http://dataart.com/ Rigorous Semantics and Refinement for Business Processes . . . . . . . . . . . . .

Klaus-Dieter Schewe Smart Learning Environments: a Shift of Paradigm . . . . . . . . . . . . . . . . . . . .

David Esteban Tutorial Systematic Business Process Modeling in a Nutshell . . . . . . . . . . . . . . . . . . .

Heinrich C. Mayr Part I: Main ICTERI Papers Teaching ICT and Using ICT in Education On the Results of a Study of the Willingness and the Readiness to Use Dynamic Mathematics Software by Future Math Teachers . . . . . . . . . . . . . .

Elena Semenikhina and Marina Drushlyak Model-Based Software System Development Knowledge-Based Approach to Effectiveness Estimation of Post Object-Oriented Technologies in Software Maintenance . . . . . . . . . . . . . . . .

Mykola Tkachuk, Kostiantyn Nagornyi and Rustam Gamzayev Provably Correct Graph Transformations with Small-tALC . . . . . . . . . . . . .

Nadezhda Baklanova, Jon Hael Brenas, Rachid Echahed, Christian Percebois, Martin Strecker and Hanh Nhi Tran A Study of Bi-Objective Models for Decision Support in Software Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Vira Liubchenko 1 3 4 5 21 35 51 62 78 94 Method of Evaluating the Success of Software Project Implementation Based on Analysis of Specification Using Neuronet Information Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Tetiana Hovorushchenko and Andriy Krasiy Machine Intelligence, Knowledge Engineering and Management for ICT Calculation Method for a Computer’s Diagnostics of Cardiovascular Diseases Based on Canonical Decompositions of Random Sequences . . . . . 108

Igor P. Atamanyuk and Yuriy P. Kondratenko Synthesis of Time Series Forecasting Scheme Based on Forecasting Models System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Fedir Geche, Vladyslav Kotsovsky, Anatoliy Batyuk, Sandra Geche and Mykhaylo Vashkeba C-Clause Calculi and Refutation Search in First-Order Classical Logic . . . 137

Alexander Lyaletski Principles of Intellectual Control and Classification Optimization in Conditions of Technological Processes of Beneficiation Complexes . . . . . . . 153

Andrey Kupin and Anton Senko ICT in Industrial Applications A Composite Indicator of K-society Measurement . . . . . . . . . . . . . . . . . . . . . 161

Kseniia Ilchenko and Ivan Pyshnograiev Part II: ICTERI Workshop Papers ITER Workshop Papers Risk Assessment of Use of the Dnieper Cascade Hydropower Plants . . . . . 204

Andriy Skrypnyk and Olha Holiachuk Behavioral Aspects of Financial Anomalies in Ukraine . . . . . . . . . . . . . . . . . 214

Tetiana Paientko The Formation of the Deposit Portfolio in Macroeconomic Instability . . . . 225

Andriy Skrypnyk and Maryna Nehrey Dynamic Model of Double Electronic Vickrey Auction . . . . . . . . . . . . . . . . . 236

Vitaliy Kobets, Valeria Yatsenko and Maksim Poltoratskiy The Multidimensional Data Model of Integrated Accounting Needed for Compiling Management Reports Based on Calculation EBITDA Indicator 276

Viktoria Yatsenko MRDL Workshop Papers The Hybrid Service Model of Electronic Resources Access in the Cloud-Based Learning Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

Mariya Shyshkina Methods and Technologies for the Quality Monitoring of Electronic Educational Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

Hennadiy Kravtsov SMSV Workshop Papers Realisation of ”Black Boxes” Using Machines . . . . . . . . . . . . . . . . . . . . . . . . . 326

Grygoriy Zholtkevych An Interleaving Reduction for Reachability Checking in Symbolic Modeling 338 Alexander Letichevsky, Oleksandr Letychevskyi and Vladimir Peschanenko Abstracting an Operational Semantics to Finite Automata . . . . . . . . . . . . . 354 Nadezhda Baklanova, Wilmer Ricciotti, Jan-Georg Smaus and Martin Strecker The Static Analysis of Linear Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Michael Lvov and Yulia Tarasich Defining Finitely Supported Mathematics over Sets with Atoms . . . . . . . . . 382

Andrei Alexandru and Gabriel Ciobanu On a Strong Notion of Viability for Switched Systems . . . . . . . . . . . . . . . . . 396

Ievgen Ivanov Natural Computing Modelling of the Polynomial Space Turing Machines . 408

Bogdan Aman and Gabriel Ciobanu TheRMIT Workshop Papers Rigorous Semantics and Refinement for Business ⋆ Processes (Abstract)

Klaus-Dieter Schewe1,2 1 Software Competence Center Hagenberg, Austria, kd.schewe@scch.at 2 Johannes-Kepler-University Linz, Austria, kd.schewe@cdcc.faw.jku.at ICTERI Key Terms. Mathematical Model, Methodology, Formal Method, Process, Integration For the modelling of business processes it is necessary to integrate models for control flow, messaging, event handling, interaction, data management, and exception handling. In principle, all common business process models such as BPMN [ 14 ], YAWL [ 13 ], ARIS [ 11 ] or S-BPM [ 6 ] follow such an approach. Though it is claimed that the models have already reached a high level of maturity, they still lack rigorous semantics as pointed out in [ 1, 5, 15 ]. Furthermore, quite a few aspects such as data management, interaction and exception handling have only been dealt with superficially as pointed out in [ 12 ].

