Research of the Neural Network Module for Detecting Anomalies in Network Traffic Yurii Klotsa, Vira Titova a, Natalia Petliak a, Viktor Cheshun a and Abdel-Badeeh M. Salemb a Khmelnitsky National University, Institutska str.,11, Khmelnitsky, 29000, Ukraine b Ain Shams University, El-Khalyfa El-Mamoun Street Abbasya, Cairo, Egypt Abstract The aim of this article was to study, develop and apply neural network methods to analyze traffic of local area network for detection of the anomalies in network traffic. The theoretical significance of the presented material is coverage of the problem of research and development of methods of computational intelligence, namely artificial neural networks to detect intrusions in networks. In particular, a method of detecting anomalies was created on the base of a Kohonen self-organizing map, the introduction of which into the structure of the existing attack detection system allows to increase the accuracy of detecting anomalies in network traffic by 35-40% compared to other existing methods. The practical significance of the results is the possibility of applying the developed method to detect intrusions and anomalies in modern corporate networks and the possibility of building a real-time detection system based on it, as well as solving of other tasks of data mining such as classification or clustering of suspect events in network traffic. Keywords 1 Network security, detection methods of network intrusion, data protection, intrusion detection systems, neural networks. 1. Introduction The rapid development of computer networks and information technologies causes a number of problems related to the security of network resources, which require new approaches. Currently, the issue of building intrusion detection systems is an important direction in the field of information technologies. There are many researches on the detection and classification of intrusions using a variety of methods, which include traditional approaches based on compliance with signature patterns and adaptive models using data mining techniques. Most of these works have been done long ago, and some of them have a limited aspect in the covering form of only a specific subject area, namely, the detection of overuses or anomalies. This work aims to develop a neural network module for detecting anomalies in network traffic, its implementation and verification of its operation on test and real data. The article has the following structure. The second section provides a comparative analysis of intrusion detection methods. The third section substantiates the choice of an artificial neural network as a method of computational intelligence to solve the problems of detecting anomalies. The fourth section is devoted to the description of the structure and methods of functioning the popular intrusion detection system. The fifth section describes the neural network module for detecting anomalies in network traffic, which is an implementation of the neural network method. IntelITSIS’2022: 3rd International Workshop on Intelligent Information Technologies and Systems of Information Security, March 23–25, 2022, Khmelnytskyi, Ukraine EMAIL: klots@khmnu.edu.ua (Y. Klots); titovav@khmnu.edu.ua (V. Titova); npetlyak@khmnu.edu.ua (N. Petliak); cheshunvictor@gmail.com (V. Cheshun); abmsalem@yahoo.com (A.-B. M. Salem) ORCID: 0000-0002-3914-0989 (Y. Klots); 0000-0001-8668-4834 (V. Titova); 0000-0001-5971-4428 (N. Petliak); 0000-0002-3935-2068 (V. Cheshun); 0000-0003-0268-6539 (A.-B. M. Salem) © 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org) Sections number six and seven contain a description and results of the module operation on test and real data sets. 2. Comparative analysis of methods of detecting intrusions The common classification of intrusion detection systems by intrusion detection methods includes anomaly detection systems and overuse detection systems [1, 2]. Figure 1 shows the scheme of network anomaly detection [3–5] based on network traffic indicators. The general algorithm for detecting network anomalies can be described as follows. Network traffic, presented as a set of network packets generally fragmented at the IP level, is the data for analysis. The collected data serve as a source for the formation of the necessary information for further analysis. Thus, the obtained data can be aggregated for a certain interval and normalized in order to set the feature attributes of the general form, which will be required when constructing the current activity profile. The created set of features is compared with a set of characteristics of the normal operation of the object (user or system) by pattern of normal behavior. If there is a significant discrepancy between the compared