<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">bsuir</journal-id><journal-title-group><journal-title xml:lang="ru">Доклады БГУИР</journal-title><trans-title-group xml:lang="en"><trans-title>Doklady BGUIR</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1729-7648</issn><issn pub-type="epub">2708-0382</issn><publisher><publisher-name>БГУИР</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.35596/1729-7648-2025-23-4-77-84</article-id><article-id custom-type="elpub" pub-id-type="custom">bsuir-4185</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>Статьи</subject></subj-group></article-categories><title-group><article-title>Архитектура прототипа системы обнаружения аномалий сетевого трафика на основе машинного обучения и визуальной аналитики</article-title><trans-title-group xml:lang="en"><trans-title>Architecture of a Prototype System for Network Traffic Anomaly Detection Based on Machine Learning and Visual Analytics</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Ван</surname><given-names>С.</given-names></name><name name-style="western" xml:lang="en"><surname>Wang</surname><given-names>X.</given-names></name></name-alternatives><bio xml:lang="ru"><p>магистрант каф. 
защиты информации и эргономики </p><p>Минск </p></bio><bio xml:lang="en"><p>Master’s Student at the Information Security Department </p></bio><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Сайманов</surname><given-names>И. М.</given-names></name><name name-style="western" xml:lang="en"><surname>Saymanov</surname><given-names>I. M.</given-names></name></name-alternatives><bio xml:lang="ru"><p>канд. техн. наук, доц., доц. каф. информационной безопасности </p><p>Ташкент </p></bio><bio xml:lang="en"><p>Cand. Sci. (Tech.), Associate Professor, Associate Professor at the Information Security Department </p><p>Tashkent </p></bio><xref ref-type="aff" rid="aff-2"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Кабулов</surname><given-names>А. В.</given-names></name><name name-style="western" xml:lang="en"><surname>Kabulov</surname><given-names>A. V.</given-names></name></name-alternatives><bio xml:lang="ru"><p>д-р техн. наук, проф., проф. каф. информационной безопасности </p><p>Ташкент </p></bio><bio xml:lang="en"><p>Dr. Sci. (Tech.), Professor, Professor at the Information Security Department</p><p>Tashkent </p></bio><xref ref-type="aff" rid="aff-2"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Прудник</surname><given-names>А. М.</given-names></name><name name-style="western" xml:lang="en"><surname>Prudnik</surname><given-names>A. M.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Прудник Александр Михайлович, канд. техн. наук, доц., доц. каф. инженерной психологии и эргономики </p><p>220013, Минск, ул. П. Бровки, 6 </p><p>Тел.: +375 17 293-85-24 </p></bio><bio xml:lang="en"><p>Prudnik Aleksander Mikhailovich, Cand. Sci. 
(Tech.), Associate Professor, Associate Professor at the Engineering Psychology and Ergonomics Department </p><p>220013, Minsk, P. Brovki St., 6 </p><p>Tel.: +375 17 293-85-24 </p></bio><email xlink:type="simple">aleksander.prudnik@bsuir.by</email><xref ref-type="aff" rid="aff-3"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Белорусский государственный университет информатики и радиоэлектроники (БГУИР)</institution></aff><aff xml:lang="en"><institution>Belarusian State University of Informatics and Radioelectronics (BSUIR)</institution></aff></aff-alternatives><aff-alternatives id="aff-2"><aff xml:lang="ru"><institution>Национальный университет Узбекистана имени Мирзо Улугбека (НУУ)</institution></aff><aff xml:lang="en"><institution>National University of Uzbekistan named after Mirzo Ulugbek (NUU)</institution></aff></aff-alternatives><aff-alternatives id="aff-3"><aff xml:lang="ru"><institution>Белорусский государственный университет информатики и радиоэлектроники</institution></aff><aff xml:lang="en"><institution>Belarusian State University of Informatics and Radioelectronics (BSUIR)</institution></aff></aff-alternatives><pub-date pub-type="collection"><year>2025</year></pub-date><pub-date pub-type="epub"><day>03</day><month>09</month><year>2025</year></pub-date><volume>23</volume><issue>4</issue><fpage>77</fpage><lpage>84</lpage><permissions><copyright-statement>Copyright © Ван С., Сайманов И.М., Кабулов А.В., Прудник А.М., 2025</copyright-statement><copyright-year>2025</copyright-year><copyright-holder xml:lang="ru">Ван С., Сайманов И.М., Кабулов А.В., Прудник А.М.</copyright-holder><copyright-holder xml:lang="en">Wang X., Saymanov I.M., Kabulov A.V., Prudnik A.M.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 
4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://doklady.bsuir.by/jour/article/view/4185">https://doklady.bsuir.by/jour/article/view/4185</self-uri><abstract><p>Представлена архитектура прототипа системы для обнаружения аномалий сетевого трафика. Система основана на трехуровневой архитектуре с использованием веб-фреймворка Flask для создания RESTful API. Для обнаружения аномалий применяется алгоритм машинного обучения без учителя Isolation Forest (100 эстиматоров, фактор контаминации 0,05) из библиотеки scikit-learn, осуществляющий обработку данных, предварительно нормализованных с помощью StandardScaler, в одночасовых окнах. Результаты анализа, включающие многоуровневую классификацию серьезности аномалий (с нормализованными оценками в диапазоне 0–1, где значения более 0,8 соответствуют критическому уровню) и обеспечивающие совместимость с SIEM-системами, интерактивно визуализируются посредством Chart.js. Рассмотрены ключевые теоретические и практические вызовы, такие как качество данных, выбор признаков, масштабируемость (алгоритмическая сложность O(n log n)), оптимизация параметров и интерпретируемость результатов.</p></abstract><trans-abstract xml:lang="en"><p>The paper presents the architecture of a prototype system for detecting network traffic anomalies. The system is based on a three-tier architecture using the Flask web framework to create a RESTful API. Anomaly detection is implemented using the Isolation Forest unsupervised machine learning algorithm (100 estimators, contamination factor 0.05) from the scikit-learn library, which processes data pre-normalized using StandardScaler in one-hour windows. 
