DEVELOPMENT OF ADAPTIVE EXPERT SYSTEM OF INFORMATION SECURITY USING A PROCEDURE OF CLUSTERING THE ATTRIBUTES OF ANOMALIES AND CYBER ATTACKS

Over the last decades one of the most urgent problems of society has been information security (IS) and its component – cyber security (CS), on which, in particular, is dependent the functioning of all modern computer systems (CoS) in industry, energy, communication, transport, etc. As the experience of recent years demonstrates, cybercriminals are increasingly using unique, not yet known for the IT-industry, malware, vulnerabilities and ways of cyber-attacks. Resisting a constant growth in the quantity and complexity of destructive effects on CoS is possible, using in particular adaptive intelligent systems of recognition of cyber threats (SIRCT). The term “adaptation” for SIRCT may be interpreted as a process of purposeful change of the structure of algorithm or system parameters in order to improve the efficiency of its functioning. The relevance of the work is in the creation and examination of adaptive expert system (AES) of recognition of complicated anomalies and cyber-attacks. The system under design is based on the models and intelligent technologies of learning and makes it possible to increase the probability of detecting sophisticated targeted cyber-attacks.


Introduction
Over the last decades one of the most urgent problems of society has been information security (IS) and its component, cyber security (CS), on which, in particular, depends the functioning of all modern computer systems (CoS) in industry, energy, communication, transport, etc. As the experience of recent years demonstrates, cybercriminals are increasingly using malware, vulnerabilities and ways of cyber-attacks that are unique and not yet known to the IT industry. Resisting the constant growth in the quantity and complexity of destructive effects on CoS is possible using, in particular, adaptive intelligent systems of recognition of cyber threats (SIRCT). The term "adaptation" for SIRCT may be interpreted as a process of purposeful change of the structure of the algorithm or of the system parameters in order to improve the efficiency of its functioning.
The relevance of the work is in the creation and examination of an adaptive expert system (AES) for the recognition of complicated anomalies and cyber-attacks. The system under design is based on the models and intelligent technologies of learning and makes it possible to increase the probability of detecting sophisticated targeted cyber-attacks.

Literature review and problem statement
The growing interest in investigating the topics of CS and IS has led in the last decade to a surge of research into de-

T. Petrenko
Senior Lecturer*, E-mail: mail_taras@ukr.net

S. Zaitsev
Doctor of Technical Science, Associate Professor**, E-mail: serza1979@gmail.com

V. Bazylevych
PhD, Associate Professor*, E-mail: bazvlamar@gmail.com

*Department of Cybersecurity and Mathematical Simulation***
**Department of Information and Computer Systems***
***Chernihiv National University of Technology, Shevchenka str., 95, Chernihiv, Ukraine, 14027
Many authors point out the prospects of research related to the use of different intelligent systems and technologies (IST) in CS tasks. In particular, it is proposed to use the potential of the following systems: expert (ES) [15, 16]; decision making support [17, 18]; adaptive [19, 20]. Such systems are still under development, and, unfortunately, the majority of papers on this topic do not consider the evaluation of errors of the third kind, which may arise when the SIRCT models do not take certain recognition procedures into account. In addition, it should be noted that the procedure for splitting the set (space) of attributes considered in SIRCT is not the same for different CoS, being dictated by the specifics of their performance and functional tasks.
Numerous discussions and publications [16, 17, 19, 21, 22] dealing with the design of criteria for splitting the set of attributes, the evaluation of the effectiveness of ES with CS, and the use of a variety of methods in SIRCT point to the need to create a model for determining the information indicator of functional performance (IIFP) of AES learning, which takes into account the known statistical and deterministic optimization parameters when clustering the attributes of illegal activity of cyber-criminals in CoS.

The aim and tasks of the study
The aim of the work is to design a model for determining the information indicator of functional performance of training ES with CS. The model takes into account the known statistical and distance clustering parameters for attributes of cyber threats, anomalies and cyber attacks, as well as errors of the third kind during the procedure of ES machine learning.
To achieve the aim, the following tasks are to be solved:
- to develop a structural scheme of an adaptive expert system (AES) with CS;
- to design a model for evaluating the functional effectiveness of the process of machine training of an adaptive expert system of information security, based on the entropic and information-distance criterion of Kullback-Leibler when clustering the attributes of threats, anomalies and cyber attacks in CoS;
- to conduct AES testing and determine the rational number of clusters in the space of attributes of anomalies or cyber attacks for CoS.

Structural scheme of adaptive expert system of information security
Construction of the structural model of AES with IS is a part of the large-scale process of intelligent analysis and data processing in SIRCT.
To provide highly reliable data processing in CoS under conditions of an increasing number of destructive influences, in particular cyber attacks, it is necessary to find:
where CO_ad are the permissible parameters of regulation of CoS; CM_ad are the methods and models permissible for application in resisting threats and cyber attacks based on SIRCT; ME_ad are the means permissible for application in the prevention, detection and analysis of cyber attacks; L are the restrictions on the parameters that affect the efficiency of AES as a part of SIRCT (potentially vulnerable sections of CoS, the time period of cyber attack activity, the cost of protection tools, etc.).
Within the framework of IIT, which are used for training the CS systems, the main objective of AES is a result-oriented procedure of transforming the fuzzy splitting of the sets of attributes of anomalies, threats and cyber attacks into a clear-cut breakdown of classes of the objects of recognition (OR) [23-25]. This is achieved by an iterative procedure that optimizes the parameters of AES operation in the tasks of supporting a high level of CoS IS. The training process takes place in two stages:
- the first stage implies a purposeful search for the global maximum of the multi-extremal objective function for the statistical representation of IIFP in the working area of the OR attributes;
- the second stage determines and simultaneously renews the optimal separating hypersurfaces [10, 13, 14, 23, 25] built in the binary space of recognition attributes (BSRA, or RS) of anomalies, threats and cyber attacks.
The input fuzzy separation of the object implementations used during training is transformed into a clear division while optimizing the testing permissible deviations for each class of anomalies, threats or cyber attacks [17, 19, 24, 25]. The result is a purposeful change in the values of RS in AES for the defined objects and the construction of correct decisive rules from the multidimensional binary training matrix (MBTM). This allows, within the framework of IIT, combining the process of correcting the objects used for training (OUT) with the learning stage itself, during which the synthesis of correct decisive rules takes place.
A solution to the task of forming the input symbolic description of AES as a part of SIRCT is to create OUT, for example, in the form of a multidimensional learning matrix of attributes (MLMA), i.e. a learning matrix:
In this case, it is necessary to solve the following tasks:
1) to form a glossary of attributes for each class of anomalies, cyber threats and attacks, as well as an alphabet of classes in terms of OR;
2) to determine the minimum level of representativeness of the training matrix for OUT;
3) to determine the normalized permissible deviations for RS.
As the primary attributes, one can use parameters read out from certain sensors or experimental data obtained directly, for example, in the course of penetration tests in CoS.
As the secondary attributes for recognizing anomalies, threats and cyber attacks, one can use a variety of statistical characteristics, for example, vectors of realization of a certain class {lm}, formed at the first stage by the developer of the system with the involvement of IS specialists.
At the second stage of the alphabet synthesis, using AES, the input data processing continues using the methods of clustering of the RS attributes.
As was previously demonstrated in articles [10, 14, 19], when the glossary of OR attributes is unchanged and the capacity of the alphabet increases, a change in the asymptotic characteristic of AES is possible. Accordingly, this factor may significantly affect the functional effectiveness of the procedure of training such systems. This, in particular, is due to the increasing degree of intersection of the classes of threats, anomalies and cyber attacks that are subject to recognition (hereafter, objects of recognition or OR).
Let us formulate the following formalized statement of the problem of information synthesis of the AES elements. CT will take the following form:
In matrix (2) we adopted the following denotations: a line of the matrix is an implementation of the "view" of OR, N is the number of attributes of OR; a column is a stochastic training sample, where n is the volume of the sample. Fig. 1 demonstrates the process of forming the structure of the training matrix, which in stages includes the vectors of implementations ct and CT, respectively. To build such a matrix, it is necessary to define only the meaningful properties of OR, which unequivocally distinguish one automatically found threat, anomaly or cyber attack within the class from another one. It is clear that for each AES the classification of OR may be different. However, most OR contain such properties as, for example, the type of vulnerability, the protocol by which the vulnerability may be used, a channel of implementation within this protocol, the type of object, a path to the object, etc. (Table 1).

Fig. 1. Scheme of work with a multidimensional information space of attributes for AES as a part of SIRCT
All of the possible values of each property of OR can be encoded either in binary form [10, 19, 20, 23] or using non-negative integers [7, 21, 22], where zero corresponds to an uncertain value of the OR property. This allows us to take into account missing, new or not yet predicted values of the OR property. More detailed results of research into the procedures of forming BSRA and binary training matrices (OUT) are presented in papers [23-25].
Table 1. An example of the formation of a matrix of attributes
The attributes of cyber attacks are detected in a large volume of measured information, such as logs, monitoring data, etc. This, in turn, requires increasing the speed of information processing in SDI. By combining the data into compact clusters, it is possible to analyze typical representatives of each cluster and decide whether these data are an attribute of an attack or not. This decision is then transferred to all representatives of the examined cluster. This approach significantly reduces the volume of information required for successful attack classification (OUT).
Using the models for intelligent learning technologies (MILT), we will present IIFP of training AES as follows:
where CE_m are the IIFP procedures of machine training of AES as a part of SIRCT; IS are the permissible values of the CoS parameters. Table 2 presents a list of the main data sources for AES and the information that is subject to preliminary processing and analysis. Fig. 2 demonstrates a functional scheme of AES as a part of SIRCT for CoS. For clarity, the scheme shows the basic functional units and information flows; in particular, curly yellow arrows display relationships between the functional modules of AES, while normal arrows indicate control commands. Curly blue arrows show connections between the components of SIRCT and AES.
In the course of training AES and forming KB, the system's performance is regulated by an IS specialist who, in accordance with the recommendations of AES, forms the control commands.
Let us consider the procedure of functioning of AES as a SIRCT element in the mode of learning by an a priori categorized training matrix (CTM). When a controlled process of learning is affected by stochastic factors rf(t) and arbitrary initial conditions of forming the implementations of the functional state of CoS, in particular under conditions of cyber attacks, the module of preliminary data processing (MPDP) forms the classifying scale displaying the current implementation ss^(j). This procedure aims at forming the element lm, whose coordinates are the normalized results of monitoring the CS state. In addition, MPDP checks the statistical stability and uniformity of the training samples, based on the corresponding statistical criteria and the minimal volume n_min of the representative learning sample. At the output of MPDP, a classified fuzzy learning matrix is formed, which is supplied to the input of the module of formation of binary vectors of recognition (MFBVR).
MFBVR performs the binarization of the vectors-implementations of the OR classes by comparing the current attributes with their respective testing permissible deviations {ca_{K,i}}, which are contained in a database (DB) and determined based on the methods of multifractal analysis, the Hurst indicator, moving window, etc. [4, 9, 16, 19, 22]. Depending on the set mode, MFBVR creates a multidimensional binary vector (MBV), which is the parameter-implementation of the view of OR in AES. Each coordinate of MBV in the algorithmic implementation of AES can be represented as a single predicate, equal to "1" if the value of the OR attribute belongs to the set of testing permissible deviations and equal to "0" if it does not. As a result, we will form in MFBVR a binary training matrix (BTM), which consists of structured stochastic vectors-implementations of the representation of the corresponding threat, anomaly or cyber attack:

Fig. 2. Structural scheme of AES as a part of SIRCT
BTM is also used to assess the testing permissible deviations in the process of recognition (system of test/control permissible deviations, SCPD). SCPD, as well as the parameters that determine the levels of the sample {cl_m} of coordinates of the binary reference vectors of the OR classes, are entered into MFBVR from a database (DB).
In the AES training mode, at the output of MFBVR during the period τ_bd, MBTM is created, which arrives at the input of the module "ES learning" (MLES). We note that the formation of MBTM is performed at a certain, predetermined confidence level [19, 21, 23-25].
At the output of MLES, the vector of optimal parameters (VOP) of AES performance enters the knowledge base (KB):
where O is the mapping of the openness of the set (or, in the case of implementing the recognition procedure, the number of implementations of OR). VOP provides the maximum value of IIFP of AES learning in the permissible area of its determination. While testing AES, namely at the moment t
From the first output of MTES, the IS analyst, through the "Module of queries" (MQES), can receive suspicions hy_m about the membership of the corresponding state of CoS in the class CT_m^o and, accordingly, design adequate measures for responding to the arising threat, anomaly in behavior or cyber attack.
In the cluster analysis (CA) mode of incoming data to AES, and for solving the task of automating the procedure of forming the inbound classified learning matrix (ICLM or OUT), a non-classified learning matrix (NLM) {ct^(j)} is supplied from MFBVR to the first input of the module "cluster analysis" (MCA). NLM consists of implementations of all classes of OR and the appropriate alphabet.
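The binarization performed by MFBVR and the search for the optimal parameters (VOP) that MLES hands to KB, as an added worked example. This is not code from the paper or from "Threat Analyzer"; the attribute vectors, class names, the relative tolerance width DELTA and the choice of the normalized entropy criterion (Shannon form with equiprobable hypotheses, computed from the first- and second-kind error rates) are assumptions made for the illustration. Each attribute is compared with the control tolerance field of the base class and becomes a single predicate bit; the container radius of each class in the binary space is then chosen as the maximum of the criterion inside the working area (D1 > 0.5, D2 > 0.5).

```python
import math

# Constructed attribute vectors (packets/s, SYN ratio, distinct destination
# ports, mean flow duration in seconds) for three classes of CoS state.
SAMPLES = {
    "normal": [[120, 0.10, 4, 30], [135, 0.12, 5, 28], [400, 0.13, 5, 35],
               [150, 0.15, 14, 25], [125, 0.11, 4, 32]],
    "dos":    [[900, 0.85, 2, 25], [1100, 0.90, 1, 22], [950, 0.80, 5, 40],
               [1300, 0.95, 2, 27], [870, 0.78, 1, 10]],
    "probe":  [[200, 0.40, 180, 0.2], [220, 0.45, 210, 0.3], [190, 0.35, 160, 0.1],
               [250, 0.50, 240, 0.4], [400, 0.42, 190, 0.2]],
}
BASE_CLASS = "normal"
DELTA = 0.5  # assumed relative half-width of the control tolerance field


def control_tolerances(rows, delta=DELTA):
    """Testing permissible deviations: [mean*(1-delta), mean*(1+delta)] per attribute of the base class."""
    n = len(rows)
    means = [sum(r[i] for r in rows) / n for i in range(len(rows[0]))]
    return [(m * (1 - delta), m * (1 + delta)) for m in means]


def binarize(row, tol):
    """Each coordinate is a predicate: 1 if the attribute lies inside its tolerance field, else 0."""
    return tuple(1 if lo <= x <= hi else 0 for x, (lo, hi) in zip(row, tol))


def reference_vector(btm):
    """Binary reference vector of a class: majority bit per coordinate of its BTM."""
    n = len(btm)
    return tuple(1 if 2 * sum(r[i] for r in btm) > n else 0 for i in range(len(btm[0])))


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def entropy_criterion(alpha, beta, d1, d2):
    """Normalized entropy criterion E in [0, 1] built from the a posteriori probabilities
    of the two hypotheses (alpha, beta: errors of the first/second kind; d1, d2: 1 - alpha, 1 - beta)."""
    def plogp(p):
        return p * math.log2(p) if p > 0 else 0.0

    def h(p, q):
        s = p + q
        return 0.0 if s == 0 else plogp(p / s) + plogp(q / s)
    return 1 + 0.5 * (h(alpha, d2) + h(beta, d1))


def train(samples=SAMPLES, base=BASE_CLASS):
    """Two-stage learning: binarize into a BTM, then pick each class's container radius
    as the maximum of the criterion in the working area. Returns (tolerances, model)."""
    tol = control_tolerances(samples[base])
    btm = {c: [binarize(r, tol) for r in rows] for c, rows in samples.items()}
    refs = {c: reference_vector(m) for c, m in btm.items()}
    model = {}
    for c, ref in refs.items():
        # nearest neighbouring class in the binary space bounds the radius search
        other = min((k for k in refs if k != c), key=lambda k: hamming(ref, refs[k]))
        best = None
        for d in range(hamming(ref, refs[other])):
            d1 = sum(hamming(r, ref) <= d for r in btm[c]) / len(btm[c])
            beta = sum(hamming(r, ref) <= d for r in btm[other]) / len(btm[other])
            if d1 <= 0.5 or (1 - beta) <= 0.5:
                continue  # outside the working area of the criterion
            e = entropy_criterion(1 - d1, beta, d1, 1 - beta)
            if best is None or e > best[0]:
                best = (e, d)
        model[c] = {"ref": ref, "radius": best[1], "criterion": best[0]}
    return tol, model


def classify(row, tol, model):
    """Exam mode: the class whose container holds the binarized vector (nearest reference on ties);
    None means no known class, i.e. a candidate for re-training."""
    x = binarize(row, tol)
    candidates = [(hamming(x, p["ref"]), c) for c, p in model.items()
                  if hamming(x, p["ref"]) <= p["radius"]]
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    tol, model = train()
    for c, p in model.items():
        print(c, p)
    print(classify([130, 0.11, 5, 29], tol, model))
```

With the constructed data the "normal" class reaches E = 1 at radius 1, while the two attack classes overlap in the binary space and settle at a lower criterion value; an observation that lands in no container is returned as None, which is the signal the prediction module would use to trigger re-training.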

CTM {ct_m^o}, formed at each step of clustering of the input data in AES, are delivered to the second input of the module MLES. Accordingly, this module is responsible for assessing by IIFP the quality of the conducted clustering procedure and sends to the second input of MCA the values of the clustering parameters {is_k} [14, 19].
Thus, the stage of CA of input data in AES and MILT is a part of the algorithm of operation of AES as a part of SIRCT.
An important feature of AES with IS of CoS is the ability to predict the change in its functional efficiency in the process of OR recognition, as well as to determine the moment when the system needs to be re-trained, for example, when there are new, previously non-categorized types of threats and cyber attacks. In this case, the first input of the module of prediction (MP) receives the current statistical data ST_{m,n} that are processed by MTES. These data characterize the statistical properties of the binary examination matrix of class
The considered structure of AES differs from the existing ones by its broad functional capabilities and allows dealing with complicated tasks of ensuring reliable cyber protection of CoS, both with a created KB for the known classes of OR and in the course of machine learning, when there are new, previously unknown classes of cyber attacks.

A model for evaluation of functional effectiveness of the process of machine learning of adaptive expert system of information security
In the process of developing AES as a part of SIRCT, there is always a question about assessing the functional efficiency of the process of machine learning. In particular, this makes it possible to define the maximum asymptotic reliability of decisions taken during AES testing when detecting certain classes of threats, anomalies and cyber attacks. For the intelligent technology of AES learning, it is possible to use different criteria that satisfy certain properties of the information measures (IM) [13, 14, 19].
For AES as a part of SIRCT, we propose to apply as information measures the entropic measure [13] and the Kullback-Leibler criterion [14].
Entropy may be considered as a measure of the "structuring" of some state SS_i or a measure of the distance of the structure of one state from another. Then the stochastic process (SP) in CoS, which characterizes the state of the system and functions in the time interval from τ_0 to T, is described by a vector of variables of the IS state:
where he, hl(τ) are "noises" of a general nature; SX(τ) is the vector of variable CoS states, for example, as a result of a cyber attack or the implementation of another threat. An observation of the magnitude SS_i(τ) is carried out at the time points $t_j = t_0 + j\Delta$, $j = 0, \dots, n$, with discretization step $\Delta > 0$.
Let us assign a cluster to each of the selected states of CoS (for the alternative assumptions hy = {hy_1, …, hy_m}, which form a full group of events and physically interpret the state of the system):
$\Theta_i^M = \{\, l(ss)\, ss \mid ss \in UK_{sig},\ l(ss) \in ZR \,\}$, (7)
where Θ_i^M denotes the cluster assigned to the i-th state; l(ss) is the function of the number of instances of the cluster, which determines the multiplicity of the element ss ∈ UK_sig of the system; UK_sig is the set whose power is equal to the maximum level of the signal characteristic of the object's attribute.
Let us generalize the basic stages of the recognition procedures in AES:
1. Define the characteristic attributes for each OR.
2. Compile for each node of CoS a full group of states of the system, hy = {hy_1, …, hy_m}, to which the original specifications Θ_i^M will correspond.
3. Determine the estimate of the probability distribution P_{SS_i} characteristic of the states of the system which it experienced as a result of a cyber attack.
4. Calculate the change in entropy of all subsystems of CoS by the formula:
where L_j is the total number of occurrences of signals specific to the j-th state of the system; L is the control "window" [13, 14]. (10)

Compute information distances between clusters
8. Choose, according to the voting procedure [13, 14, 19, 26], the state of the system for which the weight coefficient is larger.
The magnitude of the normalized entropic IIFP, with regard to the a priori probability of approving the hypotheses for OR recognition, we will represent as follows:
$\sum_{l=1}^{M}\sum_{m=1}^{M} p(hy_l)\, p(hy_m/hy_l)\, \log p(hy_m/hy_l)$, (12)
where p(hy_l) is the a priori probability of approving the assumption (hypothesis) hy_l; p(hy_m/hy_l) is the a posteriori probability of approving the assumption hy_m, provided that the variant hy_l was chosen; M = 2 is the number of assumptions considered in the recognition process.
The following expression allows us to determine IIFP of training AES with IS:
(13)
where $AU_{cr}^{(1)}$ is the procedure of the first validation; $AU_{cr}^{(2)}$ is the procedure of the second validation; $AU_{cr}^{(3)}$ is the procedure of the third validation; mis3_cr are the errors of the third kind when approving the decision at the ls-th step of AES learning; cr is the radius of the hyperspherical containers [13, 14, 19].
The sustainable functioning of reliable information processing in CoS at a random point in time under the influence of a cyber attack is achieved through the implementation of the representation:
where SS_res is the set of permitted states of CoS; CA = {CA_0, CA_1, …, CA_N} is the set of implementations of cyber attacks. A functional that determines the generalized indicator of the effectiveness of resisting cyber attacks, takes into account the indicator of the effectiveness of recognition and characterizes the stability of CoS functioning will be represented as:
IE = F[(SCA, CE), (SS, T_s, VIL), (CO, CM, ME)], (15)
where SCA are the scenarios of cyber attacks; CE is the criterion of the effectiveness of OR recognition; the set of CoS parameters: T_s are the periods of time for performing functional tasks in CoS, VIL are the vulnerabilities of CoS; the set of parameters for resisting threats and cyber attacks: CO are the parameters of regulation of CoS, CM are the methods of resisting threats and cyber attacks in CoS, ME are the means of prevention, detection, analysis and active counteraction to cyber attacks.
To determine how the Kullback-Leibler information measure depends on the AES parameters for the variant of applying control commands based on three alternatives (the case when a decision is made about the dynamics of the change in the IE parameter), we introduce the following hypotheses:
1) the basic working hypothesis hy_1^g (base): the attribute(s) rc_i of OR (RS) and the IE indicator are within a normal CoS state;
2) hypothesis hy_2^g: the attribute(s) rc_i of OR (RS) and the indicator IE allow concluding that the values of the indicator IE are lower than the norm;
3) hypothesis
Given the previous calculations, for the AES solution that allows three alternatives, we received the following characteristics (Table 3).
We will assume that the characteristics mis3_m are unlikely, which is why they can be disregarded. We also assume:
Let us calculate the full probabilities $P_{t,m}^{(ls)}$ and $P_{f,m}^{(ls)}$ with regard to the assumptions (16).
Then, on the basis of the Bernoulli-Laplace principle [13, 14], for the three adopted hypotheses we obtain the following result:
The decisive rule defines the assignment of the vector of parameters of implementation of the known or unknown scripts of cyber attacks $CT_m^{SCA}$ for the m-th object and ct-th class to one of the known OR classes $CT_m^{RS_j}$ at the j-th step of the work of the cyber protection tools. According to the Bayesian criterion, the decisive rule takes the following form:
where P_RS is the probability of AES assigning OR (threats, anomalies or cyber attacks) to the class of the known OR
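Stages 4 to 8 above (entropy over a control window, information distances between clusters and the voting choice of the state) as an added worked example run over constructed log lines. This is not code from the paper; the event types, the cluster profiles for the states "normal", "bruteforce" and "scan", the window length and the weighting exp(-KL) used for the vote are assumptions made for the illustration. The Kullback-Leibler distance here is D(p || q) between the window distribution p and each cluster profile q.

```python
import math
from collections import Counter

# Constructed event log (not from the paper): timestamp, host, event type, details.
LOG_LINES = """\
2024-05-01T10:00:01 host1 conn_new src=10.0.0.5
2024-05-01T10:00:02 host1 dns_q name=example.org
2024-05-01T10:00:03 host1 login_ok user=alice
2024-05-01T10:00:04 host1 conn_new src=10.0.0.6
2024-05-01T10:00:05 host1 dns_q name=example.net
2024-05-01T10:00:06 host1 conn_new src=10.0.0.7
2024-05-01T10:00:07 host1 login_ok user=bob
2024-05-01T10:00:08 host1 conn_refused src=10.0.0.9
2024-05-01T10:00:09 host1 conn_new src=10.0.0.5
2024-05-01T10:00:10 host1 login_fail user=bob
2024-05-01T10:00:11 host1 login_fail user=admin src=10.0.0.42
2024-05-01T10:00:12 host1 login_fail user=admin src=10.0.0.42
2024-05-01T10:00:13 host1 login_fail user=root src=10.0.0.42
2024-05-01T10:00:14 host1 login_ok user=carol
2024-05-01T10:00:15 host1 login_fail user=admin src=10.0.0.42
2024-05-01T10:00:16 host1 login_fail user=admin src=10.0.0.42
2024-05-01T10:00:17 host1 conn_new src=10.0.0.42
2024-05-01T10:00:18 host1 login_fail user=root src=10.0.0.42
2024-05-01T10:00:19 host1 login_fail user=admin src=10.0.0.42
2024-05-01T10:00:20 host1 login_fail user=admin src=10.0.0.42
""".splitlines()

# Full group of states hy = {hy_1, ..., hy_M}, each with a constructed
# reference distribution of signal types (the cluster profile).
PROFILES = {
    "normal":     {"login_ok": 0.30, "login_fail": 0.05, "conn_new": 0.40, "conn_refused": 0.05, "dns_q": 0.20},
    "bruteforce": {"login_ok": 0.05, "login_fail": 0.80, "conn_new": 0.10, "conn_refused": 0.02, "dns_q": 0.03},
    "scan":       {"login_ok": 0.02, "login_fail": 0.03, "conn_new": 0.35, "conn_refused": 0.55, "dns_q": 0.05},
}


def event_type(line):
    return line.split()[2]


def window_distribution(lines):
    """L_j / L: share of each signal type inside one control window of L events."""
    counts = Counter(event_type(l) for l in lines)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def entropy_bits(dist):
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def kl_distance(p, q, eps=1e-6):
    """Kullback-Leibler distance D(p || q) in nats; eps guards against q(x) = 0."""
    return sum(px * math.log(px / max(q.get(k, 0.0), eps)) for k, px in p.items() if px > 0)


def vote(dist, profiles=PROFILES):
    """Weight each hypothesis by exp(-KL) and normalize; the largest weight wins."""
    raw = {s: math.exp(-kl_distance(dist, prof)) for s, prof in profiles.items()}
    z = sum(raw.values())
    weights = {s: w / z for s, w in raw.items()}
    return max(weights, key=weights.get), weights


def analyze(lines=LOG_LINES, window=10):
    """Per control window: entropy, its change against the previous window, voted state."""
    results, prev_h = [], None
    for start in range(0, len(lines) - window + 1, window):
        dist = window_distribution(lines[start:start + window])
        h = entropy_bits(dist)
        state, weights = vote(dist)
        results.append({"start": start, "entropy": h,
                        "delta_entropy": None if prev_h is None else h - prev_h,
                        "state": state, "weight": weights[state]})
        prev_h = h
    return results


if __name__ == "__main__":
    for r in analyze():
        print(r)
```

On the constructed log the second window shows the entropy drop (the state becomes more "structured" as one signal type dominates) and the vote moves from "normal" to "bruteforce"; a low maximum weight across all profiles is the case where a new, uncategorized state should be suspected.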

$CT_m^{RS}$.
Table 3. Characteristics of the accuracy of recognition in AES for the three accepted alternatives
Based on the Bayesian criterion, we also determine the average "price" of risk of making a decision in AES on assigning the vector of parameters of the unknown OR to the class $CT_m^{RS_k}$:
For the case when AES runs a comparative analysis of two BTM, the decisive rule using the Bayesian criterion can be written down as the following ratio:
Therefore, the derived expressions (18) and (21), which take into account the modified entropic criterion and the Kullback-Leibler measure, are a functional of the decisions made in the course of recognizing the respective OR. In addition, expression (18) takes into account the known statistical and deterministic (distance) criteria for optimizing the procedure of clustering the OR attributes at the preceding stage of operation of SIRCT that are capable of learning.
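The Bayesian decisive rule for the three alternatives and the average "price" of risk, as an added worked example (not the paper's code and not its Table 3 data). The likelihood table P(observation | hypothesis) for a quantized IE indicator, the cost matrix and the informative prior are constructed for the illustration; equal priors stand in for the Bernoulli-Laplace principle. The point it shows is that the maximum-posterior decision and the minimum-risk decision can differ once a missed attack costs more than a false alarm.

```python
# Constructed likelihoods P(observation | hypothesis): the IE indicator is
# quantized into "in_norm", "below" (lower than the norm) and "critical".
LIKELIHOOD = {
    "normal":   {"in_norm": 0.85, "below": 0.12, "critical": 0.03},
    "degraded": {"in_norm": 0.25, "below": 0.60, "critical": 0.15},
    "attack":   {"in_norm": 0.05, "below": 0.35, "critical": 0.60},
}
# Constructed "price" of deciding d when the true state is t: COST[d][t].
# A missed attack is priced far above a false alarm.
COST = {
    "normal":   {"normal": 0, "degraded": 1, "attack": 10},
    "degraded": {"normal": 1, "degraded": 0, "attack": 5},
    "attack":   {"normal": 2, "degraded": 1, "attack": 0},
}


def posteriors(observation, priors=None, likelihood=LIKELIHOOD):
    """Bayes: P(hy | obs) = P(obs | hy) P(hy) / sum over hypotheses.
    priors=None means equal priors (Bernoulli-Laplace principle)."""
    if priors is None:
        priors = {h: 1.0 / len(likelihood) for h in likelihood}
    joint = {h: likelihood[h][observation] * priors[h] for h in likelihood}
    z = sum(joint.values())
    return {h: v / z for h, v in joint.items()}


def bayes_decision(observation, priors=None):
    """Decisive rule by the Bayesian criterion: the hypothesis with the largest posterior."""
    post = posteriors(observation, priors)
    return max(post, key=post.get)


def average_risk(post, cost=COST):
    """Average price of risk of each decision d: sum_t P(t | obs) * cost[d][t]."""
    return {d: sum(post[t] * cost[d][t] for t in post) for d in cost}


def min_risk_decision(observation, priors=None):
    """Decision that minimizes the average price of risk, with the full risk table."""
    risk = average_risk(posteriors(observation, priors))
    return min(risk, key=risk.get), risk


if __name__ == "__main__":
    for obs in ("in_norm", "below", "critical"):
        print(obs, bayes_decision(obs), min_risk_decision(obs))
```

For the observation "below" under equal priors the posterior favours "degraded", but the cheapest decision is "attack"; with a strongly informative prior for the normal state both rules agree on "normal", which is how the a priori probabilities enter the decisive rule.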

Adaptive expert system "Threat Analyzer"
In the course of the research we developed AES "Threat Analyzer" (Fig. 3-5). The AES user interface is intended for IS professionals. Through the interface, the analyst of the IS status of CoS receives the necessary information and reports the requested data to AES. Through the same interface, preliminary selection and analysis of threats to IS is conducted by their attributes. AES uses the user interface to compile summary reports of the results of the analysis of the IS state and the suggested recommendations.
The expert's interface is designed to transfer the knowledge of IS experts to KB, as well as to correct the knowledge and the rules for recognition of anomalies, threats or cyber attacks. Through this interface, a change in the decisive modules for making decisions for different OR is carried out. This happens only if errors were detected in the performance of ES.
For the development of the interfaces and functional modules of AES, we used the Delphi language and programming environment. We chose the CLIPS shell for the design of ES.
According to these tasks, the AES structure implements modules that make it possible:
- to automate the procedure of auditing CoS IS;
- to improve the procedure of recognizing threats to IS in CoS;
- to receive expert information on the status of the computers in the network;
- to scan the programs running on a PC;
- to determine the levels of IS of individual PCs in CoS;
- to facilitate the work of IS experts;
- to use previously gained experience in evaluating the state of IS;
- to assess the current risks of UAA to the IS of an enterprise;
- to present recommendations on how to improve the level of IS protection;
- to reduce the time for conducting inspections and audits of the status of CoS IS.
For knowledge representation in ES we used the frame model; for decision-making, direct logical inference (forward chaining).
The basis of ES is the assumption that the elements of a set of security features might not fully meet the IS requirements at an enterprise and, consequently, lead to an increase in the indicator of current information risks. A level of current risk is assigned which is considered acceptable and does not require the use of expensive means to resist attempts of UAA in CoS.

Results of testing the adaptive expert system
The testing of AES "Threat Analyzer" was carried out for the CoS of a few enterprises in the cities of Kyiv, Dnipro and Chernihiv (Ukraine).
Fig. 6 demonstrates the main results obtained in the course of simulating the indicator CE for the network classes of cyber attacks listed in Table 4.
The research revealed that for the "voting" model of MILT over representative sets of attributes of threats, anomalies and cyber attacks, it is sufficient to restrict the representative sets to a length of 5-7 attributes. Compared with the support vector method [1, 4], MILT for a small number of OR attributes (2-4) has a significant advantage in the indicator CE of 25-50 %, but is inferior by 20-55 % to the indicator CE obtained for a hybrid neural network model [5, 7].
The comparative analysis (Fig. 7) was carried out based on the data obtained during the test trials of AES "Threat Analyzer" and the data contained in [7, 9, 13, 14, 20]. Error values of the first
The proposed approach to recognizing anomalies, threats and cyber attacks, based on MILT, makes it possible to increase the level of detection of network cyber attacks in CoS. Detection of different types of attacks when using AES reaches a probability of 77-99 % with an insignificant level of false alarms. In addition, the proposed method is not demanding of IS resources and is capable of detecting unknown types of cyber attacks in CoS. As a result of the described experiment for the designed AES and the method of intelligent recognition of cyber attacks and anomalies [10, 19], we obtained the following results:
- for the DoS/DDoS attacks: errors of the first kind (number of false alarms) 10.2 % and errors of the second kind (number of undetected attacks) 2.86 %;
- for the Probe attacks: errors of the first kind 12.1 % and errors of the second kind 3.15 %;
- for the R2L attacks: errors of the first kind 9.4 % and errors of the second kind 2.75 %;
- for the U2R attacks: errors of the first kind 11.3 % and errors of the second kind 3.5 %.
In the course of the research we found the optimal number of clusters for reaching the maximum value of the IIFP indicator when training AES, which is equal to 3.
These results allow us to compare the developed model with those examined previously in papers [7, 9, 13, 14, 20,
The scientific and practical research results, in the form of AES "Threat Analyzer", were implemented at the State Enterprise "Design-Engineering Technological Bureau on Automation of Control Systems in the Railway Transport of Ukraine" of the Ministry of Infrastructure, as well as in the information security services of several computing centers at industrial and transport enterprises in the cities of Kyiv, Dnipro and Chernihiv.
Implementation of the proposed AES made it possible to significantly change the approaches to the organization of the work of an information security specialist at the enterprises where the test research was conducted; in particular, the status of cyber protection of CoS and information systems was greatly improved, and a vertically integrated IS system was created. The proposed model of ES training was deliberately implemented with regard to a large amount of specialized data in the field of IS and cyber defence and, accordingly, it will require considerable time for systematizing and transferring the templates of threats, anomalies and cyber attacks in the form of MBTM with their subsequent introduction into AES.
The efficiency of applying the designed model will be the higher, the more informative attributes are introduced into CTM, formed at every stage of clustering the AES input data. With a small number of attributes in CTM, the effect of applying the model will be insignificant. Therefore, the prospects for further research are to improve the knowledge base of the attributes in the form of their matrix representation, as well as to explore the model on a larger quantity of objects stored in the databases and knowledge bases of AES.
The developed model, compared with the results obtained for the models presented in Table 4, requires a significantly smaller number of attributes to classify sophisticated targeted cyberattacks in CoS.
At the moment we are working to fill the knowledge base and to further test AES under real conditions of CoS functioning.

Conclusions
1. We proposed a structural scheme of an adaptive expert system of information security, capable of self-learning, which takes into account potential errors of the third kind that may arise and accumulate in the course of training the system and splitting the space of attributes of the objects of recognition.
2. We designed a model of the information criterion of functional effectiveness, based on the entropic and information-distance criteria of Kullback-Leibler when clustering the attributes of threats, anomalies and cyber attacks in CoS, that makes it possible to obtain the input fuzzy classified training matrix, which is used as an object of learning, as well as to build correct decisive rules for the recognition of cyber attacks.
3. The test examination of AES was conducted, and it was found that the proposed model of ES training "Threat Analyzer" enabled us to achieve recognition of the common classes of cyber attacks at a level from 76.5 % to 99.1 %, which is at the level of recognition effectiveness of hybrid neural networks and genetic algorithms. We also found that the optimal number of clusters for reaching the maximum value of IIFP when training AES and splitting the space of attributes of anomalies or cyber attacks for CoS is equal to 3.
[Extraction residue; recoverable text follows.] ... $\overline{1,n}\}$ for OUT, etc. An alphabet of classes of OR for AES. Suppose that we know the alphabet of classes $\{CT_m^o \mid m = \overline{1,M}\}$ and the MBTM of OR which, accordingly, describes the m-th state in which a CoS is. In this case, for the MBTM of OR of the recognition class $CT_m^o$, the statistical parameters $ST_m$, which are the members of the corresponding variational series, are accepted as the extremum of the functional distribution $ST_m^*$. In the AES testing mode, that is, during direct decision-making that allows recognition of threats, anomalies and sophisticated cyber attacks, the test matrix $\{ct^{(j)}\}$ is entered from MFBVR into the module "Test" (MTES). At the same time, in MFBVR the optimal values of the testing permissible deviations of the vectors of the OR classes are retrieved from the KB. This allows us to ensure equivalent conditions for the formation of learning and examination matrices.
... is defined by the corresponding decisive rules obtained in the course of AES training. The second input of MP receives from the KB the relevant statistical properties of the OR classes at the moment of the first training $\tau_1$ of the ES, and has the property of invariance to the laws of probability distribution. The accuracy and reliability of prediction directly depends on the value of the parameter of the ES learning process at the moment of prediction $t_r$.

7. Make a decision in favour of the state for which the magnitude $DIS(M_i^{\Theta}, M_L^{\Theta *})$ is the lowest for each attribute $RS_i$. At the same time, calculate the weight coefficients of the individual decisions: $\arg\min DIS(M_i^{\Theta}, M_L^{\Theta *})$, $(j = \overline{1,J})$.
[Residue of a notation list:] ... the errors of the first kind when approving the decision for the ls-th step of AES learning; the errors of the second kind when approving the decision for the ls-th step of AES learning;

[Residue of a notation list:] $hy_3^g$ ... the indicator IE allows drawing the conclusion that the values of indicator IE are larger than the norm. According to the accepted assumptions, let us denote the a posteriori hypotheses as: $hy_1^m$, the value of the attribute (attributes) belongs to the range of permissible deviations (RPD); $hy_2^m$, the value of the attribute (attributes) is located to the left of the RPD; $hy_3^m$, the value of the attribute (attributes) is located to the right of the RPD.
[Residue of a table of notation; recoverable entries:] the density of conditional probability of the AES assigning a detected OR to the unknown class $CT_m^k$; results of processing a predicate form of calculation; the number of episodes in which it is established that the implementation of OR does not belong to the container; the number of episodes in which it is established that the implementations of OR belong to the container; the number of false activations of the AES in the process of detection of threats, anomalies or cyber attacks (error of the first kind); the number of undetected threats, anomalies or cyber attacks in the process of AES performance (error of the second kind); the error of the third kind, which may occur in case the model does not take into account certain elements of MILT. The results of detecting cyber attacks were tested in comparison with network intrusion detection systems (SDI), application-based IDS (AIDS), and the combined solutions IDS & IPS (Intrusion Prevention System).
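The decision rule in step 7 and the three a posteriori hypotheses above can be illustrated together. The following is an added example, not code from the paper or from "Threat Analyzer": each attribute of an observed vector is coded as hypothesis 1, 2 or 3 relative to its range of permissible deviations (RPD), the per-attribute hypothesis frequencies are compared with each class template by a symmetrised Kullback-Leibler distance standing in for DIS, the class with the lowest summed distance is chosen, and the share of attributes on which each class is nearest serves as the weight coefficient of the individual decisions. The class names, RPD bounds, attribute meanings and all sample vectors are constructed for the illustration and are not the paper's data.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Hypotheses for one attribute relative to its RPD [lo, hi]:
# inside the range, to the left (below it), to the right (above it).
IN_RPD, LEFT_OF_RPD, RIGHT_OF_RPD = 1, 2, 3

# Constructed RPD bounds, one pair per attribute (assumed values, not the paper's).
RPD = [(10.0, 50.0), (0.0, 5.0), (100.0, 1000.0)]


def code_attribute(value: float, lo: float, hi: float) -> int:
    """Map one attribute value to hypothesis 1, 2 or 3 relative to its RPD."""
    if value < lo:
        return LEFT_OF_RPD
    if value > hi:
        return RIGHT_OF_RPD
    return IN_RPD


def code_vector(values: Sequence[float], rpd: Sequence[Tuple[float, float]]) -> List[int]:
    """Code a raw attribute vector into a row of hypothesis codes."""
    return [code_attribute(v, lo, hi) for v, (lo, hi) in zip(values, rpd)]


def hypothesis_distribution(rows: Sequence[Sequence[int]], n_attrs: int,
                            eps: float = 1e-3) -> List[List[float]]:
    """Per-attribute frequencies of the three hypotheses over coded realisations.
    Additive smoothing `eps` keeps every probability positive so KL stays finite."""
    dist = []
    for i in range(n_attrs):
        counts = [eps, eps, eps]
        for row in rows:
            counts[row[i] - 1] += 1.0
        total = sum(counts)
        dist.append([c / total for c in counts])
    return dist


def kl_divergence(p: Sequence[float], q: Sequence[float]) -> float:
    """Kullback-Leibler divergence D(p || q) in nats."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0.0)


def information_distance(p: Sequence[float], q: Sequence[float]) -> float:
    """Symmetrised KL distance; used here as DIS between two hypothesis distributions."""
    return kl_divergence(p, q) + kl_divergence(q, p)


def build_templates(training: Dict[str, Sequence[Sequence[float]]],
                    rpd: Sequence[Tuple[float, float]]) -> Dict[str, List[List[float]]]:
    """Turn raw training vectors per class into per-class hypothesis distributions."""
    return {name: hypothesis_distribution([code_vector(v, rpd) for v in vecs], len(rpd))
            for name, vecs in training.items()}


def classify(test_vectors: Sequence[Sequence[float]],
             templates: Dict[str, List[List[float]]],
             rpd: Sequence[Tuple[float, float]]
             ) -> Tuple[str, Dict[str, float], Dict[str, float]]:
    """Return (decision, summed DIS per class, weight coefficient per class).
    The decision is the class with the lowest DIS summed over attributes; a class's
    weight is the share of attributes on which that class is the nearest template."""
    n_attrs = len(rpd)
    test_dist = hypothesis_distribution([code_vector(v, rpd) for v in test_vectors], n_attrs)
    totals = {name: 0.0 for name in templates}
    votes = {name: 0 for name in templates}
    for i in range(n_attrs):
        per_attr = {name: information_distance(test_dist[i], tmpl[i])
                    for name, tmpl in templates.items()}
        for name, d in per_attr.items():
            totals[name] += d
        votes[min(per_attr, key=per_attr.get)] += 1
    weights = {name: votes[name] / n_attrs for name in templates}
    return min(totals, key=totals.get), totals, weights


# Constructed sample data: three attributes per observation (say connections per
# minute, failed logins per minute, mean bytes per flow) and three classes.
TRAINING = {
    "normal":    [(20.0, 1.0, 300.0), (30.0, 2.0, 500.0), (45.0, 0.0, 800.0)],
    "anomaly_A": [(120.0, 12.0, 200.0), (90.0, 8.0, 1500.0), (200.0, 20.0, 150.0)],
    "anomaly_B": [(5.0, 0.0, 5000.0), (2.0, 1.0, 8000.0), (8.0, 0.0, 3000.0)],
}
TEST = [(150.0, 9.0, 350.0), (110.0, 7.0, 600.0)]  # constructed observations

if __name__ == "__main__":
    tmpls = build_templates(TRAINING, RPD)
    decision, totals, weights = classify(TEST, tmpls, RPD)
    for name in tmpls:
        print(f"{name:10s} DIS={totals[name]:8.3f} weight={weights[name]:.2f}")
    print("decision:", decision)
```

On the constructed data the test observations are coded as [3, 3, 1] (both attributes 1 and 2 above their RPD, attribute 3 inside it), so the "anomaly_A" template is nearest on two of the three attributes and wins the summed distance, while "normal" is nearest only on the third attribute. The smoothing constant is what keeps a hypothesis never seen in training from producing an infinite distance, which is the practical failure mode of a plain KL comparison on small training sets.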

Fig. 3. Bookmark for setting the rules of recognition and evaluation of anomalies, threats and cyber attacks

Fig. 5. Bookmark for representation of the results of the evaluation of the IS state for the basic components of CoS

Fig. 6.

Table 2. List of main data sources for AES