<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">caht</journal-id><journal-title-group><journal-title xml:lang="ru">Научный вестник МГТУ ГА</journal-title><trans-title-group xml:lang="en"><trans-title>Civil Aviation High Technologies</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">2079-0619</issn><issn pub-type="epub">2542-0119</issn><publisher><publisher-name>Moscow State Technical University of Civil Aviation (MSTU CA)</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.26467/2079-0619-2026-29-3-59-70</article-id><article-id custom-type="elpub" pub-id-type="custom">caht-2781</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>ТРАНСПОРТНЫЕ СИСТЕМЫ</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>TRANSPORTATION SYSTEMS</subject></subj-group></article-categories><title-group><article-title>Защита корпоративных информационных систем авиапредприятий от атак нулевого дня: подход к обнаружению вторжений на основе глубокого неконтролируемого обучения</article-title><trans-title-group xml:lang="en"><trans-title>Protection of corporate information systems of aviation enterprises from zero-day attacks: an intrusion detection approach based on deep unsupervised learning</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Машошин</surname><given-names>Н. О.</given-names></name><name name-style="western" xml:lang="en"><surname>Mashoshin</surname><given-names>N. O.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Машошин Никита Олегович, инженер по машинному обучению; аспирант кафедры основ радиотехники и защиты информации МГТУ ГА,  </p><p>Москва.</p></bio><bio xml:lang="en"><p>Nikita O. Mashoshin, Machine Learning Engineer; Postgraduate Student of the Radio Engineering Fundamentals and Information Security Chair, Moscow State Technical University of Civil Aviation, </p><p>Moscow.</p></bio><email xlink:type="simple">nikita.mashoshin@yandex.ru</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Кулешов</surname><given-names>А. А.</given-names></name><name name-style="western" xml:lang="en"><surname>Kuleshov</surname><given-names>A. A.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Кулешов Александр Анатольевич, доктор технических наук, заместитель генерального директора по гражданской авиатехнике,</p><p>г. Ступино.</p></bio><bio xml:lang="en"><p>Alexander A. Kuleshov, Doctor of Technical Sciences, Deputy General Director for Civil Aviation Products,</p><p>Stupino.</p></bio><email xlink:type="simple">kaa.aerosila@mail.ru</email><xref ref-type="aff" rid="aff-2"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>ООО «СофтТелематика»</institution><country>Россия</country></aff><aff xml:lang="en"><institution>SoftTelematika LLC</institution><country>Russian Federation</country></aff></aff-alternatives><aff-alternatives id="aff-2"><aff xml:lang="ru"><institution>АО «Научно-производственное предприятие «Аэросила»</institution><country>Россия</country></aff><aff xml:lang="en"><institution>Scientific-Production Enterprise “Aerosila”, JSC</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2026</year></pub-date><pub-date pub-type="epub"><day>09</day><month>07</month><year>2026</year></pub-date><volume>29</volume><issue>3</issue><fpage>59</fpage><lpage>70</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Машошин Н.О., Кулешов А.А., 2026</copyright-statement><copyright-year>2026</copyright-year><copyright-holder xml:lang="ru">Машошин Н.О., Кулешов А.А.</copyright-holder><copyright-holder xml:lang="en">Mashoshin N.O., Kuleshov A.A.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://avia.mstuca.ru/jour/article/view/2781">https://avia.mstuca.ru/jour/article/view/2781</self-uri><abstract><p>В работе рассматривается актуальная задача обнаружения атак нулевого дня в корпоративных информационных системах авиапредприятий, относящихся к объектам критической информационной инфраструктуры. Показано, что традиционные сигнатурные средства защиты, включая классические системы обнаружения вторжений (IDS), обладают фундаментальной ограниченной эффективностью в условиях ранее неизвестных и целенаправленных кибервоздействий, что подтверждается реальными инцидентами в авиационном