Investigation of the network anomalies of the corporate network of Krasnoyarsk scientific center

The problem of securing the corporate network of a research organization is being solved. The urgency of support- ing preventive measures for protecting network resources for the organizations performing scientific support of high- tech production, conducting space researches and creating high-tech equipment is grounded, where the loss of confi- dential data with unauthorized external influence can lead to significant consequences. To solve the problem, it is sug- gested to analyze the anomalies of network traffic, which can indicate the occurrence of cyberthreats. The paper reviews the existing methods and software products designed to analyze anomalies. On their basis, we propose our own original software tool that allows automatic detection of anomalies and subsequent detailed analysis of network service logs according to the metrics chosen by the administrator. The software tool is designed as a web application integrated into the existing infrastructure of the corporate network of a scientific organization. The implementation of the web application showed topicality and relevance of the development of an anomaly detection system. To further expand the methods of protecting the corporate network, full-featured software has been developed (Autonomous Log Analysis System) that performs automatic analysis and aggregation of network services data and provides interactive means of visualizing results. The system has a convenient graphical interface that allows you to visually evaluate the statistics of detected anomalies. With the help of a software tool, the administrator can identify the most critical incidents and suppress them in the future, changing the configuration of active protection systems. The software contains tools for constructing diagrams that show the number of anomalies over time periods, their distribution by observable services, sources of threats. It shows data on active clients exposed to threats, frequency of requests for selected protocols, monitors the exceeding of thresholds. The application of the developed software allows the configuration of the first line of protection against network attacks, improves responsiveness and the effectiveness of intrusion prevention by detecting missed by standard means of protection of incidents.