Моделирование информационных атак и оценки защищенности объектов риска Текст научной статьи по специальности «Компьютерные и информационные науки»

MODELING OF INFORMATION ATTACKS, AND SECURITY RISK ASSESSMENT FACILITIES

Alexey N. Nazarov,

Expert ITU, Professor, Moscow Institute of Physics and Technology State University, Moscow, Russia, a.nazarov06@bk.ru

Nguyen Xuan Tien,

graduate student, Moscow Institute of Physics and Technology State University, Moscow, Russia, tienxuannguyen86@gmail.com

Tran Minh Hai,

graduate student, Moscow Institute of Physics and Technology State University, Moscow, Russia,

minhhai.kq80@gmail.com

Keywords: security function, logic model, probabilistic model, risk, criterion, monitoring, Hadoop, cloud c omputing, automation, software programming module, algorithm, object, daemon, cluster, target, requirements.

On the basis of logical-probabilistic approach developed logical-probabilistic models of information security assessment of the object of attack. The models are based on the current level of knowledge to counter attacks and allow the information to take into account technological features, especially the functioning of the object of attack, regulations and any requirements. The properties of the obtained models in the grades of the new security functions. Improved reachability condition acceptable security level of the object of attack. formulates logic and probabilistic risk assessment criteria of information security object of attack. Proposed procedure for assessing price risks. Showing the direction of automation assess the level of risk on the basis of intelligent fuzzy logic and neural networks for web development environment for cloud computing in cluster Hadoop. Formulated the main system requirements for intelligent automated system monitoring daemon TaskTraker and others in cluster Hadoop.

Common approaches to the construction and study of the risk of any attack, especially in relation to objects Next Generation Network (NGN) systems, information and telecommunication systems and networks (ITSN) developed within the logical-probabilistic approach [1, 2] and tested for a variety of practical examples [3-10]. Found interesting properties bot attack risk [11-14] studied risk model [4] and received by the extreme values of the risk [15].

This special urgency, issues of security and guaranteed assesment required or acceptable level of information security for different classes of users of services ITSN, NGN. Especially with the integration of various resources and information security in the multiprotocol ITSN and the lack of methodological basis for the formation of evidence of compliance to various regulatory legal acts, the requirements of regulators, regulated security policies.

Thus, methodological issues for evaluating the acceptable level of information security need to be further developed, which determines the relevance of this article.

Для цитирования:

Назаров АН., Нгуен Суан Тиен, Чан Минь Хай. Моделирование информационных атак и оценки защищенности объектов риска // T-Comm: Телекоммуникации и транспорт. - 2016. - Том 10. - №8. - С. 69-78.

For citation:

Nazarov A.N., Nguyen Xuan Tien, Tran Minh Hai. Modeling of information attacks, and security risk assessment facilities. T-Comm. 2016. Vol. 10. No.8, рр. 69-78.

1. Introduction

Common approaches to the construction and study of the risk of any attack, especially in relation to objects Next Generation Network (NGN) systems, information and telecommunication systems and networks (1TSN) developed within the logical-probabilistic approach [!, 2] and tested for a variety of practical examples [3-10]. Found interesting properties bot attack risk 111-14] studied risk model [4] and received by the extreme values of the risk [15].

H. Measures and means of information security objects

It is known [16], the following measures and means of information security:

The legal (legislative) action.

The organizational (administrative) measures of protection.

Software measures.

Means of protection from unauthorized access.

Means of identification and authentication.

Means of access control.

Means of the control and integrity of software and information resources.

Means of operational control and event logging.

Cryptographic protection of information.

System management of information security.

Monitoring the effectiveness of the protection system.

Physical measures and protection of information and telecommunication systems and networks.

The specific requirements of the object to the measures of protection arc determined by the results of special studies of technical means, taking into account the established categories of protected object depending on the degree of confidentiality of information processed and accommodation conditions.

Various attacks require different technology solutions to ensure information security of objects of attacks. As the number of attacks and their modifications amounts to more than five digits, the approaches developed different classifications of information security, covering a group of attacks.

Results of the analysis tables in [16] show that the current classification of subject area of information security in the Russian telecommunications examples do not have a conceptual completeness. So, the most important for special consumers requirements for cryptographic protection of information not explicitly linked to the requirements for reliability. Not investigated the mutual influence of various destabilizing factors. The table in [16] shows the summary of various subject areas unrelated. Therefore, we need new fundamental results for the formulation of the scientific problem to counter attacks on objects of ITSN, and for the analysis and synthesis of the ways and means of preventing the destabilizing impact of information.

111. Risk of attack. Functions of security

Destabilizing factors 111 (DF) - the immediate cause of one or more phenomena, events, a consequence of the onset of which may be a violation of the integrity, stability, and others. Negative consequences for the ITSN, Among DF should also include the destabilizing effects, which, if successful, may be the cause of human rights of users content services in various subject areas. The destabilizing factors for a particular object of attack, of course have their own specifics. DF occur in technology, communications, network structure of society, and others.

The risk of an object subjected ITSN information attack by the enemy, consists of two components [11: the probability of failure of counter attack against him (hereinafter - the failure of the object) or the probability of a successful attack and assessment (e.g., financial, material, time to repair the damage, and others.) Scale effects (damage) of a successful attack.

The results of studies to assess the damage of a successful attack are given in [1]. For any object of risk in general, there are [2,3] in the full sense of the eausa! system (list) security functions (Tablel), which performance scheme and the results obtained are shown in Fig, 1 and Table 2. Outcomes form a complete group of incompatible events [ 1 [.

x i

x г

Xl

X j

Xs

Xe

Xs

И1 И2 И 3 и<

И 7

X 7 Xa

1

X 10

И:

И в

Иэ

И б

И 10

Figure 1. The causal diagram of the security functions X] and results of attack //¡w/]0.

w

Table 1

Security Functions

Designation of security functions Appointment of security functions

X\ Preventing the occurrence of conditions conducive to the generation of (occurrence) destabilizing factors (DF)

x2 Warning immediate manifestations of destabilizing factors

X, Detection manifested destabilizing factors

a4 Prevention of exposure to risk in the manifested and revealed destabilizing factors

Prevention of exposure to risk on the manifest, but the undetected destabilizing factors

A6 Detecting the impact of destabilizing factors on the subject of risk

A7 Localization (restriction) found the impact of destabilizing factors on the subject of risk

Localization of undetected exposure to risk by destabilizing factors

a9 Dealing with the consequences of the localized impact of the detected object on the destabilizing factors risk

A'io Dealing with the consequences of undetected localized exposure to risk by destabilizing factors

Table 2

Final events in Fig. 1

Defence Provided

Defence Broken

и9,и10 Defence Destroyed

From Fig. 1, it follows that the logic function (L-function, L-polynomial) the risk of an attack on the object A of ITSN is

LY = M] s/H2s/...s/Mm = YAvYj, «7 = 10, where

YA=H7vff&vlf9vHl0 -logic function successful attack, and

Yj = v K2 vMj v M4 v if5 v -

(1)

(2)

logic function object success or failure of the risk of attack [17].