parameters, the network anomaly is recorded. Figure 1: Detection scheme of network anomalies The above-described algorithm may contain several variants for the realization of checking subsystem for the compliance of the pattern of normal behavior. The procedure of comparison with the threshold value is the simplest of them, when the accumulated results describing the current network activity are compared with an expertly set numerical plank. In this approach, the case of exceeding the values of the parameters of the specified limit is a sign of a network anomaly. It is worth noting that construction of a pattern of normal behavior is a time-consuming task and not always feasible. In practice it turns out that not every abnormal behavior is an intrusion. For example, a network administrator can use adjustment of utilities such as ping, traceroute, mtr to diagnose a network environment. Actions of this kind do not pursue any illegal intent, but anomaly detection systems recognize this activity as anomalous network activity. Detection of overuse allows you to identify unauthorized actions, if they are accurately reported in the form of intrusion patterns. Intrusion pattern is a set of actions, which explicitly describe a specific attack. Using them for the identified object we can receive a clear answer about affiliation of this pattern to this attack. As in the detection scheme of network anomalies, a network traffic is the primary data for analysis while detecting overuse. Selected attributes and fields of network packets are transmitted to the module, which searches for and verifies compliance with the rules of input data and indicates a threat in the event of a positive interaction of one of the rules. Figure 2 shows the scheme for detecting overuse in network traffic. Figure 2: Detection scheme of network overuse The key problem in creating any system of overuse detection is the issue of effective design of the rule setting mechanism. It is clear that the creation of an exhaustive base of rules for detecting various attacks is impossible due to several factors. One of these factors is that the description of different variations of attacking actions has a negative effect on system performance. And since even insignificant changes in the attack lead to the impossibility of its detection by methods based on overuse, the rules should be universal and cover as many known modifications of network intrusions. Summing up, we should note that methods of overuse detecting are an effective tool for detecting known types of intrusions, but their applicability to new attacks, as well as to modifications of known attacks is ineffective. “A Survey of Network Attack Detection Research” [6] of Abas Aboras, Mohammed Kamal Hadi is a classic work in the field of overuse detecting. On the base of the analysis of modern methods of intrusion detecting, we can conclude that all of them are not perfect and do not provide high efficiency in counteracting intrusions in computer networks. Anomaly detection methods are more effective in counteracting modified and previously unknown intrusions, but this group of methods has the following features: • there are a large number of possible solutions, which requires significant time to solve the problem by a complete search of all available variants; • input data can be changed in the process of solving the problem, and while changing at least one value, you need to sort all the available variants from the beginning; • it is difficult to represent input data in the form of numerical data, and therefore the solution of the problem cannot be reduced to numerical calculations. Thus, the problem of detection of anomalies is a difficult task. The use of traditional mathematical methods for its solution is impractical, so based on the features of the above-mentioned problem it is necessary to develop intelligent methods to solve this important problem. 3. Substantiation of the intelligent method for solving the problem of anomaly detection To choose the method, an analysis of a large list of works was carried out, including [7–25], which allowed to clarify the proposed taxonomies and schemes of known methods of detecting network intrusions. Among all the methods, special attention, in our opinion, deserves the methods of computational intelligence, namely artificial neural networks. An artificial neural network is a set of processing elements of neurons interconnected by synapses and converting a set of input values into a set of desired output values. Neural networks are used in a wide range of applications: image recognition, management theory, cryptography, data compression. Neural networks have the ability to learn from patterns and generalize from noisy and incomplete data. The coefficients associated with synaptic weights are adjusted in the learning process. A brief overview of several models of neural networks is presented in this article, namely, multilayer feedforward networks, radial-basis networks, recurrent networks and self-organizing maps. There are several methods for learning neural networks. 