The first concern regarding rigorous semantics has been discussed in detail by B¨orger in [ 2 ] for BPMN, which led to an intensive investigation of BPMN semantics on the grounds of Abstract State Machines (ASMs, [ 4 ]), in particular for OR-synchronisation [ 3 ]. The monograph by Kossak et al. defines a rigorous semantics for a large subset of BPMN leaving out some ill-defined concepts [ 8 ].

The second concern can be addressed by means of horizontal refinement. On grounds of ASMs necessary subtle distinctions and extensions to the control flow model such as counters, priorities, freezing, etc. can be easily integrated in a smooth way [ 12 ]. Conservative extensions covering messaging can be adopted from S-BPM [ 6 ], while events in BPMN have been handled in [ 7 ]. For the event model it is necessary and sufficient to specify what kind of events are to be observed, which can be captured on the grounds of monitored locations in ASMs, and which event conditions are to be integrated into the model. Extensions concerning actor modelling, i.e. the specification of responsibilities for the execution of activities (roles), as well as rules governing rights and obligations lead to the integration of deontic constraints [ 10 ], some of which can be exploited to simplify the control flow [ 9 ]. In this way subtle distinctions regarding decision-making responsibilities in BPM can be captured. ⋆ The research reported in this paper was supported by the Austrian Forschungsfo¨rderungsgesellschaft (FFG) for the Bridge Early Stage project “Advanced Adaptivity and Exception Handling in Formal Business Process Models” (adaBPM) under contract 842437.

In the talk a glimpse of the rigorous, ASM-based semantics for business processes is presented. The focus is on the control flow with specific emphasis on priority handling. This is followed by a discussion of horizontal refinement focusing on the introduction of disruptive events and associated exception handling. A simplified example capturing the effects of external change to a running process is used for illustration. Smart Learning Environments: a Shift of Paradigm

David Esteban1 1 TECHFORCE, Vía Augusta, 2bis planta 5ª E-08006 Barcelona, Spain Abstract. The incorporation of Information and Communication Technologies (ICT) as a supporting mechanism in educational processes has already been proved as an important driver in reinforcing both teaching and learning. The extensive development of Learning Management Systems (LMS), software platforms aimed at supporting and articulating e-learning, education courses and training programs, is already backed by a relevant ICT industry, with significant market penetration. The emergence of the new concept of Smart Learning Environments (SLEs) is shifting the main focus of LMSs on courseware towards a more efficient and effective approach focused on teaching and learning processes, thus in the students themselves and in the teachers as key players. The evolving concept of SLEs encompasses blending educational technologies with appropriate considerations and guidance developed by pedagogical and educational neuroscience domains, thus opening up room for interesting scientific and technological challenges. Systematic Business Process Modeling in a Nutshell

Heinrich C. Mayr1 1Alpen-Adria-Universität Klagenfurt, Universitätsstrasse 65-67 Klagenfurt, 9020, Austria

Heinrich.Mayr@aau.at Abstract. In-depth business process management is crucial for any institution and enterprise in a competitive world. Although this insight is by no means new, the daily practice draws another picture: Certainly, many enterprises have defined their overall strategy including IT issues at least roughly, and, based here on, have documented their business processes somehow. Rarely however, do they manage their business processes comprehensively in the sense of covering analysis, design, measurement, continuous optimization, and IT support.

The key prerequisite for allowing such comprehensive handling of business processes is to describe these processes transparently and completely, using a modeling language that is appropriate for the particular context including all stakeholders concerned.

The aims of this tutorial, therefore, are threefold: (1) the participants will learn about the fundamentals of business processes and their contexts; (2) the key features of popular business process modeling languages like Adonis and BPMN; and (3) guidelines for selecting an appropriate modeling approach including the customization to the given environment.

Intended audience: Practitioners and researchers who are interested in a systematic approach to business process management, and have basic knowledge in modeling and information systems engineering.

Keywords. Business process fundamental, business process context, business process modeling language, selection of the modeling approach, customization Key Terms. Process, ProcessPattern, Technology, Methodology, Model Using ICT in Training Scientific Personnel in Ukraine:

Status and Perspectives

Aleksandr Spivakovsky, Maksim Vinnik and Yulia Tarasich Kherson State University, 27, 40 rokiv Zhovtnya St., 73000 Kherson, Ukraine {Spivakovsky, Vinnik, YuTarasich}@kspu.edu Abstract. Today an enormous amount of problems in building a system of efficient education and science is on the discussion agenda in Ukraine. A decrease in the number of scientists in the country has been observed in the last 15 years. At the same time, the amount of postgraduate students and people aiming at obtaining their doctorate is increasing. Notably, similar indicators are also observed in the majority of post-soviet countries. One complicating factor is that the system of scientific personnel training in Ukraine is very restrictive and closed. The proportion of research results published using a free access scheme to the overall bulk of publications is still very small, in particular if compared to the level of ICT development. Therefore, a major part of the publications still remains inaccessible from the outside. In this study we investigate the openness and accessibility of the preparation of the academic staff in Ukraine. As a result we come up with a proposal of requirements to the ICT infrastructure in this area.