Recall that [l| under the security function will be to understand the set of homogeneous functionally activities regularly carried out in ITSN various means and methods to create, maintain, and provide the conditions necessary to objectively reliable information security.

The output of each of the security functions or it is the outcome is a random event and may lake two values - success or failure. As in [1] suppose that the binary logical vari-ableXj.j- Hn, n- 10 is equal to 1 (see "I" in Fig. I) with a

probability P: if execution of the second function of protection

has led to failure of the object of risk and is equal to 0 (see "0" in Fig. 1) with probability Qj-1 - p, otherwise.

From Fig. 1 and |2, 17] follow relations, taking into account the "bridge circuit" causality:

(3)

if. A',; H2 X\X2;M, X,X2X}XA; H4 X,X2 XjXA XVXS Xt>X7Xq;

"s '^i <^2 X, X, A', X^X^X^;

M6 X,X,X3YS;

111 XtA', X^Xt A'jA'J X^X-fX^', Ms XlA', X^XA A, A, A'flABAlll; /A, \', X~X^ .Xi XftXyi

12 3 4 3 3 6 %'}

Assume that a binary logical variable M = 1 + m is equal to

1 with probability PMj if not come outcome (outcome failure),

and is equal to 0 with a probability QM ; = \-PM j otherwise.

Similarly, [2] we find that the probability of the risk (P-function, P-polynomial)

PY — PM | + PM2QM | +PM3OMiQM2 +...

... + PMmQMyQM2 ■ ■ • QM,n_| = pX + PA ,

where

i-1

m-

1=2 j=l probability of success of the object risk,

10 /-!

'.1

2>я,П Q*1)

(4)

(5)

i=7 j-\

probability of success of attack.

General view of the LP-functions ( 1 ), (5) of successful attack with (3), their properties, their practical applicability and importance obtained and research in a number of studies [2-12, 16, 17]. At the moment, the success of the applicability of security functions is shown by the example of automation solutions to counter hot-attacks [11-13]. Security Functions for the specific objects of risk are developed and studied as the attacker, and the security service of the object of risk. Each party pursues the opposite goal. Security functions are developed and implemented each of the parties on the basis of the above measures and means of information security facilities.

The object of the risk is considered sufficiently protected [1,2] when considering the possibility of potential barriers to overcome probability of a successful attack (the probability of the risk, the probability of failure or the risk of insecurity object) is less than the allowable value, i.e.

achiev ability condition, (6)

where Pj - the probability of a successful attack confrontation {protected by the probability of failure of the attack, probability of success risk object) the object of the risk.

Estimation of protection of specific objects p] using the conditions of achievability (6) is usually carried out at a given value received P^_non > as a ru'e' empirically. However, such a

situation becomes intolerable, because currently there is a high dynamic modifications attacks and spreading their negative impacts. And to properly obtain the values Pa-hou necessary to develop new guidelines that take into account the rapid pace of

p3 - ' ~ Рл-доп

improvement of attacks.

In general, the value shall be calculated on the basis of existing or achieved level of information security of the object of attack. This level is caused by the presence of existing knowledge and solutions to counter the attacks on the subject of risk. In other words, it should be calculated on the basis of known security functions.

Therefore, further research is necessary to formalize LP functions success risk object on the basis of the known security functions and to clarify the condition of achievability <6),

IV. LP-functions object success risk.

Clarification of the condition of achievability

Barriers or boundaries of protection issued by the security service to counter the negative impacts of DF object risk known to perform certain security functions, impeding the implementation of the attack on the subject of risk. At the same time, technologically, one barrier can perform a number of security functions. Barrier may serve to protect against the risk of different objects.

For the purposes of confrontation attack (6) the need to ensure

low p]

This should be done at the current time known

итв итв ИИЗВ

1 * ? '111 ' m *

when the currently known security functionsx(!3B -robject risk. These events and well-known security functions fully comply with the scheme of causality shown in Fig. 1 and the relations (3).

From Fig, 1 and (2), (3) it follows that

- изв

уЮВ _ иИЗВ vHH3B v MH3B v

v И

изв

v ИРВ V И.

изв

(8)

where 117j

m изв _ yi/îfi ~л\ '

итв=хювхюв1

и ИЗВ _ хизв х ИЗВ х ИЗВ х ИЗВ

и

изв = хизв vtm[-tm vnw

'Ж

[хГ

v А"

ИЗВ ,, ИЗВ

PÏ

А -ИЗВ

=РИ

изв.

Z.W1

¡-I

ИЗВ

¡=2

пи;

j=\

ИЗВ =

ИЗВ

ИЗВ +

2

- (| - оГ ¡1 - Q?3B Ыпво1пв + (l - Qlm II - Qlm )<

.QfBQ^3BQ^B+[1 - Qlm II - Qim )-

•[^(i-^Mi-^Ki-^)]-

+ [\-Q(ml~QÎnB) (l -ft™te™-Substituting (9) and (7) into (6) we obtain

pï > pi -i A-H3B

a new kind of conditions reachable.

(10)

"A-JIOH •

methods and means. In other words, the probability of success risk object (4) under certain security functions

pi-H3B=1~pZ-m (7)

it should be greater, close to 1.

We denote the corresponding binary logic variables

w = 10 final events that can occur

771138 TP M iB yU3B • A A -j At) ,

MM3B -XH3Bxm fifBxmn v XH3BXMB).

