The organization of data processing centers based on a Distributed Information System (DIS) provides an opportunity to significantly expand the functionality of the specified network services and increase the flexibility of the corresponding architecture depending on the requirements for optimization, reorganization and scaling of the general infrastructure, which determines the prevalence of the specified approach today. However, it should be noted that at the same time, the toolkit of a potential attacker is also expanding, which can be used in the implementation of unauthorized access to the service of the data processing center, with the subsequent task of significant material and reputational damage to the owners of the service [ 1 5 ]. This indicates the high urgency of solving the task of developing a holistic methodology for protecting network services from external threats, in accordance with the concept of a Security Information and Event Management System (SIEM), the generalized scheme of which is presented in fig. 1. This technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The development and optimization of SIEM system architecture is a complex task, the solution of which includes the definition of the following key components, according to which the following groups of target indicators can be obtained:

1. Peculiarities of identifying signs of a cyber attack by the SIEM system: typical samples from the library of the training set or high-level signs.

2. The object of the cyber attack: the hardware platform of the SIEM complex, network protocols of the service, the operating system, software applications and blocks of customer data stored on the service platform.

3. The purpose of the cyber attack: unauthorized access, illegal copying of data or making changes, disruption of the stable operation of the information network, external control by an unauthorized user.

4. The method of monitoring the actions of a potential attacker using the SIEM system: machine analysis of software code samples, the order of execution of procedures, the life cycle of a cyber attack.

The identification of features of the organization of software code samples, behavior and the life cycle of a cyber attack, both at the level of typical components and at the level of high-level features, is most effectively implemented through the use of machine analysis based on neural network algorithms [ 2-11 ], and deep learning neural network algorithms (DL-ANN: Deep Learning Artificial Neural Networks) in particular.

Within the framework of this study, an analysis of relevant scientific publications was conducted and it was noted that neural network algorithms that can be used in the construction of algorithms for machine analysis of software code samples in order to identify signs of cyber attacks should be divided into the following groups according to the organization of the architecture: • a neural network of the autoencoder type, which can be extended to a multilevel autoencoder type architecture for the selection of high-level features [ 2, 3 ] which can be extended to a neural network architecture of deep learning such as a multilayer autoencoder; • deep belief neural networks (DBN), considered as generative graph models [ 4, 5 ]; • recurrent neural networks (RNN), on the basis of which machine analysis with sets of event sequences is effectively carried out [ 6, 7 ];

• convolutional neural networks (CNN), used to highlight typical code patterns; within the framework of this task, it should be noted that the choice of CNN provides an opportunity to reduce the load on the computing resource of the general complex of machine analysis [ 8, 9 ]; • recursive neural networks (RvNN), based on the recursive application of one set of weights to a structured data set [ 10, 11 ].

At the same time, it is necessary to build appropriate mathematical models, propose quantitative indicators of the effectiveness of neural network algorithms, determine the extrema of the objective functions, and correlate the obtained results with statistical data in order to assess the performance of neural network algorithms accurately. This is considered as an unresolved part of the general research.

Thus, the aim of this work is to develop a methodology for optimizing SIEM system neural network algorithms, which can be effectively used within the framework of the organization of the distributed network infrastructure scheme in data processing center. 2. Principles of adaptation of deep learning neural network architecture for cyber attack detection

The research is based on the construction of an adequate mathematical model of the machine analysis procedure for the purpose of detecting a cyber attack on the DIS infrastructure. Thus, includes the need to calculate such target indicators as the accuracy of the classification of program code patterns and the order of execution of procedures, the total load on the components that determine the computing resource, RAM and information storage of the hardware platform of the corresponding service, as well as time processing of the flow of input data in accordance with the actual task of working in real time (Fig. 2). In order to justify the costs of the event collection and correlation system, it is necessary that the data not only was entered into the consolidated storage for their further analysis by the fact of the incident, but also processed.

It is obvious that the tools of the given system will significantly speed up the incident analysis process. However, the main task of cybersecurity system is timely detection, prompt response and prevention of threats. For this, it is necessary to draw up the rules of correlation by drawing the risks relevant for the company, as well as constant updating of the rules by specialists.

At the same time, deep learning neural network architecture require to learn the attack model from historical threat data and use the trained models to detect intrusions for unknown cyber threats. Thus, machine learning-driven solutions used to detect rare or anomalous patterns can improve detection of new cyber threats and zero-day vulnerabilities.

DLNN solutions collect and correlate alerts, allowing analysts to gain more insight into a security incident or attack and free up more time for more important investigations. Accordingly, these systems analyze large volumes of data coming from multiple sources, monitor suspicious behavior, automatically respond to potential attacks, and eliminate them, detect threats, notify about them, then investigate and remediate them. Robust analytics are critical to understanding threats and make it easy for experts to find threats that might otherwise go unnoticed, and provide visibility into their timeline.

