CC BY
97
Cloud of Science. 2018. Vol. 5. No. 3 http:/ / cloudofscience.ru
Model of adaptive information security system of a computer-based data transmission network
L. M. Gruzdeva
Russian Transport University (MUT) 9, bld. 9, Obrastsova str., Moscow, 127994, Russia
e-mail: [email protected]
Abstract. The problem of increasing the capacity of a corporate data transmission network in the context of the impact of information security threats has been formalized as a task of constructing an adaptive information security system that is capable of providing the highest possible capacity level at a reliable detection of and maximum efficient counteraction to threats. A protection system model, which includes detection and counteraction levels whose facilities are promptly initiated in the most vulnerable nodes of the network, has been developed. In practice, this will shorten information threat detection time through elimination of traditional signal processing logics, as well as provide maximum possible counteraction to threats without a significant increase in the average packet delay time in the network.
Keywords: corporate data transmission network, information security system, information security, information threats.
1. Introduction
Despite measures taken to ensure information security (IS) of the resources of government agencies, large companies, small commercial organizations, etc., corporate data transmission networks (CDTN) still remain vulnerable to cyberattacks from external and internal intruders. Effective design, operation and upgrade of corporate networks in the context of the impact of information attacks are impossible without assessing performance quality indicators, with the network capacity being one of them [1-3].
The review of corporate network study activities and practical experience allows us to state a sharp decrease in the network capacity in the context of the impact of information attacks [4]. The decreased network capacity is associated with insufficient security due to the following reasons: broad use of open data transmission protocols; involvement of users of various categories in the data processing process and the use of dictionary passwords by these users; sensitive data storage in open/ public domains, etc. (Fig. 1, 2) [5].
31% 50% 56% 69% 75% 81%
36% 100% 82% 91% 91% 100%
56% 78% 56% 33% 100% 89%
40% 87% 33% 60% 67% 82%
55% 82% 45% 36% 64% 82%
Unrestricted File Uploud The use of dictionary passwords Sensitive data storage in open/ public domains DBMS access interfaces are accessible to any Internet user l Vulnerabilities of system and application software related to the lack of updates Broad use of open data transmission protocols
Figure 1. Most widespread the vulnerabilities on a network perimeter, discovered at the analysis of security (stake of the systems)
2017 36% 57%
30% 60% 70% 90% 100%
82% 82% 91% 100% 100%
50% 88% 88% 100% 83%
33% 67% 889i 92% 67%
I Vulnerable versions software Sensitive data storage in open I Inadequate protection of privileged accounts The use of dictionary passwords
Lacks of defence of official protocols and network levels, leading to the interception and redirection of traffic
Figure 2. Most widespread the vulnerabilities, discovered at the analysis of security of intranet (stake of the systems)
The most common method, used by cybercriminals for cyberattacks, including those for gaining financial benefits, assumes the application of malicious software (MS), whose
share in 2017 reached 39% (Fig. 3) [6]. Criminals often combined this method with other methods, e. g., with social engineering or exploitation of web-vulnerabilities. In the first quarter of 2018, the share of MS-based attacks was 63% (+27% as compared to the similar period of 2017, Fig. 3) [7].
Figure 3. Methods, used by cybercriminals for cyberattacks
Advanced information security systems (ISS) [8, 9] solve this problem to some extent by partial blocking of harmful traffic; however, ensuring high detection probability and delays associated with counteractions, lead to a significant spending of network resources, which is ultimately accompanied by a decreased system capacity. Increasing the reliability of detection and identifying information attacks as well as developing methods and means to reduce their impact on the CDTN performance is so far and, obviously, will remain one of the urgent tasks for the nearest future.
2. Statement of the problem
Let there a set of corporate data transmission network objects {Oj, O2, ..., OK} be given. Fig. 4 illustrates a structural scheme of the CDTN. Communication lines are absolutely reliable, noise-proof and consist of a duplex data channel; switching nodes (routers of CDTN segments) have an infinite memory; traffic consists of packets of the same priority and forms a Poisson stream; packet processing time at nodes is defined by the exponential distribution law.