VH3B 77 // 3B 77 H3B

•■H " K >

M H3B~x H3B x H3B x 113B x H3B 6 '1 2 3 ' 5 '

and the probability of successful risk object (4) based on the circuit of Fig. 1 can be calculated as in [1] using the B-polynomial for known security functions according to the following formula [ 17]

V. A method of modifying the known security functions based on their grades. Example of protection against internet attacks

The causal completeness of the 11,2J security functions is an important properly of logical-probabilistic approach. But the attack will be improved. Cybercriinitials will look for and use new, previously unknown DF. Accordingly, the security function may become obsolete, ignore the new DF. Leaving methodological issues modifications attacks for another study, we note that under the protection of the specific object of the attack on the risk each of the security functions can be modified (relined). For example, can change the encryption algorithm, change the settings of the firewall, it can be adopted a new legal act, etc.

Such changes are methodologically quite easily and flexibly taken into account by introducing a gradation of security functions [2, 17].

By analogy with the foregoing, we assume that the binary logical variable X "ol!, y = 1: n, n=10 corresponding to the r-th

gradation of j-th known security functions is equal to 1 with a probability p'l°B, if, because of her, execution of y'-th known

security functions has led to failure risk object, and with a probability equal to 0 otherwise.

A good example of the introduction of new grades is a new feature to prevent Internet attacks, formed on the basis of national centers to respond to computer incidents. These centers are established in each country. They are designed to monitor, combat malicious Internet attacks and dissemination of information on such attacks to ail interested organizations.

To expand the functionality X^3B, xf IB, x"JB, it is possible the introduction of new grades of these security functions, putting them in line the new indexed binary logical variables according to the table 4 [ 17].

New grading permit formally introduce new components in the L-funclion (8) success risk object the following method:

ylllBvllOB „ уИЗВ ч/ у НОВ у НОВ у НОН у нов л\ ~л\ VA1I 12 II 12

V, НОВ у НОВ II 12 ' уИЗВмИОВ уИЗВ у нов

хИЗВ -ИОВ _ ХИЗВ v х

НОВ 51 ■

(И) (12) (13)

Substituting (11) - (13) to (8) get a new L-function success risk object against the Internet attack.

w

Table 4

New gradation, extending the functionality of the known security functions of Internet attacks

Designation of the new graduation security functions Appointment of the new graduation security functions

vHOB 43! Preventing an environment conducive to the generation (emergence) of Internet-based attacks on the subject of risk based oil information from the Centers Computer Emergency Response

у нов л\2 Collect information about internet attacks, based on information from the Centers Computer Emergency Response

у HOB Finding manifestations of Internet attacks based on information from the Centers Computer Emergency Response

у НОВ Preventing exposure to the risk of undetected object of Internet attacks based on information from the Centers Computer Emergency Response

F,aeh group of gradation for xfiB is a group of mutually exclusive events, so we can use Bayes' formula |2, 17].

^QBlx>nB\ P(X"°BHxjnB/X'P'B) • 04)

\ jr t J ' fifJ

r— 1

With the help of (14) specifies the expression (9) for the lipo lynomial and the formula (10) for a new type of conditions reachable. Formula (14) can be used lor iterative learning in the model (9) on the statistical data to clarify the current value of risk.

Consider the features of the organization of algorithmic software to calculate the results of statistical data processing in the process object of risk.

VI. RISK ASSESSMENT CRITERIA OF INFORMATION

SECURITY OBJECT ATTACK. PRICE RISK

The logical condition (8) for the success of the object of risk against the attack A (L-critcria) can be written as follows:

YII3B

'A '

which is performed at least one of the following conditions 117] X™ 1,

x!mxi'w i

YInisxamx!rmX>m y ИЗВ y iiw y?inB X>пв

уИЗВ у ИЗВ у ИЗВ Л6 Л1 лч

XИЗВуИЗВ JÎИЗВуИЗВ 12 3 4

уИЗВ y Hiß уичв ,

ль лs

Y ИЗВУИЗВ X ИЗВ х'ПВ

Y и м xinB

gmBjçim

(15)

1.

Accordingly, the probability condition for the success of the object of risk against the attack A (P-criteria) is

pi = 1, or, subject to (9)

A-HIB v '

QH3B + (, _ дизв ^изв+(, _ Qms J, _ дизв ^извдюв. ^QmBQM3BQH3B^ J,

, ¡an

Q"3Bk-Q?Brk-Q?3D) [i-Q?

* (i - qi™ Кшхш 4 - efB ï - sfг )•

«б)

In general, the LP-criteria allow to assess the actions of the attacker, which attacks the object of risk and has a certain knowledge about the barriers used in ITSN, peculiarities of the security functions, as well as the existing vulnerabilities in them. Formally it would be written as an attacker known models (8) and (9) and some information about the security functions x(lin * X1, ™, n = 10. Then the value of the residual

<17>

where the value p\ obtained as a result of statistical data processing, characterizes the condition reachable objective (10) and quality of the "armor" of barriers that implement security functions of the object of risk |17J.

We introduce a new indicator AV'-y ( = YjYj .

From (17), (18) that if, when the LP-criteria (15), (16), carried out at least one of the conditions (criterion of exhaustion of reserve risk the stability of the object)

it indicates the presence of the stability margin of the object to the risk of attack A by the attacker [17].

Accordingly, it is necessary to put an extra attacker resource in the improvement of the attack on the object of risk.

Methodically price risk can be estimated using the following formula:

CYjjQfj , if carrying out criteria (15), (16), 1 CYj0n • C, if not carrying out the criteria (15), (16), where CYjjqu - the cost of risk tolerance [1], C - a term that

depends on many factors specific attack, the choice of values which is an independent problem.

Interest is the development of recommendations for monitoring the risk of objects, especially in the web space

VII. MONITORING WEB-SPACE BASED ON HADOOP

Monitoring of objects in the wcb-space involves regular, performed by a given program monitoring Internet sites (IP-addresses of users of the global network of sites, and others.), their information and other resources, services, both for companies and for individuals, allowing to allocate state these objects and processes occurring in them under the influence of Internet activities across the Earth. Depending on the objective function in the web-monitoring and evaluation is made and functional activ-

CY =

ity values of the Internet ecosystem, and, secondly, the conditions for the determination of corrective actions in cases where targets are problem-oriented conditions are not met.

Hadoop as the technology of distributed processing large amounts of data in the web-environment is rapidly becoming an important tool, the ability for a wide range of programmers [! 8].

In this regard, monitored environment Hadoop we mean an organized monitoring of the selected objects in the web-space (domain) using the capabilities of Hadoop.

