<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Methods of Profiling the Behavior of Dynamic Objects of a Critically Important Information Infrastructure*</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <email>s.petrenko@rambler.ru</email>
          <aff>Innopolis University, Kazan, Russia</aff>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>V.I. Vernadsky Crimean Federal University</institution>, <addr-line>Yalta</addr-line>, <country country="RU">Russia</country>
        </aff>
      </contrib-group>
      <fpage>0000</fpage>
      <lpage>0003</lpage>
      <abstract>
        <p>According to ISO/IEC TR 18044:2004, an incident is an undesirable or unexpected event (or a combination of such events) that could compromise the information interaction processes in a critically important infrastructure or threaten its information security and/or cyber resilience. Accordingly, incident prediction is the process of identifying vulnerable states of object interaction in the critically important information inf

rastructure under disturbances. Based on the incident prediction results, it becomes possible to develop a profile of an observed object, containing information about the exploited vulnerability, the actions of the intruder and possible scenarios of proactive counteraction against these attacking influences.</p>
      </abstract>
      <kwd-group>
        <kwd>inverse similarity theorem</kwd>
        <kwd>dynamic control of correctness of calculation programs</kwd>
        <kwd>correctness of computing processes</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>We propose a possible way of profiling the behavior of the key IT services and IT
systems of a critically important information infrastructure under perturbation
conditions. Here the dynamic profiles allow identifying the classes of vulnerable states
of that infrastructure. The recognition of the informative signs of possible
vulnerabilities is carried out on extremely large volumes of monitoring data. When
selecting information, the dynamic weights of the recognition signs and the corresponding
profiling values of the observed objects are determined; this can significantly reduce the
response time to potential incidents and purposefully select adequate measures to ensure
the required cyber resilience [1, 4].</p>
    </sec>
    <sec id="sec-2">
      <p>* Copyright 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).</p>
    </sec>
    <sec id="sec-3">
      <p>Thus, a new method is proposed for profiling the complex dynamic subsystems of
critically important infrastructure under incomplete and competing information
on the state of the observed objects. This profiling method is based on the mathematical
apparatus for iteratively diagnosing the potentially dangerous states of the complex
dynamic systems using communication (Pr1), behavioral (Pr2) profiles, as well as profiles,
providing the required cyber resilience (Pr3) of observed objects [2, 5]. It is significant
that the profiling method, mentioned above, makes it possible to model the potential
behavior of an intruder, during the implementation of threats to resilience (security) and
make decisions about the organization of the special scenarios to ensure the required
cyber resilience and prevent serious incidents with the transfer of the critical
information infrastructure to an irreversible catastrophic state.
</p>
    </sec>
    <sec id="sec-3-2">
      <title>The problem of profiling the objects’ behavior of critical information infrastructure</title>
      <p>Unlike the well-known cyber resilience approaches, the proposed profiling method is
implemented both at the stages of the primary processing of the monitoring results of
critical information infrastructure objects and at the stages of the analyzing and
summarizing a heterogeneous information concerning the functioning processes of the
observed infrastructure and its individual elements (devices and resources). At the first
stage (analytical description of the processes Pr1, …, Prn of interaction of objects of the
critical information infrastructure G1) (Figure 1) it is necessary to take into account the
structural and functional characteristics of the observed objects, the composition and
specifics of the system and application software, and the characteristics of the operating
system [3, 8]. This is necessary to form the sets of quantitative (B1) and qualitative (B2)
signs, reflecting the options for the development of information technology impact
situations on the objects of the protected critically important information infrastructure.
Based on the specifics and characteristics of disturbances in the functioning and on the
composition of the feature set, at the third stage a set of methods (active M_Act(G1) and/or
passive M_Pass(G1)) and means (Sr(G1)) of monitoring the protected infrastructure G1 is
formed. These methods and means should take into account the type of intruder impact
and its interconnection with the threat model of the protected infrastructure. At this
stage the degree of interconnection between alternative groups of negative sign
impacts and the consequences (damage) of their manifestation are also determined, and a
list of possible measures to ensure the required cyber resilience is developed. After the
corresponding procedures of iterative diagnostics and primary processing of the
obtained data are carried out, the intruder actions and the corresponding cyber resilience
violation events are verified, and the profiles of the corresponding objects of the
protected infrastructure are developed.</p>
      <p>Thus, the effectiveness of ensuring the required cyber resilience of the protected
infrastructure is achieved by diagnosing the potentially vulnerable states of the observed
infrastructure, determining the type and criticality of the vulnerability, and developing a
plan of possible measures to ensure the required cyber resilience. The proposed
approach to profiling the behavior of dynamic objects of the protected infrastructure
requires solving the problem of diagnosing complex dynamic cyber systems under the
temporary absence of observability of the corresponding interaction processes [6, 7].</p>
    </sec>
    <sec id="sec-4">
      <p>Usually, a typical object of the protected infrastructure is a complex dynamic cyber
system (both in structure and behavior), operating in the absence of temporal or partial
observability of interaction with other infrastructure objects.</p>
      <p>Here, the diagnosis task of the mentioned cyber systems is to determine the state of
the object and the aggregate of monitored parameters, which can be used to judge the
functional cyber resilience of the infrastructure object, i.e. to determine whether its
current system configuration and application software is currently vulnerable, or whether
the object has no distinguishable vulnerabilities. The desired solution involves the
development of such diagnosis procedures, the content of which depends on the properties
of the protected infrastructure, the priorities and diagnosis direction, as well as the
conditions for its implementation.</p>
      <p>Let some protected critically important information infrastructure S = P〈B, L〉
(Figure 1 and Figure 2) consist of a set of objects B = 〈B1, B2, B3〉, where
B1 = 〈…〉 is the set of devices (routers) and web resources (servers),
B2 = 〈…〉 is the set of users (data sources) of the mentioned infrastructure, and
B3 = 〈…〉 is the set of information gathering and processing means (node and network
sensors of the cyber-attack detection system), connected with each other by communication
channels [12], represented by a connection matrix in the given units of measurement
between the points Bi and Bj (i, j = 1, …, n); L = ‖lij‖ is the connection matrix between
the objects (lij ≥ 0 for i ≠ j, lii = 0, i, j = 1, …, n).</p>
      <p>Let the monitoring data collection time (Tcol), the recording time (T0) and the
processing time of the monitoring data be known. The cyber-attack detection systems
receive as a source the packet streams of the i-th node of the protected infrastructure
(b1N) with intensities {…} and generate the set of packets of the i-th infrastructure
node with {…}. Both active (… the object according to the “request-response”
principle with subsequent response processing) and passive (based on the analysis of
network traffic parameters in the listening mode of the selected interface) data
collection are implemented.</p>
      <p>In general, the data processing system using active monitoring methods (i = 1, …, m)
can be represented by seven arrays</p>
      <p>…, F(c), Φ(c), …, (1)</p>
      <p>where the first array is the set of t time values of the observation of the protected
infrastructure object; the second is the set of parameter values (input signals) of the scan
sessions conducted on the infrastructure object; the third is the set of values of passive
traffic scanning (output signals) identifying the state of some infrastructure object; the
fourth is the state space of the protected infrastructure object during monitoring;
F(c) is the transition operator, reflecting the mechanism of changing the state of the
protected infrastructure object under the action of internal and external cyber-attacks;
Φ(c) is the output operator, describing the mechanism for generating the output signal
as the response of the protected infrastructure object to internal and external
disturbances; and the seventh is the set of values formed by the results of monitoring
and establishing the truth values of passive scanning of the protected infrastructure
object.</p>
    </sec>
    <sec id="sec-5">
      <p>The structure of the process characterizing the dynamics of changes in the properties
of devices and users of the protected infrastructure, when conducting the passive
monitoring sessions t ∈ [ti, ti + Δi), i = 1, …, m, we will present in the form of a chain of
mappings</p>
      <p>R〈χB(1),B(2)(t), χB(3)(t)〉 → R〈Bt(1), Bt(2), Bt(3)〉, R〈Bt(1), Bt(2), Bt(3)〉 → Bt(3),
R〈Bt(1), Bt(2), Bt(3)〉 Bt(1), Bt(2), B(1), Bt(2), R〈χB(1),B(2)(t), χB(3)(t)〉 → χB(1),B(2)(t),
Bt(3) → χB(3)(t),</p>
      <p>where χ(.)(t) are the states of devices, users and cyber-attack detection systems;
R〈χ〈.〉, χ〈.〉〉 are connections between states; 〈B(1), B(2), B(3)〉 are connections between
devices, users and sensors of the cyber-attack detection system, which change over time
and characterize the above-mentioned process of monitoring the objects of the protected
infrastructure.</p>
      <p>The operators implement the mappings</p>
      <p>F(c): … × … × … → …, (2)</p>
      <p>Φ(c): … × … × … → …. (3)</p>
    </sec>
    <sec id="sec-6">
      <p>Every state of the protected infrastructure object Vi is characterized at each moment
of time t ∈ T by a set of variables …, changing under the influence of cyber intruder
attacks and the internal disturbances caused, for example, by component vulnerabilities
of the system and/or application software.</p>
      <p>Thus, with restrictions on the selected method of processing observations
(u(t) ∈ Uadm), on the intensity of the processed information flows (λ1 ≤ λ(t) ≤ λ2), on the
amount of stored information about users and devices of the protected infrastructure
(V1 ≤ V(t) ≤ V2) and on the total time of collecting information about infrastructure users
and devices (∑ i=1 ti(col) ≤ Tadm), it is necessary to find:</p>
      <p>─ the functional of state identification and control of the complex dynamic systems in the
absence of time observability or with partial observability of the objects of the protected
infrastructure: …: T Prs V Prd, φ: Prd T, …: Prd Tmon, k: T Prd set, …: T Tmon,
i: Tmon Prd set;</p>
      <p>─ the management law of the network (node) cyber-attack sensor, which would keep
the total time spent on collecting the monitoring data of the protected infrastructure
objects within the directive value under restrictions on the admissible region of
management programs and on the possible list of actions to ensure the required cyber
resilience:</p>
      <p>u*(t) = … u(t) ∈ {u(t)} (∑ i=1 ti(u(t), Tcol) ≤ T∑), {u(t)} = u(t) | (λ1 ≤ λ(t) ≤ λ2) ∩
(V1 ≤ V(t) ≤ V2) ∩ (… ≤ … ≤ …). (4)</p>
    </sec>
    <sec id="sec-7">
      <p>In the secondary processing of monitoring data, the system for developing scenarios
of proactively countering the cyber-attacks of the intruder and ensuring the required
cyber resilience should assess the situation at t = t0, determined by the dependencies
between the states of the information sources and the sensors of the cyber-attack
detection system. At the final time moment the dependencies between the states become
different, therefore the process of achieving the goal is described as a change in the
dependencies</p>
      <p>χB(1),B(2)(t0) 〈∙〉 χB(3)(t0) → χB(1),B(2)(tk) 〈∙〉 χB(3)(tk), (5)</p>
      <p>moreover, the logical entailment from the initial to the final state is associated with a
set of possible informational actions.</p>
    </sec>
    <sec id="sec-8">
      <p>The action list and sequence is determined by the logic of behavior B(3) and its
settings. In fact, B(3) performs the functions of a control unit that prepares some
decision to ensure the required cyber resilience.</p>
    </sec>
    <sec id="sec-9">
      <p>Working out a solution, it is necessary to consider all possible choices leading to the
achievement of the goal ( ̂req &lt; ̂ &lt; ̂enough) = PV, where ̂ = ̂ + ̂pass + ̂act + ̂RV,
… ≥ ̂req, and when deciding among the possible solutions the most preferred choice should
be made.</p>
    </sec>
    <sec id="sec-10">
      <p>Choosing the possible solutions and the actions behind them, it is necessary to
select such chains from them that satisfy the condition (5).</p>
    </sec>
    <sec id="sec-11">
      <p>The emerging information situation at the protected infrastructure is fixed by a set
of decision rules, reflecting the connections between the states B(1), B(2), B(3) at t = tk.
Thus, at the next stage of ensuring the required cyber resilience of the protected
infrastructure, it is necessary to determine the observation parameters, based on
determining the diagnostic value of the signs of a potentially vulnerable critically
important information infrastructure.</p>
    </sec>
    <sec id="sec-11-2">
      <title>Selection of observation parameters</title>
      <p>In the technical diagnostics of the critically important information infrastructure it is
very important to describe the object in a system of signs that has the greatest diagnostic
value. The use of non-informative features not only turns out to be useless, but also
reduces the efficiency of the diagnostic process itself, interfering with recognition. We
assume that the value of a diagnostic sign is determined by the information significance
that the sign adds to the system of observation object states [9, 13].</p>
      <p>Let there be a system Pr, which is in one of n possible states Pri (i = 1, 2, …, n).</p>
    </sec>
    <sec id="sec-12">
      <p>Let us call this system a system of profiles, and each of the states a profile. Different
states of the protected infrastructure at discrete instants of time are represented
by a set of standards (profiles), while the choice of the number of profiles is determined
by the study objectives. Recognition of the Pr system states is carried out by monitoring
the system associated with it - the system of signs. We will call the survey result,
expressed in one of two symbols or a binary number (0 and 1), a simple attribute.</p>
    </sec>
    <sec id="sec-13">
      <p>From the point of view of information theory, a simple feature can be considered as a
system having one of two possible states. If kj is a simple sign, then its two states will
be denoted by kj (the sign presence) and k̄j (the sign absence). A simple sign may indicate
the presence or absence of the measured PST in a certain interval; it may also have a
qualitative character (positive or negative test result, etc.) [11, 12].</p>
      <p>The two-digit sign (m = 2) has two possible states. The states of the two-digit sign kj
are denoted by kj1 and kj2. Let, for example, the sign kj be related to the measurement
of the PST x, for which two diagnostic intervals are established: x ≤ 10 and x &gt; 10. Then kj1
corresponds to x ≤ 10 and kj2 denotes x &gt; 10. These states are alternative because only
one of them is realized.</p>
    </sec>
    <sec id="sec-14">
      <p>It is obvious that the two-digit sign can be replaced by the simple sign kj, putting
kj1 = kj, kj2 = k̄j.</p>
      <p>If the survey detects that the sign kj has the value kjs for this object, then this value
will be called the implementation of the sign kj. Denoting it by kj*, we will have
kj* = kjs. For the diagnosis Pri we take</p>
      <p>ZPri(kj*) = ZPri(kjs) = log2 [P(Pri/kjs) / P(Pri)], (6)</p>
      <p>where P(Pri/kjs) is the probability of the profile Pri provided that the sign kj received
the value kjs; P(Pri) is the prior profile probability.</p>
      <p>The value ZPri(kjs) was met in works on information theory under the name
“information value”. From the point of view of information theory, the quantity ZPri(kjs) is
the information on the state Pri which the state kjs of the sign possesses. The diagnostic
weight of a particular implementation of a sign does not yet give an idea of the
diagnostic value of the examination for this sign. Thus, during a survey on a simple sign, it
may turn out that its presence does not have a diagnostic weight, whereas its absence is
extremely important for establishing the profile of the object of the protected
infrastructure.</p>
    </sec>
    <sec id="sec-15">
      <p>We will consider the diagnostic survey value on the m-bit sign kj for the profile Pri to be
the amount of information introduced by all implementations of the sign kj to the profile Pri:</p>
      <p>ZPri(kj) = ∑ s=1..m P(kjs/Pri) ZPri(kjs). (7)</p>
      <p>The diagnostic survey value takes into account all possible implementations of a sign
and represents the expectation of the amount of information contributed by the individual
implementations. Since the value ZPri(kj) refers to only one profile Pri, we will call it the
private diagnostic survey value based on the sign kj. ZPri(kj) determines the independent
diagnostic survey value. It characterizes the situation when the survey is conducted first
or when the results of other surveys are unknown. Let us write ZPri(kj) in a form convenient
for further calculations:</p>
      <p>ZPri(kj) = ∑ s=1..m P(kjs/Pri) log2 [P(kjs/Pri) / P(kjs)]. (8)</p>
      <p>The generated attribute space allowed identifying and classifying the symptoms of the
potentially vulnerable states of the protected infrastructure and determining the network
traffic parameters used for communication and behavioral profiling of the protected
infrastructure objects with atypical interaction macroparameters.</p>
    </sec>
    <sec id="sec-16">
      <title>Let us further consider the procedure for determining the diagnostic sign weights of vulnerable states of the protected object infrastructure.</title>
      <sec id="sec-16-1">
        <title>Reference behavior profiling</title>
        <p>We will distinguish three different states (profiles) of the protected infrastructure
object caused by the attacking effects of violators: Pr1 is a profile characterizing a
vulnerable condition due to an unknown zero-day vulnerability; Pr2 is a profile
characterizing a vulnerable state due to the configuration of the protection means; Pr3 is
a profile characterizing a vulnerable condition due to an impact on a known vulnerability.
Profiling is carried out according to nine simple non-specific features: byte frequency
for TCP (k1), byte frequency for UDP (k2), hash value (k3), hash value based on the offset
byte (k4), the first 4 bytes repeated in packets (k5), the hash value for pairs of
the first 16 bytes of the first 4 packets (k6), the length of the first four packets in one
direction (k7), the nibble number of the first packet from the server to the client (k8),
duplicate pairs of bytes (k9) [14, 15].</p>
        <p>
          For example, the functional state is diagnosed at 414 of the 450 network nodes of
the protected infrastructure (having no known vulnerabilities); of the 36 surveyed
nodes that were attacked by intruders, 10 were in the first vulnerable state, 12 in the
second, and 14 in the third [10, 16]. The results of profiling by the characteristics are
shown in Table 1. Let us note that the first profile is characterized by the presence of at
least two shaded squares (ones) in the first row and at least two white squares (zeros)
        </p>
      </sec>
    </sec>
    <sec id="sec-17">
      <sec id="sec-17-1">
        <table-wrap id="tab1">
          <label>Table 1</label>
          <caption>
            <p>Statistical data of profiling infrastructure objects by a simple sign</p>
          </caption>
          <table>
            <thead>
              <tr><th>Pri</th><th>Item No.</th><th>k1</th><th>k2</th><th>k3</th><th>k4</th><th>k5</th><th>k6</th><th>k7</th><th>k8</th><th>k9</th></tr>
            </thead>
            <tbody>
              <tr><td>Pr1</td><td>1</td><td>1</td><td>1</td><td>1</td><td>1</td><td>0</td><td>0</td><td>0</td><td>0</td><td>1</td></tr>
              <tr><td>Pr1</td><td>2</td><td>1</td><td>1</td><td>0</td><td>0</td><td>1</td><td>0</td><td>0</td><td>1</td><td>0</td></tr>
              <tr><td>Pr1</td><td>3</td><td>1</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td><td>0</td><td>0</td><td>1</td></tr>
              <tr><td>Pr1</td><td>4</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td></tr>
              <tr><td>Pr1</td><td>5</td><td>1</td><td>1</td><td>1</td><td>1</td><td>0</td><td>0</td><td>0</td><td>0</td><td>1</td></tr>
              <tr><td>Pr1</td><td>6</td><td>1</td><td>1</td><td>1</td><td>0</td><td>1</td><td>0</td><td>0</td><td>1</td><td>0</td></tr>
              <tr><td>Pr1</td><td>7</td><td>1</td><td>1</td><td>0</td><td>1</td><td>0</td><td>0</td><td>0</td><td>0</td><td>1</td></tr>
              <tr><td>Pr1</td><td>8</td><td>1</td><td>0</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td></tr>
              <tr><td>Pr1</td><td>9</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td></tr>
              <tr><td>Pr1</td><td>10</td><td>1</td><td>1</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td></tr>
              <tr><td>Pr2</td><td>1</td><td>0</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>0</td><td>1</td><td>0</td></tr>
              <tr><td>Pr2</td><td>2</td><td>0</td><td>1</td><td>0</td><td>1</td><td>0</td><td>1</td><td>0</td><td>0</td><td>1</td></tr>
              <tr><td>Pr2</td><td>3</td><td>0</td><td>0</td><td>1</td><td>1</td><td>1</td><td>0</td><td>1</td><td>0</td><td>0</td></tr>
              <tr><td>Pr2</td><td>4</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>1</td><td>0</td><td>1</td><td>0</td></tr>
              <tr><td>Pr2</td><td>5</td><td>0</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td><td>1</td></tr>
              <tr><td>Pr2</td><td>6</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td></tr>
              <tr><td>Pr2</td><td>7</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>1</td><td>0</td><td>1</td><td>0</td></tr>
              <tr><td>Pr2</td><td>8</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>1</td><td>0</td><td>1</td><td>0</td></tr>
              <tr><td>Pr2</td><td>9</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td><td>0</td><td>1</td></tr>
              <tr><td>Pr2</td><td>10</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>1</td><td>1</td><td>0</td><td>0</td></tr>
              <tr><td>Pr2</td><td>11</td><td>0</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>1</td><td>0</td><td>0</td></tr>
              <tr><td>Pr2</td><td>12</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>1</td><td>0</td><td>0</td><td>1</td></tr>
              <tr><td>Pr3</td><td>1</td><td>1</td><td>0</td><td>0</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>0</td></tr>
              <tr><td>Pr3</td><td>2</td><td>0</td><td>1</td><td>0</td><td>0</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td></tr>
              <tr><td>Pr3</td><td>3</td><td>1</td><td>0</td><td>0</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>1</td></tr>
              <tr><td>Pr3</td><td>4</td><td>0</td><td>0</td><td>1</td><td>0</td><td>1</td><td>0</td><td>1</td><td>0</td><td>1</td></tr>
              <tr><td>Pr3</td><td>5</td><td>1</td><td>0</td><td>0</td><td>0</td><td>0</td><td>1</td><td>1</td><td>1</td><td>0</td></tr>
              <tr><td>Pr3</td><td>6</td><td>0</td><td>1</td><td>0</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>1</td></tr>
              <tr><td>Pr3</td><td>7</td><td>0</td><td>0</td><td>1</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>1</td></tr>
              <tr><td>Pr3</td><td>8</td><td>1</td><td>0</td><td>0</td><td>1</td><td>0</td><td>0</td><td>0</td><td>1</td><td>1</td></tr>
              <tr><td>Pr3</td><td>9</td><td>0</td><td>1</td><td>0</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>1</td></tr>
              <tr><td>Pr3</td><td>10</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>1</td></tr>
              <tr><td>Pr3</td><td>11</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>1</td></tr>
              <tr><td>Pr3</td><td>12</td><td>0</td><td>1</td><td>0</td><td>0</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td></tr>
              <tr><td>Pr3</td><td>13</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td></tr>
              <tr><td>Pr3</td><td>14</td><td>1</td><td>0</td><td>0</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>1</td></tr>
            </tbody>
          </table>
        </table-wrap>
        <p>0,678 0,678 0,83 0,082 0,009 0,006 0,136 0,235</p>
        <p>… groups in the corresponding infrastructure, it is possible to conduct selective
monitoring, providing a significant reduction in the response time to potential incidents and
ensuring the required cyber resilience.</p>
        <sec id="sec-17-1-1">
          <title>Procedure for iterative diagnosis</title>
        </sec>
      </sec>
    </sec>
    <sec id="sec-18">
      <p>In the diagnostics tasks of the critically important information infrastructure, the
selection of the most informative features for describing the object of the mentioned
infrastructure and the subsequent construction of the diagnostic process is extremely
important. In many cases this is due both to the difficulty of obtaining the information
itself (the number of node (network) sensors of the cyber-attack detection systems is, as a
rule, limited) and to the limited time of the diagnostic survey under cyber-attacks.
Let us present the process of the diagnostic survey as follows [13, 15]. A system can be with
a certain probability in one of the previously unknown states. If the prior probabilities of
the states P(Pri) can be obtained from statistical data, then the system entropy is</p>
      <p>H(Pr) = − ∑ i=1..n P(Pri) log2 P(Pri). (9)</p>
    </sec>
    <sec id="sec-19">
      <p>As a result of a full diagnostic survey of the complex of features K, the system state
becomes known (for example, it turns out that the network object is in the state Pr1;
then P(Pr1) = 1, P(Pri) = 0 (i = 2, …, n)). After a complete diagnostic survey, the system
entropy (uncertainty) is</p>
      <p>H(Pr/K) = 0. (10)</p>
    </sec>
    <sec id="sec-20">
      <p>The information contained in the diagnostic survey, or the diagnostic survey value, is</p>
      <p>JPr(K) = ZPr(K) = H(Pr) − H(Pr/K) = H(Pr). (11)</p>
    </sec>
    <sec id="sec-21">
      <p>In fact, the condition (10) is far from always being fulfilled. In many cases recognition
is statistical in nature and it is necessary to know that the probability of one of
the states is quite high (for example, P(Pr1) = 0,95). For such situations the residual
system entropy H(Pr/K) ≠ 0.</p>
    </sec>
    <sec id="sec-22">
      <p>In practical cases the required diagnostic survey value is … (12), where λ is the survey
completeness coefficient, 0 ≤ λ ≤ 1.</p>
    </sec>
    <sec id="sec-23">
      <p>The coefficient λ depends on the recognition reliability and for real diagnostic processes
should be close to 1. If the prior probabilities of the system states are unknown,
then one can always give an upper estimate for the system entropy, H(Pr) ≤ log2 n,
where n is the number of the system states.</p>
    </sec>
    <sec id="sec-24">
      <p>From the condition (12) it follows that the amount of information that needs to be
obtained during a diagnostic survey is given, and it is required to make the process of its
accumulation optimal.</p>
      <p>When constructing a diagnostic process, it is necessary to take into account the difficulty
of obtaining the relevant information. Let us call the optimality coefficient of the diagnostic
survey based on kj for the profile Pri the value</p>
      <p>ζij = ZPri(kj) / cij, (13)</p>
      <p>where ZPri(kj) is the diagnostic survey value based on kj for the profile Pri (in
general, ZPri(kj) is determined based on the results of previous surveys) and cij is the
coefficient of survey complexity based on kj for the profile Pri; it characterizes the
laboriousness of the survey, its reliability, duration and other factors. It is assumed that cij
does not depend on the previous surveys.</p>
    </sec>
    <sec id="sec-25">
      <p>Thus, the optimality coefficient will be large if a smaller number of individual
surveys obtains the required diagnostic value. In the general case, an optimal diagnostic
process should ensure that the maximum value of the optimality coefficient of the entire
survey is obtained (the condition of diagnostic survey optimality).</p>
    </sec>
    <sec id="sec-26">
      <title>The optimality coefficient for the entire profile system is</title>
      <p>ζj = ∑ i=1..n P(Pri) ZPri(kj) / ∑ i=1..n P(Pri) cij. (14)</p>
      <p>When calculating ζj, the information and the survey complexity are averaged
over all profiles. For a survey of the complex K of v signs, the optimality coefficient is</p>
      <p>ζ = ZPr(K(v)) / ∑ j=1..v cj, (15)</p>
      <p>where ZPr(K(v)) is the diagnostic survey value of the complex of signs.</p>
      <p>To describe the interaction (information transfer) between the objects of the
protected infrastructure in time, dynamic communication profiles are used. The object
profile of the protected infrastructure will be understood below as a formalized means of
describing and displaying the characteristics of the infrastructure as a whole and of its
individual objects in terms of the specification of rules (communication protocols,
access to resources) and data exchange procedures at the corresponding observation
interval.</p>
      <p>The interaction features of the network nodes in a given observation interval are
presented in three-dimensional space (Figure 3), where the start and end times of the
corresponding interaction processes are specified on the X axis, the identified operating
systems (OS) and applications installed on the network node are specified on the
Y axis, and on the Z axis are the numbers of the TCP/UDP ports used for interaction by the
corresponding applications. The communication profile (CP) of the network object is
represented as</p>
      <p>CP = Pr1 = 〈(…)1, …, (…)k〉, (16)</p>
      <p>where Sft is the software type (operating system or application), Sft ∈ {Os, Apl}, Pt is the
protocol, Prt is the TCP/UDP port number, i = 1, 2, …, 65535; k, n ∈ N.</p>
      <p>For example, the communication profile of a network object shown in the diagram in Figure 3 has the following form: ( ) = 〈 , , , , , , , , , , 〉.</p>
    </sec>
    <sec id="sec-27">
      <title>Behavioral profile (BP)</title>
      <p>BP = Pr2 = 〈Nm1 = 〈Vi, type, k, Ds〉〉</p>
      <p>where Nm – OS (application) name; V – network object identifier (application instance name); type – network object type (active or passive), type ∈ {Act, Psv}; ( ) – application version; D – a set of operations; i, k, n ∈ N.</p>
    </sec>
    <sec id="sec-28">
      <title>For example, the behavioral profile of a network object represented in the diagram in Figure 3 has the following form:</title>
      <p>BPN(1O)1 Apl1 Instagram (iOS); 6.0; act; chat, …, Apl11 Instagram (Android); 5.1; act; chat</p>
    </sec>
    <sec id="sec-29">
      <title>Protection profile (PP)</title>
      <p>BP = Pr3 = 〈Nm1 = 〈I, k, 〉〉</p>
      <p>(17) (18) (19) (20)</p>
      <p>where γ – a security service name; ϕ – version; ψ – operation type (chat, file sharing (download), use of a web browser, download, file sharing (upload), IP call); i, k, n ∈ N.</p>
    </sec>
    <sec id="sec-30">
      <title>For example, the security profile (SP) of a network object represented in the diagram in Figure 3 has the following form:</title>
      <p>SPN(1O)1 Apl3 OpenSSH (sshd), 2, Kerberos v5 auth, …, Apl8 MSCryptoAPI, 6.1, E2EE</p>
      <p>As an example, let us consider the detection of certificate spoofing at one of the workplaces when a web resource is accessed over the SSL/TLS protocols, discovered by passive monitoring. This situation has many alternatives in terms of how the situation may develop with respect to a cyber-resilience violation of the protected infrastructure. If the destructive actions of the user were deliberate, this event (incident) can be associated with previous incidents and has a high probability of recurrence in the future (Table 4).</p>
      <table-wrap>
        <label>Table 4</label>
        <table>
          <thead>
            <tr>
              <th>No.</th>
              <th>Network object</th>
              <th>System or application software component</th>
              <th>Exploited vulnerability / vulnerable protocol or component</th>
              <th>Action to prevent or respond to an incident</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>1</td>
              <td>Windows hosts</td>
              <td>Windows 2018</td>
              <td>CVE-2016-3213 / NetBIOS, ISATAP</td>
              <td>Installing security system updates MS16-063, MS16-077</td>
            </tr>
            <tr>
              <td>2</td>
              <td>Client hosts</td>
              <td>Web browser (Internet Explorer)</td>
              <td>HTTP/HTTPS, TLS</td>
              <td>Using Firefox, Opera, Chrome browsers with HPKP technology; control of application software with access to the web browser; mutual client and server authentication when establishing a new TLS connection; use of additional sources or databases of permitted keys and certificates</td>
            </tr>
            <tr>
              <td>3</td>
              <td>Network traffic monitoring system</td>
              <td>SSL/TLS server</td>
              <td>DNS, HTTPS, TLS</td>
              <td>DNS name resolution, SSL name resolution, maintenance of a registry of public trusted key fingerprints</td>
            </tr>
          </tbody>
        </table>
      </table-wrap>
    </sec>
    <sec id="sec-41">
      <p>In addition, this incident poses a threat to the protected infrastructure from the intruder's point of view: gaining access to the compromised node, as well as compromising other nodes or the entire infrastructure under study. At the first stage, based on reverse data analysis, it is necessary to verify the events (and their results) whose statistical characteristics are of interest for detecting cause-and-effect links between the user's actions, in order to determine the degree of his participation in the incident: certificate with the authentic issuer; certificate with a fake issuer; certificate with a valid expiration date; certificate with expired validity; certificate with the original issuer, not expired; certificate with the original issuer, expired; certificate with a fake issuer, not expired; certificate with a fake issuer, expired. According to the investigation results, the monitoring system forms a list of preventive (response) actions for the corresponding incident.</p>
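      <p>As an added example that is not part of the paper, the following Python triages a certificate seen by passive monitoring into the event classes listed above (issuer authenticity combined with validity), links it to earlier incidents on the same host, and attaches the response actions from Table 4; the record format, the registry contents and the incident history are assumptions, and all sample values are constructed.</p>
      <preformat>
```python
"""Triage of a TLS certificate observed by passive monitoring.

Added example; it is not code from the paper. Assumed data model: each
observed certificate is a dict with host, issuer, SHA-256 key fingerprint and
not_after; the registry of trusted key fingerprints (Table 4, row 3) is a
dict from host to a set of fingerprints; earlier incidents are a list of
dicts with a host field. All sample values below are constructed.
"""
from datetime import datetime, timezone

# Constructed registry of public trusted key fingerprints, one set per host.
TRUSTED_KEYS = {
    "portal.example.org": {"sha256:1111aaaa"},
    "mail.example.org": {"sha256:2222bbbb"},
}
# Constructed set of issuers accepted inside the protected infrastructure.
TRUSTED_ISSUERS = {"CN=Example Corporate CA"}

# Response actions for a spoofed certificate, taken from Table 4 (rows 2 and 3).
INCIDENT_ACTIONS = [
    "mutual client and server authentication when establishing a new TLS connection",
    "check the key against the database of permitted keys and certificates",
    "maintenance of the registry of public trusted key fingerprints",
]


def classify(cert, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return the event class from the paper's list.

    The eight alternatives in the text reduce to two independent attributes:
    issuer authenticity (original or fake) and validity (expired or not).
    """
    original = cert["issuer"] in trusted_issuers
    expired = now > cert["not_after"]
    issuer = "original issuer" if original else "fake issuer"
    validity = "expired" if expired else "not expired"
    return f"certificate with {issuer}, {validity}"


def triage(cert, history, now, trusted_keys=TRUSTED_KEYS):
    """Form the incident record and the list of preventive (response) actions.

    An unknown key is treated as an incident even when the issuer string looks
    right and the certificate is unexpired: a spoofed certificate is usually
    fresh and carries a look-alike issuer name.
    """
    event = classify(cert, now)
    key_known = cert["fingerprint"] in trusted_keys.get(cert["host"], set())
    incident = ("fake issuer" in event) or not key_known
    # Link to earlier incidents on the same host: a deliberate action by the
    # user is expected to recur, so prior records raise the recurrence flag.
    prior = [h for h in history if h["host"] == cert["host"]]
    return {
        "host": cert["host"],
        "event": event,
        "key_in_registry": key_known,
        "incident": incident,
        "prior_incidents": len(prior),
        "likely_recurrence": incident and len(prior) > 0,
        "actions": list(INCIDENT_ACTIONS) if incident else [],
    }


NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed observation time
OBSERVED = [  # constructed captures from one workplace
    {"host": "portal.example.org", "issuer": "CN=Example Corporate CA",
     "fingerprint": "sha256:1111aaaa",
     "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)},
    {"host": "portal.example.org", "issuer": "CN=Examp1e Corporate CA",
     "fingerprint": "sha256:9999ffff",
     "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)},
    {"host": "mail.example.org", "issuer": "CN=Example Corporate CA",
     "fingerprint": "sha256:2222bbbb",
     "not_after": datetime(2024, 1, 1, tzinfo=timezone.utc)},
]
HISTORY = [{"host": "portal.example.org", "event": "certificate with fake issuer, not expired"}]

if __name__ == "__main__":
    for cert in OBSERVED:
        print(triage(cert, HISTORY, NOW))
```
      </preformat>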
      <sec id="sec-41-1">
        <title>Conclusions</title>
        <p>Further, a set of qualitative features is formed based on the results of secondary processing of the monitoring results in the form of a decision tree; the degree of interconnection between alternative feature groups and the technical and economic consequences (damage) for the protected infrastructure and its assets upon their manifestation are determined, and a set of possible actions is generated to localize the incident.</p>
      </sec>
    </sec>
    <sec id="sec-42">
      <title>Thus, the proposed method of profiling the behavior of dynamic objects of a critically important information infrastructure allows selecting and putting into a practice (with scientific evidence) the corresponding organizational and technical measures to ensure the required cyber-resilience.</title>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <given-names>B. R.</given-names>
            <surname>Shiller</surname>
          </string-name>
          ,
          <year>2014</year>
          . “
          <article-title>First-Degree Price Discrimination Using Big Data</article-title>
          .
          <source>” April</source>
          <volume>25</volume>
          ,
          <string-name>
            <surname>Brandeis</surname>
            <given-names>University</given-names>
          </string-name>
          , Department of Economics Working Paper 58. [Electronic resource]. - Access mode: http://www.brandeis.edu/departments/economics/RePEc/brd/doc/Brandeis_ WP58R.pdf
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <surname>Beraud</surname>
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cruz</surname>
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hassell</surname>
            <given-names>S.</given-names>
          </string-name>
          and
          <string-name>
            <surname>Meadows</surname>
            <given-names>S.</given-names>
          </string-name>
          ,
          <article-title>"Using Cyber Maneuver to Improve Network Resiliency," in MILCOM, Baltimore</article-title>
          ,
          <string-name>
            <surname>MD</surname>
          </string-name>
          ,
          <year>2011</year>
          . DOI:
          <volume>10</volume>
          .1109/milcom.
          <year>2011</year>
          .6127449
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <surname>Biryukov</surname>
            ,
            <given-names>D. N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lomako</surname>
            ,
            <given-names>A. G.</given-names>
          </string-name>
          <article-title>Approach to Building a Cyber Threat Prevention System. Problems of Information Security</article-title>
          .
          <source>Computer systems</source>
          , Publishing house of Polytechnic University, vol.
          <volume>2</volume>
          , pp.
          <fpage>13</fpage>
          -
          <lpage>19</lpage>
          , St. Petersburg, Russia,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <surname>Bongard</surname>
            ,
            <given-names>M. M.</given-names>
          </string-name>
          <article-title>The Problem of Recognition, Fizmatgiz</article-title>
          , Moscow, Russia,
          <year>1967</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <surname>Bostick</surname>
            ,
            <given-names>T. P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Connelly</surname>
            ,
            <given-names>E. B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lambert</surname>
            ,
            <given-names>J. H.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Linkov</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          (
          <year>2018</year>
          ).
          <article-title>Resilience Science, Policy and Investment for Civil Infrastructure</article-title>
          .
          <source>Reliability Engineering &amp; System Safety</source>
          <volume>175</volume>
          :
          <fpage>19</fpage>
          -
          <lpage>23</lpage>
          . DOI:
          <volume>10</volume>
          .1016/j.ress.
          <year>2018</year>
          .
          <volume>02</volume>
          .025
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>Colbert</surname>
            ,
            <given-names>E. J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kott</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Knachel</surname>
            <given-names>III</given-names>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            , &amp;
            <surname>Sullivan</surname>
          </string-name>
          ,
          <string-name>
            <surname>D. T.</surname>
          </string-name>
          (
          <year>2017</year>
          ).
          <source>Modeling Cyber Physical War Gaming (Technical Report No. ARL-TR-8079)</source>
          . US Army Research Laboratory, Aberdeen Proving Ground, United States.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <surname>Collier</surname>
            ,
            <given-names>Z. A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Linkov</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          , DiMase,
          <string-name>
            <given-names>D.</given-names>
            ,
            <surname>Walters</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            ,
            <surname>Tehranipoor</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            , &amp;
            <surname>Lambert</surname>
          </string-name>
          ,
          <string-name>
            <surname>J.</surname>
          </string-name>
          (
          <year>2014a</year>
          ).
          <article-title>Risk-Based Cybersecurity Standards: Policy Challenges and Opportunities</article-title>
          .
          <source>Computer</source>
          <volume>47</volume>
          :
          <fpage>70</fpage>
          -
          <lpage>76</lpage>
          . DOI:
          <volume>10</volume>
          .1007/978-3-
          <fpage>319</fpage>
          -77492-3
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <given-names>D. J.</given-names>
            <surname>Bodeau</surname>
          </string-name>
          ,
          <article-title>"Analysis Through a Resilience Lens: Experiences and Lessons-Learned (PR 15-1309) (presentation)," in 5th Annual Secure and Resilient Cyber Architectures Invitational, McLean</article-title>
          ,
          <string-name>
            <surname>VA</surname>
          </string-name>
          ,
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <surname>Dessavre</surname>
            <given-names>D. G.</given-names>
          </string-name>
          and
          <string-name>
            <surname>Ramirez-Marquez</surname>
            <given-names>J. E.</given-names>
          </string-name>
          ,
          <article-title>"Computational Techniques for the Approximation of Total System Resilience,"</article-title>
          <source>in Safety and Reliability of Complex Engineered Systems: ESREL</source>
          <year>2015</year>
          , Zurich, Switzerland,
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <string-name>
            <surname>Dorofeev</surname>
            <given-names>A.V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Markov</surname>
            <given-names>A.S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Tsirlov</surname>
            <given-names>V.L. Social</given-names>
          </string-name>
          <article-title>Media in Identifying Threats to Ensure Safe Life in a Modern City</article-title>
          ,
          <source>Communications in Computer and Information Science</source>
          ,
          <year>2016</year>
          , vol.
          <volume>674</volume>
          , pp.
          <fpage>441</fpage>
          -
          <lpage>449</lpage>
          . DOI:
          <volume>10</volume>
          .1007/978-3-
          <fpage>319</fpage>
          -49700-6_
          <fpage>44</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <surname>Eisenberg</surname>
            ,
            <given-names>D. A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Linkov</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Park</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Bates</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fox-Lent</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Seager</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          (
          <year>2014</year>
          ).
          <article-title>Resilience metrics: Lessons from military doctrines</article-title>
          .
          <source>Solutions</source>
          ,
          <volume>5</volume>
          (
          <issue>5</issue>
          ),
          <fpage>76</fpage>
          -
          <lpage>87</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12. J.
          <string-name>
            <surname>Park</surname>
            ,
            <given-names>T. P.</given-names>
          </string-name>
          <string-name>
            <surname>Seager</surname>
            ,
            <given-names>P. S.</given-names>
          </string-name>
          <string-name>
            <surname>Rao</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <article-title>Convertino and I. Linkov, "Integrating risk and resilience approaches to catastrophe management in engineering systems,"</article-title>
          <source>Risk Analysis</source>
          , vol.
          <volume>33</volume>
          , no.
          <issue>3</issue>
          , pp.
          <fpage>356</fpage>
          -
          <lpage>367</lpage>
          ,
          <year>2013</year>
          . doi:
          <volume>10</volume>
          .1111/j.1539-
          <fpage>6924</fpage>
          .
          <year>2012</year>
          .
          <year>01885</year>
          .x
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <surname>Kelic</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Collier</surname>
            ,
            <given-names>Z. A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Brown</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Beyeler</surname>
            ,
            <given-names>W. E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Outkin</surname>
            ,
            <given-names>A. V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Vargas</surname>
            ,
            <given-names>V. N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ehlen</surname>
            ,
            <given-names>M. A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Judson</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zaidi</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Leung</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Linkov</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          (
          <year>2013</year>
          ).
          <article-title>Decision framework for evaluating the macroeconomic risks and policy impacts of cyber attacks</article-title>
          .
          <source>Environment Systems &amp; Decisions</source>
          ,
          <volume>33</volume>
          (
          <issue>4</issue>
          ),
          <fpage>544</fpage>
          -
          <lpage>560</lpage>
          . DOI:
          <volume>10</volume>
          .1007/s10669-013-9479-9
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <string-name>
            <surname>Kotenko</surname>
            ,
            <given-names>I. V.</given-names>
          </string-name>
          <article-title>Intellectual mechanisms of cybersecurity management</article-title>
          .
          <source>Proceedings of ISA RAS. Risk Manag. Safety</source>
          ,
          <volume>41</volume>
          , pp.
          <fpage>74</fpage>
          -
          <lpage>103</lpage>
          , Moscow, Russia,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <surname>Lomako</surname>
            ,
            <given-names>A. G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Petrenko</surname>
            ,
            <given-names>S. A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Petrenko</surname>
            ,
            <given-names>A. S.</given-names>
          </string-name>
          <article-title>Realization of the immune system of the stable computations organization, In: Information systems and technologies in modelling and management, Materials of the All-Russian scientific</article-title>
          and practical conference, pp.
          <fpage>255</fpage>
          -
          <lpage>259</lpage>
          , Russia,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <surname>Patrick</surname>
            <given-names>McDaniel</given-names>
          </string-name>
          and
          <string-name>
            <given-names>Ananthram</given-names>
            <surname>Swami</surname>
          </string-name>
          ,
          <source>The Cyber Security Collaborative Research Alliance:Unifying Detection</source>
          , Agility, and
          <article-title>Risk in Mission-Oriented Cyber Decision Making</article-title>
          .
          <source>CSIAC Journal, Army Research Laboratory (ARL) Cyber Science and Technology</source>
          ,
          <volume>5</volume>
          (
          <issue>1</issue>
          ), December,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>