Key Terms: ICT Infrastructure, Research.

''If it's not on the Web, it doesn't exist at all''

Sarah Stevens-Rayburn & Ellen N. Bouton, 1997 1 Introduction The main catalyst for socio-economic development of a state potential is the ability to create, collect, and effectively manage knowledge that is comes out from the best scholarly research practices. The countries which have made it to their development strategy and implemented the effective interaction with the business enjoy TOP ratings in the World rankings. In the age of information technologies, it takes one not years, but rather days to bear the bell of scientific research and excel the competitors. The companies which are the first in the market are more likely to benefit from a positive effect caused by the introduction of new knowledge. Globalization is adjusting the cooperation between science and industry. More and more funds are invested in scientific research and development to capture the leadership in the market. A modern country's development is stimulated by the transition from a resource-based economy to hi-tech. There is an opportunity to create “intellectual dollars” without any resource, but people. The results of intellectual work become a hard currency. For example, Japan, though it had no natural resources, managed to become the leader in world's economy. The monetary value of the biggest hi-tech (IT) companies is at a scale of the budgets of some developed countries (Apple – $ 711 billion, Microsoft – $ 349 billion, Google – $ 365 billion).

The Open Science (OS) movement gains popularity in the world of clerisy, aiming to make research results and source data accessible to public at all levels. However, there is a conflict between the desire of scientists to have access to shared resources and make profit by using these resources [ 1 ]. In recent years, many governments try to impose the policy of openness regarding scientific knowledge, especially, if it is funded with public money. One way is the enforcement of providing open access to the results of all research projects performed at public expense. An indicative example is the US, which grant annually about $ 60 billion for research. In 2008, the US Congress imposed the obligation to grant free access in a year after the first publication to all the research papers based on the studies conducted by the National Institute for Health (which receives circa the half of the total public funding for science). Similar measures are now considered by many other countries.

Today, a lot of research in Ukraine is devoted to the problems of higher education and, in particular, the use of ICT for training students, creating information and communication environments in the universities, etc. However, in the scholarly literature insufficient attention is paid to the development of information and communication models of interaction with ІCT in academic staff training. Moreover, today we are talking about the need for openness and accessibility of scientific activity, whereas a substantial part of the scholarly output never reaches its reader within and even more outside the professional academic community. This problem is particularly acute in the post-soviet countries. Regionalism of entire areas in science, convention, low connection with contemporary scientific trends, low level of foreign language knowledge by scientists, lack of self-developing scientific community, low competition with other countries, lack of motivation, poor funding, brain drain, and a number of other factors result in the continuing archaism of scientific brainpower training in Ukraine.

Scientometrics is rapidly developing nowadays. Using information technology allows creating new services for the development of scientific and research activity. Many global companies invest billions of dollars in services to support research activity, thereby creating a serious market not for the research results but for the research process support. Herewith the trend shifts toward commercial projects. The examples of such companies are Apple, Microsoft, Google, Elsevier, Thomson Reuters, not to mention many others. The most outstanding services with rapidly growing impact are Google Scholar, Scopus, Orcid, Academia.edu, Research Gate, Mendeley, arXiv.org, cs2n, Epernicus, Myexperiment, Network.nature, Sciencecommunity. These services contribute to satisfying the needs of the scientific community. In fact, these positively influence scientific and technical progress and create a new paradigm of scientific research. A big number of the recently created scientometric services allow assessing the relevance of the research results by a scientist, the number of his publications, citations, storage, etc. Having these measurements at hand opens up new opportunities and prospects. Our time is characterized by the high rates of the accumulation of new knowledge, in particular in А С

E B

D Fig. 3. The RBD of the fault-tolerant system On the basis of developed binary SAM of the fault-tolerant system, which consists of set of formal parameters (Fig. 4), SV components and failure condition (Fig. 5), the tree of modification rules of state vector (Fig. 6), which is the input to the software module ASNA, the graph states and transitions was obtained in the automatic mode (Fig. 7). Fig .5. State vector components and failure condition

Basing on the obtained graph of states and transitions the software module ASNA formed mathematical model of the system as a system of Chapmen - Kolmogorov differential equations. After its solving the probability of being in every possible state was obtained. Probability of system being in operable state is 0.9894, and the probability of failure is equal to:

Qf = 1 - 0,9894 = 0,01061 λA

ABC

DE λE λD λB λC

λD BCDE λE

λA ACD λC

λE λA ABD

λE λD λB ABCE λC λE λC λB λB λA λB λA ABC λC λD

CDE λD λC

BDE ADE λE λB λA λD λA ABE λB λE ABD λD DE λD

λE λA

BCD λB ACD λA λD λB

BCE ACE λC λB λA λC λD λE CE

BE AE λC λB λA CD λC λE

E λE

SF

On the basis of the graph of states and transitions according to developed algorithm, it was determined that after simultaneous failure of modules E and D the system fails in general. Next, other two combinations which also lead to failure of the whole system are ACE and BCE. Thus, these three combinations make the MCS. The next stage was the determining of the values of the probability of each of these combinations. Substituting logical expression of MCS DE: ((V4 = 0) AND (V5 = 0)) instead of failure condition the MCS value of probability simultaneous failure of combination of modules E and D was obtained, which is QDE = 0,009. Similarly, substituting logical expression of MCS ACE and BCE instead of failure condition we get: QACE = 0,00084; and QBCE = 0.00084. The calculated MCS is shown in Table. 1. Validation of the developed method. To validate the developed method it was implemented the a fault tree building for the system (Fig. 8) according to the approach [ 8 ] and the values of the probability of failures for each MCS were calculated. It was considered that the results obtained by fault tree are accurate and they were compared with results which are shown in Fig.8. Fault tree Table 1.

The validation was performed using specialized software suite RAM Commander by ALD Service. For RBD the fault tree was set up (Fig. 8) and MCS were obtained by tools of RAM Commander and are shown in Fig. 9.

The comparison shows that the calculated values of MCS, which were obtained from fault tree using software suite RAM Commander coincide with the values obtained from the graph of states and transitions with the split failure state using binary SAM. The developed approach (Fig. 2) allows us to get the MCS in automatic mode without fault tree construction.

Expanding the Functionality of the Program ASNA for the

Safety Analysis of CTSCA

For building complex models, which are focused on determination of the reliability and safety indexes it is most advisable to take as a basis the graph of states and transitions with split state of catastrophic failure and method for its automated construction using binary SAM. However, the biggest problem for the designer, in this case, is the construction of the binary SAM because its formation requires from the developer not only the deep knowledge of the nuances of functionality of designed CTSCA but also thorough knowledge about techniques of construction the formalized graph of states and transitions that is the whole direction in complex systems designing.

Therefore, the next urgent task is to automate the construction of binary SAM-based graphical representation of the system as a RBD. This will speed up the development of SAM, reduce the time cost in degree and obtain both reliability and safety indexes. Principles of this automation were laid in works [ 12, 15 ]. At the same time, we note that this approach narrows the class of the analyzed systems because it does not allow us to analyze complex technical systems that are described by queuing systems, flowcharts, etc. behavior algorithm.

According to approach [ 12 ] the visualization software for RBD of technical system, which makes it possible the automatic construction of graphic images of flow diagram of technical systems and the formation of conditions of their functioning and failure, was developed. Using the developed software the information about the system is transmitted as input to the ASNA software for further calculations of reliability indexes accordingly to the number of elements in the node, the number of renewals and maintenance crews, time range, intensity of failures and recoveries for each of elements of analyzed system.

In order to extend the functionality of the ASNA software for safety analysis of CTSCA it is needed to combine binary SAM methodology with the approach [ 12 ]. It is necessary to modify the SAM as follows:  Every element input in the RBD is accompanied by the creation the next set of SV components, the number of elements corresponds to the number of components: Item1, Item2, … ,Itemi,… → V11, V21, … , Vi1, …  

The initial value of each component is equal to one: Vi1=1; Type of connection of RBD elements (serial, parallel, combined) is given by the inoperable condition If the limited number of renewals of system is planned, for each item is added another SV component – counter of repairs:

→ V12, V22, … , Vi2, …

The initial value of each component is equal to zero: Vi2=0 If the number of renewals is unlimited, the additional component isn’t added; Each RBD element is assigned to line of binary SAM as follows:

Event Condition FCIT FCPAT MRSV Failure of module і Vi1=1 i 1 Vi1=0 If the system is renewable, in addition to each RBD element, another line is assigned to binary SAM as follows:

Event Condition FCIT FCPAT MRSV Repair of module і (Vi1=0) AND µi 1 Vi1=1 (Vi2<RCi) Vi2= Vi2+1  Parametres of each element (failure rate - i, the intensity of repair - i, the number of repairs - RCi etc.) is transmitted to set of formal parametres;  Limited values of each RBD element repair, the number of repair crews, repair priority are transmitted to set of formal parametres;  Inoperable conditions are transmitted to SAM and serves to filter the operablebodied and inoperable states.