12 algorithms of their learning are presented in [7]. The method of backward propagated error is one of the best known and most widely used algorithms for learning multilayer feedforward neural networks. This algorithm is a gradient descent with minimization of mean squared error at each iteration of its execution. A multilayer neural network with two hidden layers and an outgoing layer consisting of three neurons is used to detect attacks in [8, 9]. The classifier was learned to recognize two types of attacks and a normal connection. An algorithm of backward propagated error is used in both works to learn the neural network. Another work that uses the same database is [10]. It shows the architecture of a multilevel neural network, in which each of the three levels is a separate multilayer perceptron, the distributing layer of which consists of 30 neurons. The classification of the connection is refined at each level. Whether a connection is an attack or a normal connection is determined at the first level. The second and third levels are responsible for classification according to the class and subclass of the attack. The ability to obtain the required degree of details in the classification of the connection is a feature of this approach. A three-layer neural network was used in [11] as a binary classifier of network connections. The training set that is a network traffic, received by the network scanner, numbered about 10,000 connections, 3,000 of which were simulated attacks. Although the training took 26.13 hours, the results of the experiments showed a high level of recognition correctness. The works [12, 13] are devoted to the detection of anomalies using neural networks based on data taken from the system audit log and log files of individual applications. Sets of the most common commands and frequency of their use were applied in [14] to set the profile of each user. [15] also used system information, including the amount of system resources, system time, etc. Radial-basis neural networks are a class of neural networks based on the calculated distance from the entering vector to the centers of neurons of the hidden layer. Radial-basis neural networks require fewer computing resources and time for learning because they have a simpler structure compared to multilayer neural networks, that why they are ideal for tasks with a large sample size. The work [16] gives a review of works with application of radial-basis neural networks to problems of detection of attacks. Self-organizing maps, or Kohonen maps, are single-layer feedforward neural networks whose outgoing layer is an n-dimensional lattice (usually n = 2 or n = 3). After training such networks group entering vectors with similar characteristics into separate clusters. [17, 18] propose to use self-organizing maps to detect anomalies. For this purpose, data was collected describing the legitimate behaviour of users and including the characteristics of system calls within the computer network. Self-organizing maps are used in [19-20] to process and cluster data about network traffic. In [21-23] new approaches for DNS tunneling botnet detection, which considers all the features and architectural characteristics of botnets are presented. The described methods of working with self-organized neural networks show a great increase in the accuracy of detecting anomalies in the analysis of computer data networks, they also help in compiling the topology of the computer network and finding errors in existing networks. The main difference of the method of self-organized maps is that it eliminates the need to learn the neural network on a pre-prepared data set [26]. This method is suitable for solving the tasks in the work. So, to implement an intelligent method of detecting anomalies, we decided to take a self-organized Kohonen map. The implementation of the maps is a neural network module connected in real time to the Snort intrusion detection system. 