IIS PF
IIS PF
IIS PF
LAN
WS PF
WS PF
WS PF
LAN
WS PF
WS PF
WS PF
LAN
S PF
S PF
Means of managing a fragment of CDTN A main fragment of CDTN
ISS of fragment of CDTN
Dedicated channels
A common transmission medium Data transmission medium
X
WS PF
WS PF
WS PF
LAN
WS PF
WS PF
WS PF
ISS of fragment
S
PF
LAN
PF
M e a n s o f m a n a g i n g a fr a g m e n t A remote fragment of CDTN
A remote fragment of CDTN
A remote fr a g m e n t o f CDTN
S
Figure 4. Structural scheme of the CDTN, where WS (workstation), PF (protection facilities), Local Area Network (LAN), Internet Information Services (IIS), Server (S)
It is required to ensure maximum possible CDTN capacity at a reliable detection and maximum effective counteraction to information security threats (information threats): O(n) ^ max;
PD (t) = 9i(Pi(t), P2 (t),. ., PN (t)) ^ max;
Pfa (t) = 92(Pi(t), P2(t),. ., Pn(t)) ^ max; (1)
Qc (t) = 93 (q (t), q (t),.. ., qK (t)) ^ max;
rjiD rj^C ^ rjiA
where O(n) — CDTN capacity; N — number of detection hardware (N > K); PD (t) — probability of detecting IS threats; (t) — probability of a «false alarm» (FA) occurrence; K — number of countermeasures; Qc (t) — probability of counteraction to information threats; TD = %4(tD, t2\ ..., t'D) — IS threat detection time; TD =p5(t1D, t^,..., tD) — time for taking counteractions to IS threats; TA — allowable time consumption for providing protection (%, %, %, %, % ) — types of corresponding functional dependencies).
The solution of the problem (1) involves the development of logic diagrams for reliable detection of information threats as well as the development of a distributed threat
counteraction system model. An adaptive information security system should be understood as a set of protection methods and facilities for a given number of corporate network objects, which requires minimum time for detecting an information attack at a simultaneous minimization of its consequences. The objective of the measures taken is to reduce the probability of a total infection of a corporate data network, mitigate consequences of such impacts and, thus, ensure the required CDTN capacity level.
3. Adaptive information security systems model
To solve this problem, an ISS was developed, whose functioning is convenient to be viewed on a structural model for detecting and countering information attacks to the CDTN resources (Fig. 5). Let's separate a high-level architecture of the information security system.
Information attacks
| Detection level
fd, fd3 fdj fd4
v (X.(t\X,!t\. -*..rtv>l
z f. A deciding unit
L '"Hr Y = (v,. v,... .ViO
1' Counteraction level ||
fc, | fc2 1 fc3 | fck
CDTN
Counteraction to threats
Figure 5. Structural model for detecting and countering information attacks to the CDTN resources
Detection level is a set of facilities of detecting information threats FD = [FDl, FD2,..., FDn}. Each element of the set FD has the following characteristics: p (t), i = 1, N — probability of detecting information threats; p (t), i = 1, N — probability of "false alarm" occurrence; tD, i = 1,N — IS threat detection time that allows reaching maximum probability of detecting IS threats, i. e. pmax = lim pi(t).
At the detecting hardware output, signal Xi (t), i = 1, N is generated, which takes either 1 (information threat has been detected), or 0 (information threat has not been detect-
ed). Signal Xi (t) by signal occurrence probability distribution densities — f (Xt (t)) (IS threat exists) and fn (Xi (t)) (no IS threat):
While forming the detection level, the following conditions must be met:
1) ensure the possibility of combined operation of integrated detecting facilities;
2) ensure optimum operation time for detecting information security threats;
3) ensure given probability of information threat detection;
4) decrease the average frequency of "false alarms".
The study of detection level algorithms, which are based on traditional logic diagrams, has showed that easy signal processing and generation of a common decision on the presence or absence of information threats are the main advantage of these algorithms. A serious drawback of these algorithms is the ignorance of individual peculiarities and characteristics of each individual detecting facility, which does not allow achieving the best correlation between the probability of detection and frequency of generation of a "false alarm" at the detection level as a whole.
Paper [10] suggests a detection level operational logic that is based on the «critical area of threats» (CAT) notion. The advantage of this logic is the consideration of possible mutual influence of various detecting facilities, since CAT is configured based on probabilistic characteristics of the detection level, rather than its individual protection facilities.
A deciding unit implements the following logic: based on the detection level readings (X (t), X2(t), ..., XN(t)) a decision on the presence/ absence of information security threats is made:
If Z = 1, the control action (y1, y2, ..., yk), is generated, otherwise the algorithm ends.
