IDENTIFICATION OF THE PREPARATION OF A CYBER-ATTACK
DOI 10.24411/2072-8735-2018-10112
Alexey N. Nazarov,
V. A. Trapeznikov Institute of Control Sciences of RAS,
Moscow, Russia,
Keywords: cyber-attack, digital traces, attacking object, risk object, security function, model, fuzzy sets, membership function, linguistic variable, cluster, monitoring, Hadoop, web-space, identification, criterion, gadget, device, attacker, databases, threats, vulnerabilities, standard, destabilizing factors.
The complexity of counteracting cyber-attacks is due primarily to their high technology. Therefore, only the use of intelligent means and systems of counteraction can be a real protection against malicious intrusion. It can be considered that the life cycle of a cyber-attack consists of its preparation by an attacker and its implementation by an attacker. Given the complexity and variety of information and communication technology operations, protocols, of particular interest is the practical task of determining the identifying features or digital traces of the initiators of a cyberattack-terminal endings (gadgets, devices) and their owners with personal individual user features at the stage of preparation or design of a cyber-attack. In this regard, the formal formulation of the scientific problem of developing new approaches to the synthesis of models and methods of collection, processing and structuring of information necessary for the implementation of the technology of identification of physical devices and their users based on the analysis of traces left by them in the information space is relevant. The article offers a formal statement of the scientific problem and new approaches to the synthesis of models and methods of collection, processing and structuring of information necessary for the implementation of the technology of identification of physical devices and their users based on the analysis of traces left by them in the information space.
Information about author:
Alexey N. Nazarov, Professor, Doctor of Technical Sciences, Laboratory № 79, V. A. Trapeznikov Institute of Control Sciences of RAS, Expert ITU, Moscow, Russia
Для цитирования:
Назаров А.Н. Идентификация подготовки кибер-атаки // T-Comm: Телекоммуникации и транспорт. 2018. Том 12. №6. С. 69-76. For citation:
Nazarov A.N. (2018). Identification of the preparation of a cyber-attack. T-Comm, vol. 12, no.6, pр. 69-76.
I. Introduction
The highest rates of use of Internet technologies in various fields of human activity, impose new requirements for information security of risk objects. Cyber-attacks can cause huge material and financial damage. At the same time, the success of modern !T solutions for various subject areas that arc important for humanity is beyond doubt. The complexity of counteracting cyber-attacks is due, first of all, to their high technology. Therefore, only the use of intelligent means and systems f 11 of counteraction can be a real protection against malicious intrusion.
We can assume that the life cycle of a cyber-attack consists of its preparation by an attacker and its implementation by an attacker.
Common sense dictates that the right way to countering cyber-attacks is their elimination on the stage of their preparation, conception, or summing up — the early stages.
Cyber-attacks, as complex processes, are based on the latest information and communication technologies and preparation for the beginning of their effects is accompanied by mandatory technological operations in the web-space between the interacting objects, such as: connection establishment, verification ofchecksums, etc. Such technological operations are the elements of information and communication technologies. Such technologies, of course, were not developed for the bad guys preparing attacks against the objects of risk. Rut, unfortunately, the hacker community regularly reports about new vulnerabilities in the protocols and elements of information and communication technologies for the organization of cyber attacks against risk objects.
The possibility of organizing a global monitoring of the selected risk objects in ihe web-space was studied, for example, in [2, 3].
Given the complexity and variety of information and communication technology operations, protocols, of particular interest is the practical task of determining the identifying features or digital traces of the initiators of a eyber attackterminal endings {gadgets, devices) and their owners with personal individual user features at the stage of preparation or design of a cyber-attack.
Currently, there is no clear definition of the term "digital footprint", it is more journalistic reception (see, for example, [51). The proposed definition is a set of information about the user's visits and contribution during the stay in the digital space. May include information obtained from the Internet, mobile Internet, web-space and television". Therefore, it is possible [7] constructive, clarifying criticism of the formulation of this term.
In this regard, the formal formulation of the scientific problem of developing new approaches to the synthesis of models and methods of collection, processing and structuring of information necessary for the implementation of the technology of identification of physical dcvices and their users based on the analysis of traces left by them in the information space is relevant.
[i Statement of tiie research task
For an arbitrary risk object of the information and telecommunications system undergoing a cyber-attack, in general, there exists [8-10J a complete (in the cause-effect sense! system (list) of the security functions (see Table I, Fig. I and Table 2).