4. The structure and methods of operation of the intrusion detection system Snort is a network intrusion detection (IDS) and intrusion prevention (IPS) system with open- source code that can perform packet logging and real-time traffic analysis on IP networks, combining signature matching capabilities, protocol inspection tools, and anomaly detection mechanisms. Snort was created by Martin Roesch in 1998 and quickly gained popularity as a free intrusion detection system that allows you independently and effortlessly to write rules for detecting attacks. In essence, the Snort signature description language has become de facto standard for many intrusion detection systems that have used it in their functioning. According to the monitoring method, the Snort intrusion detection system can be host-based and network-based, depending on the configuration parameters. It usually protects a certain segment of the local network from external attacks from the Internet. The Snort system provides protocol analysis, content search, and it is widely used for active blocking or passive detecting a range of attacks and soundings. Snort is based on five modes: • Sniffer packets: this mode is responsible for capturing data transmitted over network to the decoder. This is done using the DAQ (Data AcQuisition) library. This sniffer can be inline, passive or read network data from a pre-prepared file; • Packet decoder: this mode parses headers of captured packets, parses packets themselves, searches for anomalies and deviations from RFC, analyzes TCP flags, excludes certain protocols from further analysis and so on. This decoder focuses on TCP/IP stack; • Preprocessors: if a decoder parses the traffic at the 2nd and 3rd levels of the reference model, the preprocessors are designed for more detailed analysis and normalization of protocols at the 3rd, 4th and 7th levels. Among the most popular preprocessors there are frag3 (work with fragmented traffic), stream5 (reconstruction of TCP streams), http_inspect (normalization of HTTP traffic), DCE / RPC2, sfPortscan (used to detect port scans) and various decoders for Telnet, FTP, SMTP, SIP, SSL, SSH, IMAP, etc. Some developers write their own preprocessors (for example, for industrial protocols) and add them to their own intrusion detection systems (IDS), built with Snort; • Intrusion detection mode: this mode consists of two parts. The rule constructor collects many different decision rules (attack signatures) into a single set, optimized for further use by the inspection subsystem of captured and processed traffic in search of certain violations; • Output mode: Snort can generate (write or display) a corresponding message upon detection of an attack in various formats: file, syslog, ASCII, PCAP, Unified2 (binary format for accelerated and easy processing). It should be noted that despite the planned updates of the Snort system, the functionality of the program does not change and is based on two main principles. Elementary analysis – comparison of parameters of incoming network packets, arranged on the rules of Snort system. Signature analysis – parsing of packets coming to the listening socket of the system and finding a certain sequence of bytes. Figure 3: Snort system structure Elementary analysis is based on the parsing and verification of the header of incoming network packets, analysis of data included in this network packet. This method is less laborious in terms of network resources of the Snort system. According to the data obtained by parsing the header of the network packet (IP address of sender/ recipient, port of sender/recipient) and comparing them with Snort's own base of rules, the system is able to detect an attempt to attack the network. Signature analysis means the analysis of data contained in the network packet. This method is a more effective way to identify hazards, but at the same time more laborious in terms of computing resources. However, none of the analyses is highly effective in detecting anomalies. That`s why, it seems promising to create new methods of detecting attacks that eliminate the shortcomings of these methods. It is also necessary to develop a system that combines the advantages of new techniques that will allow more effective detection of attacks in computer networks, ensuring high accuracy of attack detection and low computational complexity of the algorithms used to analyze network traffic data. 5. Description of the neural network module The main goal is to change the existing Snort structure, shown in Fig. 3, and integrate an additional module into it, which will lead to the new structure, shown in Fig. 4. The proposed adaptive module works in parallel with the Snort rule set. Substantiation of integration of adaptive module in parallel with the rule set is that Snort rule set detects only known destructive traffic. The module may detect an unknown variant of destructive traffic or reduce the number of false operations. This will reduce the number of false-positive alarms, and improve detection accuracy. The preprocessor will transmit network traffic into the neural network module and the Snort rule set, and they will both work in parallel