 Appearance of a large number of archived files in places where they should not be;  Use of non-original configurations of DNS servers and registry;  Changes in the configuration of the operating system, including on mobile devices.

The use of indicators of compromise (IOCs) in most cases allows information security specialists and system administrators to detect signs of attacks, intrusions, or other potentially dangerous actions, but it is necessary to detect existing indicators of compromise in the system, which is often a problem.

Considering the reality of the threats described above, it is evident that scientific research enabling the timely and confident detection of deviations in information processes is relevant. The success of such research will allow for the identification of vectors of cyber attacks and actions to neutralize such attacks [6-7]. A promising direction for scientific research in this field is the use of entropy indicators to evaluate various parameters of information system cybersecurity. This is evidenced by a significant amount of research in this area [8-12]. Modeling early anomaly detection is a relevant problem for many areas of human activity [13, 14]. Several approaches have been proposed and studied to solve this problem, which to varying degrees allow for the identification of anomalies and incidents of the information security in information systems [15, 16]. One of the main tasks in solving this problem is timely detection of system compromise indicators and warning of potential abuses in order to provide for prompt response measures.

Many authors of modern research assume that we have a standard situation with known accompanying circumstances, and under these idealized conditions, we can propose a new approach, a new or improved method, a modified algorithm, etc. This fully applies to sliding windows and their width. This technology has been applied for a long time, intensively and productively. However, authors usually start from the fact of a given width of the sliding window or do not focus on this parameter at all. The problem of determining an acceptable, and even more so, an optimal or at least justified value of its width is discussed very rarely by researchers.

The aim of this study is to determine the size of a sliding window at which a cyber attack vector or any cybersecurity anomaly can be reliably detected. The main tasks of researching and detecting anomalies in the operation of information systems are as follows:  not to miss the fact of an attack;  recognize the beginning of an attack at an early stage;  accurately recognize the attack and distinguish it from a typical event;  minimize the number of errors made in identifying the attack;  minimize the consequences of incorrect identification of the attack;  teach the system to distinguish an attack from a standard event at an early stage, and so on.

In many cases, a comprehensive application of different approaches in scientific research is effective. In the situation of detecting attacks, it can be useful to use methods and algorithms that belong to the following directions:  data recovery methods taking into account anomalies that arise;  image recognition methods;  machine learning methods;  time series analysis methods - determining similarity measures of series, comparing trends, and other aspects of this research direction;  statistical research based on various types of scales: fixed, interval, using membership functions, and so on.

To successfully and adequately apply the mentioned approaches simultaneously, it is necessary to take into account the features of multi-attribute choice and multi-criteria optimization. In addition, for the successful complex application of different approaches to the task of determining the beginning of an attack, it is necessary to consider the features of decision-making under fuzzy conditions.

The research conducted by the authors of this work on behavior traffic analysis using entropy values allows for the application of an expert approach to identify and classify different system operation conditions that cause changes in entropy. Visual analysis performed by the authors revealed that a highly skilled expert can distinguish and classify about 15 types of events. However, it is impossible to involve experts in solving this problem in everyday life. Therefore, it is logical to formalize this problem, involve high-level expert knowledge in its solution, and provide automated or automatic incident detection. To further investigate and refine the problem of identifying impacts on information security, heuristics will be introduced.

Heuristic E1. Based on the research of the entropy change graph, which reflects the behavior of the message source, it is possible to identify an attack with high accuracy.

Heuristic E2. To fully identify an attack on the system, several attack indicators must be present. The necessary conditions for an attack are a deep drop in entropy level and a significant increase in entropy level. However, if these two indicators are not related to each other, these indicators are insufficient to consider them individually as mandatory entropy indicators. It is obvious but necessary to formalize the behavior identification model with the following heuristic.