Table 1. Security Functions
Designation of security functions Appointment of security functions
Preventing the occurrence of conditions conducive to the generation of (occurrence) destabilizing factors (DF)
X 2 Warning immediate manifestations of destabilizing factors
Xi Detection manifested destabilizing factors
XA Prevention of exposure lo risk in (he manifested and revealed destabilizing factors
Prevention of exposure to risk on the manifest, but the undetected destabilizing factors
Detecting the impact of destabilizing factors oil the subject of risk
Localization (restriction) found ihe impact of destabilizing factors on the object of risk
Localization of undetected exposure to risk by destabilizing factors
Dealing with ihe consequences of the localized impact of the detected object on the destabilizing factors risk
^10 Dealing with the consequences of undetected localized exposure to risk by destabilizing factors
Figure I. The causal diagram of the security functions Xi^X10 and results of attack 0.
Table 2. Final events of attack Et -£\ 0 in Fig. !
E^E6 Defence Provided
Defence Broken
E9,E1 o Defence Destroyed
Each security {unction in general is a condition for suppressing an attack. The system of security functions allows, on a universal methodical basis, to unite and supplement the methods, means, technologies of information security from various subject areas that do not intersect in their physical and natural essence, including normative legal acts.
In [2,4,11] the methods of cyber-attack risk assessment are developed, formalized on the logical-probabilistic basis of the protection function <Fig.I > and the success (failure) function of the risk object on the basis of known protection functions and the conditions for the success of the opposition to the attack (reachability).
As can be seen from Fig. I to be successful, an attacker must know all or part of the existing security functions of the risk object and identify a successful scenario of the cyber- attack process that will ensure the failure of the security functions of the risk object, leading to the success of the cyber- attack.
Therefore, the activity of an attacker at the stage of preparation of a cyber-attack is associated with the definition of the security functions of the object of risk. But the security functions are created on the basis of the characteristics, parameters of the object of risk. So the attacker with his physical devices, gadgets and auxiliary hardware and software and/or with the help of other individuals (assistants) with their physical devices and auxiliary hardware and software will try to remotely study, examine the formalized characteristics and, above all, information arrays and information and communication technologies used by the risk object. Such collective actions of an attacker are very typical for modem distributed bot-attacks, using a huge number of devices, computers, estimated by hundreds of thousands [12], involving third parties in illegal activities, willingly or unwittingly helping the attacker himself.
Within the meaning of the security function ^-prevention of the conditions generating a negative impact of destabilizing factors in the overall structure (see Fig, 1) the risk of a cyber-attack. It is responsible, among other things, for solving the problem of identification of many physical devices and attackers, in General, collectively preparing a specific cyber-attack, based on the analysis of signs of preparation of such an attack or traces let) by physical devices of attackers [13].
In General, without limiting the generality of reasoning, we will consider the entire set of individuals involved in the preparation of a cyber-attack (an attacker with third parties) with their physical devices an attacking object in the information web-spaee. Moreover, this definition reflects the technological meaning of modern distributed, network bot-attacks [12, 14].
Thus, to implement the possibility of identifying the attacking object of information space on the basis of the analysis of its traces in the web-space, it is necessary to develop methodological approaches to the formalization of the identification of the activity of the attacking object in preparation for a cyber-attack against the risk object in the web-space, aimed at determining the
parameters, characteristics of the risk object, its technological features, functionality, information support used by it, its security functions and on their basis to develop a scientific approach to the creation of new models of the security function Xj.
III. THE MEASURE OF SUCCESS IDENTIFICATION
OF TRAINING TRACK CYBER ATTACKING OBJECT
The process of preparing an attacker using physical devices to cyber-attack A in the web-space against the selected risk object Y begins in some sense long before the immediate start of the attack. An attacker with the help of physical means and third parties develops an attack plan, collects the necessary information, acquires additional funds and prepares resources for the attack. In the process of preparing an attack, physical means, third parties and the attacker himself leave signs or traces in the information web-space. The process of preparing an attack lakes a certain amount of time — ATpA .
During this time t\TpA, it is necessary to detect traces of an attacking object with a high probability, which clearly prove the fact of preparing a cyber attack by an attacker.
The tracc of the attacking object will be considered very likely or reliably detected when the following relation is executed
PD-PA(t < ^pa) > 1 ~ PND-PA-
(1)
-the condition of success of identification of the trace ofthe attacking object, where PA(r < ATpA) - the probability of successful detection of the trace of the attacking object, PjHo-pA' the probability of non-detection of this trace, t- the time interval of monitoring this trace.
In the sense of the condition of success of identification of a trace (1) it is necessary to provide small value P^d-pa ■ This should be provided at the current time by known methods and means of monitoring and identification of attacking objects in the web-space.
