Development of a Model of a Cyber Threats Detection System With Support and Update of Attack Detection Rules

The article addresses the issue of data protection in information and communication systems amid the growing volume of traffic and the increasing number of cyber threats, necessitating improvements in the effectiveness of intrusion detection and prevention systems. Various types of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), their advantages, and disadvantages are considered. The methods of threat detection are analyzed, including signature-based methods, anomaly detection methods, and machine learning-based methods. Special attention is paid to methods of attack detection based on traffic content. The effectiveness of various commercial and open-source solutions, such as Snort and Suricata, is compared in terms of their architecture, performance, and accuracy. The main proposal is to enhance the Suricata system with an additional module called the Intelligent Threat Detector (ITD), which is based on machine learning methods. The ITD module is integrated into the main Suricata module and performs deep traffic analysis and anomaly detection. This approach helps reduce the load on the detection system, improving the processing performance of incoming traffic and ensuring a high level of security. The proposed solution provides a multi-level approach to network protection, where initial filtering is carried out by Suricata, and deep analysis is performed by ITD. The system can intercept network packets for information analysis, building processing functions based on selected data to determine the possibility of intrusion. Additionally, the integration of the ITD module allows the system to adapt to new and unknown threats in real time, as the module continuously learns from new data, ensuring continuous improvement in detection accuracy and response to threats. Placing the system behind the firewall helps reduce the load on the detection system, ensuring efficient use of multiprocessor system resources and reducing false positives.