Heuristic E3. An attack is accompanied by a large range of entropy reduction at the beginning of the attack and a large increase in entropy at the end of the attack. In the future, it is also advisable to introduce heuristics for capturing the entire passage of the attack. Obviously, after determining the width of the sliding window, it is possible to automatically analyze the behavior of the function that reflects the level of entropy. It should also be noted that a risk-oriented approach allows for the classification of events that indicate the degree of risk of threat realization. Different scales can be used to classify events. In this work, we will introduce a five-level scale for classifying levels of impact on the system: 1  the informative level of impact  2  the low level of impact; 3  the moderate impact level;  4  the high or dangerous level of impact;  5  the critical level of impact.

Expert decision-making technologies can be applied at different stages of research and practical situation modeling [17, 18]. The study of entropy behavior and determination of the sliding window width using expert methods can serve as both an element of a broader study and a goal in itself. The authors of this study propose several options for expert determination of the window width, taking into account the limited capabilities of involving high-level experts to solve this problem.

Firstly, expert survey can be organized to determine the values of the sliding window width, both in individual expert survey and group expert survey. Secondly, to determine the window width in which the information about the attack is guaranteed to be present, a series of studies can be conducted in which the beginning and end of the attack are reliably recorded by expert means. As a result of the analysis of such a survey, the window width is determined based on statistical analysis of the data obtained from the experts. It should be noted that the width of the sliding window is an important parameter that significantly affects the speed and quality of attack research. This value may relate to different aspects of the study, so it is necessary to distinguish between different quantities with this name. The width of the sliding window should be considered in several aspects, including:  when studying trends in entropy changes;  when detecting anomalous function values;  for guaranteed event localization.

In such cases, precise approximation of the anomaly is not necessary, but using additional computer resources such as time and memory is also not sensible. When studying the behavior of a function that describes changes in entropy, we will distinguish at least several factors:  the number of events in the sliding window;  the diversity of different types of events in the window;  the range of entropy changes in the window.

Definition 1. We define a Window for Attack Detection (WAD) as the number of recorded events during which the beginning of an attack, the maximum entropy change, and the end of the attack can be reliably identified. The width of WAD is denoted by S1 .

Definition 2. A window for detecting standard events (WDSE) is defined as the number of recorded events during which the beginning, minimum/maximum entropy, and completion of the event can be determined. The width of WDSE is denoted by S 2 .

It is logical to assert that the size of the sliding window should be measured by the number of events recorded in the log in all cases. Such a coordinate system was adopted and successfully applied in a series of computational experiments. Based on visual observations, in all practical situations, it is obvious that the following relation always holds: ( 1 ) ( 3 ) ( 4 ) ( 5 )

It should also be noted that the use of a properly defined window allows for achieving a whole range of results. In order to ensure further automatic investigation of the behavior of the function that describes the entropy value in the system, it is necessary to investigate:  detecting peculiarities of the function graph behavior during attacks;  identifying common attack characteristics reflected in the graph;  finding the boundaries of the attack start and end, etc.

It should be noted that, with regard to relation ( 1 ), if the sliding window size is correctly defined, it is possible to correctly select and effectively apply the relevant mathematical tools.

It is evident that an attack can be studied by analyzing trends in behavior, particularly through the analysis of time series, which have been studied in works [19-21]. Trends are described using linear, logarithmic, power, and other equations, which have been investigated in works [22-24]. The authors proposed an approach that allows detecting a rapid change in trend behavior already in the early stages of its appearance. The validity of this approach has been verified and confirmed through a series of computational experiments.

Let a sequence of events be defined and recorded in a log, the number of which is equal to t. We will denote the set of these events by T , and represent the sequence of the events using indices i  T  1,..., t. ( 2 )

To clarify the decision-making situation, ensure transparency in further modeling, and refine the mathematical model to be constructed, it is necessary to formulate another heuristic. The introduction of such a heuristic is associated with the fact that in practical decision-making situations, thousands of events need to be researched and analyzed.

Heuristic E4: Each discrete element ( 2 ) corresponds to dozens or hundreds of events in specific cases, which in our mathematical model are indivisible and can be modeled by discrete elements ( 2 ).

Taking into account heuristic E4, we will denote the entropy value for each event by ai , i T .

