Features of the Practical Implementation of the Method for Managing Observations of the State of Monitored Objects in Intrusion Detection Systems

Abstract

This article discusses the possibility of generalizing the existing methods of optimization of observations to the problems of resource management of intrusion detection systems. The aim of this work is to study the applied aspects of the application of the surveillance optimization method, which increases the efficiency of using the resources of intrusion detection systems. The set goal of the work was achieved through the following tasks: (1) on the basis of experimental data, the development of a dynamic model of the controlled object and the observation model was carried out; and (2) numerical modeling of the solution to the problem of optimizing observations of the state of monitored objects in the intrusion detection system was carried out. As a result of this research, modern approaches to the management of resources of intrusion detection systems have been analyzed. A practical study of the possibility of using the mathematical apparatus for optimizing observations in relation to the problems of resource management of intrusion detection systems has been carried out. The most important scientific findings are as follows: (1) model of the dynamics of the controlled object; (2) model for monitoring the state of controlled objects; and (3) procedure for optimizing the plan for monitoring the state of monitored objects in intrusion detection systems. The significance of the results obtained is confirmed by a numerical experiment, within the framework of which a relative gain in the accuracy of assessing the state of controlled objects of 99.9% was obtained in comparison with a uniform observation plan.

1. Introduction

In modern society, the role of information technology is constantly growing, as it makes our lives more convenient. These technologies have become firmly established not only in our everyday life but also in almost all spheres of human activity: economic, managerial, social, industrial, scientific, etc. However, along with undeniable advantages, these technologies bring new problems locally and globally. The number of crimes in the field of information technology is growing rapidly [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25]. Cyberattacks carry a wide range of malicious impacts from the most harmless, such as displaying a banner or playing a sound signal on a local machine, to stealing the confidential data of millions of people. This makes the problem of ensuring information security extremely important [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25]. There are many software and hardware tools for ensuring the cybersecurity of information systems, an important place among which is occupied by intrusion detection systems (IDS) [2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25]. In modern literature, much attention is paid to the principles of functioning of such systems. In the most general form, intrusion detection systems can be divided into two classes: signature-based intrusion detection systems (SIDS) and anomaly-based intrusion detection systems (AIDS).

The operation of SIDS is based on comparing the current state of a controlled object, for example, a local computer or a network segment, with some sample (signature) of a previously known attack [2,6,7,8,9]. Such signatures are sequences of commands, actions that were previously identified as an intrusion. Traditional SIDS inspect network packets and attempt to match them against a signature database that is generated by the IDS developer based on analysis of known intrusions into information systems. Of course, such databases are constantly updated with new signatures, but their major drawback is the ability to detect only known intrusions. They are immune to new, unknown types of attacks.

AIDS have become very popular due to their ability to detect so-called zero-day attacks, i.e., attacks for which signatures cannot be extracted [2,10,11,12,13,14,15,16,17,18,19,20,21,22,23]. These are new types of attacks or attacks using polymorphic technologies, encryption, etc. In AIDS, a “normal” model of information system behavior is formed. Any unacceptable deviation between the behavior of the controlled object and the “normal” model is regarded as an anomaly, which can be interpreted as an intrusion.

Intrusion detection methods in AIDS can be divided into three main groups: methods based on statistics, knowledge-based methods, and machine learning-based methods.

Methods based on statistics include the collection of statistical data and the construction of a model of the “normal” behavior of the information system [2,15,16].

Knowledge-based methods use information about installed software, current protocols, allowed TCP ports, and so on [2,17,18].

Machine learning methods involve the use of complex neural network algorithms, clustering, genetic algorithms, etc. [2,4,19,20,21,22,23].

In AIDS, the Kalman filter can be used to detect anomalies [24,25]. The article [24] states that new types of attacks have been appearing recently, and traditional approaches of detecting them using methods based on statistics are not always effective. The same article presents a method for detecting anomalies based on the use of the Kalman filter. This method proved to be much more effective than traditional methods. The article [25] provides an effective method for using Kalman filtering in hierarchically distributed intrusion detection systems. Thus, the use of the Kalman filter in intrusion detection systems is relevant and promising, since this approach corresponds well to the logic of the problem being solved. The Kalman filtering algorithm shows good results in the presence of a large amount of a priori data about the filtered process. Based on these data, the so-called “reference trajectory” is constructed, which is already used in the a posteriori block. This is consistent with the principles of intrusion detection systems based on statistics, for which a model of “normal” behavior is built based on statistical observations, which is later used to identify abnormal behavior. However, it is much easier to identify anomalies after filtering the information process, since this eliminates the influence of random factors.

