Analysis of approaches to minimize false results in the process of detecting anomalies by cyber defense systems
Abstract
In the context of researching the problem of detecting unknown (new) cyberattacks on information and communication systems (ICS), the feasibility of an anomaly detection approach, which shows the greatest potential among the alternative methods, is substantiated. The types of errors that occur during anomaly detection with the most common methods, as well as their causes, are examined: low data quality and incompleteness, concept drift, class imbalance, and contextual exploitation factors. A comparative analysis of approaches aimed at reducing the number of false results produced by cybersecurity systems during anomaly detection is presented, and their advantages and disadvantages are described. A domain-oriented scheme for assessing the threat posed by anomalies is proposed: an event is analyzed according to its relevant domain (memory, file system, network, access, database) with predefined feature pools. Three components are evaluated: the predictive consistency of the event chain (the discrepancy between the expected and actual trajectory), contextual consistency based on the "subject-action-object" architecture, and the change in ICS state before and after the anomaly. Combining predictive, semantic, and system-state information makes it possible to distinguish technical failures from targeted attacks on a reasoned basis and to reduce the probability of false conclusions in scenarios involving unknown cyberattacks. Additionally, a contextual history of suspicious events is maintained to track potential cyberattacks distributed over time. The proposed scheme is considered a basis for formalizing criteria, algorithms for selecting domains and their corresponding features, decision-making rules, and verification procedures aimed at the development of intelligent cybersecurity systems for critically important ICS.
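The three-component assessment outlined above, sketched as an added Python example (not code from the paper): the expected trajectories, the subject-to-object policy, the sensitive state keys, the decision rules, the history window and the sample events are all constructed assumptions chosen to make the scheme runnable, not values the paper publishes.

```python
from collections import defaultdict

# Constructed, hypothetical expectations and policy; the paper publishes no concrete values.
EXPECTED_NEXT = {("file_system", "open"): {"read", "write", "close"},   # expected trajectory
                 ("network", "connect"): {"send", "recv", "close"}}
POLICY = {"backup_svc": {"/var/backups"}, "web_app": {"db:5432"}}  # subject -> allowed objects
SENSITIVE_STATE = ("admin_accounts", "listening_ports", "persistence_entries")  # attack-relevant keys

def predictive_score(domain, prev_action, action):
    """1.0 if the observed action leaves the expected event trajectory, else 0.0."""
    expected = EXPECTED_NEXT.get((domain, prev_action))
    return 0.0 if expected is None or action in expected else 1.0

def contextual_score(subject, obj):
    """1.0 if this subject is not expected to act on this object (subject-action-object check)."""
    return 0.0 if obj in POLICY.get(subject, set()) else 1.0

def state_score(before, after):
    """Fraction of sensitive ICS state keys that differ between the before/after snapshots."""
    return sum(before.get(k) != after.get(k) for k in SENSITIVE_STATE) / len(SENSITIVE_STATE)

def classify(event, prev_action, history, window=2):
    """Combine the three components and the subject's suspicious-event history into a verdict."""
    p = predictive_score(event["domain"], prev_action, event["action"])
    c = contextual_score(event["subject"], event["object"])
    s = state_score(event["before"], event["after"])
    if c > 0 and s > 0:               # out-of-context action that altered sensitive state
        return "targeted_attack"
    if p > 0 and c == 0 and s == 0:   # off-trajectory but in context, nothing sensitive changed
        return "technical_failure"
    if p + c + s > 0:                 # ambiguous: retain it to catch attacks spread over time
        history[event["subject"]].append(event["action"])
        return "distributed_attack" if len(history[event["subject"]]) >= window else "suspicious"
    return "benign"

def run_demo():
    base = {"admin_accounts": 1, "listening_ports": [443], "persistence_entries": 0}
    opened = dict(base, listening_ports=[443, 4444])          # a new listener appeared
    def ev(domain, subject, action, obj, after):
        return {"domain": domain, "subject": subject, "action": action,
                "object": obj, "before": base, "after": after}
    seq = [("open", ev("file_system", "backup_svc", "retry", "/var/backups", base)),
           ("connect", ev("network", "web_app", "send", "db:5432", opened)),
           ("connect", ev("network", "web_app", "send", "db:5432", opened)),
           ("connect", ev("network", "web_app", "connect", "10.0.0.9:4444", opened))]
    history = defaultdict(list)
    return [classify(e, prev, history) for prev, e in seq]
```

The constructed sequence yields one technical failure (off-trajectory retry by an authorized subject with no sensitive state change), two in-context events that nevertheless altered sensitive state and are retained until the history window escalates them, and one targeted attack.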