At the same time, the researchers indicate the advantages of using the DL-ANN architecture within the specified task, the adaptation features of which can be defined to the following categories (Fig. 3): 1. Productivity of machine analysis, which includes increasing the accuracy of pattern selection, tools for selecting high-level features, as well as effective work with large data sets, the relevance of which increases with the exponential growth of the bandwidth of information channels and the volume of information storage.

2. Increasing the load on the computing resource, as well as the RAM resource and information storage of the machine analysis complex, which may be unacceptable according to the limitations of the hardware complex. 3. An increase in the time of processing input data, which may be unacceptable in accordance with peak loads when processing input data under real-time operating conditions, as well as the time of learning neural network algorithms on the training sample.

Thus, the task of optimizing algorithms based on the neural network architecture of deep learning for the detection of cyber attack patterns, within the framework of the study, is solved by determining the global maxima of the objective functions of the accuracy of machine analysis, the global minima of the load on the computing resource and the resource of the hardware platform, as well as the global minimum of the input flow processing time data when working in real-time mode under the conditions of hardware platform resource limitation. In order to determine the quantitative indicators of the accuracy of the identification and classification of cyberattack patterns, according to the statistical are introduced:     as the number of true positives (TP) results of machine analysis; as the number of true negatives (TN) results of machine analysis; as the number of false positives (FP) results of machine analysis; as the number of false negatives (FN) of machine analysis results. results of the study in relation to the total number of objects of analysis , the following designations cyber attack patterns indicators can be introduced: In addition, for the convenience of building a mathematical apparatus, additional statistical   and and as the total number of true and false classification results; as the total number of negative and positive classification results.

Based on the specified static indicators, the objective functions of the accuracy of program code pattern classification can be calculated as (AL: Accuracy Level) and (PL: Precision Level):

[ = = , де [ = = + +

In accordance with the specified objective functions of the accuracy of classification, an assessment of the performance of the application of neural network algorithms can be carried out while limiting the allowable processing time of the input stream of a fixed data volume for identical computing resources and memory resources of the hardware platform. (1) 3. Evaluation of the performance of neural network algorithms according to the target indicators of accuracy of machine analysis

In order to evaluate the performance of the application of neural network algorithms in accordance with the target indicators of the accuracy of machine analysis, it is proposed to conduct research for neural network architectures, which are considered relevant in solving the problem of identifying and classifying cyber attack patterns nowadays. At the same time, it is proposed to compare classical neural network architectures, which are characterized by a minimal load on the hardware resource of the machine analysis system, with neural network architectures of deep learning [ 4 -7, 10-13 ] .

At the first stage, based on a set of statistical analysis indicators { , , , } presented in studies [ 2, 3 ], it is proposed to determine the ranges of values for the above objective functions { }and { }for the architecture of the autoencoder and multi-level autoencoder according to equation (1).

The calculation results are shown in fig. 3. It demonstrates that the specified neural network architecture shows mediocre performance values.

When moving from a standard autoencoder (values of the objective functions 0 and 0 ) to a deep learning neural network of the multi-layered autoencoder (values of the objective functions + and + ), the accuracy of the analysis does not increase, but the spread of values significantly decreases, which makes it possible to fix the target indicators at the maximum possible level of this model of values. The reliability of the application of the deep learning architecture is based on the comparison of the values obtained at the output of each layer, which corresponds to a separate autoencoder, with the next layer.

In turn, neural network algorithms based on DBN architecture are based on the composition of basic neural networks and classification layers. Within the framework of the SIEM system , the specified approach is used to highlight high-level features of the software code at the level of deobfuscation.

In addition to the basic architecture (values of the objective functions and ), the research paper presents modeling results for DBN with a linear regression function (LR: Linear Regression). It is the value of the objective functions and and the elements of the architecture of the probabilistic neural network (PNN) are the values of the objective functions and , respectively [ 12, 13 ]. As the simulation results show, neural network algorithms based on the DBN architecture with LR layers provide maximum accuracy in both indicators ( ∈ [97%, 98%] and ~98%, respectively) with minimal spread ( ∆ ~2%and ∆ ~1%, respectively).

The last group of neural network architectures, which was considered in this paper, includes such architectures as CNNs using a long chain of short-term memory elements (LSTM - Long Short-Term Memory) which includes the next values:  the value of the objective functions and , RNN , where the problem of short-term memory is also solved through the use of the LSTM scheme , the value of the objective functions and , RvNN with internal memory, which makes it possible to perform machine analysis of code sequences of arbitrary length, which increases performance systems when working with large arrays, the values of the objective functions and , as well as neural network algorithms based on the restricted Boltzmann machine ( Restricted Boltzmann Machines , RBM ) are the values of the objective functions and .