Thus all components of SAM can be automatically formed. Generated data can be represented as a file that is sent to ASNA software module as input data. ASNA software module enables automated obtaining of the graph of states and transitions with split failure state. Basing on the graph of states and transitions ASNA software makes it possible to assess reliability. CutSetDefiner software, basing on the graph of states and transitions, can generate MCS and basing on MCS through software [ 16 ] we can automatically get the fault tree. 5

Conclusions 1. Split of critical failure state in graph of states and transitions, in contrast to the known approaches, allows estimation of reliability and safety indexes, that makes the impact of maintenance strategies on safety and reliability, impact of the fault tolerance on safety to be considered. This will increase the accuracy (certainty) of efficiency indexes estimation of complex technical systems for critical application. 2. Minimal cut sets obtaining on the basis of the graph of states and transitions allows taking into account the interrelations of accidents directly from the analysis of system states for identification weaknesses. It gives only reasonable means for providing fault tolerance that reasonably reduces the cost of improving the system. 3. Using binary structural-automatic model allows automated obtaining of split critical failure state and reducing time costs for building the graph of states and transitions. 4. Risk reduction factor was introduced for quantitatively assess of the efficiency of improving safety by improving reliability by introducing redundancy in critical elements of complex technical systems for critical application. 5. Fault tree building from the graph of states and transitions basing on minimal cut sets takes into account the behavior of complex system that is not available when using static and dynamic fault trees 6. The combination of binary structural-automatic model and method of automated constructing of graph of states and transitions basing on reliability block diagram makes it possible to automate the procedure of building structural-automatic model of fault-tolerant renewable complex technical systems for critical application and reduce time costs by more than degree. Scenario-Based Markovian Modeling of Web-System Availability Considering Attacks on Vulnerabilities Vyacheslav Kharchenko1, Yurij Ponochovny2, Artem Boyarchuk1 and Anatoliy

Gorbenko1 1 National Aerospace University KhAI, Kharkiv, Ukraine

V.Kharchenko@khai.edu 2 Poltava National Technical University named after Yurij Kondratyuk, Poltava, Ukraine pnch1@rambler.ru Abstract. In the paper we simulate web-system availability taking into account security aspects and different maintenance scenarios. As a case study we have developed two Markov’s models. These models simulate availability of a multitier web-system considering attacks on DNS vulnerabilities in additional to system failures due to hardware/software (HW/SW) faults. Proposed Markov’s model use attacks rate and criticality as initial simulation parameters. In the paper we demonstrate how to estimate these parameters using open vulnerability databases (e.g. National Vulnerability Database). We also define different vulnerability elimination (VE) scenarios and examine how they affect system availability.

Keywords: web-system availability, security, vulnerability, Markov’s models, scenario of vulnerability elimination

Key terms. MathematicalModeling, MathematicalModel, SoftwareSystems 1 Introduction

Efficient implementation and operation of multitier web-systems using COTS components depend on accuracy of security assessment and quality of attacks prevention and recovery activities. Security of web-system can be estimated by analyzing web-components vulnerabilities and predicting attacks affecting system availability and other security attributes. System availability and accessibility of the provided ser-vices depend on the used maintenance strategy. This strategy can implement various vulnerability prevention and elimination scenarios [ 1 ]. Thus, assessing web-systems availability taking into account both system failures due to HW/SW faults, and hacker attacks on components vulnerabilities is important.

To estimate system availability and security researchers develop various simulation models [ 1, 2 ]. Most of them are based on attack tree analysis [ 3,4 ], Markov’s [ 5,6 ] and semi-Markov’s chains [ 7,8 ] or use of Petri nets [ 9,10 ] as a mathematical apparatus. However, known models do not explicitly consider attacks on system vulnerabilities causing inaccessibility of the provided services (accessibility vulnerabilities) and do not take into account different security policies and vulnerability elimination strategies.

In the paper we analyze web-system availability considering failures caused by HW/SW faults as well as attacks on system vulnerabilities. With this purpose we propose and examine a set of Markov’s availability models implementing different scenarios of vulnerability elimination. This paper continues research described in [ 6 ] using scenario-based approach.

The rest of the paper is organized as follows. In the second section we suggest a set of scenarios to assess web-system availability taking into account different vulnerability elimination procedures. In the third section we discuss a technique of estimating input parameters of Markov’s models by use of information about software component vulnerabilities from the open vulnerability databases. The forth section presents a case study and the set of Markov’s models and also examines simulation results. 2 The Scenario-Based Modeling with Regards Elimination

Approach to to System

Web-System Vulnerabilities

Availability and their

Attacks on vulnerabilities of web-systems can be simulated using Markov’s models [ 5-7 ]. However, for that we should take into account that parameters of the vulnerabilities (numbers and types) are changed as a result of elimination and patching procedures.

In the Fig. 1 we propose a set of common state-transitional models capturing different attack and recovery scenarios. The scenarios are differed by a number of attacked vulnerabilities: one (a-f) or several (g); with (b-g) or without (a) vulnerability elimination; with vulnerability elimination after system been successfully attacked (b-d) or during (e,f) preventive maintenance actions.

We have marked model states as following: double circles correspond to up-states, single line marked circles correspond to maintenance states, thick line marked circles correspond to down-states after attacks.

The simplest scenario is shown in Fig. 1,а. After successful attack a web-system is recovered (e.g. rebooted) without vulnerability elimination. However not all attacks can be successful and lead to web system unavailability. This is why we consider two transitions from up-state S0: the first transition with the rate attack*Da leads to down (unavailable)-state Sd; the second one with the rate attack*(1-Da) returns back to upstate S0 (Da is a probability of attack to be successful).