The evaluation of the success of identifying traces of specific physical devices of attackers in the web-space using the condition (1) can be carried out at a given value P&d-pa' obtained, for example, by experienced or expert ways, as the "worst" in some sense in relation to a particular risk object. However, these paths are acceptable for many known classes of cyber-attacks. But now there is a high dynamics of modifications of cyber-attacks and expanding the range of their negative impacts. And for the correct acquisition of values it is necessary to develop new methodological recommendations, taking into account the rapid pace of improvement of technological features of modern cyber-attacks,
hi General, the value P^o-pa should be calculated based on the existing or achieved level of identification (identifiability) of the trace of the attacking object and the physical devices used by it. This level is due to the presence of available knowledge and solutions to detect traces of attacking objects to prepare a cyber-attack against the risk object. In other words, the level P^-tr should be calculated on the basis of developed, modified, in part of the traces of attacking objects, the security function Xx.
On the other hand, with a properly developed security function Xi, the probability Pq-PA (t < ATPA) of success of identification of the trace (I) of the attacking object should be large, close to one.
An attacking object, preparing a cyber-attack. should use the known vulnerabilities of the risk object. Because the object of
risk is pari of functioning information and communication systems on the web, its informational support consists of typical, standardized data elements and, especially, databases (DB).
To create new models of identification of traces of an attacking object, it is necessary to analyze modern threats to information security and vulnerabilities of information support of the risk object in the web-space.
IV. INFORMATION SECURITY THREATS
AND WAYS OF INFORMATION LEAKAGE
OF THE RISK OBJECT
The definition of the threat of information security of the risk object according to COST R 56545-2015 is a set of conditions and factors that create a potential or real existing risk of information security violation.
The threat to information security [15] is understood to be any object, event or person presenting a certain danger to the information system of the risk object. Threats can be intentional (direct theft, intentional modification of information), accidental (errors in calculations, accidental deletion of the file), natural (flood, hurricane, lightning, etc.) or man-made (voltage surges, fires, accidents in the systems of public utilities, etc.) [16, 17].
Based on the analysis of the features of the formation and characteristics of information assets of the risk object (1ARO), classification of information, the requirements of IARO user requests, the main threats to information security of a typical information resource-databases (DB) are 118]:
- disclosure of confidential information (unauthorized access, copying of data, duplication of data, theft of information),
- compromising information (making unauthorized changes to data sets and databases),
- unauthorized exchange of information,
- refusal of information (non-recognition by the recipient or sender of the facts of receipt or sending of information, respectively),
- denial of service (lack ofaccess to information).
Fundamentally possible ways of information leakage in the
risk object can be:
- direct theft of media and documents,
- copying confidential information,
- unauthorized connection to the user's personal workstation (terminal) and illegal use of the information access device,
- unauthorized use of special software to access confidential data. The attacker develops an attack scenario. The implementation of the attack process is accompanied by events (manifestations) of this attack. Events can be expected (predictable) or unexpected (unpredictable).
Of particular importance, the issues of ensuring information security of the IARO in the General case the gain currently in connection w ith the active use of cloud computing technologies when you build the data storage systems (DSS) for IARO. The additional information security risks associated with the" movement " of business processes, software and information support to the cloud, make it necessary to improve the availability and reliability of data storage through the development of new security models, involving, in particular, the delegation to a separate proxy server authority to identify, upload, process and remotely verify the validity and immutability of data in the cloud, as well as checking whether the data is stored from an external source without loading all the data [19].
The development of methodological aspects of the identification of the attacking object trace in pragmatic terms should be based on the existing standards of the subject area.
IV. VULNERABILITIES OF THE RISK OBJECT
According to GOST R 56545-2015 - "vulnerability" - is a lack (weakness) of software (software and hardware) tools or information system as a whole, which can be used to implement threats to information security.
Any vulnerability of the object of risk of the information and telecommunication system can be represented in the form of an image, which includes a set of certain characteristics (elements describing this vulnerability), formed by certain rules [20].
Description of the vulnerability of the risk object is information about the identified (detected) vulnerability. The rules for describing the vulnerability of the risk object are a set of provisions governing the structure and content of the vulnerability description [21].
According to [21] the images of vulnerability arc divided into the images of known vulnerabilities, zero day exploits and images of the new ly identified vulnerabilities.
A known vulnerability is a vulnerability published in public sources that describes appropriate information security measures, fixes, and updates.
A zero-day vulnerability is a vulnerability that becomes known until the developer releases a component of the risk object with appropriate information security measures, bug fixes, or appropriate updates [20].
For the first time, the identified vulnerability is a vulnerability not published in public sources [211.
Each type of images of the vulnerability of the object of risk is inherent in both General and specific characteristics (elements) that you can bring to the table. An example of a Table 3 is presented below.
