
The Herald of the Siberian State University of Telecommunications and Information Science


Morphological Method for Detecting Abnormal Server States

https://doi.org/10.55648/1998-6920-2024-18-1-3-15

Abstract

The paper proposes a computationally simple algorithm for detecting outliers and anomalies based on morphological analysis of the internal structure of multidimensional data. An important advantage of the method is that it can work with qualitative and quantitative features simultaneously. It is also distinguished from its analogues by the simplicity with which its results are presented and interpreted. The confidence range of values for the studied objects is approximated by combining the confidence ranges of values of qualitatively homogeneous objects (clusters). Whether objects belong to the same cluster is determined by the causal relationships between features that are characteristic of the subject area. The method is based on the construction of a finite probability space, and each element of a binary vector is uniquely assigned to the objects of the sample. Based on the Chebyshev inequality, low-power clusters are taken as outliers. Objects that do not belong to the aggregate confidence area are taken as anomalies. Comparison mechanisms based on the Hamming distance have been developed for: 1) cluster and cluster; 2) cluster and object; 3) object and object. To demonstrate the effectiveness of the method, a software module for detecting abnormal states of servers based on the Linux operating system has been developed. It can also be used as an auxiliary component in professional intrusion detection systems.

About the Authors

A. D. Petrov
https://netproj.ru
Moscow Polytechnic University; «BiZone» Limited Liability Company
Russian Federation

Anton D. Petrov, Master’s Degree Student of the Department of Information Security, Moscow Polytechnic University; Developer of the Security Analysis Direction, «BiZone» Limited Liability Company («BiZone» LLC)

107023, Moscow, B. Semenovskaya St. 38,

105066, Moscow, Olkhovskaya St., Bld. 2, 4



E. A. Kharchenko
Moscow Polytechnic University
Russian Federation

Elena A. Kharchenko, Senior Lecturer of the Department of Infocognitive Technologies

107023, Moscow, B. Semenovskaya St. 38





For citations:


Petrov A.D., Kharchenko E.A. Morphological Method for Detecting Abnormal Server States. The Herald of the Siberian State University of Telecommunications and Information Science. 2024;18(1):3-15. (In Russ.) https://doi.org/10.55648/1998-6920-2024-18-1-3-15



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 1998-6920 (Print)