The Method of Allocation of the Security Functions in Neutralized Threats to Critical Information Systems

Igor V. Butusov, Research Department, Concern SYSTEMPROM, JSC, Moscow, Russia, butusigor@yandex.ru
Alexander A. Romanov, Research Department, Concern SYSTEMPROM, JSC, Moscow, Russia, ralexhome@yandex.ru

Abstract – It is shown that the optimality of the sets of security functions at the protection levels of an information security system for automated systems does not yet prove the optimality of these sets for neutralizing threats to information security. A method is proposed for adapting the information security system to neutralized threats by distributing the security functions over the set of neutralized threats at the levels of protection. A hypothesis is justified about the identity of the system of evaluation criteria for security threats and for the security functions that neutralize them. Estimates of security functions and of threats to information security and the weighted cost of neutralizing the threats are given, and the correctness of the implementation of security functions is considered. The effectiveness of the security functions is evaluated on the basis of cost, the average number of neutralized threats, preventable risk, degree of trust and compatibility. Quantitative estimates of the values of the performance criteria are represented by continuous functions. The input parameters are fixed at the time of the assessment of the individual criteria of the efficiency of the security functions. A decision rule and a threshold of semantic preference are defined for the allocation of security functions to neutralized threats to information security. The semantic preference threshold is used to select the security functions that most effectively neutralize a threat at the levels of protection in the structure of the information security system as a whole. The methodology is used in the design, development and maintenance of security systems.

Keywords – information security, security functions, threats, performance criteria, performance evaluation, semantic threshold preferences, degree preference, evaluation level, protection level, decision rule

I. INTRODUCTION

Rational sets of security functions are formed using type-setting, structural and business process models of information security systems (e.g. [1-4]) and are appropriately documented [5].

The optimality of the sets of security functions at the protection levels (the underlying input-output system, hardware, operating system, network, database management system, application software) is still no evidence of the optimality of the sets of security functions of these levels that are involved in neutralizing specific threats.

Security functions that are distributed over the threats to information security need to ensure their effective neutralization in conditions of strong uncertainty, which, for all the undoubted advantages and recognition of the statistical (probabilistic) approach, makes it difficult to use.

The task of developing a methodology for the allocation of security functions to neutralized threats in conditions of strong uncertainty becomes urgent.

II. STATEMENT OF THE PROBLEM

A. Model of information security system

Let $MOD_{\text{СЗИ}} = \langle \{UR\}, \{UG\}, \{MZ\}, \{KR\}, \{TR\} \rangle$ be a model of the information security system (the subscript СЗИ abbreviates "information security system").

Here $ur_u \in UR$ are the levels of protection in the information security system, $u = 1, \dots, U$, where $U$ is the number of levels of protection;

$ug_n \in UG$ is the set of actual threats to information security for critical information systems, $n = 1, \dots, N$, where $N$ is the number of actual threats;

$MZ = \{mz_k\} = \bigcup_{u=1}^{U} MZ_u = \{mz_{k \in K_u,\,u}\}$, where $MZ_u$ is the subset of security functions of the protection level $ur_u \in UR$, and $k \in K_u$ is the subset of the indexes $k = 1, \dots, K$ of the security functions at this level, $\bigcup_u K_u = K$, $\bigcap_u K_u = \varnothing$;

$kr_j \in KR$, $j = 1, \dots, J$, is the set of criteria for evaluating the effectiveness of the security functions;

$tr_{mz_{ku}} \in TR$ is the set of security requirements: $tr_{mz_{ku}} = \{rsk^{\text{доп}}_{mz_{ku}}, st^{max}_{mz_{ku}}\}$, where $rsk^{\text{доп}}_{mz_{ku}}$ is the permissible (доп) level of risk from the realization of the threat and $st^{max}_{mz_{ku}}$ is the maximum allowable cost of the security function (for a class of functionally similar security functions).

B. The threat to information security

We describe a threat $ug_n$ by the vector $ug_n = \{p^{ug_n}, uch^{ug_n}, rsk^{ug_n}\}$ [6], where $p^{ug_n}$ is the evaluation of the possibility of the threat $ug_n$, $uch^{ug_n}$ is the damage from the realization of the threat $ug_n$, and $rsk^{ug_n}$ is the risk from the realization of the threat $ug_n$.

C. Formation of information security system

It is required to form the structure of the information security system by distributing $mz_{ku} \in MZ$ over the set of actual threats to information security $ug_n \in UG$:

$$M_{\text{СЗИ}} = \bigcup_n M_n = \{\, mz_{k1} \mid \max_{k \in K_1} poss(mz_{k1}, ug_n);\ \dots,\ mz_{ku} \mid \max_{k \in K_u} poss(mz_{ku}, ug_n);\ \dots,\ mz_{kU} \mid \max_{k \in K_U} poss(mz_{kU}, ug_n) \,\}.$$

Here $mz_{ku} \mid \max_{k \in K_u} poss(mz_{ku}, ug_n)$ are the security functions $mz_{ku}$ with index $k \in K_u$ of the selected protection level $ur_u \in UR$ that provide the maximum ability to neutralize the actual threats $ug_n \in UG$.

III. HYPOTHESIS

A. Identity criteria

We believe that actual threats to information security are characterized by the properties inherent in security functions and are evaluated on the same criteria, but with the worst score chosen among the security functions that neutralize them.

B. Justification

Potential attacks are evaluated as a whole according to the same scheme as the risk of the presence of vulnerabilities, but with some differences; for example, of several attack scenarios the worst one, with the most potential, is chosen [7]. The potential is believed to be a function of the level of motivation of the attacker, his skill and available resources. Motivation affects the time allocated to the attack and possibly the attraction of resources and the recruitment of attackers. Then the degree $\mu_{\tilde{A}_i}(mz_k)$ to which the security function $mz_k$ neutralizes the threat $ug_i$ can be defined as follows:

μ_Ãi(mz_k) = { 1, if r_с   r_н ;   r_с   r_н , if r_с   r_н }.

Here $r_{н}$ is the rating of the potential attack and $r_{с}$ is the rating of the durability of the security function. We assume that for any threat there exists a security function such that r_с   r_н: $\forall ug_i\ \exists mz_k$ | r_с   r_н, that is, any threat is neutralized by at least one security function.

IV. PERFORMANCE CRITERIA SECURITY FUNCTIONS

On the sets of actual threats $ug_n \in UG$ and security functions $mz_k \in MZ$ a relation $MU$ is defined. In the general case $\mu_{MU}(ug_n, mz_k) \in [0,1]$ is the evaluation of the possibility of neutralizing the current threat $ug_n$ by the security function $mz_k$.

The effectiveness of the security functions is calculated according to the criteria presented below [4, 6, 8]. We assume that the quantitative estimates of the criteria values are representable by continuous functions and vary monotonically with the input parameters. The input parameters are fixed at the time of the assessment of the individual criteria of the efficiency of the security functions.

A. Cost (criterion $kr_1$)

1) The cost of security functions. The quantitative assessment of the criterion can be calculated according to the formula

$$kr_1 = \frac{1}{1 + \left(\dfrac{st_{mz_k}}{a_1}\right)^{b_1}},$$

where $st_{mz_k}$ ranges from 0 to $st^{max}_{mz_k}$, and $a_1$, $b_1$ are configurable settings. As the parameter $a_1$ it is recommended to select the value $st^{max}_{mz_{ku}}$, the maximum allowable cost of the security function.

2) The cost of neutralizing actual threats. Denote by $mz_{ku}(kr_1)$ the value of the criterion $kr_1$ for the security function $mz_{ku}$. Then the value $ug_n(kr_1)$ of the criterion $kr_1$ for the threat $ug_n$ is defined as follows:

$$ug_n(kr_1) = \max_u \{ \min_{k \in K_u} \{ mz_{ku}(kr_1) \mid \mu_{MU}(ug_n, mz_{ku}) > 0 \} \}.$$

Here $\min_{k \in K_u} \{ mz_{ku}(kr_1) \mid \mu_{MU}(ug_n, mz_{ku}) > 0 \}$ is the minimum value of the criterion $kr_1$ among the functions $mz_{ku}$ that neutralize the threat $ug_n$ at the level $ur_u \in UR$, and $ug_n(kr_1)$ is the maximum value for neutralizing current threats with the available security functions. At each level of protection the security functions with minimum cost are selected, and for neutralizing threats at all levels of system protection the worst option is taken: the security function with the maximum value.

B. Average rating (criterion $kr_2$)

1) Weighted average number of threats neutralized. The quantitative evaluation of the criterion for security functions is calculated by the formula

$$kr_2 = \frac{1}{1 + \left(\dfrac{|UG_k| - sm_{mz_{ku}}}{a_2}\right)^{b_2}},$$

where $UG_k = \{ug_n \mid \mu_{MU}(ug_n, mz_{ku}) > 0\}$ is the set of threats neutralized by the security function $mz_{ku}$, $sm_{mz_{ku}} = \sum_{n=1}^{N} \mu_{MU}(ug_n, mz_{ku})$ is the sum of the scores of the possibilities of neutralizing the threats by the security function, and $a_2$, $b_2$ are custom settings. As the parameter $a_2$ you must select $\max_{ku}(|UG_k| - sm_{mz_{ku}})$, the maximum difference between the number of threats and the sum of the estimated capabilities of the security function $mz_{ku}$ of level $u$ to neutralize threats.

2) Weighted average number of security functions neutralizing the current threat. The quantitative evaluation of the criterion for threats is calculated by the formula

$$ug_n(kr_2) = \min_u \{ \max_{k \in K_u} \{ mz_{ku}(kr_2) \mid \mu_{MU}(ug_n, mz_{ku}) > 0 \} \}.$$

At the levels of protection the security functions with the maximum weighted average number of neutralized threats are selected. To assess the neutralization of threats at all levels of protection, the option of applying the security functions with the minimum weighted average number of neutralized threats is considered.

C. Preventable risk (criterion $kr_3$)

1) The risk preventable by a security function. The risk from the realization of threats was previously identified as $rsk^{ug_n} = p^{ug_n} \times uch^{ug_n}$. Then $rsk^{max}_{mz_{ku}} = \max_{n=1}^{N} rsk^{ug_n} \times (1 - \mu_{MU}(ug_n, mz_{ku}))$ is the maximum risk from the realization of threats that were not neutralized by the security function $mz_{ku}$ at the level of protection $u$, and the value of the criterion $kr_3$ for $mz_{ku}$ can be defined as follows:

$$kr_3 = \frac{1}{1 + \left(\dfrac{rsk^{max}_{mz_{ku}}}{a_3}\right)^{b_3}},$$

where $a_3$, $b_3$ are custom settings. The parameter $a_3 = rsk^{\text{доп}}_{mz_{ku}}$ takes the value of the permissible level of risk from the realization of the threat.

We assume that an actual threat is neutralized by at least one security function.

2) The risk from the realization of the threat. The amount of risk from the realization of the threats is rated as follows:

$$ug_n(kr_3) = \min_u \{ \max_{k \in K_u} \{ mz_{ku}(kr_3) \mid \mu_{MU}(ug_n, mz_{ku}) > 0 \} \}.$$

At the levels of protection the security function is selected that can prevent the maximum damage from the realization of the threat. Across the levels of protection in general, the option causing the minimum damage from the realization of the threat is accepted.

D. Trust (criterion $kr_4$)

1) The level of trust in security functions. The level of trust $kr_4 = sd_{mz_k}$ in a security function can be determined using the results of [6].

2) The level of trust in the security functions against the neutralized threats is calculated as

$$ug_n(kr_4) = \min_u \{ \max_{k \in K_u} \{ mz_{ku}(kr_4) \mid \mu_{MU}(ug_n, mz_{ku}) > 0 \} \}.$$

At the protection levels, preference is given to the security function with the maximum rating of the degree of trust. In general, the levels of protection in the neutralization of threats are characterized by the use of the least-trusted security functions.

E. Compatibility (criterion $kr_5$)

1) Compatibility of security functions. On the set $mz_{ku} \in MZ$ we define the relation $SV$ as follows: $\mu_{SV}(mz_k, mz_j) \in [0,1]$ is the degree of compatibility of $mz_k$ with $mz_j$. The opposite may be true: $mz_j$ may not be compatible with $mz_{iu}$. The compatibility of $mz_k$ with other security functions on the criterion $kr_5$ is defined as follows:

$$kr_5 = \frac{1}{1 + \left(\dfrac{|SV_k| - sm^{SV}_{mz_k}}{a_5}\right)^{b_5}},$$

where $SV_k = \{mz_j \mid \mu_{SV}(mz_k, mz_j) > 0\}$ is the set of security functions compatible with $mz_k$, $sm^{SV}_{mz_k} = \sum_{i=1}^{K} \mu_{SV}(mz_k, mz_i)$ is the sum of the degrees of compatibility of $mz_i$ with $mz_k$, and $a_5$, $b_5$ are configurable.

2) Assessment of the degree of compatibility of security functions in relation to neutralized threats:

$$ug_n(kr_5) = \min_u \{ \max_{k \in K_u} \{ mz_{ku}(kr_5) \mid \mu_{MU}(ug_n, mz_{ku}) > 0 \} \}.$$

The levels of protection apply the security function with the maximum degree of compatibility. The structure of the information security system in the neutralization of threats is characterized by the least compatible of the levels of protection.

V. THE ALLOCATION OF SECURITY FUNCTIONS FOR NUMEROUS NEUTRALIZED THREATS

The allocation of security functions $mz_{ku} \in MZ$ over the set of neutralized threats to information security $ug_n \in UG$ is associated with the choice of a decision rule for such distributions.

A. The decision rule for the distribution

According to the approach of [6], it is required to determine the threshold of semantic preference in the allocation of security functions to neutralized threats to information security.

The general rule is to choose the highest value $pr$ that is still less than

$$\min_{i,j} \max_{mz} \left[ 1 - \min \left\{ 1, \left[ (1 - \mu_{\tilde{A}_i}(mz))^p + (1 - \mu_{\tilde{A}_j}(mz))^p \right]^{\frac{1}{p}} \right\} \right].$$

Here $\tilde{A}_1, \tilde{A}_2, \dots, \tilde{A}_N$ are the fuzzy sets representing the degree to which the threats $ug_n \in UG$, $n = 1, \dots, N$, are neutralized by the security function $mz_k$.

Unlike [9-12], this article applies an alternative intersection operation known from the scientific literature:

$$\mu_{\tilde{A} \cap \tilde{B}}(x) = 1 - \min \left\{ 1, \left[ (1 - \mu_{\tilde{A}}(x))^p + (1 - \mu_{\tilde{B}}(x))^p \right]^{\frac{1}{p}} \right\}, \quad p \ge 1.$$

B. The source data

A set of security functions $mz_k \in MZ$, $k = 1, \dots, K$, current threats $ug_n \in UG$, $n = 1, \dots, N$, and criteria of efficiency of the security functions $kr_j \in KR$, $j = 1, \dots, J$, is identified.

1) Evaluation of security functions. On the sets $MZ$ and criteria $KR$ we define the relation $\widetilde{MR}$: $\mu_{\widetilde{MR}}: MZ \times KR \to [0,1]$. For all $mz_k \in MZ$ and all $kr_j \in KR$, $\mu_{\widetilde{MR}}(mz_k, kr_j)$ is the evaluation of the security function $mz_k$ by the individual performance criterion $kr_j$.

The relation is presented in matrix form: $\widetilde{MR} = \| \mu_{\widetilde{MR}}(mz_k, kr_j) \|$, $k = 1, \dots, K$, $j = 1, \dots, J$.

2) Assessment of security threats. Next, on the set of criteria $KR$ and current threats $UG$ we form a relation $\widetilde{KG}$: $\mu_{\widetilde{KG}}: KR \times UG \to [0,1]$. For all $kr_j \in KR$ and all $ug_n \in UG$, $\mu_{\widetilde{KG}}(kr_j, ug_n)$ is the assessment of the threat $ug_n$ by the criterion $kr_j$, determined by the need to neutralize the threat $ug_n$ with the security function $mz_k$.

In matrix form the relation takes the form $\widetilde{KG} = \| \mu_{\widetilde{KG}}(kr_j, ug_n) \|$, $j = 1, \dots, J$, $n = 1, \dots, N$.

3) Weighted cost of neutralizing the threat. On the basis of the relations $\widetilde{MR}$ and $\widetilde{KG}$ you can form the relation $\widetilde{MG}$ presented below:

$$\widetilde{MG} = \begin{array}{c|cccc} & ug_1 & ug_2 & \dots & ug_N \\ \hline mz_1 & \mu_{\tilde{A}_1}(mz_1, ug_1) & \mu_{\tilde{A}_2}(mz_1, ug_2) & \dots & \mu_{\tilde{A}_N}(mz_1, ug_N) \\ mz_2 & \mu_{\tilde{A}_1}(mz_2, ug_1) & \mu_{\tilde{A}_2}(mz_2, ug_2) & \dots & \mu_{\tilde{A}_N}(mz_2, ug_N) \\ \vdots & \vdots & \vdots & & \vdots \\ mz_K & \mu_{\tilde{A}_1}(mz_K, ug_1) & \mu_{\tilde{A}_2}(mz_K, ug_2) & \dots & \mu_{\tilde{A}_N}(mz_K, ug_N) \end{array}$$

The elements of the matrix are defined as follows:

$$\mu_{\tilde{A}_n}(mz, ug_n) = \frac{\sum_{kr} \mu_{\widetilde{MR}}(mz, kr) \times \mu_{\widetilde{KG}}(kr, ug_n)}{\sum_{kr} \mu_{\widetilde{MR}}(mz, kr)},$$

for all $mz_k \in MZ$, $kr_j \in KR$, $ug_n \in UG$.

The sum $\sum_{kr} \mu_{\widetilde{MR}}(mz, kr)$ is interpreted as the number of important criteria $kr$ characterizing the properties of $mz_k$, and $\mu_{\tilde{A}_n}(mz_k, ug_n)$ represents the weighted degree of neutralization of the actual threat $ug_n$ by the security function $mz_k$.

4) The correctness of the implementation of security functions. Previously, when determining the value $\mu_{\tilde{A}_i}(mz_k)$, no assumptions were made regarding the correctness of the implementation of the security functions. Now the values of the criteria of efficiency of the security functions are included in the computed values $\mu_{\tilde{A}_i}(mz_k, ug_i)$.

According to the adopted approach, the matrix $\widetilde{W}$ is formed:

$$\widetilde{W} = \begin{pmatrix} \mu_{\tilde{A}_1}(mz_1, ug_1) \cap \mu_{\tilde{A}_2}(mz_1, ug_2), & \dots, & \mu_{\tilde{A}_{N-1}}(mz_1, ug_{N-1}) \cap \mu_{\tilde{A}_N}(mz_1, ug_N) \\ \mu_{\tilde{A}_1}(mz_2, ug_1) \cap \mu_{\tilde{A}_2}(mz_2, ug_2), & \dots, & \mu_{\tilde{A}_{N-1}}(mz_2, ug_{N-1}) \cap \mu_{\tilde{A}_N}(mz_2, ug_N) \\ \dots & & \dots \\ \mu_{\tilde{A}_1}(mz_K, ug_1) \cap \mu_{\tilde{A}_2}(mz_K, ug_2), & \dots, & \mu_{\tilde{A}_{N-1}}(mz_K, ug_{N-1}) \cap \mu_{\tilde{A}_N}(mz_K, ug_N) \end{pmatrix}$$

C. Semantic threshold preferences

The semantic preference threshold for the security functions over the neutralized threats is determined from the condition

$$pr < \min_{i,j} \max_{mz} \left[ 1 - \min \left\{ 1, \left[ (1 - \mu_{\tilde{A}_i}(mz))^p + (1 - \mu_{\tilde{A}_j}(mz))^p \right]^{\frac{1}{p}} \right\} \right], \quad p \ge 1.$$

The semantic preference threshold is used to select the security functions that most effectively neutralize the threat $ug_n \in UG$ at the levels of protection in the structure of the information security system as a whole.

M_nu = { mz_ku | μ_Ãn(mz_ku, ug_n)   min_ij max_mz_ku min[ μ_Ãi(mz_ku, ug_i), μ_Ãj(mz_ku, ug_j) ] } is the set of security functions $mz_{ku}$ that can neutralize the threat $ug_n$ at the level of protection $ur_u \in UR$;

$M_n = \{ mz_{ku} \mid \max_k \mu_{\tilde{A}_n}(mz_{ku}, ug_n) \}$, $u = 1, \dots, U$, $n = 1, \dots, N$. Here $M_n$ is the set of security functions that most effectively neutralize the threat $ug_n$ at the protection levels $ur_u \in UR$.

The proposed method of adapting the information security system of automated systems to neutralized threats is used in the design, development and maintenance of security systems.

VI. CONCLUSIONS

The optimality of the sets of security functions at the protection levels of the information security system for automated systems does not yet prove the optimality of these sets for neutralizing threats to information security.

A method is proposed for distributing the security functions over the neutralized threats to information security of automated systems, which allows the information security system to be structured by distributing the security functions over the set of neutralized threats at the protection levels.

A hypothesis is justified about the identity of the system of evaluation criteria for security threats and for the security functions that neutralize them.

A semantic threshold of preference is defined for the allocation of security functions to neutralized threats to information security, which allows you to select the security function that most effectively neutralizes the threat at the levels of protection in the structure of the information security system as a whole.

The proposed method of distributing the security functions over the neutralized threats is used in the design, development and maintenance of systems for the protection of automated systems.

REFERENCES

[1] Aslan M., Matrawy A. Could network view inconsistency affect virtualized network security functions? In Proc. of the 2017 IEEE Conference on Communications and Network Security (CNS), IEEE, 2017, pp. 510-512. DOI: 10.1109/CNS.2017.8228698
[2] Hyun S., Kim J., Kim H., Jeong J., Hares S., Dunbar L., Farrel A. Interface to Network Security Functions for Cloud-Based Security Services. IEEE Communications Magazine, 2018, vol. 56, N 1, pp. 171-178. DOI: 10.1109/MCOM.2018.1700662
[3] Kim S.-H., Eom J.-H., Chung T.-M. A study on optimization of security function for reducing vulnerabilities in SCADA. In Proceedings of the 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec). 2012, pp. 65-69. DOI: 10.1109/CyberSec.2012.6246099
[4] Zakharenkov A. I., Butusov I. V., Romanov A. A. The degree of confidence of software and hardware as a measure of quality import substitution. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2017. N 4(22), pp. 2-9. DOI: 10.21681/2311-3456-2017-4-2-9
[5] Barabanov A., Markov A. Modern Trends in The Regulatory Framework of the Information Security Compliance Assessment in Russia Based on Common Criteria. In Proceedings of the 8th International Conference on Security of Information and Networks (Sochi, Russian Federation, September 08-10, 2015). SIN '15. ACM, New York, NY, USA, 2015, pp. 30-33. DOI: 10.1145/2799979.2799980
[6] Butusov I.V., Nasekin P.A., Romanov A.A. Theoretical and semantic aspects of the organization of a comprehensive system of protection of information systems. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2016. N 1(14), pp. 9-16. DOI: 10.21681/2311-3456-2016-1-9-16
[7] Barabanov A., Markov A., Fadin A., Tsirlov V., Shakhalov I. Synthesis of Secure Software Development Controls. In Proceedings of the 8th International Conference on Security of Information and Networks (Sochi, Russian Federation, September 08-10, 2015). SIN '15. ACM, New York, NY, USA, 2015, pp. 93-97. DOI: 10.1145/2799979.2799998
[8] Fuzzy sets and theory of possibilities. The latest advances. Ed. by Yager R.R. Pergamon, 1982, 633 p.
[9] Vorobiev E.G., Petrenko S.A., Kovaleva I.V., Abrosimov I.K. Analysis of computer security incidents using fuzzy logic. In Proceedings of the 20th IEEE International Conference on Soft Computing and Measurements (24-26 May 2017, St. Petersburg, Russia). SCM 2017, 2017, pp. 369-371. DOI: 10.1109/SCM.2017.7970587
[10] Bykov A. Yu., Gurov A. V. Problem of choice of means of protection of information from attacks in automated systems with fuzzy parameters the objective function. Engineering journal: science and innovations. Electronic scientific and technical periodical. 2012. N 1(1). DOI: 10.18698/2308-6033-2012-1-86
[11] Andreev A. G., Kazakov G. V., Kuranov V. V. Method of assessing the strength of security functions protection of automated control system of the spacecraft mission. Engineering journal: science and innovation. Electronic scientific and technical edition. 2017. N 7(67). DOI: 10.18698/2308-6033-2017-7-1634
[12] Tamjidyamcholo A., Yamchello H.T., Bin M.S., Gholipour R. Application of fuzzy set theory to evaluate the rate of aggregative risk in information security. In Proc. of the 2013 International Conference on Research and Innovation in Information Systems (ICRIIS), IEEE, pp. 410-415. DOI: 10.1109/ICRIIS.2013.6716745
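The allocation procedure of Section V (weighted relation MG, the alternative intersection operation, the bound on the semantic preference threshold, and the per-level selection), carried through in Python as an added example; it is not the authors' code. Assumptions: a security function is kept when its degree is at least the bound (the comparison operator in the selection rule is not legible on the page), and the level assignment, costs, trust scores and KG values are constructed sample data.

```python
from itertools import combinations

def criterion(x, a, b):
    """Criterion form used on the page: kr = 1 / (1 + (x / a) ** b)."""
    return 1.0 / (1.0 + (x / a) ** b)

def weighted_mg(mr, kg):
    """MG[k][n] = sum_j MR[k][j] * KG[j][n] / sum_j MR[k][j]."""
    mg = []
    for k, row in enumerate(mr):
        total = sum(row)
        if total <= 0:
            raise ValueError(f"function {k} has no non-zero criterion score")
        mg.append([sum(w * kg[j][n] for j, w in enumerate(row)) / total
                   for n in range(len(kg[0]))])
    return mg

def yager_and(a, b, p=2.0):
    """Alternative intersection: 1 - min(1, ((1-a)^p + (1-b)^p)^(1/p)), p >= 1."""
    if p < 1:
        raise ValueError("p must be >= 1")
    return 1.0 - min(1.0, ((1 - a) ** p + (1 - b) ** p) ** (1.0 / p))

def preference_bound(mg, p=2.0):
    """min over threat pairs (i, j) of max over functions of the intersection."""
    pairs = combinations(range(len(mg[0])), 2)
    return min(max(yager_and(row[i], row[j], p) for row in mg) for i, j in pairs)

def allocate(mg, levels, bound):
    """Per threat and protection level: index of the best function whose degree
    is at least `bound` (assumed comparison), or None if the level has none."""
    plan = {}
    for n in range(len(mg[0])):
        plan[n] = {}
        for u in sorted(set(levels)):
            ok = [(mg[k][n], k) for k, lv in enumerate(levels)
                  if lv == u and mg[k][n] >= bound]
            plan[n][u] = max(ok)[1] if ok else None
    return plan

# Constructed sample: 4 security functions on 2 levels, 2 criteria, 3 threats.
LEVELS = [1, 1, 2, 2]
COSTS = [50, 100, 0, 100]          # st_mz, with a1 = st_max = 100, b1 = 2
TRUST = [0.2, 0.5, 0.0, 1.0]       # kr4 scores, constructed
KG = [[0.9, 0.4, 0.6],             # kr1 against ug_1..ug_3
      [0.5, 0.9, 0.2]]             # kr4 against ug_1..ug_3

def demo(p=2.0):
    """Build MR from the criteria, derive MG, the bound and the allocation."""
    mr = [[criterion(c, 100, 2), t] for c, t in zip(COSTS, TRUST)]
    mg = weighted_mg(mr, KG)
    bound = preference_bound(mg, p)
    return mg, bound, allocate(mg, LEVELS, bound)

if __name__ == "__main__":
    mg, bound, plan = demo()
    print(f"bound = {bound:.4f}")
    for n, per_level in plan.items():
        print(f"ug_{n + 1}:", per_level)
```

A `None` entry in the plan marks a protection level with no security function above the bound for that threat, which is the coverage gap the allocation is meant to expose.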