for more accurate detection of destructive traffic. Figure 4: Snort system structure with developed neural network module The most important process of working with the models of machine learning is obtaining reliable data. Obtaining such data is itself a serious problem, as the availability of data sets is very low. On the one hand, many datasets are internal and cannot be used openly due to privacy issues, and on the other hand, datasets are highly anonymous and do not reflect current network trends or do not have certain statistical parameters, so the perfect dataset does not yet exist. Thus, researchers must use data sets that are often nonoptimal. As behavior and modes of the network change, as well as development of intrusion systems, there is a need to move from static and disposable datasets to more dynamic datasets that not only reflect traffic structure but are changeable, extensible, and reproducible. Intrusions are divided into three main groups for classification: • DOS: denial of service; • R2L: unauthorized access from a remote machine; • U2R: : unauthorized access to local root privileges. Input parameters must be prepared before they can be used in the machine learning algorithm. Some items can be easily found, others need to be found through experimentation and testing. Using all the features of the data set does not necessarily guarantee the best performance. This can increase computing costs as well as the frequency of errors in the system. This is due to the fact that some functions are redundant or useless for distinction of different classes of attacks. The main advantage of this training method is the introduction of attributes proposed by the expert, which help to understand the behavior of different types of attacks, including the basic characteristics of attack detection. Here is the main list of input parameters for learning (Table 1). Table 1 List of input network parameters Name Description duration Duration in seconds protocol_type Type of protocol (ТСР, UDP etc.) service Type of service (telnet, http etc.) flag Connection flag: error or norm scr_bytes Number of bytes from source to receiver dst_bytes Number of bytes from receiver to source land 1, if connection is on the same host or port wrong_fragments Number of incorrect fragments urgent Number of urgent packages count Number of connections to the host in the last two seconds srv_count Number of connections to the service in the last two seconds serror_rate Percentage of connections to SYN with errors diff_srv_rate Percentage of connections to various services srv_diff_hast_rate Percentage of connections to different hosts dst_host_srv_count Number of connections to the local host through remote access and the same service The basic principle of learning the neural network module: the network is learned for some time in the normal operation of the data transmission network. Some clusters are created meanwhile which fully characterize the network's normal operation when properly configured. The training utilizes competitive learning. When a training example is fed to the network, its Euclidean distance to all weight vectors is computed. The neuron whose weight vector is most similar to the input is called the best matching unit (BMU). The weights of the BMU and neurons close to it in the SOM grid are adjusted towards the input vector. The magnitude of the change decreases with time and with the grid- distance from the BMU. The update formula for a neuron v with weight vector Wv(s) is: 𝑊𝑊𝑣𝑣 (𝑠𝑠 + 1) = 𝑊𝑊𝑣𝑣 (𝑠𝑠) + 𝜃𝜃(𝑢𝑢, 𝑣𝑣, 𝑠𝑠) ∙ 𝛼𝛼(𝑠𝑠) ∙ �𝐷𝐷(𝑡𝑡) − 𝑊𝑊𝑣𝑣 (𝑠𝑠)�, (1) where 𝐷𝐷(𝑡𝑡) – is a target input data vector; 𝑊𝑊𝑣𝑣 − is the current weight vector of node; 𝜃𝜃(𝑢𝑢, 𝑣𝑣, 𝑠𝑠) – is a restraint due to distance from BMU, usually called the neighborhood function; 𝛼𝛼(𝑠𝑠) − is a learning restraint due to iteration progress. There are variants of detection of anomalies: • the network is learned on test data sets, contains a number of clusters. In the case of data containing an anomaly, the structure and number of clusters will begin to change; • transfer of new data for testing the trained network and its comparison, whether they suit for one of the formed clusters. In these cases, the anomalies can be identified by changing the number of existing clusters in the training model, the dynamics of change in the creation and coordination of neurons and the connections between them. It is also possible to detect anomalies in the deviation of the value of new measurements from the average value of existing neurons on which the network conducted training. It is quite problematic to perform dynamic counting methods in the methods of network activities. Neural network can change the number of neurons and the