A significant reserve for improving the quality indicators of filtering the dynamic trajectory of controlled objects is the optimization of the control of observation processes. At present, there is a well-developed mathematical apparatus for the optimal control of observations, which is used in practice in navigation systems, radar, and information-measuring systems [26,27,28]. However, at present, there are many technical problems for which this mathematical apparatus could also be successfully used, for example, in communication network monitoring systems, intrusion detection systems, etc. Therefore, within the framework of this article, we will consider the features of applying the classical theory of observation management in AIDS.

There are currently two main directions in the theory of observation management [28]. The first of them is related to the use of static and regression models of the processes being evaluated. The second direction is related to the optimization of observation management in dynamic systems. Dynamic optimization problems of measuring processes are interpreted as problems of controlling the accuracy of Kalman filtration. This interpretation is the most general, since it includes simpler cases corresponding to the theory of planning regression experiments. The noted generality lies in the possibility of including in the dynamic model of the experiment such factors as: the stochastic nature of the information process, the correlation of observation errors, restrictions on the intensity of measurements, as well as a number of other factors, which are either impossible or difficult to account for within the regression model. The more general nature of the planning tasks determines the complexity of their solution in the initial statements. This is explained by the complexity of the model of the observed process described in the case of continuous time by a system of stochastic differential equations. There are several approaches to solving such problems.

The first of them treats the initial optimization problem as a problem of controlling directly the accuracy of the Kalman filter. The accuracy characteristics of the Kalman filter are determined by the a posteriori covariance matrix of estimation errors and described by a nonlinear matrix differential equation (the Riccati equation). This equation defines a “fictitious” dynamic system for which various optimization problems can be formulated [28]. The terminal-type quality criteria are used here. This approach is based on the application of the Pontryagin maximum principle, which provides, according to [28], necessary and sufficient optimality conditions. However, the application of this approach to the synthesis of optimal laws for controlling observations encounters a number of difficulties. This is due to the fact that in order to determine the optimal control functions, it is necessary to solve a matrix nonlinear two-point boundary value problem [28]. Due to the nonlinearity of the Riccati equation, as well as the large dimension of the covariance matrix of estimation errors, the solution of this problem is problematic and requires the use of rather complex numerical methods that do not always have a sufficient degree of convergence.

The second approach [28] is based on the analytical properties of the Riccati equation, the use of which allows for an equivalent transition from the initial nonlinear optimization problems to control problems of a linear dynamic system in phase variables, which is a projection of the so-called Hamiltonian system onto a vector space [28]. For each specific problem and the terminal optimality criterion, the type of projection is determined, that is, the number of Hamiltonian variables sufficient to form the initial criterion. This approach is also based on the application of the Pontryagin maximum principle. It makes it possible to obtain numerical algorithms for constructing optimal observation control laws that have monotonic convergence and allow to build consistently improving measurement strategies.

Of great practical interest is the second approach, which allows us to obtain constructive results when solving problems of optimizing observations. It is this approach that is used in the framework of the studies described in this article.

As part of this research, it is assumed that the intrusion detection system monitors the state of several controlled objects included in the telecommunications network. It is assumed that the Kalman filter is used in the system to improve the quality of the assessment of the state of objects. It should be noted that this article does not consider the issues of filtering and searching for anomalies in the behavior of objects, since they have been researched quite extensively to date. It seems relevant to study the possibility of using the mathematical apparatus for optimizing observations in relation to the tasks of resource management of IDS.

The mathematical formulation of the problem described above is provided in the second section. The general algorithm for solving this problem is also considered there. Later in the article, in the third section, the results of mathematical modeling are presented, confirming the effectiveness of the proposed method of optimizing AIDS resources. The fourth section contains a discussion of the results obtained in the framework of this work. The fifth section summarizes the results and makes a general conclusion.

