Building of an effective cyber defense system should be based on proactive Security Information and Event Management (SIEM) [ 1 ]. The use of SIEM in the protection circuit allows for effective proactive management of cyber incidents, based on automated mechanisms that use information about events that have already occurred in the system, predict future events that will occur in it, and adapt system protection parameters to its current status.

A cyber incident is an event or a series of adverse events that bear signs of a possible cyberattack, which threaten the security of electronic communications systems, process control systems, create a possibility of violation of the normal operation of such systems, including failure and/or blocking of the system and/or unauthorized management of its resources, and endanger the security of electronic information resources [ 2 ].

The architecture and functional model of the proactive SIEM were considered in [ 1 ]. According to the tasks performed by this system (collection, processing, and analysis of security events coming to it from many disparate distributed sources), the basis of its operation includes the following mechanisms: normalization, filtering, classification, aggregation, correlation, prioritization, and analysis of events and cyber incidents and their consequences, as well as generation of various reports, messages and visual presentation of data for prompt and informed decision-making [ 1 ]. The methodology of rational selection of SIEM for the construction of SOC (Security Operation Center) is given in [ 3 ].

In some sources [ 4, 5 ] these mechanisms are considered as stages of the general process, which is called the correlation process. It has a special place in the SIEM, as its purpose is to detect cyberattacks, malicious activity, security policy violations, and others [ 6 ]. This purpose is achieved by addressing a wide range of tasks that it covers: identifying potential relationships between disparate security information; grouping low-level events into higher-level events; detecting potential incidents based on analysis of the behavior of various infrastructure objects, and others.

Technologically, as part of the SIEM, the correlation method includes a sequence of actions on the data, which aims to identify, in a certain way, signs of deletion, integration, and linking of processed information, as well as establishing its causality and priority [ 4, 5 ]. These features are called correlation features.

To achieve these objectives, at different stages of the correlation process, a wide variety of methods are used [ 7, 8, 9, 10, 11 ], such as: the method based on finite machine states (finite state machines), which is used to identify dangerous states of the system; rule-oriented method, which is based on rules that have clear syntax and semantics; the method of reasoning based on precedents; Bayesian network method, which is used at the stage of multi-step event correlation, loss analysis, and prioritization; artificial neural networks, which are also used for event correlation, loss analysis, and prioritization, and others.

Analysis shows that the most common method is the rule-oriented method, but due to the fact that it is based on classical production rules, which do not always give the expected result in terms of incomplete and inaccurate information about cyber incidents, its application is not always effective.

Therefore, the task of developing models and methods for recognizing cyber incidents in conditions of incompleteness or inaccuracy of information about them is relevant.

The aim of the work is to develop a model and rule-oriented method of detecting cyber incidents by SIEM based on fuzzy inference.

Statement of the problem of cyber incident detection by SIEM Let

Any cyber incident is characterized by a set of information features, on the basis of which, in turn, it can be recognized.

O  oi  i  1, n 

the set of information features of cyber incidents that occur in  the system and  are C   C j C j  o j1, o j2 ,, o jm , j  1, J ,

  with a cyber incident C j . represented by the

set where information signs are associated Then the model of cyber incident recognition can be represented by a tuple [ 12 ]: M  K , Oi , R, C , where K is a feature classifier; oi  O  is a set of the observed features; R  R  i is a set of cyber incidents recognition rules; C – a cyber incident.

The process of recognizing cyber incidents is carried out based on rules (usually, production rules):

R1 : (K,Oi ), R2 : (K,Oi ), , Rl : (K,Oi )  C .

However, in traditional production systems, the rules are classic products that do not fully meet the conditions of incompleteness and inaccuracy of information about cyber incidents that occur during operation of information and telecommunications systems. As a rule, for this purpose, methods, and models of fuzzy set theory on fuzzy inference are used [ 13 ]. 3

The method of solving the problem

Based on above-listed considerations, model (1) can be developed and presented as follows:

MF  KF , Oi , RF , C where KF is a fuzzy classifier, RF  RFi  is a set of fuzzy cyber incident recognition rules:

RF1 : (K,Ov ), RF2 : (K,Ov ), , RFl : (K,Ov )  C .

On the other hand, based on the works [ 15, 16 ], the problem of recognizing cyber incidents can be considered as a problem of their identification, the solution of which is to find a mapping:

O*  o1*, o2*, , on*   c j  C  c1,c2 , , cm , (1) (2) (3)

Range of change of signs of cyber incidents where O*  is a set of signs a cyber incident; aoiset of possible cyber incidents.  oi , oi  , i  1, n, and the original value of the identification result k   k, k  are considered known. Accordingly, oi oi  is the lower (upper) value of the cyber incidence parameters, oi , i  1, n, k, k  is the lower (upper) value of the identification result k.

