
As a manuscript

POLITOV Mikhail Sergeevich

EXPERIMENTAL-ANALYTICAL METHOD FOR ASSESSING AND PREDICTING THE LEVEL OF SECURITY OF INFORMATION SYSTEMS ON THE BASIS OF A TIME SERIES MODEL

Specialty 05.13.19 – Methods and systems of information security, information security

Abstract of the dissertation for the degree of Candidate of Technical Sciences

The work was carried out at the State Educational Institution of Higher Professional Education "Chelyabinsk State University" at the Department of Computational Mechanics and Information Technologies.

Scientific supervisor: Dr. of Technical Sciences, Prof. MELNIKOV Andrey Vitalievich

Official opponents: Dr. of Technical Sciences, Prof. MIRONOV Valery Viktorovich, Professor of the Department of Automated Control Systems, Ufa State Aviation Technical University; Cand. of Technical Sciences KRUSHNY Valery Vasilievich, Head of the Department of Automated Information and Computer Systems, Snezhinsk State Academy of Physics and Technology

Makeev"

The defense will take place on March 26, 2010 at 10:00 am at a meeting of the dissertation council D-212.288. at the Ufa State Aviation Technical University at the address: 450000, Ufa, K. Marx St.,

The dissertation can be found in the university library

Scientific secretary of the dissertation council: Dr. of Technical Sciences, Prof. S. S. Valeev

GENERAL CHARACTERISTICS OF THE WORK

Relevance of the topic

A modern information system (IS) in production operation includes functions for protecting the information processed in it and preventing unauthorized access to it. However, the dynamics of security violations in information systems indicate a number of unsolved problems in the field of IS information security, including in the design and operation of security tools.

At the design stage of the IS information security system, it is necessary to determine the required level of system security, and at the testing stage, to evaluate the security parameters of the audited system and compare them with the original security requirements. Assessing the security of a system at the testing stage requires an effective analysis algorithm, but today there are no standardized methods for the objective analysis of IS security. In each particular case the auditors' algorithms of action may differ significantly, which in turn may lead to significant discrepancies in assessment results and an inadequate response to existing threats.

Currently practiced security research methods involve the use of both active and passive testing of the security system. Active testing of the protection system consists in emulating the actions of a potential attacker to overcome the protection mechanisms.

Passive testing involves analyzing the configuration of the operating system and applications against reference patterns using checklists. Testing can be performed directly by an expert or using specialized software. This raises the problem of selecting an analysis algorithm, ensuring its completeness, and comparing the results of the evaluation.

To evaluate and compare the results of testing various IS configurations, some unit of measure abstracted from the specific properties of an IS is required, with which the overall level of security of these IS can be measured.

Analysis of modern methods for solving the problems under consideration showed that a number of different approaches are used. We can highlight the works of S. Kao, L.F. Cranor, P. Mell, K. Scarfone and A. Romanovsky on the problem of assessing the level of security, S.A. Petrenko and S.V. Simonov on the construction of economically sound information security systems, A.V. Melnikov on the problems of information systems security analysis, I.V. Kotenko on the development of intelligent methods for analyzing the vulnerabilities of a corporate computer network, and V.I. Vasilyev, V.I. Gorodetsky, O.B. Makarevich, I.D. Medvedovsky, Yu.S. Solomonov, A.A. Shelupanov and others on the design of intelligent information security systems. However, the issues of objective analysis of the level of IS security and its forecasting are considered in insufficient depth in these works.

Object of study: safety and security of data processed in computer information systems.

Subject of study: methods and models for assessing the level of security of computer information systems.

Objective: increasing the reliability of assessing the level of security of information systems based on the accumulated databases of their vulnerabilities and time series models.

Research tasks

Based on the goal of the work, the following list of tasks to be solved was determined:

1. Perform an analysis of existing approaches and methods for assessing the level of security of information systems.

2. Develop a model for evaluating the security level of complex information systems with respect to a given entry point.

3. Develop a method for predicting the level of security of information systems based on reliable knowledge about the system.

4. Develop a structural and functional model of information system vulnerability to create a unified database of vulnerabilities.

5. Develop a software prototype of a system for dynamic security analysis of a corporate computer network using heuristic vulnerability analysis techniques.



Research methods: system analysis, set theory, fuzzy logic, probability theory and time series theory, applied to develop the concept of building information systems with a predetermined level of security.

The main scientific results submitted for defense

1. A model for evaluating the level of security of complex information systems relative to a given entry point.

2. Method for predicting the level of security of information systems based on reliable knowledge about the system and time series models.

3. Structural-functional and set-theoretic model of IS vulnerability.

4. Implementation of a software prototype of a system for dynamic security analysis of a corporate computer network using heuristic vulnerability analysis techniques.

Scientific novelty of the results

1. A model for evaluating the security of complex information systems based on the division of the entire system into subsystems (blocks) with their own characteristics of the level of vulnerability is proposed. Within the framework of the proposed concept, it becomes possible to create systems with predetermined security characteristics, which, in turn, increases the reliability of the system in the long term.

2. A method for assessing the level of IS security is proposed, which, unlike existing expert assessments, makes it possible to predict more reliable results based on the databases of information system vulnerabilities accumulated by the world community using a time series model.

3. A structural-functional vulnerability model is proposed using the set-theoretic approach, which makes it possible to describe each vulnerability parametrically and to systematize and structure the available data on vulnerabilities in order to create appropriate bases for automated audit systems.

Validity and reliability of the results of the dissertation

The validity of the results obtained in the dissertation work is due to the correct application of the mathematical apparatus, proven scientific provisions and research methods, and the consistency of the new results with known theoretical provisions.

The reliability of the obtained results and conclusions is confirmed numerically and experimentally by the results of approbation of the developed software prototype for analyzing the security of a corporate computer network.

Practical significance of the results

The practical value of the results obtained in the dissertation lies in the development of:

a formalized procedure for analyzing the security of complex systems based on the logical division of the entire information system into subsystems-blocks with their own characteristics of the level of security;

structural-functional (SFMU/VSFM) and set-theoretic vulnerability models, which allow each vulnerability to be described parametrically and thus make it possible to systematize and structure the available data on all vulnerabilities;

methods and algorithms (including heuristic ones) for the operation of an automated system for analyzing the security of a corporate computer network, which have confirmed high efficiency in testing the developed software package in real conditions;

The results of the dissertation work, in the form of methods, algorithms, techniques and software, have been implemented in the corporate computer network of Chelyabinsk State University and at IT Enigma LLC.

Approbation of the work

The main scientific and practical results of the dissertation work were reported and discussed at the following conferences:

All-Russian Scientific Conference "Mathematics, Mechanics, Informatics", Chelyabinsk, 2004, 2006;

7th and 9th International Scientific Conference "Computer Science and Information Technologies" (CSIT), Ufa, 2005, 2007;

International scientific-practical conference of students, graduate students and young scientists, Yekaterinburg, 2006;

10th All-Russian scientific and practical conference "Problems of information security of the state, society and personality".

Publications

The results of the performed research are reflected in 8 publications: 6 scientific articles, 2 of them in periodicals from the list recommended by the Higher Attestation Commission of Rosobrnadzor, and 2 abstracts of reports in the proceedings of international and Russian conferences.

Structure and scope of the work

The dissertation consists of an introduction, four chapters, a conclusion, a bibliographic list of 126 titles and a glossary, 143 pages in total.

The introduction substantiates the relevance of the topic of the dissertation research, formulates the goal and tasks of the work, and defines the scientific novelty and practical significance of the results submitted for defense.

The paper analyzes the state of problems of automating the audit of the security level of information systems and increasing the objectivity of the examination itself. The concept of security of information systems is defined and the analysis of the main threats affecting this property is carried out. The key features of modern information systems that have a direct impact on such characteristics as reliability and security are identified. The main standards and normative documents coordinating the actions of experts in the field of information security are defined. The classification of modern means of protection, as well as their advantages and disadvantages, is given. Conducted research and international experience in the field of information security are analyzed and summarized. The modern implementation of the security analysis process, its stages, their strengths and weaknesses, the automated audit tools used with their pluses and minuses are considered in detail.

The review revealed a number of contradictions and shortcomings in the designated area of research. There are almost no analytical methods that allow assessing the level of security of the protected object at the design stage, when it is already clear what blocks the system will consist of. Most of the assessment methods used today are characterized by a high level of subjectivity, determined by the expert approach to assessing the level of security of an automated system. Unfortunately, dynamic algorithms for analyzing the current state of the level of protection of computer network resources at the stage of industrial operation have not yet become widespread. The key feature of these algorithms is that they are created by the system "on the fly" according to the identified properties of the analyzed object, which makes it possible to detect hitherto unknown vulnerabilities and to conduct a deeper audit of computer systems of any configuration.

The paper analyzes three main methods of security assessment (general criteria assessment model, risk analysis, model based on quality criteria), considers their key features, identifies advantages and disadvantages, and proposes a new original approach to assessing the security level of information systems.

The disadvantages of all these techniques are a rather high level of abstraction, which in each specific case gives too much freedom in interpreting the prescribed steps of the analysis algorithm and their results.

The listed research methods involve the use of both active and passive testing of the protection system. Testing can be carried out by an expert independently or using specialized software. But here the problem of choosing and comparing the results of analysis arises. There is a need for some scale, abstracted from the specific properties of the system, within which the overall level of security will be measured.

One of the possible solutions to this problem is an original method of analytical evaluation and forecasting of the general level of security based on time series theory. This method makes it possible to assess the level of protection of individual elements of the information system.

The following definitions and assumptions have been introduced:

1. The life path of a software and hardware tool is evaluated in terms of the number of versions and modifications released by the manufacturer;

2. The number of versions is counted not by the number of versions actually in use, but according to the formal scheme by which the manufacturer forms version serial numbers. Whether each individual version actually exists or not is not taken into account.

3. Vulnerabilities are classified by type as follows:

Low - vulnerabilities such as "elevation of local privileges", but not to the local system;

Middle - vulnerabilities that interfere with the normal functioning of the system and lead to DoS, and vulnerabilities that lead to the escalation of local privileges to the local system;

High - vulnerabilities that allow an attacker to gain remote control over the system.

4. The level of security of the information system is evaluated as the ratio of the total number of vulnerabilities of each class to the total number of system versions.

If the system has multiple target nodes, the cumulative vulnerability is calculated as follows:

$CISV_{VC} = K_1 \cdot ISV_{VC1} + K_2 \cdot ISV_{VC2} + \dots + K_i \cdot ISV_{VCi}$,

where i is the sequence number of the information subsystem; $CISV_{VC}$ is the cumulative vulnerability of the information system, calculated for vulnerabilities of a particular class VC; $ISV_{VCi}$ is the number of vulnerabilities of class VC in the i-th subsystem; $K_i$ is the share coefficient of the importance of each particular subsystem in the overall importance of the entire IT infrastructure, measured in percent.

To assess the overall vulnerability of the information system, the logical schemes presented below are used.

I. Model of serial connection of system links (see Fig. 1):

$CISV_{VC} = \min(ISV_{VC1}, ISV_{VC2})$

For n links connected in series:

$CISV_{VC} = \min_{i=1}^{n} ISV_{VCi}$

Figure 1 – Intruder-Target serial logic scheme

II. Model of parallel connection of system links (see Fig. 2):

$CISV_{VC} = \max(ISV_{VC1}, ISV_{VC2})$

For n system links connected in parallel:

$CISV_{VC} = \max_{i=1}^{n} ISV_{VCi}$

Figure 2 – Intruder-Target parallel logic scheme

Practical approbation of the developed method was carried out on the example of the Apache web server (see Fig. 4).
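The weighted-sum, serial (MIN) and parallel (MAX) rules above, as an added worked example in Python; this is not code from the dissertation or from the CISGuard package. It evaluates an arbitrary Intruder-Target scheme built from nested serial and parallel links and computes the importance-weighted CISV. Subsystem names, vulnerability counts and importance shares are constructed, and the requirement that the shares sum to 100 % is an assumption drawn from the statement that K_i is measured in percent.

```python
"""Cumulative vulnerability CISV of an information system assembled from
subsystem blocks: importance-weighted sum, serial (MIN) and parallel (MAX)
rules.  Example code added here; not the dissertation's own code.
Subsystem names, counts and weights are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Union

CLASSES = ("High", "Middle", "Low")   # vulnerability classes VC
ISV = Dict[str, float]                # vulnerabilities of one subsystem per class


@dataclass
class Link:
    """One subsystem block (link) on an Intruder-Target path with its own ISV."""
    name: str
    isv: ISV


@dataclass
class Serial:
    """Links the intruder must pass one after another: CISV = MIN over links."""
    parts: List["Node"]


@dataclass
class Parallel:
    """Alternative links leading to the target: CISV = MAX over links."""
    parts: List["Node"]


Node = Union[Link, Serial, Parallel]


def cisv(node: Node) -> ISV:
    """Cumulative vulnerability per class for any nesting of serial/parallel links."""
    if isinstance(node, Link):
        return dict(node.isv)
    per_part = [cisv(p) for p in node.parts]
    combine = min if isinstance(node, Serial) else max
    return {vc: combine(part[vc] for part in per_part) for vc in CLASSES}


def weighted_cisv(subsystems: List[Link], share: Dict[str, float]) -> ISV:
    """CISV_VC = K1*ISV_VC1 + ... + Ki*ISV_VCi, K_i given as importance shares in percent.
    The shares are assumed to sum to 100 % (not stated explicitly on the page)."""
    total = sum(share[s.name] for s in subsystems)
    if abs(total - 100.0) > 1e-9:
        raise ValueError(f"importance shares must sum to 100 %, got {total}")
    return {vc: sum(share[s.name] / 100.0 * s.isv[vc] for s in subsystems)
            for vc in CLASSES}


# Constructed sample: four subsystems with per-class vulnerability counts.
WEB = Link("web", {"High": 3, "Middle": 7, "Low": 5})
APP = Link("app", {"High": 1, "Middle": 4, "Low": 2})
DB = Link("db", {"High": 2, "Middle": 2, "Low": 6})
VPN = Link("vpn", {"High": 4, "Middle": 1, "Low": 1})

# Intruder -> (web -> app) or (vpn) -> db -> Target
SCHEME = Serial([Parallel([Serial([WEB, APP]), VPN]), DB])
SHARES = {"web": 40, "app": 30, "db": 20, "vpn": 10}   # constructed K_i in percent

if __name__ == "__main__":
    print("serial/parallel CISV:", cisv(SCHEME))
    print("weighted CISV:", weighted_cisv([WEB, APP, DB, VPN], SHARES))
```

For the constructed scheme the serial rule makes the database link the bottleneck, so the cumulative count per class is bounded by the least vulnerable link on the only mandatory path, while the weighted sum reflects every subsystem in proportion to its share.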

Figure 4 – Vulnerability level for different versions of the Apache web server

As is known, a change of the major version number of a software product is associated with significant code changes and functional transformations. Within these versions, the already incorporated functionality is refined and bugs are fixed.

To predict the number of vulnerabilities in future versions of the Apache web server, time series theory was applied and the analysis of the obtained data was performed. As is known, a time series is a sequence of measurements performed at certain intervals of time. In our case, the version scale of the software product was considered as a time scale.

We used the classic time series model, which consists of four components:

trend - the general tendency of movement to increase or decrease;

cyclical component - fluctuations relative to the main trend of movement;

random component - deviations from the course of the response, determined by the trend, cyclical and seasonal components. This component is associated with measurement errors or the effects of random variables.

Figure 5 – Vulnerability of the second version of the Apache web server

There are various regression analysis models that allow determining the functional dependence of the trend component. A method was chosen based on selecting the maximum correspondence between the indicators of the mathematical model and the indicators of the simulated system. An analysis of the experience of such companies as General Motors and Kodak in choosing an approximating model made it possible to choose a power law as the basis for the trend component. Based on the typical elements of the process for the considered set of examples, the following type of trend function was chosen:

$y(x) = b_0 \cdot b_1^{x}$.

In the course of the research, the following formulas for the time series trends were obtained:

$y(x) = 7.2218 \cdot 0.9873^{x}$ (High)

$y(x) = 16.5603 \cdot 0.9807^{x}$ (Middle)

$y(x) = 3.5053 \cdot 0.9887^{x}$ (Low)

From Fig. 6 it follows that the oscillation amplitude decays with time. To approximate the cyclic component, a function of the following form was chosen:

$y(x) = b_0 \cdot b_1^{x} + d \cdot f^{x} \cdot \cos(c \cdot x + a)$

$y(x) = 7.2218 \cdot 0.9873^{x} - 0.4958 \cdot 0.9983^{x} \cdot \cos(0.1021 x + 0.3689)$ (High)

$y(x) = 16.5603 \cdot 0.9807^{x} + 1.5442 \cdot 0.9955^{x} \cdot \cos(0.1022 x + 3.0289)$ (Middle)

$y(x) = 3.5053 \cdot 0.9887^{x} + 0.3313 \cdot 0.9967^{x} \cdot \cos(0.1011 x + 2.9589)$ (Low)

(1)

The adequacy of the proposed mathematical dependencies to the initial data is substantiated on the basis of the Pearson criterion.

The verification of the hypothesis H 0 showed that the original time series correspond to the series constructed from functions (1) (see Fig. 7).

The following formula was used to calculate the Pearson statistic:

$\chi^2 = N \sum_{i=1}^{k} \frac{(p_i^{emp} - p_i^{teor})^2}{p_i^{teor}}$,

where $p_i^{teor}$ and $p_i^{emp}$ are the probabilities that the vulnerability level falls into the i-th interval in the theoretical and original series, respectively; N is the total number of vulnerabilities over the versions of the original time series; k is the number of points in the time series.

Figure 7 – Approximation of vulnerability curves based on the selected functions

As a result, the following values of $\chi^2$ were obtained (Table 1).

Table 1 – Values of $\chi^2$ by vulnerability class

Vulnerability class   $\chi^2$
High                  10
Middle                37
Low                   18

Since in all cases $\chi^2 < \chi^2_{tabl}$, the hypotheses $H_0$ are accepted at the lowest significance level α = 0.01.

Thus, at the significance level α = 0.01, according to Pearson's goodness-of-fit criterion, the functional dependences given by the tabular initial data and the theoretical functions (1) correspond to each other.

To predict future values, it is proposed to apply the obtained functions (1) taking into account the product version number.

The accuracy of the proposed method is estimated by comparing the mean absolute deviation of the function of the described method and the mean absolute deviation of the function based on the expert method. In the first approximation, expert evaluation can be represented either by a linear or a power function (see Fig. 7), reflecting the main trend of the process. The mean absolute deviation (MAD) is calculated using the following formula:

$MAD = \frac{1}{n} \sum_{i=1}^{n} |y_i - \tilde{y}_i|$,

where $y_i$ is the value of the time series calculated at the i-th point; $\tilde{y}_i$ is the value of the series observed at the i-th point; n is the number of points in the time series.

Table 2 – MAD of the approximating functions by vulnerability class

Vulnerability class   Power function   Linear   Power function with a cyclic component
High                  0.5737           0.5250   0.
Middle                2.1398           1.5542   1.
Low                   0.5568           0.4630   0.

As can be seen from Table 2, the method proposed in the paper makes it possible to obtain an estimate twice as accurate as the expert estimate.
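The fitted functions (1), the MAD comparison of Table 2, the Pearson statistic and the estimate of not-yet-discovered vulnerabilities V = Vf − Vr, as one added example in Python; it is not the dissertation's code. The coefficients are the ones printed above; the "observed" Middle series is constructed from the model plus a small alternating perturbation, so it only demonstrates the computation, not the Apache data. The operator before the cyclic term of the High function is lost in the source and is assumed negative here. The tabulated χ² threshold is not built in: the caller compares the returned statistic with the critical value at α = 0.01 and k−1 degrees of freedom.

```python
"""Trend + cyclic model of the vulnerability count per product version
(functions (1)), the MAD accuracy measure, the Pearson statistic and the
estimate V = Vf - Vr.  Example code added here, not the dissertation's own;
coefficients are those printed on the page, the observed series is constructed."""
import math
from typing import Dict, List, Sequence, Tuple

# (b0, b1, d, f, c, a) for y(x) = b0*b1^x + d*f^x*cos(c*x + a), x = version index.
# The sign before the cyclic term of the High function is missing in the
# source; a negative d is an assumption made here.
COEFFS: Dict[str, Tuple[float, ...]] = {
    "High":   (7.2218, 0.9873, -0.4958, 0.9983, 0.1021, 0.3689),
    "Middle": (16.5603, 0.9807, 1.5442, 0.9955, 0.1022, 3.0289),
    "Low":    (3.5053, 0.9887, 0.3313, 0.9967, 0.1011, 2.9589),
}


def trend(vc: str, x: float) -> float:
    """Trend component only: y(x) = b0 * b1^x."""
    b0, b1 = COEFFS[vc][:2]
    return b0 * b1 ** x


def model(vc: str, x: float) -> float:
    """Trend plus cyclic component, functions (1)."""
    b0, b1, d, f, c, a = COEFFS[vc]
    return b0 * b1 ** x + d * f ** x * math.cos(c * x + a)


def mad(calculated: Sequence[float], observed: Sequence[float]) -> float:
    """Mean absolute deviation between a fitted series and the observed one."""
    if len(calculated) != len(observed) or not observed:
        raise ValueError("series must be non-empty and of equal length")
    return sum(abs(y - o) for y, o in zip(calculated, observed)) / len(observed)


def pearson_chi2(observed: Sequence[float], theoretical: Sequence[float]) -> float:
    """chi^2 = N * sum_i (p_i^emp - p_i^teor)^2 / p_i^teor, where p_i is the share of
    version i in the total count of its series and N is the observed total.
    Compare the result with the tabulated chi^2 for k-1 degrees of freedom."""
    if len(observed) != len(theoretical) or not observed:
        raise ValueError("series must be non-empty and of equal length")
    n_obs, n_teor = sum(observed), sum(theoretical)
    stat = 0.0
    for o, t in zip(observed, theoretical):
        p_emp, p_teor = o / n_obs, t / n_teor
        if p_teor <= 0:
            raise ValueError("theoretical probability must be positive")
        stat += (p_emp - p_teor) ** 2 / p_teor
    return n_obs * stat


def undiscovered(vc: str, version_index: int, found: int) -> float:
    """V = Vf - Vr: model estimate for the version minus vulnerabilities already found."""
    return model(vc, version_index) - found


def compare_fits(vc: str, observed: Sequence[float]) -> Dict[str, float]:
    """MAD of the trend-only fit versus the trend + cyclic fit, as in Table 2."""
    xs = range(len(observed))
    return {
        "trend_only": mad([trend(vc, x) for x in xs], observed),
        "trend_plus_cyclic": mad([model(vc, x) for x in xs], observed),
    }


# Constructed observed series for the Middle class over 12 consecutive versions:
# the model curve plus a small alternating perturbation standing in for the
# random component.  Not measured data.
VERSIONS = list(range(12))
OBSERVED_MIDDLE: List[float] = [model("Middle", x) + 0.1 * (-1) ** x for x in VERSIONS]

if __name__ == "__main__":
    print("MAD comparison:", compare_fits("Middle", OBSERVED_MIDDLE))
    theoretical = [model("Middle", x) for x in VERSIONS]
    print("chi^2 (Middle):", round(pearson_chi2(OBSERVED_MIDDLE, theoretical), 4))
    print("undiscovered High, version 12, 5 found:", round(undiscovered("High", 12, 5), 3))
```

On the constructed series the trend-only MAD is far larger than the trend-plus-cyclic MAD because the perturbation is small relative to the cyclic term; the real Table 2 figures come from the Apache data and are not reproduced by this input.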

The work compares the analytical method for assessing and predicting the level of security described in the second chapter with technological (experimental) methods for detecting vulnerabilities.

Using information about the current level of vulnerability of an information system, obtained from international databases, together with the developed method for predicting the level of vulnerability based on time series theory, it is possible to estimate how many vulnerabilities of each class will be present in it. Having an estimate of how many vulnerabilities a new version might have, and knowing how many have been discovered so far, we can determine the possible number of security threats that have not yet been identified using the following expression:

$V = V_f - V_r$,

where $V_f$ is the estimated number of vulnerabilities calculated using the method proposed in the paper; $V_r$ is the number of vulnerabilities found in the current version; V is the number of potentially existing but not yet discovered vulnerabilities.

Figure 8 – The process of combining assessments

Knowing the value of the level of potentially existing security threats V (see Fig. 8), but not their localization in the system (subsystems), the solution to the problem of providing protection remains uncertain. Thus, the problem arises of searching for and detecting weaknesses in the security of an existing system, taking into account all the features of its configuration settings, the properties and characteristics of the installed hardware and software, and the possible points of intruder penetration (which are difficult to take into account in analytical calculations). From this it is concluded that a software and hardware platform is needed that has effective algorithms for analyzing the level of security and contributes to the timely detection of new security threats. To create such a system, it is necessary to solve the problem of its system analysis.

Figure 9 – Structural-functional model of a vulnerability: Vulnerability (Vuln); Localization (Location): access point, IP (MAC address), port (Port), protocol (Protocol), service (Srv), software environment (Env), function (Func), parameter (Arg); Method (Exp): algorithm (Alg), data (Data), data representation (View); operational analysis

On the basis of the structural-functional vulnerability model (Fig. 9), a four-stage technology for auditing the security of computer systems is proposed.

The first step (see Figure 10) is a port scan of the target system to determine possible penetration points through running network services.

At the second stage, fingerprints are taken from the services running on open ports (service fingerprinting), which allows their subsequent identification down to the installed version number.

Figure 10 – The process of scanning an information system

At the third stage, based on the information already collected on the combinations of open ports, the types and versions of running services and the implementation features of the available protocol stacks, the operating system is identified (OS fingerprinting) down to the installed cumulative update packages and patches.

At the fourth stage, having already collected information, it becomes possible to search for network level vulnerabilities. At this stage, the identified services “listening” to the port and the operating system determined in the third step act as reference information.

In view of the foregoing, technologies and methods of technical analysis are proposed that make it possible to extract from the target system all the preliminary information necessary for a more detailed analysis of its vulnerability; for this purpose the algorithm of an attacker's attack on the target system is analyzed in detail.

A functional model of the vulnerability search and analysis system is proposed.
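The structural-functional vulnerability record of Fig. 9 and the fourth audit stage (matching the inventory fingerprinted in stages 1-3 against a unified vulnerability base), as an added example in Python; it is not the CISGuard code and performs no scanning of its own. The class and field names, the prefix match on the software-environment string, the placeholder record identifiers (EX-…) and the host inventory are all constructed; the IP/MAC and operational-analysis elements of the figure are reduced to a host address here.

```python
"""Structural-functional (set-theoretic) vulnerability record modelled on
Fig. 9, and the fourth audit stage: matching the service and OS inventory
gathered in stages 1-3 against a unified vulnerability base.  Example code
added here; not the CISGuard code.  Names, identifiers and hosts are
constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLASSES = ("High", "Middle", "Low")


@dataclass(frozen=True)
class Location:
    """Localization element: where in the target the vulnerability resides."""
    service: str                     # Service (Srv), e.g. "http"
    env: str                         # Software environment (Env): product/version prefix
    port: Optional[int] = None       # Port; None = any (services may sit on non-standard ports)
    protocol: Optional[str] = None   # Protocol; None = any
    function: Optional[str] = None   # Function (Func) inside the service, if known
    arg: Optional[str] = None        # Parameter (Arg) of that function, if known


@dataclass(frozen=True)
class Method:
    """Method element: how the vulnerability is checked."""
    alg: str    # Algorithm (Alg) used by the check
    view: str   # Data representation (View) the check inspects


@dataclass(frozen=True)
class Vuln:
    """One record of the unified vulnerability base."""
    vuln_id: str
    vc: str            # vulnerability class: High / Middle / Low
    location: Location
    method: Method


@dataclass(frozen=True)
class ServiceFP:
    """Stage 1-2 result for one open port: the fingerprinted service and version."""
    port: int
    protocol: str
    service: str
    env: str           # e.g. "apache/2.2.3"


@dataclass
class Host:
    """Stage 3 result: identified operating system plus its services."""
    ip: str
    os: str
    services: List[ServiceFP]


def applies(v: Vuln, fp: ServiceFP) -> bool:
    """A record applies when service, version prefix and any fixed port/protocol agree.
    Prefix matching of the environment string is a simplification assumed here."""
    loc = v.location
    if loc.service != fp.service or not fp.env.startswith(loc.env):
        return False
    if loc.port is not None and loc.port != fp.port:
        return False
    if loc.protocol is not None and loc.protocol != fp.protocol:
        return False
    return True


def stage_four(hosts: List[Host], base: List[Vuln]) -> List[Tuple[str, int, str]]:
    """Network-level vulnerability search: (host ip, port, vuln_id) for every applicable record."""
    return [(h.ip, fp.port, v.vuln_id)
            for h in hosts for fp in h.services for v in base if applies(v, fp)]


def isv_per_host(hosts: List[Host], base: List[Vuln]) -> Dict[str, Dict[str, int]]:
    """Per-host vulnerability counts by class: the ISV inputs of the cumulative model."""
    by_id = {v.vuln_id: v for v in base}
    result = {h.ip: {vc: 0 for vc in CLASSES} for h in hosts}
    for ip, _port, vid in stage_four(hosts, base):
        result[ip][by_id[vid].vc] += 1
    return result


# Constructed vulnerability base (identifiers are placeholders, not real advisories).
BASE = [
    Vuln("EX-0001", "High", Location("http", "apache/2.2"),
         Method("request-probe", "http-response")),
    Vuln("EX-0002", "Middle", Location("ssh", "openssh/4"),
         Method("banner-check", "banner")),
    Vuln("EX-0003", "Low", Location("ftp", "vsftpd/2.0", port=21, protocol="tcp"),
         Method("banner-check", "banner")),
]

# Constructed inventory as produced by stages 1-3 (private addresses, sample versions).
HOSTS = [
    Host("10.0.0.5", "linux", [ServiceFP(8080, "tcp", "http", "apache/2.2.3"),
                               ServiceFP(22, "tcp", "ssh", "openssh/5.1")]),
    Host("10.0.0.9", "linux", [ServiceFP(21, "tcp", "ftp", "vsftpd/2.0.5"),
                               ServiceFP(80, "tcp", "http", "apache/2.4.1")]),
]

if __name__ == "__main__":
    for finding in stage_four(HOSTS, BASE):
        print(finding)
    print(isv_per_host(HOSTS, BASE))
```

Because the record for the HTTP service leaves the port unspecified, the match is found on port 8080, which is the "services on random ports" case the scanning core is described as handling; the per-host counts returned by isv_per_host are the ISV values consumed by the serial/parallel cumulative model.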

The paper deals with issues related to the development of a software prototype of a security system scanner (CISGuard). The concept of the software complex, its key features, such as universality, features of the scanning core, and functional features are considered. A detailed description of the quality and stages of scanning is given. The architecture of the entire system has been developed (see Fig. 11).

The key functions of the kernel are proposed.

Figure 11 – Architecture of the security analysis software package

It is noted that although CISGuard runs under Microsoft Windows, it checks all vulnerabilities within its capabilities regardless of the software and hardware platforms of the nodes. The software package works with vulnerabilities at different levels, from system to application.

The features of the scanning core include:

Full identification of services on random ports. Provides a vulnerability check for servers with a complex non-standard configuration, in the case when services have arbitrarily chosen ports.

A heuristic method for determining the types and names of servers (HTTP, FTP, SMTP, POP3, DNS, SSH) regardless of their response to standard requests. It is used to determine the server's real name and to make the checks work correctly in cases where the WWW server configuration hides its real name or replaces it with another one.

Checking the weakness of password protection. Optimized password guessing for most services that require authentication, helping to detect weak passwords.

Web site content analysis. Analysis of all HTTP server scripts (first of all, user scripts) and search for various vulnerabilities in them: SQL injection, code injection, arbitrary program execution, file retrieval, cross site scripting (XSS), etc.

HTTP server structure analyzer. Allows you to search and analyze directories available for viewing and writing, making it possible to find weaknesses in the system configuration.

Carrying out checks for non-standard DoS attacks. Provides the ability to enable denial-of-service checks based on experience from previous attacks and hacking techniques.

Special mechanisms that reduce the likelihood of false alarms. In various types of checks, methods specially developed for them are used, which reduce the likelihood of erroneous identification of vulnerabilities.

The interface of the software package has been developed. An example of an authorized audit of target information systems is considered, which confirms the high efficiency of the proposed solutions.

Conclusion

The conclusion presents the main results obtained in the course of the research and the final conclusions on the dissertation work.

Main conclusions and results

1. An analysis of existing approaches and methods for assessing the level of information systems security has been carried out. The analysis revealed insufficient elaboration of the issues of obtaining reliable results of the analysis of the level of security and of its forecasting.

2. A model has been developed for evaluating the security of complex information systems based on the expected entry points and dividing the entire system into subsystems - blocks with their own characteristics of the level of vulnerability. Within the framework of the proposed concept, it becomes possible to create systems with predetermined security characteristics, which, in turn, increases the reliability of the system in the long term.

3. A method has been developed for assessing the level of IS security, which, unlike existing expert assessments, makes it possible to predict more reliable results based on the databases of information system vulnerabilities accumulated by the world community, using a time series model.

4. A structural-functional vulnerability model has been developed using the set-theoretic approach, which makes it possible to describe each vulnerability parametrically, systematize and structure the available data on vulnerabilities in order to create appropriate bases for automated audit systems.

5. The architecture and prototype of a system for dynamic analysis of the security of computer networks with the use of heuristic vulnerability analysis techniques (CISGuard software package) have been developed. The advantages of the proposed complex include its open extensible architecture and the use of unified vulnerability databases. Practical results are obtained on the basis of authorized automated analysis of computer networks of a number of domestic enterprises, which testify to the effectiveness of the proposed methods and technologies for security analysis.

Main publications on the topic of the dissertation

Publications in periodicals from the VAK list:

1. Politov M. S., Melnikov A. V. Two-level security assessment of information systems // Vestnik of Ufa State Aviation Technical University. Ser. Management, Computer Engineering and Informatics. 2008. Vol. 10, No. 2 (27). pp. 210–214.

2. Politov, M. S. Full structural assessment of information systems security / M. S. Politov, A. V. Melnikov // Reports of the Tomsk State University of Control Systems and Radioelectronics. Tomsk: Tomsk. state University, 2008. Part 1, No. 2 (18). pp. 95–97.

Other publications:

3. Politov M. S. Problems of analysis of information systems / M. S. Politov // Proceedings of the Conference on Computer Science and Information Technologies (CSIT). Ufa: Ufa State Aviation Technical University, 2005. Vol. 2. pp. 216–218.

4. Politov M. S. Security analysis of information systems / M. S. Politov, A. V. Melnikov // Mathematics, Mechanics, Informatics: Reports of the All-Russian Scientific Conference. Chelyabinsk: Chelyabinsk State University, 2006. pp. 107–108.

5. Politov, M. S. Multifactorial assessment of the level of security of information systems / M. S. Politov, A. V. Melnikov // Security of information space: materials of the international. scientific-practical. conf. Yekaterinburg: Ural. state University of Ways of Communication, 2006, p. 146.

6. Politov M. S. Comprehensive assessment of the vulnerability of information systems / M. S. Politov // Proceedings of the Conference on Computer Science and Information Technologies (CSIT). Ufa - Krasnousolsk, 2007. Ufa: Ufa State Aviation Technical University, 2007. Vol. 2. pp. 160–162.

Signed for printing _._.. Format 60x84 1/16. Offset paper. Offset printing. Typeface Times. Conventional printed sheets 1.0. Publisher's sheets 1.0. Circulation 100 copies. Order.

Chelyabinsk State University, 454001 Chelyabinsk, Br. Kashirinykh St. Printed by Chelyabinsk State University Press, 454001 Chelyabinsk, Molodogvardeytsev St., 57b.