Table 3. Elements of different types of vulnerability images
№ Characteristics of the image of vulnerability Element inherent to the image of a know n vulnerability E lenient inherent to the zero-day vulnerability image The element inherent in the image of the newly discovered vulnerability
1. Location of detection (detection) of vulnerability in the risk object + + +
2. Method of detection (detection) of vulnerability + + +
3. The name of the vulnerability 4- + -
n. Recommendations to address the vulnerability or to exclude the possibility of its use + - -
Before proceeding to the models of identification, identification and evaluation of vulnerability images, it should be clarified that the risk object consists of levels [22,23 ]:
- application software level responsible for user interaction;
- database management system level ( DBMS) responsible for storing and processing data of the risk object;
- operating system ( OS) is responsible for the maintenance of the DBMS and application software;
- the network layer responsible for the interaction of the nodes of the risk object.
Each level of the risk object is correlated with different types (classes) of vulnerabilities. To identity vulnerabilities, it is necessary to develop models for identifying, identifying and assessing vulnerabilities.
The main sources of risk object vulnerabilities are [22, 23 j:
- errors in the development (design) of the risk object (for example, errors in the SOFTWARE);
- errors in the implementation of the risk object (risk object administrator errors) (for example, incorrect configuration or SOFTWARE configuration, not an effective security policy concept, etc.);
- errors when using the risk object (user errors) (e.g. weak passwords, security policy violation, etc.).
The process of identifying the image of the detected vulnerability of the risk object, which has specific characteristics (elements), is carried out by means ofa procedure of its comparison with images of known vulnerabilities and zero-day vulnerabilities stored in the vulnerability database. A formalized description of known vulnerabilities and zero-day vulnerabilities is provided in the form of passports thai contain information about speciiic characteristics (elements) ofa specific vulnerability. To accurately identify an image ofa detected vulnerability, it must contain information about the name and SOFTWARE version of the risk object in which the vulnerability was discovered, the identifier, the name and the class of the detected vulnerability. Based on the above information, the security analysis tool correlates the image of the detected vulnerability to one of the types of vulnerability images.
For a qualitative assessment, the identified vulnerability image, in turn, should contain information about the identifier and type of the risk object's fault, at which the vulnerability was discovered, the location of the vulnerability in the risk object, and the method of vulnerability detection. The process of evaluation of the image of the vulnerability ends in the development of recommendations to eliminate vulnerabilities or to exclude the possibility of its use. In cases where an image of a newly identified vulnerability has been detected, the security analysis tool places information about it in the vulnerability database with the formation of a new zero-day vulnerability passport.
With the release of a developer of the object of risk measures, information security, necessary updates, and fix weaknesses, a zero day exploit goes into the status known vulnerabilities.
V. TYPICAL FEATURES OF FORMATION
AND CHARACTERISTICS OF DATABASES
OF RISK OBJECT
Depending on the subject area of operation of the risk object, its functionality and other specific properties, its database contains information about its documents, information arrays [15].
The basic quality characteristics of the database are: completeness, accuracy, relevance, depth of retrospective data, load time information in the database and the user requests necessary information. Information of the risk object is divided into open (public) information, confidential information and information for internal use.
Public information includes information intended to be published in the media, on the website of the risk object, information of an advertising nature, as well as other information that is recognized as publicly available in accordance with national legislation and can be made public. The open information of the risk object, in particular, include: various open and library collections, official publications; database of published documentation; information resources ofthe website of the risk object; regulatory and legal documents; reference and other information; links to information files and documents of other organizations, contracts and agreements; news and press releases [ 15].
Access to this information is not limited and, first of all, there are requirements to ensure the reliability and safety of data, protection of information from destruction and modification.
Statement of the problem of coverage - all scenarios for the success of cyber-attack (penetration) to cover (interrupt) with a minimum number of edges:
The confidential information of the object of risk, as a rule, include [15]:
- materials of applications of users of the risk object for the prov ision of information or other services;
-personal data of employees at risk;
- accounting data, information on wages of employees of the risk object;
- archive of applications;
-warehouse documentation;
- incoming and outgoing correspondence;
—contracts with third parlies;
- information, disclosure of which is prohibited by regulatory legal documents of the departmental affiliation of the risk object.
The requirements for the protection of confidential information during its processing, transfer, storage and destruction must comply with the requirements of national legislation.
Access to confidential information should be regulated by the relevant regulatory legal documents of the object of risk and be carried out on a special list (permit) on the basis of relevant employment contracts or agreements and in amounts not exceeding the minimum required for the performance of his duties (job or functional) [15].