2. Materials and Methods

2.1. Formulation of the Problem

To develop an AIDS resource management algorithm, it is necessary to complete the following tasks: to develop a model of the dynamics (state) of the set of observed objects; set the observation model; and set the conditions of the optimization problem, i.e., determine the constraints and select the quality criterion.

When solving this problem, it is necessary to synthesize an adequate dynamic model of the information process.

The coordinates of the state vector can be various parameters of the controlled object, such as processor load, RAM usage, file system access, traffic intensity, energy consumption, etc. [25,29].

It is obvious that these and many other parameters of controlled objects are random variables. The random nature of these values may be due to both internal factors related to the processes occurring inside the object of observation, and external. For example, the random response time to an echo request (RTT delay) may be related to both server load (internal factor) and connection speed and channel load throughout from the client to the server. Within the framework of the model, it is advisable to associate internal random factors with formative noise. External random influences affecting the result of measuring the parameters of the controlled object are taken into account in the observation model in the form of observation noise. It should be noted that within the framework of this ap-proach, the formative and noise observations should be Gaussian, which does not corre-spond to the real characteristics of information processes, therefore it is necessary to apply the Gaussian approximation method. This stage should be preceded by a full-scale ex-periment that allows you to identify the real statistical characteristics of the information random process and the observation process.

After constructing state and observation models, the classical apparatus for managing observations can be used to solve the problem. The optimization problem is based on the terminal quality criterion and involves the implementation of an iterative procedure for synthesizing the observation plan [27,28].

In the theory of control of observations, a differential equation of the following form is used as a dynamic model describing the state of a controlled object [27,28]:

$$x_i{}^{\prime }=S_i{x}_i+G_i{q}_i, i=1,2,\dots , x_i(t_0{}_i)=x_{i0},$$

(1)

$x_i=x_i(t)\in R^{n_i}$—the state vector of the $i$-th object; here and below entry ${•}^{\prime }$ means the operation of differentiation with respect to time $t$, i.e., applied to (1)—$x_i{}^{\prime }=\raisebox{1ex}{$d{x}_i(t)$}\!\left/ \!\raisebox{-1ex}{$dt$}\right.$; x_i0—Gaussian vector, for which $M[x_{i0}]=x^{\ast }{}_{i0}$, ($M[•]$ means the mathematical expectation operation), $M[(x_{i0}-x^{\ast }{}_{i0}){(x_{i0}-x^{\ast }{}_{i0})}^T]=D_{i0}$ (operator ${(•)}^T$ means transpose); $t_0{}_i$—monitoring start time $i$-th object; $G_i=G_i(t)\in R^{n_i\times v_i};$ $q_i=q_i(t)\in R^{v_i}$—white noise for which $M[q_i(t)]=0$, $M[q_i(t)q_i{}^T(t-\mathsf{\mu })]=N_{iq}\mathsf{\delta }(\mathsf{\mu })$, $\mathsf{\delta }(\mathsf{\mu })$—delta function; $N_{iq}\in R^{v_i\times v_i}$—diagonal matrix.

The observation model is described by the following relationship:

$$u={\displaystyle \sum _{i=1}^I\begin{array}{l}\\ \end{array}}{\mathsf{\gamma }}_i(C_i{x}_i+g_i), t\in [0,t_f],$$

(2)

$u=u(t)\in R^z$; ${\mathsf{\gamma }}_i={\mathsf{\gamma }}_i(t)$—control function for $i$-th controlled object; $C_i=C_i(t)\in R^{z\times n_i}$—matrix that specifies the composition of controlled parameters $i$-th object; $g_i=g_i(t)\in R^{z_i}$—is white Gaussian noise, $M[g_i(t)]=0$, $M[g_i(t)g_i{(t-\mathsf{\mu })}^T]=N_{ig}\delta (\mathsf{\mu })$; $N_{ig}\in R^{z_i\times z_i}$—diagonal matrix; $I$—number of monitored objects in a time interval $[0,t_f]$.