As the simulation results demonstrates, neural network algorithms based on the RNN architecture with the LSTM scheme provide maximum accuracy in both indicators ( ~96%and ~96%, respectively) with minimal spread ( ∆ ~1%and ∆ ~1%, respectively).

The main advantage of the particular scheme is the flexibility of convolutional operators in reducing the number of parameters. As a result, the CNN-LSTM network is becoming deeper. Such networks provide superior performance by simulating signals in temporal information and provide highly efficient threat level detection of suspicious events using a long chain of short-term memory cells. The final classification layer of the CNN-LSTM architecture is a fully connected layer that provides a final decision on the threat level within a certain period of time for each new SIEM instance.

In this way, the proposed approach can be adapted for a wide range of tasks in the field of organization, configuration and optimization of the SIEM scheme through the assessment of the accuracy of machine analysis in the selection and classification of cyber attack patterns according to a specific task (threat level, volume of incoming data flow and available computing resource and the memory resource of the hardware platform of the service). 4. A comprehensive technique for evaluating the performance of neural network algorithms

In order to build a universal methodology for evaluating the performance of machine analysis with the aim of further adapting it according to specific tasks, the above target functions of the accuracy of determining and classifying cyber attack patterns should be supplemented with such categories as the ratio of false results and the ratio of correct detection results ( and , respectively) and the completeness indicator : and on the basis of the objective functions indicator can be determined as: , and in turn, the F1 -classification accuracy

Thus, the task of optimizing the complex of machine analysis based on neural network algorithms for the detection and classification of cyber attack patterns can be reduced to the task of finding the global extremum of the objective function, as suggested above. At the same time, in accordance with the specific task of the organization of the SIEM system, one of the accuracy functions of the set , , and 1is considered as a target function, and for the others, together with the indicator of the number of false classification results or the indicator of the number of true classification results , permissible limits are introduced:  permissible limits of the number of false or true pattern classification results as ∈ [0%; ]or ∈ [ ; 100%], respectively, where the values of and are chosen in accordance with the requirements determined at the level of the SIEM -system organization depending on the task;  permissible limits of the classification accuracy function ∈ [ ; 100%], where the value is chosen in accordance with the requirements determined at the level of the SIEM -system organization, depending on the task;  permissible limits of the classification accuracy function ∈ [ ; 100%], where the value is chosen in accordance with the requirements determined at the level of the SIEM -system organization, depending on the task;  permissible limits of the classification accuracy function ∈ [ ; 100%], where the value is chosen in accordance with the requirements determined at the level of the SIEM -system organization, depending on the task;  permissible limits of the F 1 classification accuracy indicator F1 ∈ [ F1 ; 100%], where the value F1 is chosen in accordance with the requirements determined at the level of the SIEM -system organization, depending on the task.

According to the proposed approach, the arguments of the objective function and the functions that determine the permissible limits set by the researcher will be the following categories:  a set of parameters defining the neural network architecture;  a set of parameters that determine the selection of the activation function;  set parameters that determine the peculiarities of neural network training and preparation of the training sample.

The specified technique allows to generalize the currently relevant approaches to optimizing machine analysis in order to detect cyberattacks on the components of the infrastructure of the data processing center, represented as DIS , and can be used in the future to solve a wide range of tasks related to the organization, configuration, reorganization, scaling and optimization of the SIEM -system.

In conclusion, there was presented a strategy based on neural network algorithms to raise the data center protection against distributed cyber attacks in this paper. As a result of the work carried out, the peculiarities of building mathematical models, which are used for the evaluation and optimization of neural network algorithms for the selection and classification of cyber attack patterns, in particular algorithms based on the neural network architecture of deep learning, were analyzed.

At the same time, within the framework of this study: • a generalized scheme for detecting external threats at the level of the information security event management system was developed;

• approaches for adapting the neural network architecture of deep learning to identify cyber attack patterns are proposed;

• the ranges of accuracy of detection of cyber attack patterns when using autoencoder neural networks, multi-level autoencoder, deep belief neural networks, convolutional neural networks, recurrent neural networks, recursive neural networks and restricted Boltzmann machine are determined; • the toolkit for evaluating the performance of the application of neural network algorithms has been expanded through the introduction of a set of machine analysis accuracy indicators, which act as target functions and permissible limits defined at the quantitative level.

It is shown that the presented mathematical model is generalized and when the mathematical apparatus is expanded, it provides an opportunity to organize, configure, reorganize, scale and optimize the SIEM system at an automatic level for a wide range of tasks that arise in the organization of data centers. 6. References