To organize access to confidential information, enhanced means of, for example, two-factor authentication should be used, as well as mechanisms for logging events should be implemented that allow unambiguously identifying persons admitted to this information and their actions. Processing of confidential information is allowed only with the use of certified software and hardware, the operation of which is permitted by the management of the risk object [15].
The methods and means of transmission of confidential information shall ensure its transmission only to recipients with mandatory identification and confirmation of the sender's authorship and receipt (for example, by e-mail). When transferring confidential information in digital (electronic) form, it is necessary to encrypt it using cryptographic algorithms and encryption keys, and when it is transferred on information carriers, it is necessary to ensure the safety of these carriers during transportation.
The storage of confidential information should be carried out using means of control of the relevance and reliability of the data. The processes of destruction of coniidential information should ensure the impossibility of its subsequent recovery [ 15].
VI. ASPECTS OF SYNTHESIS OF THE MODEL
OF INTERESTS OF THE ATTACKING OBJECT
it follows from the above that the interaction between the elements of information support of the risk object is carried out by processes that are generally oriented to a tree-like, hierarchical structure. The elements of such a structure are different databases and other technological entities.
The theory of fuzzy sets allows to formalize and algorithmize such processes, taking into account technological features and specifics of functioning of the risk object.
Developing the approach of prof. Ryzhov A. [7J we will understand the digital interests of the attacking object as a set of linguistic variables [24] defined oil the logs of the device (for example, smartphone) of the attacker and third parties from the attacking object, sufficient to solve a specific problem. For example, the Activity in terms of "active", "medium activity", "not active"; the preference of the type of content in terms of "voice", "pictures", "videos"; Preference of the size of the content in terms of "large", "medium", "small"; the preferences of the time in terms of "morning", "afternoon", "evening", etc. A set of linguistic variables is defined by the task (that is, we will not care about the abstract completeness of the set of linguistic variables, but it will be important to understand how to construct them).
Formally, by analogy with [7|, we assume that an attacking object is described by a finite set of features A = {Alt ...,/!„}. Each Aq attribute is assigned a set of Uq of its" physical " values and a set of linguistic values (1 < q < rc) (that is, the attribute is a linguistic variable). Each such linguistic value of awq is assigned a membership function ¡¿awq (uq) ¡n the
universal set Uq (l < w < nq). The Uq sets are defined by the set of available data. Such data set (dataset) may be provided by the procedure established by law, including by Internet service providers. For example, provided by the company "Data processing Technologies" [7]. such dataset includes recording of alt actions with the smartphone (logs) of 800 users for 4 weeks, having the format <ID, transaction^ where the transaction has the format -^transaction start time, application, transaction end time>, where the application is the name of one of the applications installed on the user's smartphone, with which the work took place at the specified time. From such dataset we can extract various data (sets of Uq), for example, the average number of calls, the average number of phone use per day/ per w eek and above them (sets of Uq) build linguistic values that describe the features of Aq (1 < q < n).
Let us denote by (1 < / < N) the communication channels through which an attacking object prepares a cyber attack and which we are able to measure. It can be calls, SMS, chats, instant messengers, social networks, etc. units of measure - time (for calls), the number of characters (for SMS and instant messengers), time spent in app, etc. should be determined based on the specificity ofthe target of attack in relation to the risk object.
Let us denote in At some period of time for monitoring the list of potential attacking objects, "natural" for the task. This period of time should correspond to the time interval of preparation of the cyber attack - in the sense that criterion (1) is fulfilled.
We will consider this interval At equal to days [7| taking into account the human factor of the attacker and his assistants in
the attacking object. Divide the day into elementary units-minutes and denote in At (1 < j < 1440) the time interval corresponding to j minute.
Let's denote by vfj the number of units spent by the k -th attacking object on channel ion the j-th minute (1 < k < K). For time v¡j is zero or one, for other units (for example, symbols), it can be an average value for the time of typing.
VII. PARTITION OF A UNIVERSAL SET
It is important to understand the readiness of the attacking object to consume or process information about the risk object at a certain time of the day. Since the attacker and his assistants-people, they have to sleep, eat, rest, etc. I low much for a particular attacking object such meaningful intervals of time of day there? There is no common answer, so it is correct to choose such a number of natural intervals that will provide a better quality of covering the universal set [0, 1440]. The quality is determined by different indicators-below we will use, similarly [25], the imbalance of classes and the degree of indistinctness.