Hadoop was designed to work with Big Data in the webspace. And in this regard it has a number of unique features and abilities. It is appropriate to quote [18] "Formally speaking, Hadoop - Is a framework of open source, designed to create and run distributed applications that process large amounts of data,"

Hadoop runs on MapReduce technology developed by Google. MapReduce is a simple yet very powerful way to process and analyze very large data sets, and is particularly effective in quantities of several petabytes.

In [19J of the rather general prerequisites analyzed principles, approaches and technological procedures for organizing the monitoring. Methodological approaches to the creation of algorithms and software solutions in the environment of webprogramming Hadoop for a wide class of problems of monitoring sites in the web-space. For the first time developed a cluster topology Monitoring Hadoop, having common application is schematically shown in Fig. 2.

Seep nd a ry NanreNode_ м он wrpp нн г

Система

управления

(клиент]

N в гп е N □ dc_MO и и то рн иг .'OOT'aker ¿ИйНИЮрМИг

Data М с de^ выделен ке Те skTr а кег^в ы делен ие

С

JJ 11—i

Data Node инф модель t

TaskTraker_H нф_моде л ь

DataNode обследование "1

TaskTra кег_о (»следование

Data Node_cocro я ние Tas kTr a ke rf состоим ие

DataNode_H3MepeKMft Та skTra кег_изме рен и я

DataNode прогноз

Г

Та skTraVer^n ро гноэ

Figure 2. Monitoring Topology Cluster 1 ladoop

The research and algorithms of measurement attributes of monitoring facilities in the web-space to meet the requirements of unity of measurements. Developed the system requirements for the design of the monitoring cluster Hadoop [ 19].

VIII. ASSESSMENT OF THE STATE OF THE OBJECT

IN ITS MONITORING OF RISK

The use of neuro-fuzzy approach to the creation of various automation equipment and systems, as well as decision-making are now widely represented in the various fields of science and technology. For example, in [13, 14, 19, 20], sets out the scientific results achieved in the automation of counter malicious attacks on the Internet, including hot attack. In [22-24] studied aspects of intellectual synthesis system analysis and evaluation of the stability of the onboard computer systems to the destruc-

tive effects of electromagnetic pulses.

On the basis of neuro-fuzzy formalism created software tools to assess the state of various objects observation in different automation systems. It seems appropriate to develop approaches and guidelines for the use of this formalism to assess the state of the observed object in the web-space and identify its information model in the monitoring cluster Fladoop.

A. The requirements for intelligent system daemon TaskTraker

This daemon works with a demon DataNode taking into account the specifics of the monitoring and control systems monitoring object in the web-space [20].

In the environment developed Fladoop software daemon, which assesses the current status of the monitoring object, depending on the specifics of the monitoring and control systems monitoring object in the web-space. We are thinking that we have the solutions of establish a system of sensors that supply accurate and complete information about the dynamics of the attributes of the object monitoring.

Using the results of [20, 21 ] proposed the following hierarchy of intelligent system daemon TaskTraker as a set of software modules of the automated system (AS) on the evaluation of the monitoring object in the web-space. By analogy with [5] daemon includes the following functional modules: the system of fuzzy production rules that describe the job identifier taking into account expert assessments; neuro-fuzzy network, which is reflected in the structure of the system of fuzzy production rules; clear self-organizing neural network (NN) to solve the problems of classification and clustering input vectors. As noted in [20, 21] This hierarchy has the common use and therefore suitable for various objects based Monitoring Cluster Hadoop, shown in Fig, 2.

Basic system requirements for the AS TaskTraker monitoring object in the w eb-space, the presence of which is mandatory:

- Presentation of a priori experience of experts on webmonitoring of the selected object in the form of knowledge, described the system of production rules;

- The presence of base criterion for decision-making to change the attributes of the object monitoring;

- Fuzzy inference, w hich allows the experience of experts on web-monitoring of the selected object in the form of fuzzy production rules for initial setup information field (of intemeuronal connections) fuzzy neural network;

- Plug aggregate services and service processing unstructured information of the change object attributes monitor for later analysis;

- The ability of the NN to the classification and clustering;

- The ability of the NN to extract knowledge about the profile and mechanism of implementation of the attributes of the object monitoring changes in the web-space;

- The ability of the information field of the NN to the accumulation of experience in the process of teaching and learning.

The Hadoop environment should be developed software that meets the above requirements. In addition, the demon TaskTraker monitoring object in the web-space should be based on a service-oriented integration methods in terms of scalability of its functional features,

B. The mechanism of fuzzy inference

This mechanism is based on the representation of the experience of experts on web-monitoring system of fuzzy production rules of the form IF-THF.N, for example, [3-5];

Etj : IF *i IS Au AND ...xn IS A\„, THEN 5? IS B] ;

]~l2: IF *j IS A2] AND ...x„ IS A2n, THEN y IS B2 ;

ri*: IF ï, IS Ak] AND ... x„ IS Akn, THEN y IS Bk, where x; and y{ - fuzzy input and output variables respectively,

Ay andfi,-, j = \.....n, i = 1.....k , corresponding membership

function.

Combining features of the NN and the fuzzy inference is one of the most promising approaches to artificial intelligence systems. As was shown in [22-24], the system compensates the basic fuzzy logic "opacity" of the NN: In the knowledge and ability to explain the results of the intelligent system, i.e. complemented by the NN. Fuzzy formalism output operates in the absence of knowledge about the attributes of objects and monitor changes to the monitoring of any objects, which is important when new attributes appear with unknown dynamics.

For the functional demon TaskTraker monitoring object in the web-space is very important feature of such neuro-fuzzy networks as the ability to automatically generate a system of fuzzy production rules in the process of learning and self-extracting hidden patterns from data input training sample.

Algorithms for neural network training using the stochastic properties of the dynamics of changes of attributes of an object in the web-monitoring space must be based on a standard method to minimize the generalization error [21, 25], based on the minimization of a quadratic functional of the residual in the training set, finding extremum target gradient density function errors using the procedure of Robbins-Monro [ 10, 21,25, 26].

IX. THE HIERARHY OF LEVELS AND THE WORK

OF INTELLECTUAL SYSTEM DAEMON

TASKTRAKER

The ability of the NN on classification and clustering daemon is used to solve two main tasks:

1 ) the classification of the input vector, for example, the feature vector object attributes change monitoring;

2) expansion of the classification of the appearance at the input of the classifier not previously encountered a combination of signs of change attributes.