The second scenario (Fig. 1,b) illustrates vulnerability elimination during system recovery after successful attack. We assume that during recovery action it is possible to eliminate from 0 to all (nv) vulnerabilities. Hence, web-system may return from the down-state Sd to the initial state S0 without vulnerability elimination with the rate ′ a*(1-Dp), where Dp is a probability of successful recovery and vulnerability elimination, or may transit to the next up-state Su with the rate ′ a*Dp. ilty tuho lavo irae

b iw rem lvun t s te i i l i b a r e n l u v l a v o m e r e h t h t i W e v i t n e v e r p h t i W l a r e v e s on se s i k it ttcaa ilrab ith len W vu

S0

nv S0 S0 S0 S0 Sp S0 Sp

S0 Sd Sd Sd

Sd Sd Sd Sd Sd Sd Sd

nv-1 Su Su Su Su Sp Su

Sp Su Sd Sd Sd

Sd Sd

1 Su Su Su Su Sp Su

Sp Sd

Su

Sd Sd Sd Sd Sd Sd 0 Su Su Su Su Su Su a) b) c) Fig. 1. Graph models of scenarios of web-system availability considering different options of vulnerability elimination

The third scenario (Fig. 1,c) describes graduate vulnerability elimination only after successful attacks on these vulnerabilities. In this scenario the total number of vulnerabilities in the system may be unlimited nv → ∞.

The step by step vulnerability elimination is described by the next scenario (Fig. 1,d). In this case it is assumed that restart of web-system is possible without elimination of vulnerability which was attacked. 3 Estimation of Input Availability Models 3.1

Parameters for

Markov’s

Web-System

According with the fifth scenario (Fig. 1,e) vulnerabilities can be detected and eliminated from the system only during the periodic maintenance actions (i.e. security audits) only. After the successful attack a web-system is restarted or reboot without vulnerability elimination. Vulnerabilities can be detected and eliminated from the system only during periodic security audits. The probability of eliminating the i-th vulnerability is equal to αi, Σαi = 1.

The sixth scenario (Fig. 1,f) assumes that vulnerabilities can be detected and eliminated from the system both after successful attacks or during periodic security audits. The seventh scenario takes into account possibility of attacks on several vulnerabilities (Fig. 1,g). The scenario describes sequential chains of attacks on sever-al (four, in our example) services of a web-system. In this case an intruder continues to attack the next services. After successful attack a web-system can transit to a new upstate where vulnerabilities are eliminated from the system or can return back to the initial state by system restarting or rebooting.

Described set of scenarios is not complete. This set includes some basic scenarios. However, other scenarios can be developed considering different procedures of maintenance and vulnerability elimination or patching.

In this section we discuss how parameters of Markov’s models simulating websystem availability can be estimated using existing vulnerability databases like NVD.

The whole set of vulnerabilities stored in NVD can be downloaded as an XML file «NVD/CVE XML Feed with CVSS and CPE mappings (version 1.2)» [ 11,12 ]. Then we need to select those vulnerabilities of Web-system components (DNS-server, HTTPserver, application server, etc.) affecting system availability. It is can be done by analyzing vulnerabilities availability impact and vector of access using, for instance, common vulnerability scoring system (CVSS) [ 13 ] provided by NVD:

- Availability impact, A, which can be equal one of three fuzzy values “None” (N), “Partial” (P) and “Complete” (C); - Vector of access, value “Network” (N).

For example, Table 1 presents a subset of vulnerabilities detected during 2013 and causing unavailability of DNS (CVSS_vector – contains – AVμN, AμC и AμP; ns1:descript – contains – DNS (an example for analysis attacks on DNS) including their publishing dates and score. 3.2

Estimation of Attack Rates

In order to parameterizes state-transition models we need to evaluate a rate of the attacks exploiting system vulnerabilities.

This rate obviously depends on different factors including number of system vulnerabilities, their criticality, availability impact and vector of access. However, vulnerabilities define only the capability of a system to be attacked. On the other hand, unlike random system failures, vulnerabilities are exploited by various intended (hacker, computer criminals, industrial espionage, insiders, etc.) and unintended (viruses, worms, malware, etc.) threat agents.

name CVE-2013-0198 CVE-2013-2266 CVE-2013-2494 CVE-2013-1152 CVE-2013-2052 CVE-2013-2053 CVE-2013-2054 CVE-2013-4854 CVE-2013-4115 CVE-2013-5479 CVE-2013-5480

Motivation of intended threat agents is also depended on the system itself (its value and interest for the attacker). Last two factors are really difficult to define quantitatively. Thus, in the paper we propose to define the attack rate by the average per year frequency of vulnerability disclosure in the system components.

Criticality of attack is determined as an average value of basic CVSS estimation. We propose the following technique to estimate attack rate:

1) development of availability block diagram (ABD) of web-systems as a sequentially-parallel connection of components influencing on accessibility (similar to RBD); 2) extraction from NVD the vulnerability subsets for all components of ABD; 3) calculation of average per year frequency of vulnerability disclosure in these subsets;

4) determination of attack rate as the maximum of these frequencies of vulnerability disclosure;

5) calculation of attack criticality as an average value of basic CVSS estimation for selected set per year.