To do this, [7] we collect all the activities of all components of the attacking object for a certain time, that is, we calculate for each Atj the value vf = £f=1 where vfj =1 if the k-th component of the attacking object used the ¿-th communication channel in time At, and — 0 if the k-th component of the attacking object had no activity in the time interval Atj. To divide the time of day, choose a "typical" attacking object (for example, the cluster center after the clustering of attacking objects) and clustering the obtained objects Vj (1 < j < 1440) with the standard C-means algorithm for a different number of clusters and calculate the quality of clustering
VIII. AN EXAMPLE OF AN APPROACH
TO CLUSTERING AN ATTACKING OBJECT
The experiments carried out by the authors [7] showed the best results for the time interval of 15 minutes in the case of determining the individual's preferences for news content in the home sector (see table 4), which is quite reasonable. Therefore, it seems appropriate to use this approach to time aggregation (l<j<95) for the ease of preparation of a cyber- attack based on news information.
As can be seen from table 4, optimal from the point of view of the imbalance of classes in the case of determination of preferences of individual news content in the home sector is split into 3 classes, which can be interpreted as "morning", "working hours" and "evening" (cluster centers 22.84787803, 54.46499606, 78.82015172). The usage time clustering for the three clusters is shown in fig.,2, according to [7].
Table 4. Quality characteristics of time-to-use clustering
(based on the materials [7])
Number of clusters Degree of fuzziness Class imbalance
2 0.17368421 0.230382367079
3 0.29473684 0.199661103355
4 0.32631579 0.389432788809
5 0,33684211 0.488659684614
Fig. 2. Clustering time-of-use for the three clusters [7]
Similarly, we can determine, for example, the activity of eaeh attacking object:
1. Calculate the average value of units spent per day for eaeh attacking object, taking into account its components.
2. We conduct the clustering attacking objects.
3. We interpret the clusters obtained.
IX. DESCRIPTION AND CLASSIFICATION OF
DIGITAL TRACES OF THE ATTACKING OBJECT
If we are interested in the description of the attacking object in terms of "Active / Not active", "Interested in the receipt of finance on the accounts of the risk object in the morning/ afternoon/evening", "Interested in video about visiting the risk object", etc.. then, using similar reasoning and availability of data, we can build such descriptions. These descriptions (linguistic variables, constructed on universal sets obtained from datasei) by analogy with f7] will be called primary. Based on the received primary descriptions, following the recommendations of prof. Ryzhov A.P. [26] wc can classify attacking objects using a fuzzy classifier and obtain secondary descriptions. Note that we can do this w ith minimal uncertainty for a large number of cases [26].
Such formal descriptions are the formalization of digital traces of the attacking object. The architecture of the system of building digital traces for the interests of determining the preferences of the individual of news content in the home sector is presented in [7].
From the above, the following sequence of technological operations for formalizing digital traces of the attacking object is proposed.
1. Based on the monitoring results and the primary measurements (transactions) determined on the logs of the attacker's and third-party devices from the attacking object, we form a set of digital interests of the attacking object in the form of a set of linguistic variables built on universal sets.
2. Based on the results of the processing of the experimental data, we obtain an estimate of the activity of all components of the attacking object for a certain time, over all communication channels. Define the time-division of the day, typical for the digital interests of attacking objects.
3. For the chosen lime-of-day partition, select the "typical" attacking object for a different number of clusters and calculate the quality of clustering.
4. We form the primary descriptions of the attacking object in selected terms, which are linguistic variables, constructed on universal sets (see the above p. 1).
5. Based on the primary descriptions obtained, we classify the attacking objects using a fuzzy classifier and obtain
secondary descriptions, which are digital tracks with minimal uncertainty for a large number of eases [26].
Formalization of digital traces of the attacking object can be used to identify the personalization of the use of various services used in preparation for cyber-attack (for example, advisory, from hacker forums).
Technologically, the identification of the attacking object of the information space based on the analysis of its traces in the web space should be carried out in the monitoring system in the cloud cluster. In [3, 27], from fairly general premises, methodical approaches were developed to create algorithms and software solutions in the lladoop web programming environment for a wide class of tasks for monitoring objects in the web space. The topology of the Hadoop monitoring cluster has been developed for the first time, which has common application. The research and proposed algorithms for measuring the attributes of monitoring objects in the web space, taking into account the requirements for the uniformity of measurements. The system requirements for the design of the lladoop monitoring cluster have been developed. The existing reserve for the lladoop monitoring cluster can be further developed on the basis of the above approaches, including the formalization of digital traces of the attacking object.
X. CONCLUSION
The notion of an attacking object in the web space is formulated. The concept reflects the technological essence of modem distributed network bot-attacks and extends to the entire set of individuals involved in the preparation of a cyber-attack (an attacker with his assistants) with their physical devices.