Let there be at the moment the full space parcels

X = {?[„..,xm} and the full space of the conclusions Y = {_V|. Fuzzy causal relationship Ï;-»>*/>

/= 1,.,.,/w, 7 = 1,...,« between the elements of these spaces can be represented as a matrix R with the elements r^ ,i - \,...,m , j = 1,...,«, and sending and opinions between them can be expressed as: B = A • R , where ■ - the operation of the composition, for example, max-min-composition.

According to [10,13,20-23] in the fuzzy inference fuzzy expert knowledge A B reflects the relation R = A —» B, which corresponds to the operation of fuzzy implication. Fuzzy relation R can be viewed as a fuzzy subset of Cartesian product A'xKof the full set X and conclusions Y, and the process of getting the fuzzy results B by sending the output A and knowledge A^>B — as the compositional rule of thumb B = A»R = A»{A-+ B).

From the practice of [ 10,13,20-23] we know that the level of accumulation of experience AS neuro-fuzzy classifier of feature vectors, the parameters change (dynamics attributes) the Monitoring object advisable to design a three-layer fuzzy NN (Fig. 3) with the ability to reduce (compress) the number of signs.

Figure 3. Scheme neuro-fuzzy classifier AS

Each input vector in the space can be associated with a formal fuzzy neuron (FN). The middle layer contains fuzzy FN performing the operation of inference (e.g., min) of the combinations of fuzzy statements (FS) of the first layer of the NN to form a system of classification of fuzzy conclusions.

The third layer NN is formed from fuzzy FN "OR" (the number of fuzzy conclusionsyj, j = 1,,,.,«) and generates a vector

of output fuzzy conclusions in accordance w ith the given expert system of fuzzy rules.

X. THE MAIN STAGES OF DESIGN OF INTELLIGENT

SYSTEM DAEMON TASKTRAKER

The ability to learn intelligent system is caused by redundancy the input information and hidden in these laws, expand and / or modifying, altering the information model of the object of monitoring and, as a consequence, itself neural network in the process of monitoring the functioning of the cluster.

Taking into account the results obtained in [23], the following design guidelines intellectual system TaskTraker demon in the form of the following sequence of steps [26].

1. The decision of the classification problem for the monitoring object the known values of attributes (characteristics, parameters) the monitoring object of feature vectors. Storing the information obtained in module fl-CIass-C of daemon TaskTraker.

2. Solution of the problem of clustering the monitoring object state changes on the grounds of such changes as the self-development of the classification of the expansion ofa variety of known values of attributes (characteristics, parameters) the monitoring object. Storing the information obtained in the solution in the module /J-Oluster-C-A of daemon DataNode.

3. Formation of a plurality of expert assessments for a deci-

sion on the corresponding values of attributes (characteristics, parameters) the monitoring object signs of change. Storing the information obtained in the module ,0,-3-0 of daemon DataNode.

4. Development of a program module (IIM-H-11-11) daemon TaskTraeker implements the fuzzy production rules on the results of the PI and P3.

5. Development of a program module (PM-HH-R) daemon TaskTraeker implementing the system of neuro-fuzzy classifier (signs of changing attributes - change the state of an object of monitoring).

6. Development of a program module (PM-B-C) daemon TaskTraeker that implements the solution of P2 in the form of crisp classifications based on self-learning adaptive system -clusterer (signs of changing attributes - change the state of an object of monitoring).

XI. REQUIREMENTS FOR THE INDICATORS OF

QUALITY OF FUNCTIONING OF THE DAEMON

TASKTRACKER

hi general, this daemon provides continuous processing of event data, as a rule, stochastic changes in object attributes monitoring coming from the sensor system monitoring object in the web-space. Since the assumed long-term (years) monitoring the functioning of the cluster as the target function can offer a maximum sustainability of the daemon TaskTraeker. The analytical form of objective function requires a separate development and research, including on the basis of the architecture of software modules and hardware monitoring cluster-specific management systems chosen subject area.

in general [26], we can offer the following limitations monitoring based on probability-time tactical and technical requirements for quality indicators of functioning daemon TaskTraeker:

- Probability: PCB\(<TMOn)>P¿fn, where t- random

time for processing of events monitoring; T^ 17 - permitted value of lime for processing of event monitoring; Pqb~ 'he

probability of timely processing of event monitoring; —

permitted value probability event monitoring;

— for Expediting: TAli < T^fj11 where TA¡¡ - the average

value of the time, T¿ffn - it permissible value;

- On the validity of Nq > max N^, Nu > maxN% and

seS seS

N A > max , where: Nç, Nu , — number of the analyzed

seS

scenarios of the behav ior of the object of monitoring, the number of new attribute values of the object of monitoring, the number of object attributes accounted monitoring respectively; S - a lot of options state (implementation, operation, and generation) of Monitoring,; Nq , Nfj, —the number of the analyzed scenarios of the behavior of the object of monitoring, the number of new attribute values of the object of monitoring, the number of object attributes accounted monitoring s -th slate respectively;

-Resource use: PPEC (r < Rffon )> where PPEC the probability of resource use in the processing of monitoring events, and Ppj?ç — ils permissible value, r- consume resources (hardware and software, configuration, virtual, and oth-

ers.) When processing the monitoring events, and its allowable value. Of the best practices [21| coneretization can

useP$?cn = 0,99 and Ra°n = 0,15 as well.

Depending on the requirements for the control system parameters specified above specific values. Probabilistic constraint can be transformed into quantile form and limit expediting - into the limit for other time points of /.

To estimate quantile function of stochastic performance monitoring object attributes in the web-space daemon Task-Trakcr recommended to include a software module that implements a bootstrap procedure, the features of which were studied in detail in [10, 20,27-29].

XII. CONCLUSION

To eliminate the gaps in the scientific fundamentals of evaluating security risks modern facilities and ITSN adequacy level of protection on the basis of logical-probabilistic approach developed new LP-model of risk assessment of the object of protection from malicious attacks ITSN. On the basis of LP-models and complete a variety of known security functions produced a new kind of conditions necessary level of reachability infosecurity object of risk in ITSN. When modifications are known security function provides a method of extending their functionality through the mechanism of gradations. In this case, the development of LP-models of risk assessment of the security object and clarify the conditions of the reachability by using Bayesian formalism, with the possibility of organizing an algorithmic iterative learning obtained in models of statistical data in order to clarify the current value of risk.