Control functions ${\mathsf{\gamma }}_i(t)$ and matrices $C_i$ satisfy the following restrictions:

$$\begin{array}{l}{\mathsf{\gamma }}_i(t)\in L=\left\{0,1\right\}, {\displaystyle \sum _{i=1}^I{\mathsf{\gamma }}_i(t)\in L},\\ {\displaystyle \underset{0}{\overset{t_0}{\int }} {\displaystyle \sum _{i=1}^I{\mathsf{\gamma }}_i(t)dt=t_s\le t_f}}, C_i(t)\in {\overline{C}}_i(t).\end{array}$$

(3)

Constraints (3) determine the range of tasks to be solved, i.e., the following calculations correspond to the conditions for the operation of AIDS with a time division of computing resources: at the same time, it can control only one object.

The observation plan is described by the following expression:

$$\{{\mathrm{P}}_i,i=\overline{1,I}\}=P,$$

(4)

$$P_i=\{{\mathsf{\gamma }}_i\in L,C_i\in \overline{C_i}\}.$$

Models (1) and (2) correspond to the Kalman filtering algorithm, which is described by the following analytical relations:

$$\begin{array}{l}{x}^{\ast }{{}_i}^{\prime }=S_i{x}^{\ast }{}_i+{\mathsf{\gamma }}_i{D}_i{C}_i{}^T{N}_{{}_{i}g}{}^{-1}[u-C_i{x}^{\ast }{}_i],\\ x^{\ast }(t_0{}_i)=x^{\ast }{}_{i0},\end{array}$$

(5)

$$\begin{array}{l}{D}_i{}^{\prime }=S_i{D}_i+D_i{S}_i{}^T+Q_i-{\mathsf{\gamma }}_i{D}_i{K}_i{D}_i,\\ i=\overline{1,I}, t\in [t_0{}_i,t_f], t_0{}_i\in [0,t_f], \\ D_i\left(t_0{}_i\right)=D_{i0}, \end{array}$$

(6)

$$Q_i=G_i{N}_{iq}{G}^T; K_i=C_i{}^T{N}_{ig}{}^{-1}{C}_i.$$

The statement of the problem of optimization of observation processes in the framework of these studies is based on the use of the l-optimality criterion [23]:

$$l={\displaystyle \sum _{i=1}^I}{m}_i{}^T{D}_i(t_f)m_i\to \underset{P}{\min }, m_i\in R^{n_i}.$$

(7)

Criterion (7) minimizes the sum of errors in estimating the state of controlled objects at the final moment of time.

The optimization problem is to determine the optimal observation plan in terms of the l-optimality criterion (7). The use of the terminal criterion (7) within the framework of this problem is quite justified, given that the decision will be made on local time intervals.

Thus, the conditions of the optimization problem are formalized as follows: a generalized model of the dynamics of a set of controlled objects is described by Equation (1); the observation model for a set of controlled objects is described by the Formula (2); the observation plan (4) is determined by control functions that obey the constraints (3); and the quality criterion (7) minimizes the error in estimating the state vector at the final moment of the observation interval.

2.2. Method for Optimizing Resource Management Aids

When solving practical problems, the use of the Riccati Equation (6) is associated with a high computational costs due to nonlinearity and high dimensionality.

In [28], a method was proposed that allows us to proceed to the projection of the Hamiltonian system corresponding to (6) on the space of variables, which has the following form:

$$\begin{array}{l}{\mathsf{\alpha }}_i{}^{\prime }=-S_i{}^T{\mathsf{\alpha }}_i+{\mathsf{\gamma }}_i{K}_i{\mathsf{\beta }}_i,\\ {\mathsf{\beta }}_i{}^{\prime }=Q_i{\mathsf{\alpha }}_i+A_i{\mathsf{\beta }}_i,\end{array}$$

(8)

$${\mathsf{\beta }}_i={\mathsf{\beta }}_i(t)\in R^{n_i},{ \mathsf{\alpha }}_i={\mathsf{\alpha }}_i(t)\in R^{n_i},D_i{\mathsf{\alpha }}_i={\mathsf{\beta }}_i,\forall t,t\in [t_0{}_i,t_f].$$

In particular,

$$D_{i0}{\mathsf{\alpha }}_{i0}={\mathsf{\beta }}_{i0},i=\overline{1,I},$$

(9)

$${\mathsf{\alpha }}_{i0}={\mathsf{\alpha }}_i(t_0{}_i),{ \mathsf{\beta }}_{i0}={\mathsf{\beta }}_i(t_0{}_i).$$

