tasks in ASDCA:
1) to calculate the asymptotic estimate of the number of blind coverings for integer matrix of the object's features;
2) to calculate the asymptotic estimate of accepted and maximum values of conjunctions of Boolean function that can be applied to the synthesis of schematic-technical solutions of the ASDCA hardware for MCCS.
Let us consider the task of designing LPDCA based on the principle of "nonoccurrence" of sets of acceptable values of the features of cyber-attacks (cyber threats, anomalies, vulnerabilities).
Let us define: $Q$ - total number of cyber threats to MCCS; $B_{s_a}$ - set of numbers of cyber threats, implemented by an attacking side for achieving $a_p$ - target of the cyber-attack; $NP_{s_a}$ - an acceptable set of discrete features (of threat, anomaly, cyber-attack, etc.) in the
In order to solve the system (2), the parameters
An alternative way to improve correctness of the performance of the algorithm is the path of selection of the system of reliable reference sets for the object detection (anomalies, threats, vulnerabilities, or cyberattacks). For example, to choose a sample in such a way so that the condition
It should be mentioned at this point that at present the most aggressive method to test the effectiveness of SPI of MCCS against various cyber-attacks or attempts of unauthorized access (UAA) is the penetration tests, during which the side performing the role of the attacker can use all modern arsenal of means and ways of overcoming the cyber defense mechanisms of MCCS. The obtained results are subjected to comprehensive analysis that eventually improves the SPI of MCCS, eliminates vulnerabilities and replenishes the knowledge base on threats, anomalies in the systems' performance.
Let us define as MC - combination of all EC which were obtained by the totality of features from { }
for example, the matrix of features, available in the ASDCA repository, will look like this
Thus, a set of objects to be tested, belonging in a class, is specified by the binary features {1001…-01}. The dash points to the uncertainty of a feature in OUT.
Each algorithm used for detection in MCCS of cyber-attacks, threats, anomalies or vulnerabilities of MCCS, within a class, is specified as -АL.).σ = σ σ
The situation corresponding to property 1 occurs rarely in ASDCA. Therefore, to apply groups of features, which the property 1 refers to, is impossible in SDCA of MCCS. Property 2 characterizes only a certain subset of OUT in the considered classes of objects. The situation described by property 3 involves the use of all the objects from CT. Thus when the class CT is considered in ASDCA without an association with another class, it can be assumed that the groups of features within the range of property 3 will be more informative. Then in situation 3, the argument in favor of the object $ss_a$ belonging in the class can be the values of the features of the group that are missing in all the objects belonging in class CT.
In the models described in the works [20,24], the methodology of designing EC i DOP σ for a specific class of cyber-attacks, threats, anomalies or vulnerabilities of MCCS is based on the synthesis of coverage matrices i DOP , σ which is formed by the OUT descriptions for CT. The use of such models [24,27] allows reducing to some extent the computational costs in the work of the algorithms, for example, when inequality | CT | | CT | < is performed, particularly when there is a large number of classes of cyber-attacks, threats, anomalies or vulnerabilities to MCCS - ℜ
During the study, the results of which are described in the work [27], it was justified that the most economical was the variant to use the algorithm for calculating the conjunctions for coverage of the class of a corresponding object (cyber threat, vulnerability or attack).
Then the distinctive (characteristic) function of the CT class will be presented in the form of a function of algebra of logic (Boolean function) $F_{KL}$, which equals zero (0) on the information descriptions of object an
Thus, obtaining LPDCA and sets of EC for the modelled class of objects (cyber threats, anomalies or cyber-attacks) is reduced to the following:
1) we set the distinctive function;
2) we find DNF (or ADNF) that implements this function;
3) we find acceptable (maximal) conjunction ℜ that defines the belonging of the object in the class under consideration.
Since EC and OUT are limited in quantity, the following rules of training were used in ASDCA. Let there exist an a priori categorized training matrix in the form of OUT is
where N, n is the number of features of detection (for example, of an attack) and tests, respectively. It is necessary to modify a training matrix for OUT under the condition of minimizing the number of features, its columns and rows, in accordance with the following rules of training:
I(s ) 1 (P P log P );
H is the number of events that characterize the belonging of the OUT implementations to the combination of features for EC of the considered class of objects (anomalies, threats, cyber-attacks) and the number of events that characterize the affiliation of the OUT implementations to the combination of features for EC of a "foreign" class of objects, respectively;
$\zeta_b, \zeta_t$ - upper and lower control tolerances for a feature;
$\Delta_{m,i}^{(j)}$ - selected mean value of the i feature in the vectors of OUT of the basic class of object;
$I(s_{ax_i})$ - informational content of the feature within the limits of the class of an object;
$G$ - the number of gradations of the feature of an object;
$P_i$ - the probability of the i-th gradation of the feature;
$P_{i,ct}$ - the likelihood of the occurrence of the i-th gradation of the feature in the class of objects CT.
Thus, the algorithm of training ASDCA consists of an iterative procedure of finding the DNF for the distinctive function of the object of detection from the feature matrix (3) and minimizing the number of features, columns and rows of the OUT matrix (4) to its limit value, which includes the acceptable (maximal) conjunction that defines the belonging of the object to the studied class of anomalies, threats and cyber-attacks.
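An added illustration of the elementary classifiers described in this section (not code from the paper or from Threat Analyzer): from a small constructed binary training matrix it builds the minimal feature fragments that occur in one class and in no other, then classifies objects by a vote over them and refuses to decide on a tie. The feature columns s0..s3, the `None` marker for an uncertain feature (the dash in the matrix notation) and the unweighted vote, with every significance parameter taken as 1, are assumptions.

```python
from itertools import combinations

# Constructed training matrix (OUT): binary feature vectors grouped by class.
# Class labels reuse attack classes named on the page; the four features
# s0..s3 are hypothetical placeholders (e.g. "traffic above threshold").
TRAINING = {
    "DoS": [(1, 1, 0, 0), (1, 0, 0, 0)],
    "R2L": [(0, 1, 1, 0), (0, 1, 1, 1)],
    "U2R": [(0, 0, 0, 1), (0, 1, 0, 1)],
}


def fragments(row, length):
    """All sub-descriptions of `row` over `length` known features,
    each written as a tuple of (feature_index, value) pairs."""
    known = [(i, v) for i, v in enumerate(row) if v is not None]
    return combinations(known, length)


def matches(row, fragment):
    """True if `row` carries every (feature, value) pair of `fragment`.
    An uncertain feature (None) never matches."""
    return all(row[i] == v for i, v in fragment)


def elementary_classifiers(training, max_len=3):
    """For each class, the minimal fragments of up to `max_len` features that
    occur in at least one object of the class and in no object of another."""
    result = {}
    for label, rows in training.items():
        foreign = [r for other, rs in training.items() if other != label for r in rs]
        found = []
        for length in range(1, max_len + 1):
            candidates = {f for row in rows for f in fragments(row, length)}
            for frag in sorted(candidates):
                if any(set(ec) <= set(frag) for ec in found):
                    continue  # a shorter classifier already covers this fragment
                if not any(matches(r, frag) for r in foreign):
                    found.append(frag)
        result[label] = found
    return result


def classify(obj, ecs):
    """Unweighted vote: count the elementary classifiers of each class that
    are present in `obj`. Returns (label, votes); label is None when no
    class wins outright, i.e. the procedure refuses to decide."""
    votes = {label: sum(matches(obj, ec) for ec in found)
             for label, found in ecs.items()}
    best = max(votes.values())
    winners = [label for label, v in votes.items() if v == best]
    label = winners[0] if best > 0 and len(winners) == 1 else None
    return label, votes


if __name__ == "__main__":
    ecs = elementary_classifiers(TRAINING, max_len=2)
    for label, found in ecs.items():
        print(label, [" & ".join(f"s{i}={v}" for i, v in ec) for ec in found])
    # A known R2L pattern, an object with two uncertain features, and a
    # borderline object that carries one classifier of every class.
    for obj in [(0, 1, 1, 0), (1, None, 0, None), (1, 0, 1, 1)]:
        print(obj, classify(obj, ecs))
```

The borderline object `(1, 0, 1, 1)` matches one classifier from each class, so the vote is tied and no class is returned; this is the situation the section describes for objects whose characteristics border several classes.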

The program of the search of the minimally needed numbers of features of detection for different classes of cyber-attacks
In the course of the research, a program, Threat Analyzer, was designed for evaluating the complexity of the algorithm that searches for the minimally needed number of features for different classes of cyber-attacks, threats and anomalies, Fig. 1-3.
Form 1 sets the analyzed classes of attacks and anomalies, Fig. 1. Form 2 shows the calculation results for training matrices in the form of OUT, taking into account the information content of each of the 3-21 features. Form 3 visualizes the results of the calculation in the form of histograms, as well as the evaluation of the complexity of the algorithm of forming OUT depending on the class of an attack (anomaly, threat), Fig. 3.
The modelling allowed drawing the conclusion that objects belonging to different classes of anomalies, threats or cyber-attacks are often difficult to separate from each other. A rather large number of features (for certain classes of cyber-attacks, up to 50 %) have an information weight almost equal to zero. In the case of using a set of features for the formation of the OUT, it is advisable to reject the requirement of its futility. This is done in order to increase the speed of the algorithm.
For example, in the case of an increase in the number of features from 3 to 6, the average number of checks per object ranged from 150 to 800, respectively. The use of representative sets with a length of 3-4 features in the matrices of OUT made it possible to achieve maximum efficiency of the detection algorithm for the majority of the known anomalies, cyber-attacks and threats. In the situation when the features of the class of an object (e.g., cyber-attack) were positioned according to decreasing information content (I), for every object there was a combination of features with greater information content and then the information content of the group decreased smoothly, Fig. 4. Thus the less meaningful features (PS<60 %) were not included in OUT.
The following feature of the matrix forming the OUT was identified. The information content of the control set formed by two features characteristic of different classes of attacks, such as DoS/DDoS, U2R, R2L, may describe the object of detection better than each of the features and the EC class separately. And the level of detection of cyber-attacks for which the training matrices of OUT were compiled ranged from 25 % to 30 % for 2 features, 85-87 % for 3-4 features, and 92-98 % for 5-9 features, Fig. 5. Thus the OUT, described by a fragment of 2-3 features belonging to different classes of objects, described the studied class better than each of the features separately. For example, in the tasks of assessing the impact of a cyber-attack on the satellite navigation systems of transport MCCS, the most informative was the following group of features: 1) signal level (because the GPS signal at the Earth's surface is around 163 dBW, while the signals of simulators tend to be higher, which may indicate an attack); 2) the same level of signal from different satellites (signals of different GPS satellites tend to differ significantly). The features of noise and the satellites' numbers were less informative, although a joint application in the OUT of all the described features did not lose, in terms of combined information content, to the more significant feature, the level of signal.
The research compared the effectiveness of the proposed model based on the criterion of average number of rules for training, Table 1.
The information about the features of detection of the objects (cyber-attacks) was received from various sources (sensors) of MCCS software and hardware. In particular, reports about attacks generated by the integrated antivirus technologies were considered, and log files were analyzed, as well as dumps of RAM and PC, hard drives' reports, system entry logs, databases, queries, and so forth. Some of the features of the attacks were adopted according to [28,29].
Note: * - according to data [1,2,15,24,28,29]; ** - features and their information content according to data [28,29]; *** - according to data [1,2,16,24]; **** - according to data [6,8,15,19,24]
Fig. 3. The interface of the program Threat Analyzer, form 3
To test the effectiveness of the proposed model, a series of experiments was conducted for the main attacks shown in Table 1. An example of test results for attacks on SCADA systems is shown in Fig. 6.
It was experimentally found that, compared to the methods of consecutive exhaustive search of features and statistical algorithms of states, the proposed model allows:
- reducing the number of necessary rules of object detection within a class by 2.5-12 times (depending on the class of objects: anomalies, cyber-attacks, threats);
- reducing by 7-9 % the time of detection of anomalies and cyber-attacks.
In the test mode of training ASDCA, the rational number of steps of training OUT for the proposed model amounted to $w \approx 3000$ for the known classes of objects and $w \approx 3500 \ldots 4500$ for more sophisticated cyber-attacks and anomalies.

Discussion of the results of the model testing and prospects for the further research
The complexity of training ASDCA using the apparatus of logical functions and EC relates solely to the stage of obtaining DNF out of maximal conjunctions of distinctive function for each of the classes.
The effectiveness of the application of the designed model will increase as more informative features are included in a representative set of OUT and as more copies join the original matrix of data characterizing a certain class of anomalies, attacks or cyber threats. With a small number of features in OUT, the effect of the model's implementation will be negligible. Thus, the prospects of further research are in the improvement of the knowledge base of features in the form of their matrix representation, as well as in studying the model on a larger number of objects stored in the ASDCA repository.
The designed model, compared to the results obtained for the models presented in Table 1, requires a significantly smaller number of necessary features for categorization of threats, while reducing the training time of adaptive SDCA. In addition, the developed program Threat Analyzer can automatically create the dimensions of the training matrix of features of anomalies, cyber threats or cyber-attacks, without requiring the participation of experts.
Scientific and practical results of the research in the form of hardware and software applications and methodical materials have been implemented at the State Enterprise "Design and Construction Technological Bureau of Automating of Systems of Control of Railway Transport of Ukraine" of the Ministry of Infrastructure of Ukraine, as well as in the departments of information security of several computer centres of industrial and transport enterprises.
At present, based on the proposed model and the test results, a decision-making support system and an expert system are being developed, capable of adaptation and self-learning in the process of solving complex tasks of providing cyber defense of MCCS.

Conclusions
As a result of the research:
- the model of detection of cyber-attacks, anomalies and threats to mission critical computer systems was designed, which is based on the application of training samples in the form of feature matrices and elementary classifiers for each of the modeled classes;
- studies were carried out on minimizing the number of training samples from the informative features for the ASDCA being developed. It was found that for detection in training matrices of OUT it was sufficient to use representative sets 3-4 features long. The effectiveness of detection of anomalies and cyber-attacks reached 98 %. The proposed model reduces the number of necessary rules for ASDCA by 2.5-12 times and reduces the time of detection of anomalies and cyber-attacks by 7-9 %.
..,s } form. The algorithm for calculating the value (ACV) of the significance of a feature for ASDCA can be presented as follows. Let us define the combination of subsets of the features of OUT. We assume the subsets defined being the reference for ACV. Their total combination is $\Omega_Q$. Let us assign additional parameters: $po_{ss_a}$ - the significance of the target of an attack (object) $ss_{ai}$, $i = 1, 2, \ldots, PA$; $po_{NP_{s_a}}$ - the significance of the object of the referent set $NP_{s_a} \in \Omega_Q$. Let us calculate for each class of cyber-attacks on MCCS $CT \in \{CT_1, \ldots, CT_l\}$ the value of belonging $E(ss_a, CT)$ of the object $ss_a$ to the class CT, which has the form:
the class with the highest value $E(ss_a, CT)$. If there are many similar classes, then the algorithm refuses to detect further. To improve the correctness of the algorithm, it is necessary to solve a system of inequalities of the following type:
,CT ) E(ss ,CT ).
should be selected. In a situation when the system is incompatible, one must find the subsystem that is maximally compatible with it. Then determine the values $po_{ss_{ai}}$ and $po_{NP_{s_a}}$ out of the solution of this subsystem.
valid. One can do it in the following way. Let us assume considered satisfying the requirements of the test, if for any OUT $ss'_a, ss''_a$ and belonging in different classes at that, the condition $BN(ss'_a, ss''_a, NP_{s_a}) = 0$ holds true. Thus, our test is a combination (a group) of features, according to which only any two objects from different classes differ.
ℜ - interval of truth of elementary conjunction ℜ.
When designing LPDCA, it should be noted that the definition of the set of EC boils down to finding acceptable and maximal conjunctions for a distinctive function of the class of object CT (i.e., cyber threat, anomalies, cyber-attack, etc.). And this function is a two-valued Boolean function that takes different values in OUT from
cyber-attack in MCCS, is carried out on the basis of the results of calculation by elementary conjunctions -.
for $F_{CT}$ conjunction will match the class coverage. Maximal for $F_{CT}$ conjunction will correspond to blind coverage. The acceptable ℜ in the matrices of features of the objects will determine the belonging of a specific ob-
In our case, the search for abbreviated disjunctive normal form of a function (ADNF) boils down to obtaining ADNF for $F_{CT}$, which takes the value 0 on the sets from CT F B and the value of 1 on the rest of the sets Q CT E . Once the ADNF for $F_{CT}$ is received, the conjunctions , ℜ which do not have the property deleted out of it. For example, obtaining ADNF of the logical function is possible by way of transforming conjunctive function of the type
2,...,r , BN(ss ,ss , NP ) 0 if else .

Fig. 6. Compared effectiveness of the proposed model for the detection of attacks on SCADA systems (N - the number of features; w - the number of training steps of ASDCA)
Let us suppose that a series Z of measurements of the values of the controlled features in MCCS was performed, and we received the matrix of features:

Table 1
Average number of rules, matrices and training steps of ASDCA for detection of typical classes of cyber-attacks in MCCS