According with Table 1, average attack rate on DNS vulnerabilities causing unavailability could be estimated in 2013 as 1,26*10–3 1/h while the average criticality equals 6,75.

Route DNS

DHCP

Route mudns

ladns 4 Web-System Availability Elimination Scenarios

Models for Different Vulnerability 4.1 Initial Model and its Parameters

Let us examine a web-system based on three network services: DNS, DHCP and Routing. Reliability block diagram (RBD) and Markov’s model (the marked Markov’s chain) of the web-system are shown in Fig. 2.

Fig. 2. Reliability block diagram and Markov’s model of the web-system without considering system vulnerabilities

The RBD consists of three consequently connected components and failure of any components causes failure (unavailability) of the system. In this section we study two availability models taking into account attacks on DNS vulnerabilities and different maintenance operations including security audits [ 7 ]. The first model (MA-1) corresponds to scenario with vulnerability elimination during security audits only (Fig. 1,e). The second one (MA-2) implements scenario with vulnerability elimination after successful attack on a system and also during security audits (Fig. 1,f).

Initial values of model parameters are presented in Table 2. The models itself have been implemented as Matlab programs. 4.2

The Model MA-1

This model describes a web-system with attacks on DNS vulnerabilities and periodic maintenance activities (security audits) including detection and elimination of vulnerabilities without complication of code (ladns =const). mudns

ladns

Sn+1 j αj

q*muprof mureboot

S10 S11 nv–1 qnv–2*p

nv 1-∑αj S1 S2

S3 mudns

ladns mudhcp

ladhcp muroute laroute

Fig. 3. Marked Markov’s graph for МА-1

Marked Markov’s graph is shown on Fig. 3. As during these activities it is possible to detect and eliminate more than one vulnerability [1…nv], we use a special parameter αj which defines probability of detection of j-th (j  [1…nv]) vulnerabilities. Apparently, Σαj = 1, and values α1, α2,… αj,… αnv are distributes on discreet law. For calculation of geometrical distribution law αj was used with parametersμ р=α1=0.7 (probability of detection of the single vulnerability) and q=1–р=0.3 (Table 3).

Initially (state S0) web-system works considering failures and recovering of DNS, DHCP и Routing services (states S1- S3). After attack on DNS (transition to state S5 with the rate d1dns*laatdns) the system fails and can be recovered by restart without vulnerability elimination with rate mureboot. Periodically maintenance activities are performed (state S4) during which 0, 1,…nv vulnerabilities can be eliminated (transitions from state S4 to states S0, S4… Sn). These transitions are weighted using parameter αj*muprof. Further process is continued in the same way (states Sn…Sn+3). 1 0.998 0.996 t)0.994 ( A 0.992 1 )(t0.96 A0.95 3.5

4.5 2.5 t, hours

5 x 104 Fig. 4. Diagram of dependency of availability function for the model МА-1 on different probabilities α1 mureboot =0.05 mureboot =0.1 mureboot =0.5 mureboot =1 mureboot =2

2.5 t, hours 3.5 4.5

5 x 104 Fig. 5. Diagram of dependency of availability function for the model МА-1 on different recovery rate after attack on vulnerabilities, mureboot

The research results of availability function depending on parameters р=α1 and mureboot are shown on Fig. 4 and Fig. 5.

The greater value α1 causes more fast transition of the function A(t) to stationary state (Fig. 4). A value of mureboot influences on a value of availability function minimum, location of minimum on the time axis and time of transition to stationary state (Fig. 5). If mureboot=2 (1/hour) availability function minimum equals 0,9953 for t=17 hours; if mureboot=0.05 (1/hour) availability function minimum equals 0,9103 for t=119 hours.

The model МА-2

This model describes scenarios whish in addition to MA-1 assumes detection and elimination of vulnerabilities both during security audit and right after attack (without complication of code (ladns =const). Marked Markov’s graph is shown on Fig. 6. S0 S1 S2

S3 murecovery* *(1-d2p) murecovery* *d2p q*muprof

S10

an-1*muprof murecovery* *(1-d2p)

murecovery*

S11 *d2p d1dns*laatdns S6 S7 S8

S9

After attack on DNS and transition to state S5 with rate d1dns*laatdns system fails and can be recovered by restart without eliminating vulnerability with the rate (1– d2p)*murecovery or with elimination with the rate d2p*murecovery.