Counteraction level is a combination of facilities for combatting information security threats FC = {FC1, FC1, ..., FCK}, each of which can be initiated upon detection of a
threat. Elements of the set FC have the following characteristics: q (t), j = 1,K — prob-
1 at information threat has been detected,
0 otherwise.
ability of countering information threats; tCC, j = 1, K — counteraction time to reach maximum probability of countering IS threats, i. e. q 7ax = lim qi (t).
J tJ
Fig. 6 illustrates a schematic logic for initiating countermeasures to IS threats in an open corporate network.
Figure 6. Schematic logic for initiating countermeasures in an open corporate network
Let's consider an open corporate network model comprising of a source of packets (node0) and a queueing system (QS) K
M/ M/ m1/ ro, M/ M/ m2/ ro,... M/ M/ mK / ro. Generally, an open queueing network (QN) is set by a stochastic routing matrix PR =|| pij ||, where pij — is the probability of
sending a packet from the i - th node to the j - th node, and ^K=0 py = 1 = 0, K. The
average packet delay time in the network is one of its basic capacity parameters.
For context specificity, let's define the K - th node as a protected resource of an
open queueing network. In each i - th node (i = 1, K -1), a counter facility that is capable with the probability u to counteract information security threats. This system includes
only 2(K-1) -1 counter facility initiation options, and the number thereof is numerically equal to the binary number:
where y, - •
Y = (yi, y2,-> yK-1 )2 [0, if the countermeasure is not initiated at the i -th node, 11, if the countermeasure is initiated at the i - th node.
Let's imagine that a network runs a random process of spreading a malicious software, intended either for implementing IS threats to information processed in the network, or for a hidden misuse of resources or other impact that hampers normal operation of the network. In this case, the queueing network (QN) may be in one of discrete state {s0, s1,..., sK}. Transition from state si to state s. occurs with the probability p and means that malicious software of the i - th node has infected the j - th node (i, j = 0, K).
Suppose that the queueing network is initially in the state s0, i. e. a malicious software is in the zero node (source of packets), whereas other nodes remain uninfected. As a result of a random a malicious software propagation process, susceptible nodes become infected.
The sequence of calculating the probability of counteraction to simple single nonreturn IS threats is as follows.
1. Plot matrix Q based on the elements of matrix PR by introducing absorbing states
S and s^ into it (a malicious software may leave the system without infecting the K_
th node).
( 1 0 0 ... 0 ^
Q -
Pl0 Pll Pl2 ••• Plk
P20 P21 P22 ••• P2 k
0 0
0
1
(2)
2. If there are no counter facilities in the system, then go to Step 3. Otherwise, based on the Y number, introduce an IS threat counter facility in (2). Let's consider that the counteraction means a malicious software outbreak to the 0-th node.
( i n n n A
Q -
l
P10
0
P11
0
Pl2
P,0 + U, (1 - P,c) (1 - U )Pll (1 - u,)Pi2
0
0
0
0
P1K
(1 - U ) PK 1
where u (i -1, K -1) — probability of a malicious software counteraction.
3. Set the probability distribution vector at the zero step:
e = (0, Pel* P02? Pol)-
4. Find the probability of distribution of the states at the n-th step using the formula: q(n) = e ■ Qn. Let's consider that a malicious software propagation process is completed at step n, if p(n) = p2(n) =... = pK_x(n) = 0. The probability of the protected resource destruction is pY = pK (n), and the probability of counteraction is QC (t) = p0 (n). The end of the sequence.
Simulation results. To implement this logic, an imitation simulation of a malicious software propagation process in a network with seven nodes was carried out. While processing data on all available options for initiating a counter facility 2(7-1) -1 = 63, the following was revealed: in the existing network without a counter facility, the probability of infection is p0 = 0.550; if a counter facility (u = 0.9) is initiated in each node of the network, the probability is p63 = 0.112; and the average packet delay time T in the network has increased by « 30%; if a counter facility is initiated only in the first, second and third nodes of the network, the probability is p56 = 0.176 and T has increased by « 8%.
The sequence of calculating the probability of counteraction to simple single returnable IS threats is as follows.
1. Plot matrix Q based on the elements of matrix PR by introducing absorbing states sK into it (attack will continue until the K - th node is infected).