Let us represent criterion (7) in terms of (8) as

$$\widehat{l}={\displaystyle \sum _{i=1}^I}{m}_i{}^T{\mathsf{\beta }}_i(t_f)\to \underset{P}{\min },$$

(10)

provided that

$${\mathsf{\alpha }}_i(t_f)=m_i.$$

(11)

Thus, the conditions of the optimization problem include a set of fictitious dynamical systems described by two-point boundary value problems (TPBVP) (8), (9), (11), and a quality criterion (10). The algorithm for solving such problems is considered in detail in [28] and includes an iterative procedure of successive approximations. This procedure involves setting an initial observation plan, and its gradual refinement from one iteration to another until the change in value of the optimality criterion becomes insignificant. The observation plan synthesized in this way is considered to be approximately optimal (hereinafter optimal). The iterative procedure itself is not presented in this article; it can be found in detail in [28].

Observation planning is based on the following relations describing program functions ${\mathsf{\Lambda }}_i{}^{}(t)$ and matrices that determine the optimal composition of the measured parameters $C_i^{opt}(t)$:

$${\mathsf{\Lambda }}_i{}^{}(t)={\mathsf{\beta }}_i^T(t)K_i^{opt}{\mathsf{\beta }}_i(t),$$

(12)

$$K_i^{opt}(t)={\left(C_i^{opt}(t)\right)}^T{N}_{ig}^{-1}(t)C_i^{opt}(t),$$

(13)

$$C_i^{opt}(t)=\arg \underset{C_i\in \overline{C_i}}{\max }{\mathsf{\beta }}_i^T(t)K_i^{}(t){\mathsf{\beta }}_i(t).$$

(14)

The decision rule for constructing an observation plan is described by the formula

$$\begin{array}{l}{\gamma }_i{}^{opt}(t)=\left\{\begin{array}{l}1,{ \mathsf{\Lambda }}_i(t)\ge \mathsf{\epsilon },{ \mathsf{\Lambda }}_i(t)\ge {\mathsf{\Lambda }}_j(t),\\ 0,{ \mathsf{\Lambda }}_i(t)<{\mathsf{\epsilon }, \mathsf{\Lambda }}_i(t)<{\mathsf{\Lambda }}_j(t),\end{array}\right. \\ j=\overline{1,I}, j\ne i,\end{array}$$

(15)

$\mathsf{\epsilon }$—Lagrange multiplier associated with the limit on the total observation time for all objects $t_s\le t_f$.

The observation planning algorithm presented above makes it possible to carry out most of the calculations a priori, i.e., it is possible to calculate in advance the observation plan. To do this, it is necessary to obtain statistical data on the parameters of controlled objects, which are assumed to be unchanged. The result of security monitoring will be the determination of the real state in which the controlled object is located at the current time and the determination of the deviation from the “reference” trajectory: whether it is within acceptable limits or not. If not, then AIDS issues a message about a possible invasion.

3. Results

In order to implement the approach to AIDS resource management described above, it is first necessary to collect statistics on the “normal” behavior of each controlled object. Based on these statistics, the so-called “reference” trajectory of the “movement” of the observed object in time is built, while it is assumed that the object is not attacked during the study period. Then, based on the “reference” trajectory as well as data on the intensity of noise, an optimal observation plan is built.

Within the framework of this article, to simplify the computational experiment, only one parameter was used as the trajectory of the observed object: the intensity of network traffic, which changes over time.

To illustrate the process of collecting and evaluating the statistical characteristics of the observed objects, we will use the results of a full-scale experiment, which are shown in Figure 1.

During the experiment, software developed within the framework of these studies was used. The software tool makes it possible to determine the intensity of traffic passing through the network port of the observed object, calculate the experimental density of the distribution of traffic intensity at fixed points in time, and display them on the screen, as shown in Figure 1. These probability densities may be approximated by a Gaussian distribution.

To obtain an analytical expression describing the dynamics of the observed object within the framework of this work, it is proposed to divide the entire observation interval into local sections and solve the optimization problem separately for each section. In small areas, the instantaneous values of traffic intensity are well approximated by an exponential curve.

