Analytical attack modeling and security assessment based on the common vulnerability scoring system

The paper analyzes an approach to the analytical attack modeling and security assessment on the base of the Common Vulnerability Scoring System (CVSS) format, considering different modifications that appeared in the new version of the CVSS specification. The common approach to the analytical attack modeling and security assessment was suggested by the authors earlier. The paper outlines disadvantages of previous CVSS version that influenced negatively on the results of the attack modeling and security assessment. Differences between new and previous CVSS versions are analyzed. Modifications of the approach to the analytical attack modeling and security assessment that follow from the CVSS modifications are suggested. Advantages of the modified approach are described. Case study that illustrates enhanced approach is provided

Автоматизированное определение активов и оценка их критичности для анализа защищенности информационных систем

Цель исследования заключается в разработке методики автоматизированного выделения активов информационной системы и сравнительной оценки уровня их критичности для последующей оценки защищенности анализируемой целевой инфраструктуры. Под активами в данном случае понимаются все информационно-технологические объекты целевой инфраструктуры. Размеры, разнородность, сложность взаимосвязей, распределенность и динамичность современных информационных систем затрудняют определение целевой инфраструктуры и критичности информационно-технологических активов для ее корректного функционирования. Автоматизированное и адаптивное определение состава информационно-технологических активов и связей между ними на основе выделения статичных и динамичных объектов изначально неопределенной инфраструктуры является достаточно сложной задачей. Ее предлагается решить за счет построения актуальной динамической модели отношений объектов целевой инфраструктуры с использованием разработанной методики, которая реализует подход на основе корреляции событий, происходящих в системе. Разработанная методика основана на статистическом анализе эмпирических данных о событиях в системе. Методика позволяет выделить основные типы объектов инфраструктуры, их характеристики и иерархию, основанную на частоте использования объектов, и, как следствие, отражающую их относительную критичность для функционирования системы. Для этого в работе вводятся показатели, характеризующие принадлежность свойств одному типу, совместное использование свойств, а также показатели динамичности, характеризующие вариативность свойств относительно друг друга. Результирующая модель используется для сравнительной оценки уровня критичности типов объектов системы. В работе описываются используемые входные данные и модели, а также методика определения типов и сравнения критичности активов системы. Приведены эксперименты, показывающие работоспособность методики на примере анализа журналов безопасности операционной системы Windows

Federated Learning for Intrusion Detection in the Critical Infrastructures: Vertically Partitioned Data Use Case

One of the challenges in the Internet of Things systems is the security of the critical data, for example, data used for intrusion detection. The paper research construction of an intrusion detection system that ensures the confidentiality of critical data at a given level of intrusion detection accuracy. For this goal, federated learning is used to train an intrusion detection model. Federated learning is a computational model for distributed machine learning that allows different collaborating entities to train one global model without sharing data. This paper considers the case when entities have data that are different in attributes. Authors believe that it is a common situation for the critical systems constructed using Internet of Things (IoT) technology, when industrial objects are monitored by different sets of sensors. To evaluate the applicability of the federated learning for this case, the authors developed an approach and an architecture of the intrusion detection system for vertically partitioned data that consider the principles of federated learning and conducted the series of experiments. To model vertically partitioned data, the authors used the Secure Water Treatment (SWaT) data set that describes the functioning of the water treatment facility. The conducted experiments demonstrate that the accuracy of the intrusion detection model trained using federated learning is compared with the accuracy of the intrusion detection model trained using the centralized machine learning model. However, the computational efficiency of the learning and inference process is currently extremely low. It is explained by the application of homomorphic encryption for input data protection from different data owners or data sources. This defines the necessity to elaborate techniques for generating attributes that could model horizontally partitioned data even for the cases when the collaborating entities share datasets that differ in their attributes

Attacker Behaviour Forecasting Using Methods of Intelligent Data Analysis: A Comparative Review and Prospects

Early detection of the security incidents and correct forecasting of the attack development is the basis for the efficient and timely response to cyber threats. The development of the attack depends on future steps available to the attackers, their goals, and their motivation—that is, the attacker “profile” that defines the malefactor behaviour in the system. Usually, the “attacker profile” is a set of attacker’s attributes—both inner such as motives and skills, and external such as existing financial support and tools used. The definition of the attacker’s profile allows determining the type of the malefactor and the complexity of the countermeasures, and may significantly simplify the attacker attribution process when investigating security incidents. The goal of the paper is to analyze existing techniques of the attacker’s behaviour, the attacker’ profile specifications, and their application for the forecasting of the attack future steps. The implemented analysis allowed outlining the main advantages and limitations of the approaches to attack forecasting and attacker’s profile constructing, existing challenges, and prospects in the area. The approach for attack forecasting implementation is suggested that specifies further research steps and is the basis for the development of an attacker behaviour forecasting technique

Determination of System Weaknesses Based on the Analysis of Vulnerability Indexes and the Source Code of Exploits