Q =
f 0
Pl0
P20
Poi Pll P21
00
Po2 Pl2
P22
0
Po *
Plk P2 k
1
\
(3)
2. If there are no counter facilities in the system, then go to Step 3. Otherwise, based on the Y number, introduce an IS threat counter facility in (3). Let's consider that the counteraction means a malicious software outbreak to the (K + 1)-th node.
(
Q =
0
PlG
P Gl
Pll
P GK PlK
0 ï 0
(l - ui )PiO (l - ui )Pn
(l - ut ) Pk Ut
l
0 0 ...
0 0 ......
3. Set the probability distribution vector at the zero step:
e = (1, 0, 0,..., 0).
4. Find the probability of distribution of the states at the n - th step using the formula: q(n) = e • Qn. Let's consider that a malicious software propagation process is completed at step n, if pj(n) = p2(n) =... = pK-1(n) = 0. The probability of the protected resource destruction is pK (n), and the probability of counteraction is Qc (t) = pK+1 (n). The end of the sequence.
Simulation results. The imitation simulation showed that the implementation of a threat to IS with a malicious software in an open queueing network without a counter facility will be successful at Step 45. If a counter facility is initiated only in the first node of the network, the highest probability of combatting IS treats is reached Q (t) = p (22) = 0.546. (Table 1).
Table 1. Counteraction probabilities if a counter facility is initiated in one node
of an open network
Counteraction probability Counter facility initiation option number
Y = 32 Y = 16 Y = 8 Y = 4 Y = 2 Y = 1
Random process completion pitch
n = 22 n = 33 n = 40 n = 41 n = 34 n = 43
Qc (t) 0.546 0.405 0.498 0.408 0.435 0.398
The processing of the data on all countermeasure initiation options 2(7-1) -1 = 63 brought the following results: in the operating network, which does not include a counter facility, the probability of infection is p0 = 1.000; if a counter facility (u = 0.7) is initiated in each node of the network, the probability is p63 = 0.145 and the average packet delay time T in the network has increased by « 30%; if a counter facility is initiated only in the first, second and third nodes of the network, the probability is p60 = 0.158, and T has increased by « 10%.
Implementation of the counteraction level initiation logic allows maximum possible counteraction to information security threats and required level of the system capacity.
4. Adaptive ISS operation logic
Launch detection level facilities. Detection time t = 0.
Record signals from detecting facilities X (t), X (t),..., (t). If X(t), X (t),..., (t) = 0 then information threats are not detected (Z = 0) and counteracting facilities are not launched. Go to step 2. Otherwise: Z = 1. Define probabilistic characteristics:
PD(t) = 91(p1(t), p2(t),..., pN(t)) — probability of information threat detection by the detection level;
Pa (t) = 92(p (t), p2(t),. ., p^(t)) — probability of «false alarm» (q^, q2 — types of corresponding functional dependencies);
0(PD (t), PFA (t)) — reliability criterion.
If the reliability criterion is below the threshold value (0(P (t), PFA (t)) ) information security threats have not been detected and counteraction level facilities are not launched. Go to Step 2. Otherwise: Z = 1.
Define a stochastic route matrix PR (t) [11].
Launch the logic for determining the CDTN nodes, which require the initiation of counteracting facilities. Control action is generated YyK Y = (y1, y2, ..., yK).
Initiate the counteraction level in accordance with the control action Y. The end of the algorithm.
5. Conclusion
The implementation of the suggested model of organizing protective mechanisms in a corporate data network provides the required capacity level by choosing an algorithm for early and reliable detection of information threats and by promptly initiating available facilities for countering information security threats in the most vulnerable nodes of the corporate network.
References
[1] Olifer N., Olifer V. (2006) Computer Networks: Principles, Technologies and Protocols for Network Design. Hoboken. NY, John Wiley & Sons, Inc.
[2] Tanenbaum A. S., Wetherall D. J. (2011) Computer networks (5th ed.), Pearson Hall.
[3] Kurose J. F., Ross K. W. (2013) Computer networking: a top-down approach. (6th ed.). Addi-son-Wesley.