The analysis results, including a multi-level classification of anomaly severity (with normalized scores in the range of 0–1, where values greater than 0.8 correspond to the critical level) and ensuring compatibility with SIEM systems, are interactively visualized using Chart.js. Key theoretical and practical challenges, such as data quality, feature selection, scalability (algorithmic complexity O(n log n)), parameter optimization, and interpretability of results, are discussed.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>обработка сетевого трафика</kwd><kwd>обнаружение аномалий</kwd><kwd>машинное обучение</kwd><kwd>алгоритм Isolation Forest</kwd><kwd>визуальная аналитика</kwd><kwd>архитектура системы</kwd><kwd>масштабируемость</kwd><kwd>интерпретируемость</kwd><kwd>качество данных</kwd></kwd-group><kwd-group xml:lang="en"><kwd>network traffic processing</kwd><kwd>anomaly detection</kwd><kwd>machine learning</kwd><kwd>Isolation Forest algorithm</kwd><kwd>visual analytics</kwd><kwd>system architecture</kwd><kwd>scalability</kwd><kwd>interpretability</kwd><kwd>data quality</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Sommer R., Paxson V. (2010) Outside the Closed World: On Using Machine Learning for Network Intrusion Detection. IEEE Symposium on Security and Privacy. 305–316.</mixed-citation><mixed-citation xml:lang="en">Sommer R., Paxson V. (2010) Outside the Closed World: On Using Machine Learning for Network Intrusion Detection. IEEE Symposium on Security and Privacy. 305–316.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">García-Teodoro P., Díaz-Verdejo J., Maciá-Fernández G., Vázquez E. (2009) Anomaly-Based Network Intrusion Detection: Techniques, Systems and Challenges. Computers &amp; Security. 
28 (1–2), 18–28.</mixed-citation><mixed-citation xml:lang="en">García-Teodoro P., Díaz-Verdejo J., Maciá-Fernández G., Vázquez E. (2009) Anomaly-Based Network Intrusion Detection: Techniques, Systems and Challenges. Computers &amp; Security. 28 (1–2), 18–28.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Buczak A. L., Guven E. (2016) A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection. IEEE Communications Surveys &amp; Tutorials. 18 (2), 1153–1176.</mixed-citation><mixed-citation xml:lang="en">Buczak A. L., Guven E. (2016) A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection. IEEE Communications Surveys &amp; Tutorials. 18 (2), 1153–1176.</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Bhuyan M. H., Bhattacharyya D. K., Kalita J. K. (2014) Network Anomaly Detection: Methods, Systems and Tools. IEEE Communications Surveys &amp; Tutorials. 16 (1), 303–336.</mixed-citation><mixed-citation xml:lang="en">Bhuyan M. H., Bhattacharyya D. K., Kalita J. K. (2014) Network Anomaly Detection: Methods, Systems and Tools. IEEE Communications Surveys &amp; Tutorials. 16 (1), 303–336.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">D’Amico A., Whitley K. (2008) The Real Work of Computer Network Defense Analysts. VizSEC 2007 (Mathematics and Visualization). 19–37.</mixed-citation><mixed-citation xml:lang="en">D’Amico A., Whitley K. (2008) The Real Work of Computer Network Defense Analysts. VizSEC 2007 (Mathematics and Visualization). 19–37.</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">Ring M., Wunderlich S., Grüdl D., Landes D., Hotho A. 