The criterion of success is the identification of the trail of preparing a cyber-attack by an attacking object, taking into account the probabilistic nature of the risk ofa cyber- attack and the time frame due to the preparatory activity of the attacking object. The order of an estimation of an admissible value of probability of success of identification of a trace of preparation of a cyber-attack is defined.
Proceeding from the analysis of standard requirements, technological features of formation and characteristics of information assets of the risk object, classification of information, user requirements, the main threats to information security of a typical information resource - databases were analyzed. Typical features of the formation and characteristics of databases of the risk object are systematized.
Analysis of the requirements of the current regulatory framework oil information security threats, information leakage paths, vulnerabilities of the risk object, as well as an overview of typical features of the formation and characteristics of the risk database allow us to conclude that the interaction between the elements of information provision of the risk object is carried out by processes oriented in general case into a tree-like, hierarchical structure. The theory of fuzzy sets allows to formalize and algorithm ize such processes, taking into account technological features ofthe object of risk.
The aspects of creating the model of interests ofthe attacking object are investigated. Applicability of theoretical results from the field of fuzzy sets in this ease is due to technological capabilities to understand the digital interests of the attacking object a set of linguistic variables defined on the log of the device
(for example, smartphone) of the attacker and third parties from the attacking object, sufficient lo solve a particular problem.
A set of linguistic variables is determined by the task. The proposed approach is not critical lo the abstract completeness of □ set of linguistic variables, but offers methodological recommendations for their construction.
Methodical features of clustering of the interests of the attacking object are illustrated with an example [7] of the results of processing experimental data for the ease of determining the individual's preferences for news content in the home sector.
To solve the task of identifying the attacking information space object based on the analysis of its traces in the web- space, a technological sequence of actions is proposed that forms the order of description and classification of digital traces of the attacking object.
New methodical approaches lo the formalization of the identification of the activity of the attacking object in preparation for the cyber-attack in relation to the risk object in the web space aimed at determining the parameters, characteristics of the risk object, its technological features, the information support it uses, its security functions are developed. These approaches are the scientific basis for the development of new models of security function X i in the overall structure of the risk of cyber-attack.
The proposed approaches are technologically feasible in the I ladoop monitoring cluster.
References
f. Nazarov A. (2017). Intellectual informal ion security on cloud basis. Collection of proceedings of the 111 interregional scientific-practical conference "Perspective directions of domestic information technologies". Crimea, Sevastopol, 10-23.09.2017. pp. 26-28.
2. Nazarov A. (2017). Syntez of security functions against cyber-attacks. T-Comm, vol. 11, no. 9. pp. 80-85.
3. Volkov D., Nazarov A. & Nazarov M, (2014,). A global threat - the dark web. Annual Collection of scientific works of International conference "Managing the development of large-scale systems" (MLSD'2014). Institute of control Sciences RAS. pp. 452-459,
4. Nazarov A. (2016) Assessment of security from in formal ion attacks. Telecommunications, no 5, pp. 23-33.
5. Slechk'm 1, Who owns our "digital footprint"?- lutp://jrnlst.ru/komu-prinad lezh it- n ash-ci frovoy -sled.
6. Digital footprint. Material from Wikipedia, the free cncvclopcdia-htt ps ://ru ,wi k i ped i a ,o rg/ w i k i/1 tn<|>po bo il c.iea,
7. Ryz.hov A. Sl Novikov P. (2017). On one model of digital habits. Intelligent Systems. Theory and applications. Vol. 21, Issue, 4, 2017, pp. 91-102.
8. Nazarov A. (2007). Estimation of information safety level of modern infocom muni cat ion networks on basis of logic-probability approach. Automation and Remote Control, July 2007. Vol. 68 Issue 7. 2007. pp. 1165-1176. USA, doi: 10.1134/S0005117907070053.
9. Nazarov A. (2010). Logical-and-probabifistic model for estinulling the level of in formal ion security of modem information and communication networks. Telecommunications and Radio Engineering. Vol. 69, no 16, pp. 14531463, USA, doi: 10.1615/TelecomRadEng.v6?j 16.60.
10. Nazarov A. & Syehcv K. (2011). Models and methods for calculating the indicators of quality of functioning of the equipment units and structural parameters of the network the next generation networks, 2th cdn, LLC Policom, Russia, Krasnoyarsk.
11. Nazarov A., Nguyen Xuan Tien, Trait Minh Hai (2016). Modeling of information attacks, and security risk assessment facilities. T-Comm, vol.10, no. 8, pp. 69-78.