connections between them at each iteration. In addition, some algorithms collect and remove a fixed number of neurons at each iteration. Also, change of the number of clusters is not a reliable indicator of threat detection. The change of the deviations from the values of the existing neurons, on which the network has allowed training, is one reliable option. An adaptive adjustment, which is similar to semi-automatic learning with a teacher, can be used in the given method as can be seen from the block-scheme. The algorithm from the block-scheme uses not one deviation but the average deviation between the best neurons for more complete detection. Also, the arithmetical mean of all deviations included in this cluster of neurons is calculated for each cluster. The nearest neuron from the neurons formed during the training is found for the new data sets submitted for the neural network module test and the distance between them is calculated. Next, this distance is compared with the standard deviation for the cluster, which includes this neuron. If the distance between the neuron and the data submitted for verification is greater than the average deviation of the cluster, this data set is considered abnormal. Figure 5: Block-scheme of the clustering method based on the self-organized Kohonen map. 6. Description and results of work on test data To check the capacity of the developed neural network module, it was tested on the data set CSE- CIC-IDS2018 of the Canadian Institute of Cybersecurity. The module conducts training on a training sample from this set, which contains 1011 records. Then that set is re-submitted to the neural network module to check the correct training. The trained module was applied to complete data from the same set which was used to construct the training sample. The results are shown in table 2. After all the tests and making sure that the training was correct, the module was used to analyze real samples. Python with a neural network library called Scikit-Learn was used as the implementing language for the neural network module. There are a large number of machine learning algorithms based on the learning algorithms with and without teacher. This library does not set input data, so the NumPy library downloads the input data. The Scikit- Learn library specializes in neural network analysis algorithms for clustering, dimensional reduction, and anomaly detection. The NetworkX library is used for visualization, if necessary. This library is designed to work with network structures and graphs. Data for the neural network module is processed from the Snort preprocessor module using the standard csv module. The data is transmitted as a non-normalized NumPy array. With the help of the Scikit-Learn library the array data is converted to a normalized form. Further work is carried out only with normalized data. An undirected graph for visualization is built on the base of the read data. Also empty graph will be built, in which neurons and the connection between them will be added. Then the clustering method is applied repeatedly, where one of the values is transmitted, which is a set of coordinates of a point in multidimensional space. Obtaining data from this point, the clustering method selects the closest neurons of the internal graph and, if they are not satisfactory, creates new neurons and connections. Table 2 The result of the neural network module on the test data set Variable Value Description l_time 1869.00 Training time in seconds te_l_time 39.5 Test time in seconds on the set that formed a training sample te_t_time 125.61 Validation time in seconds on the complete data set of test sample g_l_perc 69.5 Percentage of detected anomalies for the set which formed the training sample g_t_perc 78.4 Percentage of detected anomalies for the complete data set of test sample f_l_perc 0.00 Percentage of false operations for the set which formed the training sample f_t_perc 6.9 Percentage of false operations for the complete data set of test sample The clustering method periodically saves the image with visualization, which is used twice: first to display the data, then to display the neural network over the data. After training, all saved images are united in gif. Specified parameters for test data: - number of learning steps for SOM – 7000; - number of normal records in the training sample – 516; - number of anomalous records in the training sample – 495: - number of normal records in the test sample – 2152; - number of anomalous records in the test sample – 9698; - full size of the test sample – 11 850. 