секторе. Поиск эффективных средств детектирования атак нулевого дня, а также комплексных целенаправленных воздействий (APT) остается актуальным, поскольку их скрытность и уникальность сводят к минимуму эффективность сигнатурных методов обнаружения. В данной работе предложена нейросетевая модель обнаружения вторжений, ориентированная на применение в центрах обеспечения безопасности (SOC) авиапредприятий и основанная на методах глубокого неконтролируемого обучения. Модель реализована в виде глубокого автоэнкодера, обучаемого исключительно на легитимном сетевом трафике, что позволяет формировать устойчивое представление нормального поведения системы и выявлять статистические отклонения без предварительного знания сигнатур атак. Экспериментальная валидация проведена на наборе данных CICIDS2018 с использованием метрик F1-score, ROC-AUC, precision и recall. Предложенный подход продемонстрировал F1-меру 0,81 и ROC-AUC 0,844, превысив показатели классических алгоритмов неконтролируемого обнаружения аномалий (Isolation Forest и One-Class SVM). Полученные результаты подтверждают применимость разработанной модели в качестве проактивного аналитического компонента гибридных систем обнаружения вторжений и ее потенциал для повышения киберустойчивости информационных систем авиационного сектора. Модель может быть интегрирована в существующие SOC-платформы авиапредприятий для дополнения сигнатурного анализа поведенческим контекстом.</p></abstract><trans-abstract xml:lang="en"><p>The paper considers the urgent task of detecting zero-day attacks in corporate information systems of aviation enterprises classified as critical information infrastructure (CII). It is shown that traditional signature-based protection tools, including classical intrusion detection systems (IDS), have fundamentally limited effectiveness in conditions of previously unknown and targeted cyberattacks, which is confirmed by real incidents in the aviation sector. The search for effective methods of detecting zero-day attacks, as well as advanced persistent threats (APT) remains an urgent task, since their secrecy and uniqueness minimize the effectiveness of signature-based detection methods. In this paper a neural-network intrusion detection model is proposed, focused on application in aviation security operation centers (SOC) of aviation enterprises and based on deep unsupervised learning methods. The model is implemented in the form of a deep autoencoder trained exclusively on legitimate network traffic, which makes it possible to form a stable representation of normal behavior of the system and identify statistical deviations without prior knowledge of attack signatures. Experimental validation was performed on the CICIDS2018 dataset using the metrics F1-score, ROC-AUC, precision, and recall. The proposed approach demonstrated the F1-measure of 0.81 and a ROC-AUC of 0.844, exceeding the performance of classical unsupervised algorithms for uncontrolled anomaly detection (Isolation Forest and OneClass SVM). The results obtained confirm the applicability of the developed model as a proactive analytical component of hybrid intrusion detection systems and its potential to increase the cyber resilience of aviation-sector information systems. The model can be integrated into existing SOC platforms of aviation enterprises to complement signature-based analysis with a behavioral context. </p></trans-abstract><kwd-group xml:lang="ru"><kwd>кибербезопасность</kwd><kwd>авиапредприятие</kwd><kwd>атака нулевого дня</kwd><kwd>обучение без учителя</kwd><kwd>глубокое обучение</kwd><kwd>автоэнкодер</kwd><kwd>обнаружение аномалий</kwd><kwd>SOC</kwd><kwd>ICAO</kwd></kwd-group><kwd-group xml:lang="en"><kwd>cybersecurity</kwd><kwd>aviation enterprise</kwd><kwd>zero-day attack</kwd><kwd>unsupervised learning</kwd><kwd>deep learning</kwd><kwd>autoencoder</kwd><kwd>anomaly detection</kwd><kwd>SOC</kwd><kwd>ICAO</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Аврамчиков В.М., Тимохович А.С., Рожнов И.П. Цифровая трансформация в авиационной отрасли: возможности и перспективы [Электронный ресурс] // Вестник Евразийской науки. 2024. Т. 16, № 3. 