INVESTIGATION OF SELF-ORGANIZING KOHONEN MAP TO DETECT NETWORK ATTACKS OF R2L CATEGORY

DOI:

https://doi.org/10.35546/kntu2078-4481.2023.2.28

Keywords:

attack, class, R2L, self-organizing map, Kohonen layer, sampling, era, accuracy, quality, error of the second kind

Abstract

This work investigates whether a self-organizing Kohonen map can detect network attacks of the R2L category. To detect R2L attacks of the following network classes: Ftp_write, Guess_passwd, Imap, Multihop, Phf, Spy, Warezclient and Warezmaster, a self-organizing Kohonen map of configuration 41-1-X-9 is proposed, where 41 is the number of neurons in the first layer (network traffic parameters taken from the NSL-KDD database), 1 is the number of hidden layers (the Kohonen layer), X is the number of hidden neurons, and 9 is the number of neurons in the output layer. The software model “SOM_R2L” was written in Python to detect R2L attacks; it implements the proposed map configuration and its training algorithm. Using “SOM_R2L”, accuracy was studied on maps of different sizes (5×5, 10×10, 20×20, 30×30), with different numbers of examples per class (5, 10, 15, 20) and different numbers of training epochs (20, 40, 60, 80, 100, 200). The optimal configuration of the self-organizing Kohonen map was determined to be 10×10, trained for 40 epochs on a sample of 900 examples (10 examples per class). The quality parameters of R2L attack detection were then studied on “SOM_R2L”. The errors of the second kind were determined for the following classes: Ftp_write, 1.11 %; Guess_passwd, 17.78 %; Imap, 1.11 %; Multihop, 4.44 %; Phf, 0 %; Spy, 1.11 %; Warezclient, 2.22 %; Warezmaster, 14.44 %; Normal, 5.56 %.
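The following sketch is an added example, not the authors' “SOM_R2L” code: a 10×10 Kohonen map over 41 inputs, trained for 40 epochs, with each neuron labelled by majority vote and a per-class error of the second kind reported. The constructed data (random class centroids instead of NSL-KDD records), the learning-rate and neighbourhood schedules, and the reading of "error of the second kind" as the share of a class's samples assigned to another class are all assumptions.

```python
import math, random
CLASSES = ["Normal", "Ftp_write", "Guess_passwd", "Imap", "Multihop",
           "Phf", "Spy", "Warezclient", "Warezmaster"]  # 9 output classes
N_FEATURES = 41  # number of NSL-KDD traffic parameters per record

def make_constructed_data(per_class=10, noise=0.05, seed=1):
    """Constructed stand-in for normalised records: one random centroid per class."""
    rng = random.Random(seed)
    centres = [[rng.random() for _ in range(N_FEATURES)] for _ in CLASSES]
    return [([c + rng.gauss(0, noise) for c in centre], y)
            for y, centre in enumerate(centres) for _ in range(per_class)]

def bmu(weights, x):  # best-matching unit: index of the neuron nearest to x
    return min(range(len(weights)), key=lambda i: sum((w - v) ** 2 for w, v in zip(weights[i], x)))

def train_som(data, side=10, epochs=40, lr0=0.5, seed=2):
    rng = random.Random(seed)
    weights = [[rng.random() for _ in range(N_FEATURES)] for _ in range(side * side)]
    for epoch in range(epochs):
        decay = 1 - epoch / epochs  # assumed linear decay of rate and radius
        lr, sigma = lr0 * decay, max(side / 2 * decay, 0.5)
        for x, _ in rng.sample(data, len(data)):  # shuffled pass over the sample
            br, bc = divmod(bmu(weights, x), side)
            for i, w in enumerate(weights):
                r, c = divmod(i, side)
                h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * sigma ** 2))
                if h > 1e-3:  # skip neurons far outside the neighbourhood
                    for k in range(N_FEATURES):
                        w[k] += lr * h * (x[k] - w[k])
    return weights

def label_neurons(weights, data):  # majority vote of samples mapped to each neuron
    votes = {}
    for x, y in data:
        votes.setdefault(bmu(weights, x), []).append(y)
    return {i: max(set(v), key=v.count) for i, v in votes.items()}

def type2_error(weights, neuron_label, data):
    """Per-class miss rate in percent; classes absent from data are omitted."""
    total, missed = [0] * len(CLASSES), [0] * len(CLASSES)
    for x, y in data:
        total[y] += 1
        missed[y] += neuron_label.get(bmu(weights, x)) != y
    return {CLASSES[i]: 100.0 * missed[i] / total[i] for i in range(len(CLASSES)) if total[i]}

if __name__ == "__main__":
    data = make_constructed_data()
    som = train_som(data)  # 10x10 map, 40 epochs
    print(type2_error(som, label_neurons(som, data), data))
```

On real traffic the error should be measured on records held out from training; the constructed clusters here are far easier to separate than NSL-KDD classes.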

Published

2023-08-09