Formulated criteria for assessing the risk of a protected object of attack and suggested guidelines for evaluating the price risk of attack. For Monitoring Hadoop cluster topology developed and investigated the synthesis of guidelines and demons TaskTraker and DataNode responsible for the task of assessing the status of the object of observation and identification of its information model, taking into account the characteristics of cloud computing. The principles and approaches, based on neuro-fuzzy solutions that can be the basis for the design of intelligent monitoring systems of objects in the web-space.

The mechanisms of decision-making based on the formalization of a priori experience of experts in fuzzy database fuzzy production rules. Within the framework of solving the problems of classification and expansion of classification of input data about the characteristics of the dynamics of the object attributes monitoring investigated the possibility of neuro-fuzzy classifier in the form of a three-layer fuzzy Neural Network, consisting of the following levels:

- A system of fuzzy production rules describing the work identifier based on expert assessments;

- Neuro-fuzzy network, which is reflected in the structure of the system of fuzzy production rules;

- Self-leaming neural network is a clear solution for the problem of clustering (classification) of the input data from web-space.

And the lower level solves the problem of rapid identification attribute changes, and the lop - the accumulation of experience to detect the effects of such changes on the elements and nodes Of the monitoring object.

An approach to the synthesis of mathematical formalization demon TaskTraeker as a constrained optimization problem. Proposed restrictions in the form of inequalities, reflecting the specific cloud computing environment Hadoop.

PUBLICATIONS IN ENGLISH

Refer en ccs

1. Nazarov, A 2007, 'Estimation of information safety level of modern info-communication networks on basis of logic-probability approach'. Automation and Remote Control. July 2007, Volume 68 Issue 7, 2007, pp. 1165-1176, USA, doi: 10,1134/S0005117907070053.

2. Nazarov, A 2010, 'Logical-arid-probabilistic model tor estimating tire level of information security of modem information and communication networks', Telecommunications and Radio Engineering, Vol. 69, no 16, pp. 1453-1463, USA, doi: Ю.1615Л elecomRadEng.v69.il6.60,

3. Nazarov, A. & Klimanov, M. 2010, 'Estimating the informational security levef of a typical corporate network'. Automation and Remote Control . Volume 71 Issue 8,2010, pp. 1550-1561,

4. Nazarov. А. Л Klimanov, M 2009, 'Characteristic analysis оГ logic and probabilistic model of information security', paper presented in the Collection of proceedings of dfInternational Workshop on Distributed Computer and Communication Computer and Communication Networks (DCCN-2009), Sofia, Bulgaria. October 5-9, 2009, pp. 154-164. Published by Research and Development Company "Information and Networking Technologies". Russia, Moscow.

5. Nazarov. A. & Klimanov. M 2011, 'Assessing the level of security DNS-scrvers'. Documentary telecommunications, no 21, pp. 54-57.

6. Grudinov, S„ Komarov, A.& Nazarov, A 2012, The global system ofcoun-teraetion to illegal actions in cyberspace. Stage 1, the grant agreement Skolkovo number 87 from 02.11.2012, Russia, LLC Group-IB.

7. Nazarov, A. & Klimanov, A/2013. Paper presented in the annual Collection of scientific works of International conference Managing the development of large-scale systems" (Ml.SD'2014), Institute of control Sciences RAS, pp. 444-451.

8. Nazarov, A. (6 Komarov, A 2013 Intelligent analysis system cyber space on web-technologies', paper presented in the Collection of proceedings of the 7th Industry Conference "Information Society Technologies", Russia, Moscow Technical University of Communications and Informatics.

9. Nazarov. A. & Tureev. 52013 'Assessing the level of information security of'the computer network at the network attack', T-Comm, no. 10, pp. 78-80.

10. Nazarov. A. & Komarov. A 2013, 'Intelligent eybersecurily in space on WEB technologies', T-Comm, no, 10, pp. 81-84.

11. Nazarov. A. & Tureev, £2013 'Logic and probabilistic model ofinforma-tton security for risk assessment of the object under botnet attacks', paper presented in the Collection of proceedings of the International Conference "Distributed Computer and Communication Networks: Control, Computation, Communications (DCCN-2013), Moscow, Russia, October 07-10, 2013, pp. 276-283. Published by JSC TECHNOSP1 ¡ERA.

12. Komarov, A. c? Nazarov, A 2013, 'Functional requirements for a system to delect and counter the botncl attacks on corporate networks' / Technique of communication, series "Television Technique", pp. 140-15!.

13. Sachkov, I. Л Nazarov, A. 2014, 'Automation bot counter-attacks', T-Comm, vol, 8, no. 8, pp. 5-9.

14. Nazarov, A 2012 'Botnet tracking and global threat intelligence - behavior approaches to identifying distributed bolneis'. paper presented at the IEEE / Collection of proceedings of the Cybersecurily Summit ( WCS), 2012 Third

Worldwide, New Dehli, 30-31 Oct 2012. http://leeexplore.ieee.ona/xpl/ artlcleDe-tai Is.,jsp?amumber=6780878&new search=tnie&qucryTeNt=Botnet%20lracking%20 and%20global%20threat%20inte 11 ¡gence%20%20behavior%20appmaehes%20to% 20ideiui IV ing%20d islributed%20botnets.

15. Nazarov, A & Sychev, K 2011, Models and methods for calculating the indicators of quality of functioning of the equipment units and structural parameters of the network the next generation networks, 2th cdn, EEC Policom, Krasnoyarsk.

16. Nazarov. A 2013, 'Objects of the possibility of classification of information security PSTN logic-based probabilistic approach'. Network journal. Theory and Practice» BC/NW, no 2(23): 1 l.lhltp://network-journal.mpei.ac.ru'cgi-bin main.pl?l=ru&n=23&pa= I l&ar= I.

17. Nazarov A 2016, 'Assessment of security from information attacks', Telecommunications, no 5, pp. 23-33.

18. Chuck, ¿2012, lladoop in action, DMK Press, Moscow.

19. Volkov. D., Nazarov. A. <S Nazarov, M 2014, 'A global threat - the dark web', paper presented in the annual Collection of scientific works of International conference Managing the development of large-scale systems" (MESD'2014), Institute of control Sciences RAS, pp. 452-459,

20. Nazarov. A 2014 'On approaches to the development of an intelligent system for the analysis of attacks from the Internet', paper presented in ihe Collection of proceedings of the XI! all-Russian conference on control problems (EVERYTH1NG-2014), Institute of control Sciences RAS, pp. 9208-9215.