7. Description and results of work on real data To check the capacity of the neural network module, a traffic dump was recorded using software of the traffic analysis for Snort computer networks. The recording was based on real data for 60 seconds from the Internet and made a test sample of 936,840 lines. This test sample was divided into 2 parts. The first 200,000 lines of the test sample were selected for training. The remaining 736,840 records were selected for testing the neural network module. With the help of the visualization module graphic representations of self-organized map were constructed after 46,000 steps and after 109,000 learning steps, which are presented in Figure 6. The self-organizing maps were built from 200,000 lines of network traffic that were routed to the neural network module through the Snort system preprocessor module. The basic structure of the self-organized map according to the graphic display was formed on 46,000 steps. And the main differences after 46,000 and after 109,000 iterations were not observed. The disconnected location from the main plane in this case is justified by the presence of packets in the test set of network traffic that are not typical for the total mass. Test data is submitted through the Snort system preprocessor module. Then, in the normal operation mode, the conclusions of the neural network are compared with the values obtained as a result of the operation of the intrusion detection module of Snort system. The number of detected anomalies of the neural network module and the number of detected anomalies by the intrusion detection module of Snort system are shown in Table 3 after building a self-organized map. Checking was performed on a test set consisting of 736,840 lines. Figure 6: Self-organized map after 46,000 and after 109,000 learning steps Table 3 The results of the neural network module on real data Description IDS Snort Neural network module Number of processed records 736 840 736 840 The number of detected anomalies 14 19 8. Conclusions This article analyzes the intrusion detection systems. The general processing mechanism of network events is considered on the example of the Snort detection system. The purpose of the analysis was to clarify the main problems of these systems and the possibilities of solving them through the use of neural network technologies. An adaptive module has been proposed that works in parallel with the Snort system rule set. The integration of such a module in parallel with the set of rules of the Snort system is due to the fact that the set of rules of the Snort system detects only known destructive traffic from its data base. The neural network module has the ability to detect unknown or altered variants of destructive traffic, which, in its turn, improves detection accuracy. After learning modern systems of neural network technologies, it was decided to detect anomalies using clustering methods of "map-network activity". Within the neural network technologies, the clustering problem is solved with the use of self- organizing Kohonen maps. The algorithm of clustering of the self-organized Kohonen map was described and the working method of operation of the neural network module according to this algorithm was offered. Experiments with the developed model of the neural network module showed the ability to detect attempts to attack the network. To check the capacity of the module on real traffic the comparison of the results of the neural network module with the intrusion detection module of Snort system was performed. The scientific novelty of the work: • A clustering method based on self-organized neural networks has been developed, which increases the accuracy of detecting anomalies in network traffic by 35–40%. • The structure of the intrusion detection system was improved on the base of the developed method, which allows to increase accuracy compared to other systems, to recognize previously unknown attacks, and to update the attack database for additional training and configuration of detection modules. 9. References [1] Khraisat, A., Gondal, I., Vamplew, P. et al. Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecur 2, 20 (2019). https://doi.org/10.1186/s42400-019-0038-7. [2] Sharma et al., Network Attacks and Intrusion Detection System. 