The results of availability function analysis depending on parameters d2p and laprof are shown on Fig. 7 and Fig. 8. The increasing of probability of vulnerability elimination d2 during maintenance activities causes more fast transition of the function A(t) to stationary state (Fig. 8). Changing the availability function depending on the rate of maintenance laprof is dual. On the one hand the rare maintenance activities are carried on the more minimum of availability function on non-stationary phase. On the other side the more often maintenance activities are carried on the faster the function transits to stationary state (Fig. 8). d2p =0 d2p =0.1 d2p =0.2 d2p =0.5 d2p =0.7 d2p =1 laprof =4.57e-2 laprof =4.57e-3 laprof =4.57e-4 laprof =4.57e-5 laprof =4.57e-6 1 0.998 0.996 0.994 )0.992 (t A 0.99 0.988 0.986 0.984

0 1 0.99 0.98 0.97 ) (tA0.96 0.95 0.94 0.93 t, hours

2.5 x 104 Fig. 7. Diagram of dependency of availability function for the model МА-2 on different probabilities of vulnerability elimination after attack d2p Fig. 8. Diagram of dependency of availability function for the model МА-2 on rate of maintenance laprof 4.4

Combining of the Models МА-1 and МА-2

The scenarios corresponding to the models MA-1 and MA-2 can be superposed to increase availability due to increasing of minimum and duration of system transition to the stationary state of availability function. To combine these two scenarios we have developed a set of Matlab programs. Filing of coefficient matrixes was done according with the same initial data (Table3). To solve systems of KolmogorovChapman’s differential equations the method ode15s for time span [0…20000] hours. The results of solving are shown on the Fig. 9. МA-2 model without attacks МA-1 combination of scenarios 1 0.998 0.996 0.994 0.992 ) t (A0.99 0.988 0.986 0.984

2 x 104

Fig. 9. Combining of the models MA-1 and MA-2 (solid line)

According to Fig. 9, the vulnerability elimination scenario MA-1 is better to use till tswitch =750 hours, after this time the scenario MA-2 ensures better availability. Hence at the beginning recovering a system after attack (without vulnerability elimination) is preferable. Then, taking into account increase of the number of failures caused by attacks other scenario (when vulnerabilities are detected and eliminated both after attacks and during maintenance) becomes preferable. It allows increasing the value of availability from 0.984 (MA-2) to 0.988 (MA-1) and decreasing time transition to stationary state from 20000 (MA-1) to 3000 (MA-2) hours. 5 Conclusions

We analyzed a set of web-system behavior scenarios in conditions of attacks on component vulnerabilities. Quantitative assessment and research of availability for such systems can be based on Markov’s models using statistic data about vulnerabilities contained in open databases and described sequence of evaluating of attacks rates and criticality.

We proposed and discussed two models of web-system availability considering attacks on DNS vulnerabilities and different scenarios of vulnerability elimination. There is possibility and reasonability of scenario changing taking into account values of availability function allowing increase minimum one at the non-stationary stage and decrease time of transition to stationary state. This approach allows selecting VE scenario to improve resilience of web-system.

The future research efforts may be concentrated on development of integrated strategies for maintenance and security policies selection taking into account physical, design and interaction faults, and implementation of dynamically reconfigurable weband cloud-systems with embedded monitor and solver to select the optimal strategy of maintenance.

Besides, other types of the vulnerabilities for confidentiality and integrity issues and more detailed model taking into account routing processes can be researched. References

A Alekseev, Aleksandr Aleksieieva, Marika Alexandru, Andrei Aman, Bogdan Antonyuk, Viktor Atamanyuk, Igor P.

B Baklanova, Nadezhda Basarab, Ruslan Batyuk, Anatoliy Boyarchuk, Artem Brenas, Jon Hael C Chauhan, Jyoti Ciobanu, Gabriel D Devetzoglou, Maria Anna Drozd, Alex Drozd, Miroslav Drushlyak, Marina E Echahed, Rachid Esteban, David F Fusani, Mario G Gamzayev, Rustam Geche, Fedir Geche, Sandra Goel, Anita Gorbenko, Anatoliy Gordieiev, Oleksandr H Holiachuk, Olha Hovorushchenko, Tetiana I Ilchenko, Kseniia Ivanov, Ievgen Ivanova, Olena K Kharchenko, Vyacheslav 51 51 382 408 476 108, 507 78, 354 196 121 566 78 35 382, 408 446 476 476 21 78 3 204 100 161 396 486 Kobets, Vitaliy Kolesnyk, Anastasiia Kondratenko, Yuriy P.

Kostolny, Jozef Kotsovsky, Vladyslav Krasiy, Andriy Kravtsov, Hennadiy Kupin, Andrey Kussul, Nataliia Kussul, Olga Kvassay, Miroslav L Lavreniuk, Mykola Letichevsky, Alexander Letychevskyi, Oleksandr Levashenko, Vitaly Liubchenko, Vira Lozova, Kateryna Lukianov, Ihor Lvov, Michael Lyaletski, Alexander M Malynyak, Ivan Mandziy, Bohdan Mayr, Heinrich C.

Medzhybovska, Nataliia Mesropyan, Karine Meyer, John-Jules Mulyak, Oleksandr N Nagornyi, Kostiantyn Nahorna, Tetiana Nehrey, Maryna Nytrebych, Oksana O Ozirkovskyy, Leonid P Paientko, Tetiana Percebois, Christian Peschanenko, Vladimir Poltoratskiy, Maksim Ponochovny, Yurij Puik, Erik Pyshnograiev, Ivan 196 338 338 535 94 51 284 366 137 498 550

4 188 252 172 462 62 51 225 419 214 78 338 236 566 172 161