Currently the problem of monitoring the security of information systems is highly relevant. One of the important security monitoring tasks is to automate the process of determination of the system weaknesses for their further elimination. The paper considers the techniques for analysis of vulnerability indexes and exploit source code, as well as their subsequent classification. The suggested approach uses open security sources and incorporates two techniques, depending on the available security data. The first technique is based on the analysis of publicly available vulnerability indexes of the Common Vulnerability Scoring System for vulnerability classification by weaknesses. The second one complements the first one in case if there are exploits but there are no associated vulnerabilities and therefore the indexes for classification are absent. It is based on the analysis of the exploit source code for the features, i.e. indexes, using graph models. The extracted indexes are further used for weakness determination using the first technique. The paper provides the experiments demonstrating an effectiveness and potential of the developed techniques. The obtained results and the methods for their enhancement are discussed

Construction and Analysis of Integral User-Oriented Trustworthiness Metrics

Trustworthiness metrics help users to understand information system’s or a device’s security, safety, privacy, resilience, and reliability level. These metrics have different types and natures. The challenge consists of the integration of these metrics into one clear, scalable, sensitive, and reasonable metric representing overall trustworthiness level, useful for understanding if the users can trust the system or for the comparison of the devices and information systems. In this research, the authors propose a novel algorithm for calculation of an integral trustworthiness risk score that is scalable to any number of metrics, considers their criticality, and does not perform averaging in a case when all metrics are of equal importance. The obtained trustworthiness risk score could be further transformed to trustworthiness level. The authors analyze the resulting integral metric sensitivity and demonstrate its advantages on the series of experiments

Automation of Asset Inventory for Cyber Security: Investigation of Event Correlation-Based Technique

Asset inventory is one of the essential steps in cyber security analysis and management. It is required for security risk identification. Current information systems are large-scale, heterogeneous, and dynamic. This complicates manual inventory of the assets as it requires a lot of time and human resources. At the same time, an asset inventory should be continuously repeated because continuous modifications of system objects and topology lead to changes in the cyber security situation. Thus, a technique for automated identification of system assets and connections between them is required. The paper proposes a technique for automated inventory of assets and connections between them in different organizations. The developed technique is constructed based on event correlation methods, namely linking the system events to each other. The essence of the technique consists of the investigation of event characteristics and identifying the characteristics that arise solely together. This allows determining system assets via assigning event characteristics to specific asset types. The security risks depend on the criticality of the assets; thus, a discussion of automated calculation of the outlined assets’ criticality is provided. Outlined system objects and topology can be further used for restoring possible attack paths and security assessment. The applicability of the developed technique to reveal object properties and types is demonstrated in the experiments

Automation of Asset Inventory for Cyber Security: Investigation of Event Correlation-Based Technique

Asset inventory is one of the essential steps in cyber security analysis and management. It is required for security risk identification. Current information systems are large-scale, heterogeneous, and dynamic. This complicates manual inventory of the assets as it requires a lot of time and human resources. At the same time, an asset inventory should be continuously repeated because continuous modifications of system objects and topology lead to changes in the cyber security situation. Thus, a technique for automated identification of system assets and connections between them is required. The paper proposes a technique for automated inventory of assets and connections between them in different organizations. The developed technique is constructed based on event correlation methods, namely linking the system events to each other. The essence of the technique consists of the investigation of event characteristics and identifying the characteristics that arise solely together. This allows determining system assets via assigning event characteristics to specific asset types. The security risks depend on the criticality of the assets; thus, a discussion of automated calculation of the outlined assets’ criticality is provided. Outlined system objects and topology can be further used for restoring possible attack paths and security assessment. The applicability of the developed technique to reveal object properties and types is demonstrated in the experiments

Dynamic Security Assessment Of Computer Networks In Siem-Systems

The paper suggests an approach to the security assessment of computer networks. The approach is based on attack graphs and intended for Security Information and Events Management systems (SIEM-systems). Key feature of the approach consists in the application of the multilevel security metrics taxonomy. The taxonomy allows definition of the system profile according to the input data used for the metrics calculation and techniques of security metrics calculation. This allows specification of the security assessment in near real time, identification of previous and future attacker steps, identification of attackers goals and characteristics. A security assessment system prototype is implemented for the suggested approach. Analysis of its operation is conducted for several attack scenarios

Synthesis and Analysis of the Fixed-Point Hodgkin–Huxley Neuron Model

In many tasks related to realistic neurons and neural network simulation, the performance of desktop computers is nowhere near enough. To overcome this obstacle, researchers are developing FPGA-based simulators that naturally use fixed-point arithmetic. In these implementations, little attention is usually paid to the choice of numerical method for the discretization of the continuous neuron model. In our study, the implementation accuracy of a neuron described by simplified Hodgkin–Huxley equations in fixed-point arithmetic is under investigation. The principle of constructing a fixed-point neuron model with various numerical methods is described. Interspike diagrams and refractory period analysis are used for the experimental study of the synthesized discrete maps of the simplified Hodgkin–Huxley neuron model. We show that the explicit midpoint method is much better suited to simulate the neuron dynamics on an FPGA than the explicit Euler method which is in common use