(2017) Flow-Based Benchmark Data Sets for Intrusion Detection. Proc. of the 16th European Conf. on Cyber Warfare and Security. 361–369.</mixed-citation><mixed-citation xml:lang="en">Ring M., Wunderlich S., Grüdl D., Landes D., Hotho A. (2017) Flow-Based Benchmark Data Sets for Intrusion Detection. Proc. of the 16th European Conf. on Cyber Warfare and Security. 361–369.</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Sharafaldin I., Lashkari A. H., Ghorbani A. A. (2018) Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. Proc. of the 4th International Conf. on Information Systems Security and Privacy. 108–116.</mixed-citation><mixed-citation xml:lang="en">Sharafaldin I., Lashkari A. H., Ghorbani A. A. (2018) Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. Proc. of the 4th International Conf. on Information Systems Security and Privacy. 108–116.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Cordero C. G., Vasilomanolakis E., Milanov N., Koch C., Hausheer D., Mühlhäuser M. (2015) An Overview of the Botnet Simulation Framework. IEEE Conf. on Communications and Network Security (CNS). 739–740.</mixed-citation><mixed-citation xml:lang="en">Cordero C. G., Vasilomanolakis E., Milanov N., Koch C., Hausheer D., Mühlhäuser M. (2015) An Overview of the Botnet Simulation Framework. IEEE Conf. on Communications and Network Security (CNS). 739–740.</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Liu F. T., Ting K. M., Zhou Z. H. (2012) Isolation-Based Anomaly Detection. ACM Transactions on Knowledge Discovery from Data. 6 (1), 1–39.</mixed-citation><mixed-citation xml:lang="en">Liu F. T., Ting K. M., Zhou Z. H. (2012) Isolation-Based Anomaly Detection. 
ACM Transactions on Knowledge Discovery from Data. 6 (1), 1–39.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Ding Z., Fei M. (2013) An Anomaly Detection Approach Based on Isolation Forest Algorithm for Streaming Data Using Sliding Window. IFAC Proceedings Volumes. 46 (20), 12–17.</mixed-citation><mixed-citation xml:lang="en">Ding Z., Fei M. (2013) An Anomaly Detection Approach Based on Isolation Forest Algorithm for Streaming Data Using Sliding Window. IFAC Proceedings Volumes. 46 (20), 12–17.</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Apruzzese G., Colajanni M., Ferretti L., Guido A., Marchetti M. (2018) On the Effectiveness of Machine and Deep Learning for Cyber Security. 2018 10th International Conference on Cyber Conflict (CyCon). 371–390. IEEE.</mixed-citation><mixed-citation xml:lang="en">Apruzzese G., Colajanni M., Ferretti L., Guido A., Marchetti M. (2018) On the Effectiveness of Machine and Deep Learning for Cyber Security. 2018 10th International Conference on Cyber Conflict (CyCon). 371–390. IEEE.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Wang H., Bah M. J., Hammad M. (2019) Progress in Outlier Detection Techniques: A Survey. IEEE Access. 7, 107964–108000.</mixed-citation><mixed-citation xml:lang="en">Wang H., Bah M. J., Hammad M. (2019) Progress in Outlier Detection Techniques: A Survey. IEEE Access. 7, 107964–108000.</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Ribeiro M. T., Singh S., Guestrin C. (2016) “Why Should I Trust You?”: Explaining the Predictions of Any Classifier. Proc. of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 
1135–1144.</mixed-citation><mixed-citation xml:lang="en">Ribeiro M. T., Singh S., Guestrin C. (2016) “Why Should I Trust You?”: Explaining the Predictions of Any Classifier. Proc. of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 1135–1144.</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Perdisci R., Ariu D., Fogla P., Giacinto G., Lee W. (2009) McPAD: A Multiple Classifier System for Accurate Payload-Based Anomaly Detection. Computer Networks. 53 (6), 864–881.</mixed-citation><mixed-citation xml:lang="en">Perdisci R., Ariu D., Fogla P., Giacinto G., Lee W. (2009) McPAD: A Multiple Classifier System for Accurate Payload-Based Anomaly Detection. Computer Networks. 53 (6), 864–881.</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Staheli D., Yu T., Crouser R. J., Damodaran S., Nam K., O’Gwynn D., et al. (2014) Visualization Evaluation for Cyber Security: Trends and Future Directions. VizSec ’14: Proceedings of the Eleventh Workshop on Visualization for Cyber Security. 49–56.</mixed-citation><mixed-citation xml:lang="en">Staheli D., Yu T., Crouser R. J., Damodaran S., Nam K., O’Gwynn D., et al. (2014) Visualization Evaluation for Cyber Security: Trends and Future Directions. VizSec ’14: Proceedings of the Eleventh Workshop on Visualization for Cyber Security. 49–56.</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Perdisci R., Lee W., Feamster N. (2010) Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces. NSDI’10: Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation. 12.</mixed-citation><mixed-citation xml:lang="en">Perdisci R., Lee W., Feamster N. 
(2010) Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces. NSDI’10: Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation. 12.</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
