Methodology for forming the input vector of observed network activity variables

DOI:

https://doi.org/10.18372/2225-5036.31.20699

Keywords:

probabilistic modeling, cybersecurity, input vector, network traffic, feature aggregation, cyberattack detection

Abstract

This paper presents a methodology for constructing the input vector of observed network activity variables for cyberattack detection and prediction systems. The proposed approach involves a step-by-step formation of the vector, beginning with the collection of raw traffic parameters, followed by their normalization, smoothing within sliding time windows, and temporal alignment. The methodology includes the integration of parameters from all functional feature blocks, enabling model adaptation to various types of attacks. As a result, the input vector is fully compatible with probabilistic models exhibiting Markov properties and is capable of capturing both instantaneous fluctuations and long-term behavioral trends in network traffic. The proposed approach enhances anomaly detection accuracy and reduces false positives by enabling flexible adjustment of the vector’s structure in accordance with the threat profile dynamics.
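The four steps named in the abstract (collection, normalization, sliding-window smoothing, temporal alignment) can be sketched as follows. This is an added example, not code from the paper. The min-max scaling, trailing moving average, last-observation alignment, the two feature blocks and all sample values are assumptions made for illustration, since the abstract does not specify them.

```python
from bisect import bisect_right

# Constructed sample data: two feature blocks observed at different instants
# (seconds). Block names, features and values are illustrative assumptions.
FLOW_BLOCK = [(0.0, 120), (1.1, 130), (2.0, 125), (3.2, 900), (4.0, 950), (5.1, 140)]  # packets/s
AUTH_BLOCK = [(0.5, 1), (2.5, 0), (4.5, 7)]  # failed logins per interval

def min_max(series):
    """Normalization: scale values to [0, 1]; a constant series maps to 0.0."""
    vals = [v for _, v in series]
    lo, span = min(vals), max(vals) - min(vals)
    return [(t, (v - lo) / span if span else 0.0) for t, v in series]

def align(series, grid):
    """Temporal alignment: carry the last observation at or before each tick forward."""
    times = [t for t, _ in series]
    out = []
    for tick in grid:
        i = bisect_right(times, tick)
        # No sample yet at this tick: back-fill with the first observation.
        out.append(series[i - 1][1] if i else series[0][1])
    return out

def smooth(values, window):
    """Smoothing: trailing moving average over a sliding window of `window` ticks."""
    out = []
    for i in range(len(values)):
        chunk = values[max(0, i - window + 1): i + 1]
        out.append(sum(chunk) / len(chunk))
    return out

def build_vectors(blocks, grid, window):
    """One vector per tick: [instantaneous, smoothed] for every block, concatenated."""
    cols = []
    for series in blocks:
        inst = align(min_max(series), grid)
        cols += [inst, smooth(inst, window)]
    return [list(row) for row in zip(*cols)]

GRID = [0, 1, 2, 3, 4, 5]
VECTORS = build_vectors([FLOW_BLOCK, AUTH_BLOCK], GRID, window=3)

if __name__ == "__main__":
    for tick, vec in zip(GRID, VECTORS):
        print(tick, [round(x, 3) for x in vec])
```

Keeping the instantaneous and the smoothed value side by side in each vector is one way to expose both short-lived bursts and slower trends to a downstream model.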

Published

2025-08-22

Section

Cybersecurity & Critical Information Infrastructure Protection (CIIP)