To investigate the patterns of behavior of the values of the sequence ( 3 ), we will define WDSE, for example, in the interval of   1, t / 2.

For each i-th discrete element, to which the next block of events, i  T , of the form ( 2 ) corresponds, we will determine the values of the ratio between the current and the next discrete element

In situations where entropy values may be zero, some sufficiently small values   0 may be added to the denominator in formula ( 4 )

bij  ai / ai j where j  1,..., .

bij  ai / ai j    where j  1,..., .

It should be noted that the introduction of specific values of the variable   0 is also a heuristic, but in this work, there is no need to investigate the dependence of experiments on the size of this variable. Therefore, we will not focus on the influence of the value of   0 on the convergence of the procedure and the features of the computational experiment. The following two heuristics are fair:

Heuristic E5. It is obvious that the presence of values within the window width ( 4 ) of the type ( 3 ), which are significantly larger than the values in the series ( 3 ), can serve as indicators of a trend change when there is a sharp decrease in entropy. The formal aspect of this heuristic will be presented below, along with the further exposition of the research logic and the descriptive computational experiments.

Heuristic E6. In the opposite case to Heuristic E5, the presence of values of the type ( 5 ) that are significantly smaller than the inverse values in the series ( 3 ) are indicators of a trend change when there is a sharp increase in entropy. Finally, a heuristic for decision-making can be formulated for this situation.

Heuristic E7. The presence of several values of the type ( 5 ) that are described by heuristics E5 and E6 is a criterion for a sharp trend change. There may be at least two approaches for algorithmically determining the indicators that reflect the behavior of different event log fragments in an integral form:  multiplicative approach;  additive approach.

Let's introduce notation for the window size, the dependency of which we will investigate in determining further criteria. Taking into account Heuristic E4, we will denote by v  2 the window size based on which we need to calculate the criteria values that reflect the presence or absence of attacks on the information system. To investigate the behavior of an information system that reflects the dynamics of entropy values at each moment in time, let us introduce the following criterion function:

v1   i1 ai  av , якщо av1  av QM t, v    v1

 i1 ai / av , якщо av1  av

An additive approach can also be applied to investigate the behavior of a function that reflects the dynamics of entropy values at each moment in time. In this case, the behavior of such a function can be introduced and investigated:

For each level of impact classification scale from to , boundary values of the criteria QM 1,..., QM 5 can be determined. It would be useful to supplement the decision-making situation we are investigating with an additional heuristic that will contribute to the refinement and formalization of our research situation.

Heuristic E8: The extreme values of the criterion function ( 6 ) for the standard (normal, stable, etc.) operation of the information system and the extreme values of the function ( 6 ) for the attack differ significantly in magnitude. Variations of the values of v  2, and t  1, 2,... will allow the researcher to determine the combinations of function values and arguments, or intervals of such values, that best correspond to the conditions of situation classification and the probability of an attack on the information system. ( 6 ) ( 7 ) iv11 ai  av , якщо av1  av Q A t, v    v1

i1 ai  av , якщо av1  av

In this case, the behavior of criteria of the form ( 6 ) and ( 7 ) differs from each other. Therefore, there is an opportunity for the integrated use of these tools to improve early detection methods of cyber attacks or other impacts on the information system. Based on the conducted research, which was a combination of expert methods and calculations based on formulas ( 6 )-( 7 ), critical values of the function K were determined, at which the situation reflected in values ( 3 ) can be classified with a high degree of certainty as belonging to one of the variants of the impact risk of 1,..., 5 .

It should be noted that the application of the proposed approaches indirectly solves the problem of the sliding window size. Clearly, the indicators of the situation classification are the values of functions ( 6 )-( 7 ). Depending on the value of the parameter, which can be interpreted as the window size, the functions ( 6 )-( 7 ) take on certain values. Based on the magnitude of these values, one can draw conclusions about the degree of danger of impacts on the information system, i.e. about the classification of the decision-making situation into one of the classes 1 5 introduced by us.