[4] Monakhov Yu. M., Gruzdeva L. M. (2013) Teoreticheskoye i eksperimental'noye issledovaniye raspredelennykh telekommunikatsionnykh sistem v usloviyakh vozdeystviya vredonosnykh programm: monografiya. Vladimir, Izd-vo VlSU. [In Rus]
[5] Corp. Vulnerabilities (2018) https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/ Corporate-vulnerabilities-2018-rus.pdf [In Rus]
[6] Cybersecurity threatscape (2017) Retrieved from https://www.ptsecurity.com/upload/ corporate/ru-ru/analytics/Cybersecurity-threatscape-2017-rus.pdf [In Rus]
[7] Cybersecurity threatscape (2018) https://www.ptsecurity.com/upload/corporate/ru-ru/ analytics/Cybersecurity-threatscape-2018-Q1-rus.pdf [In Rus]
[8] Jacobs S. (2016) Engineering information security: The application of systems engineering concepts to achieve information assurance (2th ed.). John Wiley & Sons, Inc.
[9] Vacca J. (2017) Computer and information security handbook (3rd ed.) Morgan Kaufmann Inc.
[10] Gruzdeva L. M., Monakhov M. Yu. (2011) Automation and Remote Control, 72(5):1075-1079. doi: 10.1134/S0005117911050158.
[11] Vishnevsky V. M. (2003) Teoreticheskiye osnovy proyektirovaniya komp'yuternykh setey. Moscow, Technosphere. [In Rus]
Модель адаптивной системы защиты информации компьютерной сети передачи данных
Л. М. Груздева
Российский университет транспорта (МИИТ), 127994, Москва, ул. Образцова, 9 e-mail: [email protected]
Аннотация. Формализована задача повышения производительности корпоративной сети передачи данных в условиях воздействия угроз информационной безопасности, как задача построения адаптивной системы защиты информации, которая смогла бы обеспечить максимально возможный уровень производительности при достоверном обнаружении и максимально эффективном противодействии угрозам. Разработана модель системы защиты, включающая уровень обнаружения и уровень противодействия, средства которого оперативно инициируются в наиболее уязвимых узлах сети. Практическим результатом является сокращение времени обнаружения информационных угроз за счет отказа от традиционных алгоритмов логической обработки сигналов, а также максимально возможное противодействие без значительного увеличения средней задержки пакетов в сети.
Ключевые слова: корпоративная сеть передачи данных, система защиты информации, информационная безопасность, информационные угрозы.
Литература
[1] Олифер В., Олифер Н. Компьютерные сети. Принципы, технологии, протоколы: учебник для вузов. 5-е изд. — СПб. : Питер, 2016.
[2] Tanenbaum A. S., Wetherall D. J. Computer networks. — 5th ed. — Pearson Hall, 2011.
[3] Kurose J. F., Ross K. W. Computer networking: a top-down approach. 6th ed. by Pearson Education, Inc. publishing as Addison-Wesley, 2013.
[4] Монахов Ю. М., Груздева Л. М. Теоретическое и экспериментальное исследование распределенных телекоммуникационных систем в условиях воздействия вредоносных программ : монография. — Владимир : Изд-во ВлГУ, 2013.
[5] Positive Technologies. Уязвимости корпоративных информационных систем [Электронный документ] URL: https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/Corporate-vulnerabilities-2018-rus.pdf
[6] Positive Technologies. Актуальные киберугрозы — 2017: тренды и прогнозы [Электронный документ] URL: https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/Cybersecurity-threatscape-2017-rus.pdf
[7] Positive Technologies. Актуальные киберугрозы I кв. 2018 года [Электронный документ] URL: https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/Cybersecurity-threatscape-2018-Q1-rus.pdf
[8] Jacobs S. Engineering information security: The application of systems engineering concepts to achieve information assurance. — 2th ed. — John Wiley & Sons, Inc., 2016.
[9] Vacca J. Computer and information security handbook. — 3rd ed. — Morgan Kaufmann, 2017.
[10] Gruzdeva L. M., Monakhov M. Yu. Early detection algorithm for attacks against information resources of automatic manufacturing control systems // Automation and Remote Control. 2011. Vol. 72, No. 5. P. 1075-1079. doi: 10.1134/S0005117911050158.
[11] Вишневский В. М. Теоретические основы проектирования компьютерных сетей. — М. : Техносфера, 2003.
Автор:
Людмила Михайловна Груздева — кандидат технических наук, доцент кафедры «Информационно-математические технологии и информационное право», Российский университет
транспорта (МИИТ)