In Figure 2, $u_1(t),u_2(t),u_3(t)$—instantaneous values of traffic intensity for the first, second, and third objects, respectively, $x_1(t),x_2(t),x_3(t)$—estimated parameters, show examples of such an approximation obtained using the expfit function of the Mathcad application package. Knowing the exponent parameters $x(t)=b{e}^{S t}+c$, the dynamics model of the observed object obtained using expfit can be written in the form

$$x_i{}^{\prime }=S_i{x}_i.$$

(16)

To simplify calculations, Model (16) does not contain shaping noise, since it has no physical meaning, and the entire random component is taken into account in the observation model. However, in the general case, shaping noise may be present, for example, when observing RTT (round-trip time) delays. Forming noise in this case will be due to data processing processes inside the monitored object, and observation noise will be due to processes occurring in network paths.

The observation model can be written as

$$u={\displaystyle \sum _{i=1}^I\begin{array}{l}\\ \end{array}}{\mathsf{\gamma }}_i(x_i+g_i).$$

(17)

When simulating the operation of the algorithm, the following restrictions were introduced:

$$\begin{array}{c}{n}_i=1,C_i(t)\equiv 1,G_i(t)\equiv 1,\\ m_i\equiv m,D_{i0}\equiv D_0.\end{array}$$

(18)

These restrictions were introduced in order to minimize the computational complexity of the problem, while maintaining the logic of its solution using the example of scalar models of state and observation.

All quantities given in the example are taken to be dimensionless for simplicity.

Equations (6) and (8), taking into account restrictions (18), respectively, take the form

$$D_i{}^{\prime }=2S_i{D}_i-2{\mathsf{\gamma }}_i{D}_i^2/N_{ig}, i=\overline{1,I},$$

(19)

$$\begin{array}{l}{\mathsf{\alpha }}_i{}^{\prime }=-S_i{\mathsf{\alpha }}_i+2{\mathsf{\gamma }}_i{\mathsf{\beta }}_i/N_{ig},\\ {\mathsf{\beta }}_i{}^{\prime }=S_i{\mathsf{\beta }}_i, i=\overline{1,I}, t\in [t_0{}_i,t_f].\end{array}$$

(20)

The quality criterion in the conditions of the example is described by the relation

$$\widehat{l}={\displaystyle \sum _{i=1}^I}m{\mathsf{\beta }}_i(t_f)\to \underset{P}{\min }.$$

(21)

Relation (12), taking into account (20), takes the form

$${\mathsf{\Lambda }}_i{}^{}(t)={[{\mathsf{\beta }}_i^{}]}^2/N_{ig}(t).$$

(22)

The simulation was carried out with the following initial data:

$$\begin{array}{c}{S}_1=1.003{,}^{}{S}_2=-0.258, S_3=-0.55,\\ N_{1g}=73.896 , N_{2g}=139.197, N_{3g}=91.7,\\ { \mathrm{D}}_0=1{,}^{}m=0.1{,}^{}{t}_f=20{,}^{}{t}_s=20.\end{array}$$

(23)

The values of the parameters S₁, S₂, S₃, N_1g, N_2g, and N_3g were determined on the basis of experimental data using the Mathcad program, and the remaining parameters were selected manually to ensure rapid convergence of the iterative procedure for synthesizing the observation plan.

In Figure 3, ${\mathsf{\gamma }}_1{\left(\mathrm{t}\right),\mathsf{\gamma }}_2{\left(\mathrm{t}\right),\mathsf{\gamma }}_3\left(\mathrm{t}\right)$—control functions for the first, second, and third objects, respectively—show the initial plan used at the first step of the iterative procedure for finding the optimal plan, which is considered in detail in [23].

Starting from the third step of the iterative procedure, there are practically no changes in program functions and, as a result, in the laws of control of observations. Therefore, the observation plan obtained at the third iteration can be considered optimal.

The structure of program functions at the third iteration is shown in Figure 4, ${\mathsf{\Lambda }}_1(t),{\mathsf{\Lambda }}_2(t),{\mathsf{\Lambda }}_3(t)$—program functions for the first, second, and third objects, respectively.