21. Mikhailov. V.. Myrova. L.& Tsaregorodtsev, A 2012, Intelligent system of analysis and evaluation of onboard digital computer system's resistance lo destructive electromagnetic elTeeis'. Eleetrosvyaz, no. 8, pp. 36-39.

22. Voskobovleh, V„ Mikhailov, V., Myrova, L.& Tsaregorodtsev, A 2012, 'Systematic Approach to development of the Methodology of in focom mimical ion system's Analysis and Evaluation of Resistance to ¡destructive electromagnetic effects', EMC Technology, no. 1(40), pp. 51-58.

23. Mikhailov, V 2014. Development oi methods and models for analysis and evaluation of the sustainable functioning of onboard digital computer complexes in the conditions of inientional exposure of ultrashort electro magnetic radiation, doctoral thesis, JSC "Research Institute "Argon". Moscow.

24. Ovsyannikov. A.. Bayda. J.& Lavrent'ev V 2004, 'information the learning algorithms of neural networks'. Proceedings of BSTU. Ser. Phys.-Mai. Science and information, vol. XII. pp. 110-113.

25. Fomin, V. 1984 Kalman and adaptive filtering, Nauka. CH. ed. Elz.-Mat. lit, Moscow.

26. Nazarov. A., Nazarov. M.. Pantiuhin, D, Pokrova, S.. it Sychev, A 2015, 'Automation of monitoring processes in web-based neuro-fuzzy formalism» T-Comm, vol. 9, no. 8, pp. 26-33.

27. Vishnyakov. B. & Kibztin. A 2007, 'Application of the bootstrap method lor estimation of the quantile function'. Automatics and telemechanics, no. 11, pp. 46-60.

28. Gaev L.V. Random izearray evaluation of the results of simulation experiments / St. Petersburg, The proceedings of the Conference "IMMOD-2003", 2003, 5 p.

29. Galambos. 1* 1984, Asymptotic theory of extreme order statistics, Nauka, Moscow.

МОДЕЛИРОВАНИЕ ИНФОРМАЦИОННЫХ АТАК И ОЦЕНКИ ЗАЩИЩЕННОСТИ ОБЪЕКТОВ РИСКА

Назаров Алексей Николаевич, профессор, д.т.н., Московский физико-технический институт, Москва, Россия, a.nazarov06@bk.ru Нгуен Суан Тиен, аспирант, Московский физико-технический институт, Москва, Россия, tienxuannguyen86@gmail.com Чан Минь Хай, аспирант, Московский физико-технический институт, Москва, Россия, minhhai.kq80@gmail.com

Аннотация

Сегодня остро стоят вопросы обеспечения и оценки гарантированного, необходимого или допустимого уровня информационной безопасности для разных классов пользователей сервисов систем Next Generation Network (NGN). При интеграции различных средств и систем информационной безопасности и отсутствии методической основы формирования доказательной базы соответствия различным нормативно-правовым актам, требованиям регуляторов, регламентированным политикам безопасности. Конкретные требования к мерам объектовой защиты определяются по результатам специальных исследований технических средств с учетом установленной категории защищаемого объекта в зависимости от степени конфиденциальности обрабатываемой информации и условий размещения. Различные атаки требуют различных технологических решений по обеспечению информационной безопасности объектов атак. Поскольку количество атак и их модификаций исчисляется более, чем пятизначным числом, то разрабатываются различные классификации подходов обеспечения информационной безопасности, охватывающие группы атак. Методические вопросы оценки допустимого уровня информационной безопасности нуждаются в дальнейшей проработке, что предопределяет актуальность настоящей статьи. Общие подходы к построению и исследованию риска любой атаки, прежде всего в отношении объектов Next Generation Network (NGN) систем, информационно-телекоммуникационных систем и сетей (ИТКС) разработаны рамках логико-вероятностного подхода [1, 2] и проверены на различных практических примерах [3-10].

■

PUBLICATIONS IN ENGLISH

Обнаружены интересные свойства риска бот-атаки [11-15], исследованы модели риска [4] и получены экстремальные значения риска [6]. На основе логико-вероятностного подхода разработаны логико-вероятностные модели оценки информационной безопасности объекта атаки. Модели основаны на текущем уровне знаний, возможностей противодействия атакам и позволяют учитывать технологические особенности функционирования объекта атаки, существующие нормы и правила, а также любые требований. Исследованы свойства полученных моделей в классах новых функций безопасности. Уточнено состояния достижимости приемлемого уровня безопасности объекта атаки. Сформулированы логические и вероятностные критерии оценки риска информационной безопасности объекта атаки. Предложена процедура оценки ценовых рисков. Показаны направления автоматизации оценки уровня риска на основе интеллектуальных решений на основе нечеткой логики и нейронных сетей в среде веб-программирования для облачных вычислений в кластере Hadoop. Сформулированы основные требования к системе для интеллектуального автоматизированного системного мониторинга демона Та$кТгакег_состояние и другие в кластере Hadoop.

Ключевые слова: функция защиты, логическая модель, вероятностная модель, рисе, критерий, мониторинг, Hadoop, облачные вычисления, автоматизация, программный модуль, алгоритм, объект, демон, кластер,цель, требования.

Литература

1. Nazarov, A 2007, Estimation of information safety level of modern infocommunication networks on basis of logic-probability approach, Automation and Remote Control, July 2007, Vol. 68 Issue 7, 2007, pp. 1165-1176, USA, doi: I0.II34/S0005II7907070053.

2. Nazarov, A 20I0, Logical-and-probabilistic model for estimating the level of information security of modern information and communication networks, Telecommunications and Radio Engineering, Vol. 69, no I6, pp. I453-I463, USA, doi: I0.I6I5/TelecomRadEng.v69.iI6.60.

3. Nazarov, A. & Klimanov, M. 20I0, Estimating the informational security level of a typical corporate network, Automation and Remote Control, Vol. 7I Issue 8, 20I0, pp. I550-I56I.

4. Nazarov, A. & Klimanov, M 2009, Characteristic analysis of logic and probabilistic model of information security, paper presented in the Collection of proceedings of of International Workshop on Distributed Computer and Communication Computer and Communication Networks (DCCN-2009), Sofia, Bulgaria, October 5-9, 2009, pp. I54-I64. Published by Research and Development Company "Information and Networking Technologies", Moscow.

