Development of a two-stage method of fuzzy clustering of information security events in the cyber security monitoring system of economic activities subjects
DOI: https://doi.org/10.17308/sait/1995-5499/2023/3/51-63
Keywords: cybersecurity, information security, economic entity, monitoring, management, fuzzy clustering, information security event, information security incident
Abstract
The work is aimed at improving the efficiency of managing the cyber security (CS) of economic entities (EDS) by organizing effective CS monitoring that takes into account the specific features of the monitoring process: the heterogeneity of the sources of initial monitoring data, their presentation in different data formats, their inaccuracy, uncertainty and noise, and the large number of information security (IS) events processed by the heterogeneous components of the EDS CS monitoring system. The paper proposes a comprehensive two-stage method for fuzzy clustering of IS events that takes into account the assessment of IS event criticality and the functionality of the EDS CS monitoring system. At the first stage, a model of IS event clustering in the EDS CS monitoring system based on the fuzzy c-means method is used. This model clusters a set of IS events into 3 fuzzy clusters: a fuzzy cluster of IS events that are IS incidents, a fuzzy cluster of IS events that are not IS incidents, and a fuzzy cluster of IS events that require additional analysis. At the second stage, to refine the clustering results obtained at the first stage, a model of IS event clustering in the EDS CS monitoring system based on the method of extracting α-kernels of fuzzy clusters is used. This model allows the thresholds for the degree of membership of IS events in the fuzzy clusters to be selected manually, taking into account additional information and the specific features of IS event processing in the CS monitoring system of a particular EDS. The paper evaluates the performance of the developed two-stage method of fuzzy clustering of IS events in the EDS CS monitoring system on a specific example.
The proposed approach makes it possible to increase the efficiency of EDS CS monitoring and to reduce the time required to make CS management decisions for an EDS, thanks to the comprehensive consideration of the specific features of IS event processing in the CS monitoring system of a particular EDS.
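The two stages described above, as an added Python example that is not from the paper: stage one runs fuzzy c-means on a constructed set of IS event feature vectors to obtain three membership columns, and stage two extracts α-kernels with per-cluster membership thresholds that an analyst sets by hand. The feature set, the centre initialisation and the threshold values are assumptions of this example.

```python
import numpy as np

# Constructed sample: one row per IS event with three features already scaled to
# [0, 1]: criticality score, share of correlated sources, anomaly score.
EVENTS = np.array([
    [0.95, 0.90, 0.92], [0.88, 0.85, 0.97], [0.92, 0.95, 0.85],  # clear incidents
    [0.05, 0.10, 0.08], [0.12, 0.05, 0.10], [0.08, 0.12, 0.05],  # clear non-incidents
    [0.50, 0.45, 0.55], [0.55, 0.50, 0.48],                      # need extra analysis
    [0.70, 0.60, 0.65],                                          # borderline event
])
LABELS = ("not_incident", "needs_analysis", "incident")  # clusters ordered by criticality

def fuzzy_c_means(X, m=2.0, iters=200, tol=1e-6):
    """Stage 1: fuzzy c-means with three clusters. Returns (centers, U), where
    U[i, k] is the membership degree of event i in cluster k. Initial centers are
    the events with the lowest, median and highest mean feature value (an
    assumption of this example, so that clusters come out ordered by criticality)."""
    order = np.argsort(X.mean(axis=1))
    centers = X[order[[0, len(X) // 2, -1]]].astype(float)
    for _ in range(iters):
        d = np.linalg.norm(X[:, None, :] - centers[None, :, :], axis=2) + 1e-12
        inv = d ** (-2.0 / (m - 1.0))
        U = inv / inv.sum(axis=1, keepdims=True)   # u_ik = 1 / sum_j (d_ik / d_ij)^(2/(m-1))
        Um = U ** m
        new_centers = (Um.T @ X) / Um.sum(axis=0)[:, None]
        converged = np.abs(new_centers - centers).max() < tol
        centers = new_centers
        if converged:
            break
    return centers, U

def alpha_kernels(U, alphas):
    """Stage 2: alpha-kernel extraction. alphas[k] is the analyst-chosen membership
    threshold for cluster k; event i belongs to kernel k when U[i, k] >= alphas[k].
    Events in no kernel, or in more than one, are routed to 'needs_analysis'."""
    kernels = [set(np.flatnonzero(U[:, k] >= alphas[k]).tolist()) for k in range(U.shape[1])]
    decisions = []
    for i in range(U.shape[0]):
        hits = [k for k, kern in enumerate(kernels) if i in kern]
        decisions.append(LABELS[hits[0]] if len(hits) == 1 else "needs_analysis")
    return kernels, decisions

def classify_events(X, alphas=(0.6, 0.6, 0.8)):
    """Run both stages; a stricter alpha for the incident cluster keeps borderline
    events out of the incident queue until an analyst has looked at them."""
    centers, U = fuzzy_c_means(X)
    U = U[:, np.argsort(centers.mean(axis=1))]   # reorder columns to match LABELS
    return U, alpha_kernels(U, alphas)[1]
```

The borderline event ends up with most of its membership in the middle cluster, so it is held for analysis rather than raised as an incident; raising or lowering the third threshold is the manual adjustment the second stage exists for.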