2nd International Conference on Intelligent Communication and Computational Techniques (ICCT), pp. 280-283, 2019. [3] Veeramreddy Jyothsna and Koneti Munivara Prasad J. Cohen (Ed.). Anomaly-Based Intrusion Detection System. Computer and Network Security, 2018. DOI: 10.5772/intechopen.82287 [4] Shikha Agrawal, Jitendra Agrawal. Survey on Anomaly Detection using Data Mining Techniques. Procedia Computer Science. Volume 60, 2015, Pages 708-713. https://doi.org/10.1016/j.procs.2015.08.220. [5] Mohiuddin Ahmed, Abdun Naser Mahmood, Jiankun Hu. A survey of network anomaly detection techniques. Journal of Network and Computer Applications. Volume 60, January 2016, Pages 19-31. https://doi.org/10.1016/j.jnca.2015.11.016. [6] Abas Aboras, Mohammed Kamal Hadi. A Survey of Network Attack Detection Research. International Journal of engineering Research & Technology (IJERT), Volume 10, Issue 08, 2021. [7] Mohammed Maithem, Dr.Ghadaa A. Al-sultany. Network intrusion detection system using deep neural networks. ICMAICT 2020. doi:10.1088/1742-6596/1804/1/012138 [8] Prajoy Podder, Subrato Bharati, M. Rubaiyat Hossain Mondal, Pinto Kumar Paul, Utku Kose. Artificial Neural Network for Cybersecurity: A Comprehensive Review. Journal of Information Assurance and Security, Volume: 16, Issue: 1, 2021, pp.010-023. [9] Sarker, I.H. Deep Cybersecurity: A Comprehensive Overview from Neural Network and Deep Learning Perspective. SN COMPUT. SCI. 2, 154 (2021). https://doi.org/10.1007/s42979-021- 00535-6. [10] Yousef Abuadlla, Omran Ben Taher, Hesham Elzentani. Flow Based Intrusion Detection System Using Multistage Neural Network. 2018. [11] Elike Hodo, Xavier Bellekens, Andrew Hamilton, Christos Tachtatzis, Robert Atkinson. Shallow and Deep Networks Intrusion Detection System: A Taxonomy and Survey. 2017. https://doi.org/10.48550/arXiv.1701.02145. [12] Sergio Hidalgo-Espinoza, Kevin Chamorro-Cupuerán and Oscar Chang-Tortolero. Intrusion detection in computer systems by using artificial neural networks with Deep Learning approaches. 10th International Conference on Advances in Computing and Information Technology (ACITY 2020), November 28~29, 2020, London, United Kingdom Volume Editors : David C. Wyld, Dhinaharan Nagamalai (Eds). DOI: 10.5121/csit.2020.101501. [13] Halenar, Igor & Juhásová, Bohuslava & Juhás, Martin & Martin, Nesticky. (2014). Application of Neural Networks in Computer Security. Procedia Engineering. 69. 1209-1215. 10.1016/j.proeng.2014.03.111. [14] Alia AbuGhazleh, Muder Almiani, Basel Magableh, and Abdul Razaque. Intelligent intrusion detection using radial basis function neural network. 2019 Sixth International Conference on Software Defined Systems (SDS). РР. 200-208. [15] Liu, Xuejun et al. Improved RBF Network Intrusion Detection Model Based on Edge Computing with Multi-algorithm Fusion. International Journal of Computers Communications & Control, [S.l.], v. 16, n. 4, july 2021. ISSN 1841-9844. [16] Sheth H., Shah B., Yagnik S. A survey on RBF Neural Network for Intrusion Detection System. Int. Journal of Engineering Research and Applications. 2014. vol. 4. Issue 12. pp. 17–22. [17] Y. Dong, R. Wang and J. He, Real-Time Network Intrusion Detection System Based on Deep Learning, 2019 IEEE 10th International Conference on Software Engineering and Service Science (ICSESS), 2019, pp. 1-4, doi: 10.1109/ICSESS47205.2019.9040718. [18] Farzan, Ali. Intrusion Detection System Using Self Organizing Map Algorithms. 2014. 3. 585. [19] Vita Santa Barletta, Danilo Caivano , Antonella Nannavecchia and Michele Scalera. A Kohonen SOM Architecture for Intrusion Detection on In-Vehicle Communication Networks. Appl. Sci. 2020, 10(15), 5062; https://doi.org/10.3390/app10155062. [20] Subarna Shakya, Bisho Raj Kaphle. Intrusion Detection System Using Back Propagation Algorithm and Compare its Performance with Self Organizing Map. Journal of Advanced College of Engineering and Management, Vol. 1, 2015. DOI:10.3126/jacem.v1i0.14930. [21] A. Nicheporuk, Y. Klots, O. Yashyna, S. Mostovyi, Y. Nicheporuk. Prediction of entering processes into the deadlock state. Indonesian Journal of Electrical Engineering and Computer Science, 2019, 14(3), pp. 1484–1492. [22] O. Savenko, S. Lysenko, A. Kryshchuk, Y. Klots. Botnet detection technique for corporate area network. Proceedings of the 2013 IEEE 7th International Conference on Intelligent Data Acquisition and Advanced Computing Systems, IDAACS 2013, 2013, 1, pp. 363–368, 6662707. [23] Yu.P. Klyots, Yu.G. Savchenko, V.N. Cheshun. Trouble-shooting without dictionary: A new approach to diagnosis of digital devices. Upravlyayushchie Sistemy i Mashiny, 2001, (3), pp. 36– 42. [24] Sergii Lysenko, Kira Bobrovnikova, Oleg Savenko, Roman Shchuka. A Cyberattacks Detection Technique Based on Evolutionary Algorithms. 11th International Conference on Dependable Systems, Services and Technologies (DESSERT), 2020. Vol.1. pp. 127-132. [25] B. Savenko, S. Lysenko, K. Bobrovnikova, O. Savenko, G. Markowsky. Detection DNS Tunneling Botnets. Proceedings of the 2021 IEEE 11th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), IDAACS’2021, Cracow, Poland, September 22-25, 2021. [26] Shangytbayeva, G.A., Akhmetov, B.S., Karpinski, M.P., Beysembekova, R.N., Ospanov, E.A. Research distributed attacks in computer networks. Biosciences Biotechnology Research Asia, 2015, 12(1), pp. 737–744.