Graphically, the problem of identifying cyber incidents can be represented as follows (see Fig. 1):

Input Parameters (Signs of Cyber Incidents) o1 o2 y*D.  on

knowledge base (fuzzy rules)

Solution: Cyber Incident Class

C1 C2 y*D.  Cm y any computer with the same IP address has been successful, then this event must be addressed by a security officer.

o1 o2 o3 o4 o5 o6

ξα α ξс ξβ β

O1 O2 O3 O4 O5 O6

In turn, c1 and c2 indicate the type of event occurring in the system (Table 2).

marked signs of a cyber incident (Table 1).

Cyber incident с1 с2

c   c  , ,    o1,o2 ,o3,o4 ,o5 ,     o3, o4 , o5 , o6 . (4) (5) (6)

Value aA Value bA L H L L L H L aA aA bA L A bA L aA L Sign O1 O2 O3 O4 O5 O3 O4 O5 O6 O1 O2 O3 O4 O5 O3 O4 O5 O6 Sign Value

α H β H α aA β aA

A single scale of qualitative terms o1  o6 ,  ,  is used to estimate the values of linguistic variables: L - low; bA - below average; A - average; aA - above average; H high. Each of these terms is given by the corresponding membership function.

From a formal point of view, the problem of cyber incident identification based on fuzzy rules and fuzzy inference corresponds to the mathematical model of object identification with a discrete output [ 14, 15 ]. Thus, to identify a cyber incident c1 , the ratio is as follows:  с1 с   H    H      aA    aA   , (7) where

   H      H o1    H o2    L o3    L o4    aA o5 ,  

   H      bA o3    L o4    H o5    L o6 ;      aA      aA o1    aA o2    bA o3    L o4    A o5 ,      aA      bA o3    L o4    aA o5    L o6 ;

  and  с,  ,  , оi   are corresponding membership functions.

These fuzzy logical equations allow us to make a decision in favor of identification of a cyber incident based on the following algorithm:

Step 1. The values of the signs of cyber incidents are recorded O*  o1*, o2* , , o6*  .

Step 2. The values of membership functions parameter values oi* ,i  1, 6;k  L, bA, A, aA, H.  k oi*  are determined at fixed

Step 3. Based on logical equations (7), the values of membership functions  c j o1*,o2* ,,o6*  are calculated by the vector of attributes O*  o1*, o2 , , o6*  for all * types of cyber incidents c1 , c2 . Logical operations AND  and OR  on membership functions are replaced by operations min and max:  k o*   k o*  min  k o*  , k o*j  ;i  j,

i j  i  k o*   k o*   max  k o*  , k o*j  ;i  j, i j  i (8) (9) c* Step 4. Choice of solution j (the type of cyber incident) provided:  c j o1*,o2* ,,o6*   max  c j o1*, o2* , , o6* .

   (10) (11)

It should be noted that the adequacy of this model and the effectiveness of the method of detecting cyber incidents, which is based on the proposed model, respectively, are determined by the quality of membership functions, through which linguistic estimates are quantified. Due to the fact that these membership functions are determined by experts, the adequacy of the fuzzy knowledge base will depend entirely on the qualifications of experts.

However, it should be noted that as a result of SIEM operation, statistics on cyber incidents will be collected, which makes it possible to assess the adequacy of the proposed model and the method developed on its basis.

Thus, it is quite expedient to perform additional training (system settings). This, in turn, will allow the identification of cyber incidents that were not previously identified by the system during its operation.

Comparative analysis of the proposed method showed that, in comparison with existing methods (the method of reference vectors, neural networks, k-nearest neighbors, the method based on immune systems), it can increase the accuracyof cyber incident detection (11) by 2-15 % (Table 4).

P 

TP TP  FP , where P (precision) is the accuracy of cyber incident detection;

TP – the number of cyber incidents that are properly classified;

FP – the number of cyber incidents classified as a normal state of the system [ 17 ].

As a result of the conducted research, it is shown that the main role in a protection circuit of information and telecommunication system for proactive management of cyber incidents belongs to SIEM.

The results of the analysis indicate the feasibility of using a rule-oriented method to identify signs of deletion, aggregation, and linking of information processed, as well as to establish its causality and priority.

To increase the efficiency of the rule-oriented method of recognizing cyber incidents in conditions of incompleteness and inaccuracy of information about them, a model based on the theory of fuzzy sets and fuzzy inference is proposed. Based on the model, a rule-oriented method of cyber incident identification, based on mapping of the set of incident features to the set of possible classes of cyber incidents, and the algorithm for its implementation have been developed.

To implement the developed model and method, it is advisable to modify the structure of the SIEM-system by introducing an intelligent decision support subsystem, which should be based on the model of cyber incident identification based on fuzzy rules and fuzzy inference, where causal relationships of a cyber incident and its sighs are described by the expert in plain language and then formalized as a set of fuzzy logical rules.

The simulation results show that the proposed method allows us to increase the accuracy of cyber incident detection by 2-15%.

The obtained results can be used in practice for solving the problem of detecting cyber incidents by SIEM, which is part of the SOC software and hardware.