5. Назаров А.Н., Климанов М.М. Оценка уровня безопасности DNS-серверов // Документальная электросвязь, 20II.№ 2I. С. 54-57.

6. Грудинов С.А., Комаров А.А., Назаров А.Н. и др. CyberCop: Отчёт о НИР "Глобальная система противодействия неправомерным действиям в киберпространстве" (I-й этап, Соглашение по гранту Сколково № 87 от 02.II.20I2r. ), ООО "Группа Айби", исх. № 8 от 25.02.20I3. 285 с.

7. Назаров А.Н., Климанов М.М. Использование логико-вероятностного подхода при оценке риска DDOS атаки // Сборник ежегодных научных трудов Международной конференции "Управление развитием крупномасштабных систем" (MLSD'20I4), М.: ИПУ РАН. 20Иг. С. 444-45I.

8. Назаров А.Н., Комаров А.А. Интеллектуальная система анализа кибербезопасности в пространстве на web-технологиях / Доклад на 7-ой Отраслевой конференции "Технологии информационного общества". МТУСИ. 20.02.20I3 г.

9. Назаров А.Н., Туреев С.Ф. Оценка уровня информационной безопасности компьютерной сети при сетевой атаке // T^ornm:. Телекоммуникации и транспорт, 20I3. № I0. С. 78-80.

10. Назаров А.Н., Комаров А.А. Интеллектуальная система кибербезопасности в пространстве на WEB-технологиях // T^ornm:. Телекоммуникации и транспорт, 20I3. № I0. С. 8I-84.

11. A.Nazarov, S. Tureev. Logic and probabilistic model of information security for risk assessment of the object under botnet attacks // Proceedings of International Conference "Distributed Computer and Communication Networks: Control, Computation, Communications (DCCN-20I3), Moscow, Russia, October 07-I0, 20I3, pp. 276-283. Published by JSC TECHNOSPHERA.

12. Комаров А.А., Назаров А.Н. Функциональные требования к системе обнаружения и противодействия ботнет-атакам на корпоративные сети // Техника средств связи, серия "Техника телевидения", 20I3. С. I40-I5I.

13. Сачков И.К., Назаров А.Н. Автоматизация противодействия бот-атакам // T^ornm:. Телекоммуникации и транспорт, Т.8. 20I4. № 6. С. 5-9.

14. Nazarov, A 20I2 ?Botnet tracking and global threat intelligence - behavior approaches to identifying distributed botnets?, paper presented at the IEEE / Collection of proceedings of the Cybersecurity Summit (WCS), 20I2 Third Worldwide, New Dehli, 30-3I Oct. 20I2. http://ieeexplore.ieee.org/xpl/ articleDetails.jsp?arnumber=6780878&newsearch=true&queryText=Botnet%20tracking%20and%20global%20threat%20intelligence%20-%20behavior%20approaches%20to%20identifying%20distributed%20botnets.

15. Назаров А.Н., Сычев К.И. Модели и методы расчёта показателей качества функционирования узлового оборудования и структурно-сетевых параметров сетей связи следующего поколения. 2-е изд., перераб. и доп. Красноярск: Изд-во ООО "Поликом", 20II. 49I с.

16. Назаров А.Н. О возможности классификации объектов информационной безопасности сети общего пользования на основе логико-вероятностного подхода// Электронный журнал "Вычислительные сети. Теория и Практика ("Network journal. Theory and Practice") ВС/NW 20I3, № 2(23):II.Ihttp://network-journal.mpei.ac.ru/cgi-bin/main.pl?l=ru&n=23&pa=II&ar=I

17. Назаров А.Н. Оценка защищенности от информационных атак // Телекоммуникации, № 5. С. 23-33.

18. Чак Лэм. Hadoop в действии. М.: ДМК Пресс, 20I2. 424 с.

19. Волков Д.А., Назаров А.Н., Назаров М.А. Глобальная угроза - Теневой Интернет // Сборник ежегодных научных трудов Международной конференции "Управление развитием крупномасштабных систем" (MLSD'20I4), М.: ИПУ РАН. 20I4. С. 452-459.

20. Назаров А.Н. О подходах к созданию интеллектуальной системы анализа атак из Интернета//Сборник материалов XII Всероссийского совещания по проблемам управления (ВСПУ-20И), ИПУ РАН, 20I4. С. 9208-92I5.

21. Михайлов В.А., Мырова Л.О., Царегородцев А.В. Интеллектуальная система анализа и оценки устойчивости БЦВК к деструктивному воздействию ЭМИ // Электросвязь, № 8, 20I2. С. 36-39.

22. Воскобович В.В., Михайлов В.А., Мырова Л.О., Царегородцев А.В. Системный подход к созданию методологии анализа и оценки устойчивости к деструктивному воздействию ЭМИ // Технологии ЭМС. 20I2. № I(40). C5I-58.

23. Михайлов В.А. Разработка методов и моделей анализа и оценки устойчивого функционирования бортовых цифровых вычислительных комплексов в условиях преднамеренного воздействия сверхкоротких электромагнитных излучений, автореферат диссертация на соискание ученой степени доктора технический наук, ОАО "НИИ "Аргон", 20I4. 45 с.

24. Овсянников А.В., Байда Ю.А., Лаврентьев В.С. Информационные алгоритмы обучения нейронных сетей // Труды БГТУ.Сер. физ.-мат. Наук и инфор. Вып. XII. 2004. CII0-II3.

25. Фомин В.Н. Рекуррентное оценивание и адаптивная фильтрация. М.: Наука. Гл. ред. физ.-мат. лит., I984. 288 с.

26. Назаров А.Н. Назаров М.А., Пантюхин Д.В., Покрова С.В., Сычев А.К. Автоматизация процедур мониторинга в web-пространстве на основе нейро-нечеткого формализма // T^ornm:. Телекоммуникации и транспорт. Т.9. 20I5. № 8. С. 26-33.

27. Вишняков Б.В., Кибзун А.И. Применение метода бутстрепа для оценивания функции квантили // Автоматика и телемеханика, № II, 2007. С. 46-60.

28. Гаев Л.В. Рандомизированная оценка результатов имитационных экспериментов / Сборник докладов Конференции "ИММОД-2003", СПб., 2003. 5 с.

29. Галамбош Я. Асимптотическая теория экстремальных порядковых статистик. М.: Наука, I984.

7Т>