Development of an Information Security System Based on Modeling Distributed Computer Network Vulnerability Indicators of an Informatization Object
Abstract
A methodology for developing an information security (IS) system for the distributed computer network (DCN) of an informatization object (OBI) is proposed. The first stage of the methodology uses mathematical modeling: a model based on the apparatus of probability theory is presented for calculating the vulnerability coefficient. This coefficient makes it possible to assess the level of information security of the OBI network. Criteria for assessing the acceptable and critical levels of information security risk are proposed as well. The second stage of developing the DCN IS system uses simulation and virtualization of the DCN IS components. In the course of experimental studies, a model of a protected DCN was built. In the experimental model, network devices and DCN IS components were emulated on virtual machines (VMs). The DCN resources were reproduced using the Proxmox VE virtualization system. IPS Suricata was deployed on RCS hosts running PVE. Splunk was used as the SIEM. It is shown that the proposed methodology for forming the IS system for the DCN, together with the vulnerability coefficient model, makes it possible to obtain a quantitative assessment of the vulnerability levels of the OBI DCN.
License
Copyright (c) 2023 International Journal of Electronics and Telecommunications
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
1. License
The non-commercial use of the article will be governed by the Creative Commons Attribution license as currently displayed on https://creativecommons.org/licenses/by/4.0/.
2. Author’s Warranties
The author warrants that the article is original, written by stated author/s, has not been published before, contains no unlawful statements, does not infringe the rights of others, is subject to copyright that is vested exclusively in the author and free of any third party rights, and that any necessary written permissions to quote from other sources have been obtained by the author/s. The undersigned also warrants that the manuscript (or its essential substance) has not been published other than as an abstract or doctorate thesis and has not been submitted for consideration elsewhere, for print, electronic or digital publication.
3. User Rights
Under the Creative Commons Attribution license, the author(s) and users are free to share (copy, distribute and transmit the contribution) under the following conditions: 1. they must attribute the contribution in the manner specified by the author or licensor, 2. they may alter, transform, or build upon this work, 3. they may use this contribution for commercial purposes.
4. Rights of Authors
Authors retain the following rights:
- copyright, and other proprietary rights relating to the article, such as patent rights,
- the right to use the substance of the article in own future works, including lectures and books,
- the right to reproduce the article for own purposes, provided the copies are not offered for sale,
- the right to self-archive the article,
- the right to supervision over the integrity of the content of the work and its fair use.
5. Co-Authorship
If the article was prepared jointly with other authors, the signatory of this form warrants that he/she has been authorized by all co-authors to sign this agreement on their behalf, and agrees to inform his/her co-authors of the terms of this agreement.
6. Termination
This agreement can be terminated by the author or the Journal Owner upon two months’ notice where the other party has materially breached this agreement and failed to remedy such breach within a month of being given the terminating party’s notice requesting such breach to be remedied. No breach or violation of this agreement will cause this agreement or any license granted in it to terminate automatically or affect the definition of the Journal Owner. The author and the Journal Owner may agree to terminate this agreement at any time. This agreement or any license granted in it cannot be terminated otherwise than in accordance with this section 6. This License shall remain in effect throughout the term of copyright in the Work and may not be revoked without the express written consent of both parties.
7. Royalties
This agreement entitles the author to no royalties or other fees. To such extent as legally permissible, the author waives his or her right to collect royalties relative to the article in respect of any use of the article by the Journal Owner or its sublicensee.
8. Miscellaneous
The Journal Owner will publish the article (or have it published) in the Journal if the article’s editorial process is successfully completed and the Journal Owner or its sublicensee has become obligated to have the article published. Where such obligation depends on the payment of a fee, it shall not be deemed to exist until such time as that fee is paid. The Journal Owner may conform the article to a style of punctuation, spelling, capitalization and usage that it deems appropriate. The Journal Owner will be allowed to sublicense the rights that are licensed to it under this agreement. This agreement will be governed by the laws of Poland.
By signing this License, Author(s) warrant(s) that they have the full power to enter into this agreement. This License shall remain in effect throughout the term of copyright in the Work and may not be revoked without the express written consent of both parties.