In Figure 5, ${\mathsf{\gamma }}_1\left(t{),\mathsf{\gamma }}_2\right(t{),\mathsf{\gamma }}_3\left(t\right)$—control functions for the first, second, and third objects, respectively—show the optimal observation plan. It can be seen from the figure that in this area it is most important to observe the first and second objects from the point of view of the quality criterion. This is since during the iterative procedure, the program function for the second object did not affect the process of forming the observation plan. Observation of the second object can be provided in the next local interval. In the general case, it may happen that too little observation time is provided for an object on the global interval, which is undesirable. This can be avoided by forcibly including the minimum observation time interval for the object, the observation of which is not provided for by the plan synthesized because of the implementation of the iterative procedure for optimizing observations. It is obvious that such “inserts” will reduce the quality of filtration in terms of the accuracy of estimating the state of controlled objects; however, these studies were not carried out within the framework of this work. The accuracy gain was estimated exclusively based on the results of a comparison of the synthesized plan shown in Figure 5 and the uniform plan shown in Figure 3.

The absolute value of the quality criterion for the initial plan and for the optimal plan were obtained, respectively, $l^0=734.414$ and $l^3=9.915\times {10}^{-4}$.

The relative gain is exactly equal to

$$\mathsf{\Delta }=\frac{l^0-l^3}{l^0}\times 100\%\approx 99.9\%.$$

(24)

4. Discussion

The authors discussed the results of their research with the involvement of leading experts in the field of observation control theory, monitoring systems, and computer security.

At present, the mathematical apparatus of random processes is used in the description and solution of a large number of theoretical and practical problems in various fields of science and technology. An important place in this series is occupied by tasks described by dynamic models, which are used both in the humanities and in the natural and technical sciences. In technical sciences, such tasks include those related to estimating the motion parameters of moving objects by location and navigation systems, monitoring information systems, describing communication networks, controlling traffic flows, and many other applied tasks. Despite the fact that the mathematical apparatus for solving such problems has been researched quite extensively, the potential for its further development remains very high. New technical problems appear, in which classical approaches can be successfully applied. These tasks include optimization of IDS computing resources.

The scientific novelty of this research lies in the generalization of existing methods for optimizing observations and filtering for a class of practically important problems of optimal resource management of an intrusion detection system, in which these approaches have not been previously employed.

The practical implementation of the research results will help to significantly optimize the distribution of computing resources of the IDS information system, which uses the Kalman filter to filter data. Today, such systems are gradually gaining popularity [24,25]. The approach given in this article for the organization of observations in IDS using the Kalman filter is also of scientific interest.

The results of studies by other scientific groups confirm the effectiveness of using this approach to solving measurement control problems in systems for estimating motion parameters [26,27,28]. However, the use of the considered mathematical apparatus in optimizing IDS resources also made it possible to obtain high results, which confirmed the effectiveness of this approach.

At the same time, information security experts recommended a more in-depth study of the possibilities of using this approach. Real intrusion detection systems can monitor a large number of parameters: traffic intensity, RTT delays, CPU-cores load, CPU temperature, disk access intensity, number of running processes, RAM consumption, power consumption, etc. Many of them can be approximated by Gaussian processes and can be included in the state vector of the controlled object, and accordingly considered when planning AIDS resources.

5. Conclusions

Thus, the above example made it possible to illustrate the implementation of the proposed iterative procedure for the synthesis of the observation control law in intrusion detection systems, which allows selection of the optimal plan for monitoring the state of controlled objects based on a priori information about them.

The research presented in this article aimed to consider the most general applied aspects of the application of the surveillance optimization method, which increases the efficiency of using the resources of intrusion detection systems. The data and models provided in this article are intended to illustrate the applicability of the method to the simplest example. Even in this case, the task proved to be nontrivial. To implement this method in a real intrusion detection system, a full-scale field experiment is required, involving long-term statistical observation of the intrusion detection system, building a dynamic model of the “normal” behavior of the system based on many parameters, and modeling an abnormal situation. This is planned within the framework of subsequent studies.

It should also be noted that the method discussed in the article allows you to obtain only an a priori or reference observation plan, which needs to be adjusted in real time. The article [30] provides an example of the adaptation of the reference observation plan to the real conditions of the functioning of the network monitoring information system with dy-namic topology. In part, this approach may be applicable to intrusion detection infor-mation systems. However, the peculiarities of the functioning of AIDS require the devel-opment of a new method for adapting the reference plan of observations to the conditions of functioning in real time. This is also planned as part of further research.