13 с. URL: https://esj.today/PDF/04ECVN324.pdf (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Avramchikov, V.M., Timokhovich, A.S., Rozhnov, I.P. (2024). Digital transformation in the aviation industry: opportunities and prospects. The Eurasian Scientific Journal, vol. 16, no. 3, 13 p. Available at: https://esj.today/PDF/04ECVN324.pdf  (accessed: 23.11.2025). (in Russian)</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Scarfone K., Mell P. Guide to intrusion detection and prevention systems (IDPS): NIST Special Publication 800-94. Gaithersburg: National Institute of Standards and Technology, 2007. 127 p.</mixed-citation><mixed-citation xml:lang="en">Scarfone, K., Mell, P. (2007). Guide to intrusion detection and prevention systems (IDPS): NIST Special Publication 800-94. Gaithersburg: National Institute of Standards and Technology, 127 p.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Ahmed M., Mahmood A.N., Hu J. A survey of network anomaly detection techniques // Journal of Network and Computer Applications. 2016. Vol. 60. Pp. 19–31. DOI: 10.1016/j.jnca.2015.11.016</mixed-citation><mixed-citation xml:lang="en">Ahmed, M., Mahmood, A.N., Hu, J. (2016). A survey of network anomaly detection techniques. Journal of Network and Computer Applications, vol. 60, pp. 19–31. DOI: 10.1016/j.jnca.2015.11.016</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Buczak A.L., Guven E. A survey of data mining and machine learning methods for cyber security intrusion detection [Электронный ресурс] // Communications Surveys &amp; Tutorials. 2016. Vol. 18, no. 2. Pp. 1153–1176. DOI: 10.1109/COMST.2015.2494502 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Buczak, A.L., Guven, E. (2016). A survey of data mining and machine learning methods for cyber security intrusion detection. Communications Surveys &amp; Tutorials, vol. 18, no. 2, pp. 1153–1176. DOI: 10.1109/COMST.2015.2494502 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Chalapathy R., Chawla S. Deep learning for anomaly detection: A survey [Электронный ресурс] // ACM Computing Surveys. 2019. 50 p. DOI: 10.48550/arXiv.1901.03407 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Chalapathy, R., Chawla, S. (2021). Deep learning for anomaly detection: A survey. ACM Computing Surveys, vol. 54, no 2, 50 p. DOI: 10.48550/arXiv.1901.03407 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">Pang G. Deep learning for anomaly detection: A review / G. Pang, C. Shen, L. Cao, A. van den Hengel [Электронный ресурс] // ACM Computing Surveys. 2020. 36 p. DOI: 10.1145/3439950 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Pang, G., Shen, C., Cao, L., van den Hengel, A. (2020). Deep learning for anomaly detection: A review. ACM Computing Surveys, 36 p. DOI: 10.1145/3439950 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Ruff L. Deep one-class classification / L. Ruff, R.A. Vandermeulen, N. Görnitz, L. Deecke // Proceedings of the 35th International Conference on Machine Learning (ICML), 2018. Vol. 80. Pp. 4393–4402.</mixed-citation><mixed-citation xml:lang="en">Ruff, L., Vandermeulen, R., Görnitz, N., Deecke, L. (2018). Deep one-class classification. In: Proceedings of the 35th International Conference on Machine Learning (ICML), vol. 80, pp. 4393–4402.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Zhou C., Paffenroth R. Robust deep autoencoders for unsupervised anomaly detection // Proceedings of the 23rd ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD), 2017. Pp. 665–674. DOI: 10.1145/3097983.3098052</mixed-citation><mixed-citation xml:lang="en">Zhou, C., Paffenroth, R. (2017). Robust deep autoencoders for unsupervised anomaly detection. In: Proceedings of the 23rd ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD), pp. 665–674. DOI: 10.1145/3097983.3098052</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Mirsky Y. Kitsune: an ensemble of autoencoders for online network intrusion detection / Y. Mirsky, T. Doitshman, Y. Elovici, A. Shabtai [Электронный ресурс] // Network and Distributed Systems Security (NDSS) Symposium 2018, 15 p. DOI: 10.14722/ndss.2018.23204 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Mirsky, Y., Doitshman, T., Elovici, Y., Shabtai, A. (2018). Kitsune: an ensemble of  autoencoders for online network intrusion detection. In: Network and Distributed Systems Security (NDSS) Symposium, 15 p. DOI: 10.14722/ndss.2018.23204 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Javaid A. A deep learning approach for network intrusion detection system / A. Javaid, Q. Niyaz, W. Sun, M. Alam [Электронный ресурс] // 9th EAI International Conference on Bio-inspired Information and Communications Technologies. 