A. A. Talalaev, I. P. Tishchenko, V. P. Fralenko, V. M. Khachumov

In the present work experimental researches on working out of the abnormal network activity monitoring module based on artificial neural networks (ANN) are executed. The information about the developed ways and algorithms of allocation of informative signs of network attacks is resulted. The implementation includes: algorithms of allocation of network and not network signs of attacks; feedforward ANN module; module that uses the Euclid-Mahalanobis distance, supplementing; a subsystem of preservation of informative signs and the utility «teach», intended for neural network component training. The set of informative signs of network attacks is defined by database KDD-99 (Knowledge Discovery and Data Mining), used as a source of expert knowledge for neural network component training. General mechanism of network attacks revealing with Neuronet module looks as follows: 1. Snort system captures packet. 2. On group of rules of Snort system using module Neuronet the call of Neuronet module is made to determine of character of the come package. 3. Neuronet module parses the package for allocation of informative network and not network signs. 4. Allocated informative signs move on ANN recognition. 5. The neural network analyzes the data and returns into the Neuronet module information about package accessory to one of classes of network attacks or a class «norm». 6. Neuronet module returns to the Snort system a value that characterizing a package as "abnormal" / «not abnormal». 7. Snort system produces a screening package or passes it on to destination. Testing results of monitoring module on the real network traffic flow on cluster are presented. Based on feedforward ANN and Euclid-Mahalanobis distance developed classifier shows high quality situations recognition and can be used as a part of various program complexes for increase of network safety level.