For the investigation of the methods described in this work, individual fragments of the event log were considered. The computational experiment was conducted on three fragments, all of which were unambiguously identified by the experts as reflecting the normal operation of the system. One fragment was also selected for which an attack was emulated.

It should be noted that to ensure the purity of the experiment, communication channels, external networks, etc., were disabled. Such measures were taken to ensure the absence of communication with sources from which a potential attack can be expected.

A whole range of decision-making situations were considered, where the entropy values, from the experts' point of view, confidently correspond to the normal functioning of the information system. Several fragments of this situation are presented in this work in figures 1-3. In addition, figure 4 will show a fragment that undoubtedly contains an attack on the information system, deliberately provoked by the experiment organizers. For example, among the hundreds of decision-making situations investigated, we will select some of the most characteristic situations. To illustrate the course of the computational experiment and the detection of a change in the behavior gradient of the function, we will consider information on entropy, which we will present in the form of tables 1-3. Let's present Table 1 as a graph - Figure 1, which visualizes the behavior of the information system in situations of cyber attacks or other incidents. Among the hundreds and thousands of decision-making situations that have been reflected in the event log, those that best reflect the normal functioning of the information system have been identified through expert analysis. The numerical indicators for three such typical situations of standard information system functioning are presented for illustration in Table 1, Table 2, and Table 3. Table 2 is visualized as Figure 2. Obviously, this graph differs from Figure 1, but it also represents indicators that correspond to normal functioning of the information system. Table 3 is represented in Figure 3. In the computational experiment, hundreds of fragments were analyzed, samples of which are presented in Figure 1, Figure 2, Figure 3.

Based on the results of the conducted experiment, it was shown that the method presented in this paper allows for identifying the beginning of an attack after only 4-5 discrete units ( 2 ). By applying additional criteria, the confidence in the presence of an attack or incident during event log analysis can be significantly increased. Additional criteria may include a decrease in entropy value, continued monitoring of the behavior of the function that reflects entropy, and so on.

Algorithms for computing potential threats through trend analysis, similar to the algorithms described by formulas ( 2 )-( 5 ), can be developed to expand the toolkit for researching attacks and incidents. Using precedents for analyzing the similarity measures of series and identifying patterns in the behavior of the function that describes the change in system entropy is also promising. In the future, automated tracking of trend behavior and identification of situations such as plateaus, sharp or smooth growth, and declines are planned. Support for decision-making regarding trend similarity will be provided by analyzing the range of entropy values within a justified window.

The behavior of the entropy change function can also be approximated using primitive shapes such as triangular functions [25-27]. In addition to the multiplicative and additive approaches proposed in this paper, neural networks [28, 29] can also be used for decision-making in this situation. In this case, the neural network identifies the nature of the functional dependency during normal operation of the information system and changes in dependencies during situations that experts identify as attacks. The neural network determines the type of functional dependence during normal system operation and changes in dependencies during situations that experts identify as attacks, thus identifying patterns in the behavior of entropy and the relationship between functions that reflect the dynamics of entropy change.

In order to increase confidence in the identification of the decision-making situation and the classification of the level of danger, several approaches can be simultaneously applied in a complex [30, 31]. To increase confidence in identifying situations and decision-making, multiple approaches can be simultaneously applied, necessitating the use of multi-criteria optimization methodology [32, 33]. 11.

The paper proposes a model for early detection of anomalies and incidents in information systems. A scheme for early detection of anomalies is proposed. Approaches to determining the window width in studying the operation of the information system are discussed. The algorithmic determination of trend change intensity is described. The computational experiment described in this paper demonstrates an example of detecting a change in the gradient of the criterion function's behavior. The application of research related to numerical series is a promising direction and has broad prospects when various methods are applied together. It should be noted that this paper describes an idealized situation for detecting an attack. After a series of additional studies and computational experiments, the approaches described can be applied to real decision-making situations.

Prospects for further research on detecting cyber-attacks, incidents, and anomalies in the functioning of information systems are also identified. It is clear that the subject of research can be significantly expanded in the future, as the detection of anomalies in the functioning of complex systems of various kinds is a popular direction for scientific research. 12. References