2016. DOI: 10.4108/eai.3-122015.2262516 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Javaid, A., Niyaz, Q., Sun, W., Alam, M. (2016). A deep learning approach for network intrusion detection system. In: 9th EAI International Conference on Bio-inspired Information and Communications Technologies. DOI: 10.4108/eai.3-12-2015.2262516 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Shone N. A deep learning approach to network intrusion detection / N. Shone, T.N. Ngoc, V.D. Phai, Q. Shi [Электронный ресурс] // IEEE Transactions on Emerging Topics in Computational Intelligence. 2018. Vol. 2, no. 1. Pp. 41–50. DOI: 10.1109/TETCI.2017.2772792 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Shone, N., Ngoc, T.N., Phai, V.D., Shi, Q. (2018). A deep learning approach to network intrusion detection. In: IEEE transactions on emerging topics in computational  intelligence, vol. 2, no. 1, pp. 41–50. DOI: 10.1109/TETCI.2017.2772792 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Goldstein M., Uchida S. A comparative evaluation of unsupervised anomaly detection algorithms for multivariate data [Электронный ресурс] // PLoS ONE. 2016. Vol. 11, no. 4. ID: e0152173. DOI: 10.1371/journal.pone.0152173 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Goldstein, M., Uchida, S. (2016). A comparative evaluation of unsupervised anomaly detection algorithms for multivariate data. PLoS ONE, vol. 11, no. 4, ID: e0152173. DOI: 10.1371/journal.pone.0152173 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Sakurada M., Yairi T. Anomaly detection using autoencoders with nonlinear dimensionality reduction [Электронный ресурс] // Proceedings of the MLSDA 2014 2nd Workshop on Machine Learning for Sensory Data Analysis, 2014. Pp. 4–11. DOI: 10.1145/2689746.2689747 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Sakurada, M., Yairi, T. (2014). Anomaly detection using autoencoders with nonlinear dimensionality reduction. In: Proceedings of the MLSDA 2014 2nd Workshop on Machine Learning for Sensory Data Analysis, pp. 4–11. DOI: 10.1145/2689746.2689747 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Kumar A. A survey of CICIDS 2017 and CSE-CIC-IDS2018 datasets [Электронный ресурс] // AIP Conference Proceedings. 2024. Vol. 3085. ID: 050001. DOI: 10.1063/5.0222131 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Kumar, A. (2024). A survey of CICIDS 2017 and CSE-CIC-IDS2018 datasets. In: AIP Conference Proceedings, vol. 3085. ID: 050001. DOI: 10.1063/5.0222131 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Schölkopf B. Estimating the support of a high-dimensional distribution / B. Schölkopf, J.C. Platt, J. Shawe-Taylor, A.J. Smola, R.C. Williamson // Neural Computation. 2001. Vol. 13, no. 7. Pp. 1443–1471. DOI: 10.1162/089976601750264965</mixed-citation><mixed-citation xml:lang="en">Schölkopf, B., Platt, J.C., ShaweTaylor, J., Smola, A.J., Williamson, R.C. (2001). Estimating the support of a highdimensional distribution. Neural Computation, vol. 13, no. 7, pp. 1443–1471. DOI: 10.1162/089976601750264965</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Liu F.T., Ting K.M., Zhou Z.-H. Isolation Forest [Электронный ресурс] // 2008 Eighth IEEE International Conference on Data Mining (ICDM), 2008. Pp. 413–422. DOI: 10.1109/ICDM.2008.17 (дата обращения: 23.11.2025).</mixed-citation><mixed-citation xml:lang="en">Liu, F.T., Ting, K.M., Zhou, Z.-H. (2008). Isolation Forest. In: 2008 Eighth IEEE International Conference on Data Mining (ICDM), pp. 413–422. DOI: 10.1109/ICDM.2008.17 (accessed: 23.11.2025).</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