12. Nazarov A. (2012). Bolnet tracking and global threat intelligence - behavior approaches to identifying distributed bowels', paper presented at the flilili. Collection of proceedings of the Cybersecurity Summit (WCS), 2012 Third Worldwide, New Dehli, ' 30-31 Oct. 2012. http:/7ieee\plore. iece.org'X pl.'arti cleDetai ls.jsp?amumber-6780878&newsearch=true &t) ueryText=Botnel%20tracking%20and%20gl obal%20threat%20inie 11 igence%20-%20bchavior%20approaches%20to%20identilying%20distributed%20botnets.
13. Na/arov A, (2018), Identification of Ihe preparation of a cyber attack. Annual Collection of proceedings of the international bronch scientific and technical conference "Technologies of information societyMTUC1, March 14-15 2018.
14. Komarov A„ Nazarov A. (2013). The functional requirements for the deled ion system and anti-bolnel-attack oil corporate network. Communication technology, series "Technics of TV", 2013, pp. 140-151.
15. SirotiLik V. 2(017). Models and methods of construction of effective mechanisms of protection of patent database structures. Control Sciences, no, 5, pp. 43-51.
16. Kuznetsov N„ Ktilba V. (2006). Information security of organizational management systems. Theoretical basis, vol. 1-2, Science.
17. Kizza J. (2017). Guide to Computer Network Security, 569 p.. Springer, ISBN 978-3-319-55606-2.
18. Siroliuk V. (2012). Problems and tasks of ensuring information security of patent information resources. Patent infonnation today, no, 1, pp. 3-tO.
19. Wang H„ He D„ Tang S. (2016). Identity-Based Proxy-Oriented Data Uploading and Remote Data Integrity Checking in Public Cloud. IEEE Trans. Information Forensics and Security, Vol. 1:. no. 6, pp. 1165-1176.
20. Konovalenko S„ Korolev I, (2016), Identify ing vulnerabilities lo information systems. Innovation in science, no. 9(58), pp. 12-20.
21. Information protection. Vulnerabilities of information systems. Vulnerability description rules. Slate standard of the Russian Federation (COST R) 56545 2015, Standardinform.
22. Lukatskiy A. (2001). Intrusion detection, 624 p. BliX.
23. Information protection. Vulnerabilities of information systems. Vulnerability description rules. Classification of information systems vulnerabilities. Slate standard of the Russian Federation (GOS'i R) 56546 2015, Standardinform.
24. /.ade I.. (1976) The concept of a linguistic variable and ils application to making approximate decisions, 165 p., Mir.
25. Ryjov A., Zhtiravlev A., Vahov A., Krivtsov V. (2016). Aboul one approach lo ihe personalization of learning within computer-based training systems. Intelligent Systems. Theory and applications. Vol. 20, Issue 3, pp. 180-185.
26. Ryzhov A, (2005), On the quality of object classification based on fuzzy rules. Intelligent systems, Vol. 9, Issue 1-4, pp. 253-264.
27. Nazarov A„ Nazarov M„ Pamiuhin I), I'okrova S„ Sychev A. (2015), Automation of monitoring processes in web-hased neuroI'uzzy formalism. T-Comm, vol. 9, no. 8, pp. 26-33.
ИДЕНТИФИКАЦИЯ ПОДГОТОВКИ КИБЕР-АТАКИ
Назаров Алексей Николаевич, институт проблем управления им. В.А. Трапезникова, РАН, Москва, Россия, [email protected] Аннотация
Сложность противодействию кибер-атакам обусловлена, прежде всего, их высокой технологичностью. Поэтому только применение интеллектуальных средств и систем противодействия может быть реальной защитой от вредоносного вторжения. Можно считать, что жизненный цикл ки-бер-атаки состоит из её подготовки злоумышленником и её реализации злоумышленником. Учитывая сложность и многообразие инфокоммуни-кационных технологических операций, протоколов, чрезвычайный интерес приобретает практическая задача определения идентифицирующих признаков или цифровых следов инициаторов кибер-атаки - терминальных окончаний (гаджетов, девайсов) и их владельцев с персональными индивидуальными пользовательскими особенностями на стадии начала подготовки или замысла кибер-атаки. В этой связи актуальна формальная постановка научной задачи разработки новых подходов к синтезу моделей и методов сбора, обработки и структурирования информации, необходимой для реализации технологии идентификации физических устройств и их пользователей на основе анализа следов, оставляемых ими в информационном пространстве.
Ключевые слова: кибер-атака, цифровой след, атакующий объект, объект риска, функция защиты, модель, нечёткие множества, функция принадлежности, лингвистическая переменная, кластер, мониторинг, Hadoop, web-пространство, идентификация, критерий, гаджет, девайс, злоумышленник, базы данных, угрозы, уязвимости, стандарт, дестабилизирующие факторы.