<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Intellectual analysis and basic modeling of complex threats</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Nikolai Korneev</string-name>
          <email>niccyper@mail.ru</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Vyacheslav Merkulov</string-name>
          <email>niccyper@mail.ru</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Faculty of Integrated Security of Fuel and Energy Complex, Gubkin Russian State University of Oil and Gas (National, Research University), Department of Data Analysis, Decision-Making and, Financial Technology, Financial University under the Government of the Russian</institution>
          ,
          <addr-line>Federation, Moscow</addr-line>
          ,
          <country country="RU">Russia</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Faculty of Integrated Security of Fuel and Energy Complex, Gubkin Russian State University of Oil and Gas (National, Research University)</institution>
          ,
          <addr-line>Moscow</addr-line>
          ,
          <country country="RU">Russia</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2019</year>
      </pub-date>
      <fpage>23</fpage>
      <lpage>28</lpage>
      <abstract>
        <p>The paper describes the basic principles of complex threats modeling, and the task of complex threats detection is formalized. The proposed modeling principles are based on the idea of identifying the links between elementary threats as part of a complex one. As an example, the process of constructing a complex threat model based on the proposed modeling rules is given. Based on the examples presented in the work, the paper includes the description of tasks while working with complex threats: the tasks of complex threats detection, the identification of their inner structure and purposes of the implementation. Based on the formulated principles of basic modeling, the paper also gives a formal statement of complex threats detection problem, which explains the possibility for applying data mining algorithms and big data processing technologies in the construction of protection systems against complex threats and developing the neurographic theory of complex security.</p>
      </abstract>
      <kwd-group>
        <kwd>complex threats</kwd>
        <kwd>complex threat model</kwd>
        <kwd>complex security</kwd>
        <kwd>hybrid threats</kwd>
        <kwd>complex threats detection</kwd>
        <kwd>complex threats detection method</kwd>
        <kwd>data mining algorithms</kwd>
        <kwd>big data processing</kwd>
        <kwd>neurographic theory of complex security</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>Protected system – a system in the conventional
sense, consisting of many security objects, not necessarily
located in one space.</p>
      <p>Complex threat – a threat consisting of several different
elementary threats, connected by means of certain
synchronized mechanisms and not necessarily existing in one
space.</p>
      <p>Hybrid threat – a variation of a complex threat,
which necessarily contains elementary threats that affect
different areas of the protected system.</p>
      <p>Exploited threat vulnerability – a factor based on the
properties of the protected system or methods of
protection, which is used in the implementation of a specific
elementary threat.</p>
      <p>Threat implementation mechanism – a set of actions, which
actively use available exploited vulnerabilities and are aimed at
the threat implementation.</p>
      <p>Consequences of threat implementation – a factor that
is caused by a specific threat implementation; it can
have a negative impact on the protected system or it
can be an exploited vulnerability for another threat.</p>
    </sec>
    <sec id="sec-2">
      <title>I. INTRODUCTION</title>
      <p>
        Scientific publications of both domestic and foreign
scientists [
        <xref ref-type="bibr" rid="ref1 ref10 ref11 ref12 ref14 ref15 ref16 ref17 ref18 ref19 ref2 ref6">1-3, 7, 11-13, 15-20</xref>
        ] show that in domestic
and foreign literature and practice in this area,
rigorous mathematical models with criteria of control support
efficiency in the field of comprehensive security generally
do not exist, and the existing comprehensive security
systems do not solve the task of automatically building a
component-based model of a facility as part of
comprehensive facility safety control support [
        <xref ref-type="bibr" rid="ref8">9</xref>
        ].
      </p>
      <p>
        In the case where the finite number of states of the
controlled facility at each moment of time is unknown, it is
advisable to use a more sophisticated model, similar to the
neurographic model [
        <xref ref-type="bibr" rid="ref8">9</xref>
        ].
      </p>
      <p>
        In retrospect, security threats were considered as atomic
units unconnected to each other. This approach has led to the
fact that elementary threats are currently well studied and
classified [
        <xref ref-type="bibr" rid="ref4 ref5">5, 6</xref>
        ], effective hardware and software solutions
have been developed to ensure security against them,
and organizational and legal methods and general principles of
security are widely used.
      </p>
      <p>In practice, when analyzing security incidents and risks, it
often becomes obvious that there are internal links between
a set of elementary threats, which form a system.</p>
      <p>The presence of certain properties in this system allows us
to consider the constituent elements of the system not as atomic
(elementary) threats, but as a complex security threat.</p>
      <p>The paper contains an example of the formation
and implementation of a complex threat consisting of
several elementary threats connected in a certain way.</p>
      <p>
        It is also worth noting that the existence of hybrid threats is
closely related to the term “hybrid war” [
        <xref ref-type="bibr" rid="ref3 ref7 ref9">4, 8, 10</xref>
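        ]. These are
subtypes of complex threats and are characterized by the property
of forming and implementing the threat components not in a
single space (for example, only in the physical) but in several
spaces simultaneously (for example, in physical and
information space).
      </p>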
      <p>Complex threats, as a separate type of threat, require the
creation of theoretical foundations for security; on their basis, it
is possible to ensure the development of appropriate integrated
security systems.</p>
    </sec>
    <sec id="sec-3">
      <title>II. BASIC MODEL OF COMPLEX THREAT</title>
      <p>As an object of research, complex threats require certain
methods of formalization, i.e. principles and tools for
modeling, which are currently missing. The following are the
rules for forming basic models of complex threats.</p>
      <p>The complex threat C can be represented as a combination
of a set of the elementary threats T and a set R of
interconnections between them (1):</p>
      <p>The elementary threat ti ∈ T consists of non-empty
sets of exploited vulnerabilities V, mechanisms for
implementing M and consequences of implementing threat A (2), (3):</p>
      <p>To avoid further conglomeration of indexes, we consider
records of the form v1 equivalent to v(1).</p>
      <p>A link ri,j ∈ R between elementary threats ti and tj exists if
at least one consequence of the implementation of the threat ti (ap ∈
Ati) is an exploited vulnerability of the threat tj (vn ∈ Vtj), i.e.
between ap and vn there is some equivalence relation.</p>
      <p>Thus, the set R can be represented as a two-dimensional
matrix, the rows and columns of which contain elements of the
set T, and at the intersection of i row and j column there is an
element ri,j, showing the existence of a connection between
threats ti and tj.</p>
      <p>The nature of such a connection is an open question for
further research, however, in a simplified version it is proposed
to use binary values for elements of the set R (there is either a
connection, then ri,j = 1, or not, in this case ri,j = 0) (4).</p>
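      <p>
        <disp-formula>
          <label>(4)</label>
          <tex-math><![CDATA[r_{i,j} = \begin{cases} 1, & \exists\, a_p \in A_{t_i}:\ a_p \sim v_n \wedge (v_n \in V_{t_j}), \\ 0, & \text{otherwise.} \end{cases}]]></tex-math>
        </disp-formula>
      </p>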
      <p>The above-mentioned modeling principles allow you to
make a formalized model of a complex threat, which has a
minimum set of parameters for further research.</p>
      <p>Copyright © 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0)</p>
      <p>III. EXAMPLE OF BUILDING A BASIC MODEL OF A COMPLEX THREAT</p>
      <p>Let us consider an example of the formation and
implementation of a complex threat, which can be called
hybrid, as elementary attacks in its composition exist in
different spaces.</p>
      <p>Example: a group of intruders implements a hybrid threat
against a FEC enterprise. The purpose of the attack is to cause
economic and reputational damage to the enterprise; the subject
of the attack is the confidential information of loyalty cards of
end-use customers; the protected system is the FEC
enterprise itself. In this example, the hybrid threat is implemented in
several stages:</p>
      <p>1. By exploiting a software vulnerability in the corporate PACS,
inaccurate data is added to the identification code database.</p>
      <p>2. Being able to pass the perimeter of physical
protection freely, since there are false entries in the PACS database,
the intruder penetrates into the protected area.</p>
      <p>3. While in the protected area, the intruder detects a storage
medium that contains confidential data and creates a
physical copy of it.</p>
      <p>4. The copied confidential information is distributed to public
sources, which causes economic and reputational damage to the
protected system.</p>
      <p>Reputational damage involves the reduction of
consumer trust in the company’s ability to ensure the protection
of personal customer data.</p>
      <p>The economic damage involves loyalty cards usage without
the need for their legal acquisition and participation in the
loyalty program, as you can purchase stolen data from the
intruder.</p>
      <p>We formalize this example of a hybrid threat into a basic
model. Its general view (5):</p>
      <p>C = &lt;T, R&gt;;
|T| = 4;
|R| = 4.</p>
      <p>To simplify the model, the power of the sets V, M, A of
every elementary threat is equal to one, i. e. |V| = 1, |M| = 1, |A|
= 1 for all t ∈ T.</p>
      <p>Further, we consider the problem of modeling
nonobviousness and threat implementation, especially hybrid
threats, that depends on the power of the sets V, M, A.</p>
      <p>In this example, the elementary threat t1 arises, is implemented
and generates consequences only in the information space, as it
is based on the PACS software vulnerability and is implemented by
the intruder remotely, changing the reliability and accuracy of
the confidential database (6):</p>
      <p>t1 = &lt; Vt1, Mt1, At1 &gt;,</p>
      <p>Vt1 = {software vulnerability in the identifier store PACS};
Mt1 = {exploiting a software vulnerability};</p>
      <p>At1 = {violation of data reliability in the identifier store}.</p>
      <p>The elementary threat t2 arises in the information space, as
it is based on unreliable data in the identifier store; implemented
in the physical space by penetration of the intruder into the
protected area; also produces consequences in physical space,
providing the intruder with access to physical storage media (7):</p>
      <p>t2 = &lt; Vt2, Mt2, At2 &gt;,</p>
      <p>Vt2 = {violation of data reliability in the identifier store};
Mt2 = {penetration into the protected area via PACS without being detected};</p>
      <p>At2 = {access to physical storage media}.</p>
      <p>The elementary threat t3 arises in the physical space,
because it is based on the intruder's access to physical
storage media; it is also implemented in the physical space, using
the media copy mechanism; it generates consequences in the
information space, which are characterized by the possession of
confidential information (8):</p>
      <p>t3 = &lt; Vt3, Mt3, At3 &gt;,</p>
      <p>Vt3 = {access to physical storage media};
Mt3 = {copying of the physical storage media};</p>
      <p>At3 = {access to confidential data}.</p>
      <p>The elementary threat t4 arises and is implemented in the
information space: the intruder has access to confidential
data and is able to distribute it to the
general public; however, the threat implementation generates
consequences in the economic and social spaces, damaging the
company’s reputation and the financial performance of the
company (9):</p>
      <p>t4 = &lt; Vt4, Mt4, At4 &gt;,</p>
      <p>Vt4 = {access to confidential data};
Mt4 = {confidential data distribution};</p>
      <p>At4 = {image and economic damage to the enterprise}.</p>
      <p>As the sets V, M, A were presented in a simplified form, the
elements of the set R are also easy to model (10):</p>
      <p>Vt2~At1 → r1,2 = 1;
Vt3~At2 → r2,3 = 1;</p>
      <p>Vt4~At3 → r3,4 = 1.</p>
      <p>For clarity, we also give the matrix form, representing the
set R in this case (Fig. 1).</p>
      <p>In fact, the represented matrix is a connectivity matrix for a
directed graph (Fig. 2).</p>
      <p>The construction of such kind of graphs allows you to
visualize the investigated complex threats and the correlation of
elementary threats.</p>
      <p>As illustrated in the considered example, the proposed
system of complex threats modeling can be used as a theoretical
basis for constructing formalized descriptions of complex
threats for their further analysis.</p>
      <p>IV. PROBLEMATICS OF COMPLEX THREATS</p>
      <p>The assumption about the sets V, M, A power is made to
simplify the understanding of the example. In practice, as it was
shown (2) (3), these sets are strictly non-empty, and their power
can be quite large. We give an example of a complete
composition of these sets based on t2 (11):</p>
      <p>Vt2 = {violation of data reliability of the identifier store;
PACS is unequipped by supplementary power supply;
recruitment of a company employee;
blackmailing a company employee;
presence of weaknesses in the physical guard band (obstacles);
the possibility of a power outage};</p>
      <p>Mt2 = {penetration into the protected area via PACS without being detected;
penetration into the territory during the PACS shutdown;
using ID of recruited agent to evade PACS;
penetration through the weak point of physical obstacles};</p>
      <p>At2 = {access to physical storage media;
physical access to workstations;
physical access to servers;
physical access to internal computer communication;
physical access to internal electric service lines;
physical access to the fire protection system}.</p>
      <p>A deeper analysis of vulnerabilities can give the full
composition of the sets V, M, A, however, we will focus on the
above example and make a few remarks:</p>
      <p>Comment 1. It is obvious that there must also be a certain
connection between the elements of the sets V and M. In this example, the
presence of the intruder inside the protected system
(vulnerability vt2(3) or vt2(4)) allows not only using its ID to
deceive the PACS (mechanism mt2(3)), but also breaking the
power supply of the PACS (vulnerability vt2(6)) and then penetrating
the area while the PACS is inoperable (mechanism mt2(2)).</p>
      <p>According to the authors, this connection can be defined as
follows: for an intruder to be able to use a mechanism mi ∈
M to implement the elementary threat, this mechanism mi must
be based on at least one exploited vulnerability vi ∈ V. At the
same time, an increase in the number of vulnerabilities vi on which the
mechanism mi depends should increase the probability that
intruders will use the mechanism mi when implementing an
elementary threat.</p>
      <p>Comment 2. After adding elements to all the sets V, M, A for the
remaining elementary threats t1, t3 and t4 and performing an
additional analysis of the resulting model, the content of the set
R requires clarification, since one cannot rule out the possibility
of additional connections that will be modeled on the basis of
the data added to the model.</p>
      <p>Let us consider another example of mapping the set R into
a matrix form, without reference to the previously considered
problem, and make an appropriate graph (Fig. 3, Fig. 4).</p>
      <p>Fig. 3. Mapping an example of the set R into a matrix</p>
      <p>The connections r2,3 and r2,4 (Fig. 4) mean that the threat t2
can be implemented in such a way that the implementation of the threat
t3 will no longer be necessary before the implementation of t4, since
the required vulnerabilities (Vt4) for t4 will already exist as a result
of the threat t2 (At2). However, such reasoning is true only if t4
is accepted as the target of a complex attack.</p>
      <p>In the problem discussed above, the elementary threat t1 was
accepted as ‘initial’, i.e. implemented first (in terms of the
linear time flow). The connection r4,1 means that there is a
transition to the threat t1 from t4, i.e. literally ‘threat
implementation t4 will make consequences At4, which can be
used in the threat t1 as vulnerabilities Vt1’.</p>
      <p>Obviously, the connection may exist in the model, but it
does not make practical sense at first glance, if t1 is considered
as ‘initial’ threat, to which there is no need to return.</p>
      <p>In addition, with such a set of connections in R it becomes
unclear which elementary threat among t1-t4 is the aim of the
intruder, i.e. which one of them will allow him to achieve the goal
of a complex attack.</p>
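      <p>The construction of the set R by rule (4) for the example (6) to (10), together with the ordering questions raised around Fig. 4, as an added Python example that is not part of the original paper. It assumes that the equivalence a ~ v is text equality after normalising case and whitespace (the paper leaves the nature of the relation open); CYCLIC_R is a constructed matrix containing the links the text names, and all helper names are hypothetical.</p>
      <preformat><![CDATA[
```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ElementaryThreat:
    """t = <V, M, A>; rules (2), (3) require all three sets to be non-empty."""
    name: str
    V: frozenset  # exploited vulnerabilities
    M: frozenset  # implementation mechanisms
    A: frozenset  # consequences of implementation

    def __post_init__(self):
        for label in ("V", "M", "A"):
            if not getattr(self, label):
                raise ValueError(f"{self.name}: set {label} must be non-empty")


def threat(name, V, M, A):
    return ElementaryThreat(name, frozenset(V), frozenset(M), frozenset(A))


def _norm(text):
    return " ".join(text.lower().split())


def equivalent(consequence, vulnerability):
    # Assumption of this example: a ~ v means equal text after normalising
    # case and whitespace. The paper leaves the relation open.
    return _norm(consequence) == _norm(vulnerability)


def link_matrix(threats):
    """Rule (4): R[i][j] = 1 if some consequence of t_i is a vulnerability of t_j."""
    return [[int(any(equivalent(a, v) for a in ti.A for v in tj.V))
             for tj in threats] for ti in threats]


def entry_and_terminal(R):
    """Indices without incoming links (possible first steps) and
    without outgoing links (possible goals of the complex threat)."""
    n = len(R)
    entries = [j for j in range(n) if not any(R[i][j] for i in range(n))]
    terminals = [i for i in range(n) if not any(R[i])]
    return entries, terminals


def implementation_order(R):
    """Topological order of the threat graph (Kahn's algorithm).
    Returns None when R contains a cycle, i.e. no unique start or goal."""
    n = len(R)
    indeg = [sum(R[i][j] for i in range(n)) for j in range(n)]
    ready = [j for j in range(n) if indeg[j] == 0]
    order = []
    while ready:
        i = ready.pop(0)
        order.append(i)
        for j in range(n):
            if R[i][j]:
                indeg[j] -= 1
                if indeg[j] == 0:
                    ready.append(j)
    return order if len(order) == n else None


# Elementary threats t1..t4 of the page's example, one element per set.
EXAMPLE = [
    threat("t1", ["software vulnerability in the identifier store PACS"],
           ["exploiting a software vulnerability"],
           ["violation of data reliability in the identifier store"]),
    threat("t2", ["violation of data reliability in the identifier store"],
           ["penetration into the protected area via PACS without being detected"],
           ["access to physical storage media"]),
    threat("t3", ["access to physical storage media"],
           ["copying of the physical storage media"],
           ["access to confidential data"]),
    threat("t4", ["access to confidential data"],
           ["confidential data distribution"],
           ["image and economic damage to the enterprise"]),
]

# Constructed matrix containing the links the text names for Fig. 4
# (r2,3, r2,4, r4,1) plus r1,2 and r3,4; it is not the figure itself.
CYCLIC_R = [[0, 1, 0, 0], [0, 0, 1, 1], [0, 0, 0, 1], [1, 0, 0, 0]]

if __name__ == "__main__":
    R = link_matrix(EXAMPLE)
    for row in R:
        print(row)
    print("entry/terminal:", entry_and_terminal(R))
    print("order:", implementation_order(R))
    print("cyclic entry/terminal:", entry_and_terminal(CYCLIC_R))
    print("cyclic order:", implementation_order(CYCLIC_R))
```
]]></preformat>
      <p>For the linear example the matrix yields a single entry threat and a single terminal threat; for the cyclic matrix neither exists, which is the ambiguity about the intruder's aim described above.</p>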
      <p>Returning to the considered example of complex threat, the
whole process of its formation and implementation was known,
therefore it became possible to make a model and track the
relation between threats. The tasks such as complex threat
detection, the determination of its purpose and the order of
elementary threats implementation as a part of it, did not require
a solution – this information was contained in the initial data.</p>
      <p>However, as follows from all of the above, it is these tasks that
are the main ones and the most difficult to solve.</p>
      <p>1. The task of detecting the presence of a complex threat
can be reduced to defining the set of links R, if the content of the set
of elementary threats T is known (moreover, the full description
of this set is required).</p>
      <p>Attempts to detect complex and hybrid threats by
humans will be “late” for at least two elementary attacks t, as
this number allows one to conclude that there is at least one link r.</p>
      <p>If a complex threat consists of three planned attacks – the
‘human’ detection system is almost useless.</p>
      <p>Let us consider the question of determining the goal of a
complex threat. Despite the fact that the complex threat includes
many elementary threats T, which can cause some damage on
their own, the real (main) purpose of a complex threat, in
general, is only one – it is a deep systemic vulnerability in the
protected system.</p>
      <p>The main purpose of a well-planned and implemented
complex threat is not obvious to the security service until the
intruder reaches the target, in some cases – after, because the
consequences of a complex threat implementation and the
achievement of the main goal can be hidden and stretched over
time.</p>
      <p>The example considered above (Fig. 4) is a visual
representation of the uncertainty of the purpose of a complex threat.</p>
      <p>The elementary threats t1-t4 occur through
vulnerabilities, which are the consequences of other threats.</p>
      <p>Neither goals of the complex threat nor the order of its
implementation is obvious.</p>
      <p>Fig. 5 presents a situational pattern, wherein the expert is
aware of seven potential elementary threats and the existence of
the connection of r1,2:
case, seems to be quite difficult for human thinking even for
seven threats. In reality, the number of potential threats that can
be implemented next, can be measured in hundreds.</p>
    </sec>
    <sec id="sec-4">
      <title>VI. INTELLIGENT DETECTION METHOD OF COMPLEX THREATS</title>
      <p>We introduce three main terms.</p>
      <p>1. Potential elementary threats Tp – the set of all elementary
threats existing within the considered protected system. In this
case, the elements of the set Tp also satisfy (2), and the record
(1) can be supplemented in the following way (12):</p>
      <p>|R| &gt; 1;
T ⊆ Tp.</p>
      <p>That is, for any complex threat C, the set of elementary
threats T will always be formed from the elements of the set of
potential elementary threats Tp.</p>
      <p>2. Current complex threat model – an updated model in the
form of C = &lt;T, R&gt;, created on the basis of information
available at a discrete instant of time about the implemented
complex threat C.</p>
      <p>3. Proposed complex threat model – immutable model
C = &lt;T, R&gt;, formed by an intelligent algorithm based on its
operational internal rules and
knowledge about possible
complex threats models.</p>
      <p>In fact, having extensive information about the components
of the set of potential elementary threats Tp, to synthesize the
rules of detection of a specific complex threat C you will have
to create a set of assumed integrated threat models C, and then
compare the assumed models with the current model to
identify the most reliable ones.</p>
      <p>To detect complex threat C, let N putative models of
complex threats &lt;Ti, Ri&gt; (i = 1..N) be synthesized, with each
such model satisfying the rules (12) and (2). We introduce the
set &lt;Tc, Rc&gt; to denote the current complex threat model C,
which also satisfies (12) and (2).</p>
      <p>As the complex threat C is implemented, its current model
&lt;Tc, Rc&gt; will be supplemented not only with new connections
r, but also with the elements of the set Tc. Having calculated the
evaluation function (13), where d(p, q) is a certain measure
of similarity, we obtain the estimated model &lt;Ti, Ri&gt; closest to
the current model &lt;Tc, Rc&gt;, which can be considered the most
likely scenario at a discrete time:</p>
      <p>
        <disp-formula>
          <label>(13)</label>
          <tex-math><![CDATA[\min_{i=1,\dots,N} d\bigl(\langle T_i, R_i\rangle, \langle T_c, R_c\rangle\bigr).]]></tex-math>
        </disp-formula>
      </p>
      <p>Thus, it is proposed to reduce the complex threat detection
to finding the most “similar” model among the set of pairs of
proposed models &lt;Ti, Ri&gt;, which will be made by a special
intelligent algorithm.</p>
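      <p>Formulation (13) as an added Python example, not code from the paper: it ranks proposed models against a current model that grows as new elementary threats are observed. The measure d (the mean of the Jaccard distances over T and over R), the proposed models A, B, C and the observation sequence are assumptions constructed for illustration; the paper does not fix d.</p>
      <preformat><![CDATA[
```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Model:
    """A complex threat model C = <T, R>: threat names and directed links (ti, tj)."""
    T: frozenset
    R: frozenset


def model(T, R, potential):
    """Build a model and check T against the potential threats Tp, as in (12)."""
    T, R = frozenset(T), frozenset(R)
    if not T <= potential:
        raise ValueError("T must be a subset of the potential threats Tp")
    if any(a not in T or b not in T for a, b in R):
        raise ValueError("every link must connect threats that are in T")
    return Model(T, R)


def jaccard_distance(x, y):
    union = x | y
    return 0.0 if not union else 1.0 - len(x & y) / len(union)


def d(p, q, w_threats=0.5):
    # Assumed measure of similarity for (13): weighted mean of the Jaccard
    # distances between the threat sets and between the link sets.
    return (w_threats * jaccard_distance(p.T, q.T)
            + (1.0 - w_threats) * jaccard_distance(p.R, q.R))


def rank(current, proposed):
    """[(distance, name)] in ascending order; the first entry is the minimum of (13)."""
    return sorted((d(m, current), name) for name, m in proposed.items())


def expected_links(current, best):
    """Links of the best-matching proposed model that have not been observed yet."""
    return sorted(best.R - current.R)


def detect(current, proposed):
    dist, name = rank(current, proposed)[0]
    return name, round(dist, 4), expected_links(current, proposed[name])


# Seven potential elementary threats, as in the situation described for Fig. 5.
TP = frozenset(f"t{i}" for i in range(1, 8))

# Constructed proposed models <Ti, Ri>; "A" is the chain of the page's example.
PROPOSED = {
    "A": model({"t1", "t2", "t3", "t4"},
               {("t1", "t2"), ("t2", "t3"), ("t3", "t4")}, TP),
    "B": model({"t1", "t2", "t5"}, {("t1", "t2"), ("t2", "t5")}, TP),
    "C": model({"t3", "t6", "t7"}, {("t6", "t3"), ("t3", "t7")}, TP),
}

# Constructed current models <Tc, Rc> at two successive discrete times.
OBSERVED = [
    model({"t1", "t2"}, {("t1", "t2")}, TP),
    model({"t1", "t2", "t3"}, {("t1", "t2"), ("t2", "t3")}, TP),
]

if __name__ == "__main__":
    for step, current in enumerate(OBSERVED, start=1):
        print(step, rank(current, PROPOSED), detect(current, PROPOSED))
```
]]></preformat>
      <p>With only the link r1,2 observed, the shorter model B is the closest; once t3 and r2,3 are added to the current model, the ranking changes to A and the remaining link (t3, t4) is the one to watch for.</p>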
    </sec>
    <sec id="sec-5">
      <title>VII. CONCLUSION</title>
      <p>
        The proposed rules for the complex threats formalization
into a basic model can be used as a basis for further research in
the direction of the theory of complex security and hybrid
threats protection, neurographic theory of complex security [
        <xref ref-type="bibr" rid="ref8">9</xref>
        ].
      </p>
      <p>The example of constructing a basic model, given in the
work, shows its applicability.</p>
      <p>The basic model can be supplemented with various aspects that will improve the
accuracy of the created models.</p>
      <p>In addition, some aspects identified in the paper remain
open for further research, for example, the nature of the links
between elementary threats.</p>
      <p>The second most important result of the work is the
conclusion of a formalized task of complex threats detection
(13). The issue, in fact, directly leads to artificial intelligence
algorithms usage and big data processing in the construction of
integrated security systems, as there are three big tasks:</p>
      <p>1. Potential modeling of complex threats. The problem can
be solved by creating an artificial intelligence system that has
decent knowledge about complex threats modeling, the
structure of internal relationships, the features of the complex
threats implementation, etc.</p>
      <p>
        Such knowledge can only be obtained by processing large
amounts of data, collected during the operation of security
monitoring systems. In general, there arises a range of tasks
typical for Big Data technologies, which are already widely
used in many fields, including the fields of data security and
cyber security systems [
        <xref ref-type="bibr" rid="ref1 ref10 ref12 ref14 ref15 ref17 ref8">1, 9, 11, 13, 15, 16, 18</xref>
        ].
      </p>
      <p>2. Creation of rules for determining the most similar
anticipated and current models of complex threats. The solution
of this problem includes a wide range of possibilities for
applying data mining algorithms (Data Mining).</p>
      <p>
        Among the Data Mining algorithms applicable to this
problem, clustering, classification and affinity analysis can be noted.
analysis. It is possible to use regression analysis and genetic
algorithms. Data Mining technologies are also widely used in
many areas of activity, successfully solving assigned tasks,
including the field of security [
        <xref ref-type="bibr" rid="ref11 ref16 ref2 ref6 ref8">2, 3, 7, 9, 12, 17</xref>
        ].
      </p>
      <p>
        3. Tracking and current integrated threat modeling.
According to the authors, this task can be solved by creating
a certain analysis and information system, which can be based on
existing corporate information systems and security tools
within specific enterprises. Integration and data flow
monitoring [
        <xref ref-type="bibr" rid="ref13">14</xref>
        ], emphasis on critical deviations, events
recording and relation determination by methods of intellectual
analytics are the main assets, the totality of which will solve this
problem.
      </p>
      <p>
        The paper describes the basic principles of complex threats
modeling, and the task of complex threats detection is
formalized. The proposed modeling principles are based on the
idea of identifying the links between elementary threats as part
of a complex one. As an example, the process of constructing a
complex threat model based on the proposed modeling rules is
given. Based on the examples presented in the work, the paper
includes the description of tasks while working with complex
threats: the tasks of complex threats detection, the identification
of their inner structure and purposes of the implementation.
Based on the formulated principles of basic modeling, the paper
also gives a formal statement of complex threats detection
problem, which explains the possibility for applying data
mining algorithms and big data processing technologies in the
construction of protection systems against complex threats and
developing the neurographic theory of complex security [
        <xref ref-type="bibr" rid="ref8">9</xref>
        ].
      </p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>Anavangot</surname>
            , Vijay, Varun G. Menon, and
            <given-names>Anand</given-names>
          </string-name>
          <string-name>
            <surname>Nayyar</surname>
          </string-name>
          .
          <article-title>"Distributed Big Data Analytics in the Internet of Signals." 2018 International Conference on System Modeling &amp; Advancement in Research Trends (SMART)</article-title>
          . IEEE,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [3]
          <string-name>
            <surname>Chan</surname>
            ,
            <given-names>K. Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kwong</surname>
            ,
            <given-names>C. K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Wongthongtham</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jiang</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fung</surname>
            ,
            <given-names>C. K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Abu-Salih</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          , ... &amp;
          <string-name>
            <surname>Jain</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          (
          <year>2018</year>
          ).
          <article-title>Affective design using machine learning: a survey and its prospect of conjoining big data</article-title>
          .
          <source>International Journal of Computer Integrated Manufacturing</source>
          ,
          <fpage>1</fpage>
          -
          <lpage>19</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>Davis</given-names>
            <surname>Jr</surname>
          </string-name>
          ,
          <string-name>
            <surname>J. R.</surname>
          </string-name>
          (
          <year>2015</year>
          ).
          <article-title>Continued evolution of hybrid threats</article-title>
          .
          <source>The Three Sword Magazine</source>
          ,
          <volume>19</volume>
          (
          <issue>28</issue>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [5]
          <string-name>
            <surname>Elnagdy</surname>
            ,
            <given-names>S. A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Qiu</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Gai</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          (
          <year>2016</year>
          , June).
          <article-title>Cyber incident classifications using ontology-based knowledge representation for cybersecurity insurance in financial industry</article-title>
          .
          <source>In 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud)</source>
          (pp.
          <fpage>301</fpage>
          -
          <lpage>306</lpage>
          ). IEEE.
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [6]
          <string-name>
            <surname>Elnagdy</surname>
            ,
            <given-names>S. A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Qiu</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Gai</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          (
          <year>2016</year>
          , June).
          <article-title>Understanding taxonomy of cyber risks for cybersecurity insurance of financial industry in cloud computing</article-title>
          .
          <source>In 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud)</source>
          (pp.
          <fpage>295</fpage>
          -
          <lpage>300</lpage>
          ). IEEE.
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [7]
          <string-name>
            <surname>He</surname>
            ,
            <given-names>Z.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Situ</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zhou</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Wang</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zhang</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Qiu</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          (
          <year>2018</year>
          , May).
          <article-title>A Fast Security Evaluation of Support Vector Machine Against Evasion Attack</article-title>
          .
          <source>In 2018 IEEE 4th International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS)</source>
          (pp.
          <fpage>258</fpage>
          -
          <lpage>263</lpage>
          ). IEEE.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [8]
          <string-name>
            <surname>Hunter</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Pernik</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          (
          <year>2015</year>
          ).
          <article-title>The challenges of hybrid warfare</article-title>
          .
          <source>International Centre for Defence and Security.</source>
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [9]
          <string-name>
            <surname>Korneev</surname>
            ,
            <given-names>N. V.</given-names>
          </string-name>
          (
          <year>2019</year>
          , January).
          <article-title>A Neurograph as a Model to Support Control Over the Comprehensive Objects Safety for BIM Technologies</article-title>
          .
          <source>In IOP Conference Series: Earth and Environmental Science</source>
          (Vol.
          <volume>224</volume>
          , No.
          <issue>1</issue>
          , p.
          <fpage>012021</fpage>
          ). IOP Publishing.
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [10]
          <string-name>
            <surname>Mälksoo</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          (
          <year>2018</year>
          ).
          <article-title>Countering hybrid warfare as ontological security management: the emerging practices of the EU and NATO</article-title>
          .
          <source>European Security</source>
          ,
          <volume>27</volume>
          (
          <issue>3</issue>
          ),
          <fpage>374</fpage>
          -
          <lpage>392</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [11]
          <string-name>
            <surname>Mishra</surname>
            ,
            <given-names>A. D.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Singh</surname>
            ,
            <given-names>Y. B.</given-names>
          </string-name>
          (
          <year>2016</year>
          , April).
          <article-title>Big data analytics for security and privacy challenges</article-title>
          .
          <source>In 2016 International Conference on Computing, Communication and Automation (ICCCA)</source>
          (pp.
          <fpage>50</fpage>
          -
          <lpage>53</lpage>
          ). IEEE.
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [12]
          <string-name>
            <surname>Mohammed</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Awan</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ugail</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Younas</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          (
          <year>2019</year>
          ).
          <article-title>Failure prediction using machine learning in a virtualised HPC system and application</article-title>
          .
          <source>Cluster Computing</source>
          ,
          <volume>22</volume>
          (
          <issue>2</issue>
          ),
          <fpage>471</fpage>
          -
          <lpage>485</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [13]
          <string-name>
            <surname>More</surname>
            ,
            <given-names>Rohit</given-names>
          </string-name>
          , et al.
          <article-title>Real time threat detection system in cloud using big data analytics</article-title>
          .
          <source>2017 2nd IEEE International Conference on Recent Trends in Electronics, Information &amp; Communication Technology (RTEICT)</source>
          . IEEE,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [14]
          <string-name>
            <surname>Offia</surname>
            ,
            <given-names>C. E.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Crowe</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          (
          <year>2019</year>
          ).
          <article-title>A theoretical exploration of data management and integration in organisation sectors</article-title>
          .
          <source>International Journal of Database Management Systems</source>
          ,
          <volume>11</volume>
          (
          <issue>1</issue>
          ),
          <fpage>37</fpage>
          -
          <lpage>56</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [15]
          <string-name>
            <surname>Petrenko</surname>
            ,
            <given-names>S. A.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Makoveichuk</surname>
            ,
            <given-names>K. A.</given-names>
          </string-name>
          (
          <year>2017</year>
          ).
          <article-title>Big data technologies for cybersecurity</article-title>
          .
          <source>In CEUR Workshop</source>
          (pp.
          <fpage>107</fpage>
          -
          <lpage>111</lpage>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [16]
          <string-name>
            <surname>Rawat</surname>
            ,
            <given-names>D. B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Doku</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Garuba</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          (
          <year>2019</year>
          ).
          <article-title>Cybersecurity in Big Data Era: From Securing Big Data to Data-Driven Security</article-title>
          .
          <source>IEEE Transactions on Services Computing.</source>
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [17]
          <string-name>
            <surname>Singh</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          (
          <year>2014</year>
          , March).
          <article-title>Real time BIG data analytic: Security concern and challenges with Machine Learning algorithm</article-title>
          .
          <source>In 2014 Conference on IT in Business, Industry and Government (CSIBIG)</source>
          (pp.
          <fpage>1</fpage>
          -
          <lpage>4</lpage>
          ). IEEE.
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [18]
          <string-name>
            <surname>Srivastava</surname>
            ,
            <given-names>Neha</given-names>
          </string-name>
          , and Umesh Chandra Jaiswal.
          <article-title>Big Data Analytics Technique in Cyber Security: A Review</article-title>
          .
          <source>2019 3rd International Conference on Computing Methodologies and Communication (ICCMC)</source>
          . IEEE,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [19]
          <string-name>
            <surname>Stepanova</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Pechenkin</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lavrova</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          <article-title>Ontology-based big data approach to automated penetration testing of large-scale heterogeneous systems</article-title>
          (
          <year>2015</year>
          )
          <source>ACM International Conference Proceeding Series</source>
          , 08-10-Sep-2015, DOI: 10.1145/2799979.2799995.
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [20]
          <source>Probabilistic Modeling in System Engineering</source>
          / Ed. by A. Kostogryzov. London: IntechOpen,
          <year>2018</year>
          . 278 p. DOI: 10.5772/intechopen.71396.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>