The nature of threats and vulnerabilities of information complex systems and hybrid cloud ecosystems in cyberspace is complex, heterogeneous, multifactorial, flexible and rapidly modifiable. Traditional approaches to building security systems do not take into account many threats that are not obvious from the user's point of view. To study and develop new approaches to building reliable data protection systems and analyze their efectiveness, the vulnerabilities of confidential data in modern cloud environments are assessed, taking into account the modification of modern types of software architecture. Particular attention is paid to the features of microservice software architecture and their impact on the vulnerabilities of cloud ecosystems. It is proposed to use discrete-event simulation approaches to modeling security systems, taking into account the characteristics of hybrid cloud ecosystems.
Cloud technologies have a sustainable development, are constantly modified, in particular in terms of increasing the speed of computing, expanding the capabilities of analytics, and the wider use of big data and artificial intelligence [ 1, 2]. The nature of threats and vulnerabilities of information complex systems and hybrid cloud ecosystems in cyberspace is complex, heterogeneous, multifactorial, flexible and rapidly changing. Traditional approaches to building security systems do not take into account many threats that are not obvious from the user’s point of view.
In order to research and develop new approaches to building reliable data protection systems and analyze their efectiveness, it is necessary to conduct a thorough assessment of vulnerabilities of confidential data in modern cloud environments, taking into account the modification of modern types of software architecture, in particular the impact of the popular microservice architecture of software tools on the vulnerabilities of cloud environments, and to propose appropriate technologies for modeling protection systems, taking into account the characteristics of hybrid cloud ecosystems.
Ensuring security in cloud environments remains a pressing issue against the backdrop of the growing dependence of supporting the vital processes of the information society on cloud platforms and services based on cloud environments.
In addition, the large amounts of data already stored in popular clouds such as Azure, Amazon, Google Cloud, etc. are constantly increasing and will contain a significant portion of files with confidential information, including configuration files, API keys, credentials, etc. The problem of leakage of conference information due to incorrect settings of cloud segments remains and can lead to security breaches and unauthorized access to various cloud services such as databases, cloud infrastructure, third-party APIs, etc.
Modern software, most applications, are not developed from scratch; some of the necessary functions are used from the ready-made functionality of other services, often cloud-based. At the same time, access to services is protected by various types of credentials: passwords, tokens, usernames, certificates, API keys, etc. In turn, such confidential credentials may not be reliably protected at the software development stage. As a result, the likelihood of misuse of resources and unauthorized access to information increases significantly and can lead to critical consequences [ 3, 4]. Examples are known. Many researchers confirm frequent leaks of confidential data through various channels [3, 5, 6, 7]: • modern version control platforms; • virtual server images; • incorrectly configured cloud storage; • large language models based on code sharing platforms; • mobile applications; • mini applications, micro services; • Docker containers, etc.
In addition to quantifying confidential data leakage, studies suggest various approaches to increasing
the eficiency of detection processes [
The transition to new software architectures is leading to an increase in the problem of confidential data leakage and end-user losses. It is interesting to investigate the efectiveness of security processes in applications and platforms based on microservice architecture. Such hybrid ecosystems consist of many elements: the parent application server, the developer server, the hosting service, the services used by the developers, the client application, etc. A mandatory component of the joint eficient operation of all these elements is their constant joint authentication, which difers from user authentication on the platform or in applications. This is a type of technical authentication that allows an attacker to access various services on behalf of developers, which can be a significant vulnerability in the context of currently used insecure software development practices.
For example, research [7] has shown that a significant number of WeChat (over 36 thousand detections) and Baidu (112 detections) microservices and applications have non-obvious vulnerabilities related to development technologies and features of the chosen architecture. Most often, this is due to the so-called hard auto-identification used by developers. Undoubtedly, this causes quite significant security issues, including privacy violations for both developers and users. A study [7] confirmed the conclusion that any knowledgeable attacker on the network can make it impossible for an application to work, even if they do not have their own account on the parent platform. Also, such an ofender will potentially have the opportunity to engage in phishing, gain access to confidential information, and send out mailings to platform users.
Thus, the analysis shows that the nature of threats in cyberspace is heterogeneous, multifactorial, lfexible, and rapidly changing. Traditional algorithms for detecting all threats at each access point and in each user application, including in the cloud environment, and neutralizing them are not efective. To research and develop new approaches to building data protection systems and analyze their efectiveness, there is a need to develop new approaches to modeling such systems, taking into account the features of integrated cloud environments.
Usually, when modeling protection systems, it is proposed to use continuous modeling methods. The main features of which are as follows: • The system is considered to be constantly changing in time; • Time is the main parameter and often the criterion; • Models continuously track the state of the system in the time dimension.
It is suggested to change the viewing angle. Continuous monitoring or modeling of a complex hybrid ecosystem is a complex and resource-intensive task. It is proposed to investigate the possibility of applying a discrete approach to modeling systems with continuous information processes, in particular, to consider the principles of DES modeling.
Usually, Discrete-Event Simulation (hereinafter referred to as DES) considers a system as a sequence of events in time. It is assumed that events occur at certain points in time, separated from each other. The basic features of DES modeling can be identified: • An event occurs at a specific time point. As defined above, DES is used to model systems, processes, and flows that can change at identifiable points in time. At the same time, DES will not track the state of flows, systems, processes between these moments of time, i.e. continuously. • Focus on events. That is, DES focuses on events that change the state of the system. • Skipping time intervals between events. DES does not investigate the state of the system between the moments of time when the event occurred, which reduces the complexity and the amount of resources required for modeling processes. During the modeling process, DES moves from one event to the next, the next. • Widespread use of queueing theory. This is not a mandatory feature of DES, but in cases where the processes of receiving and servicing requests are significant in the system, the use of queue theory is more than reasonable. Unlike continuous modeling, the main features of DES are as follows: • No changes between events • The main parameter is not time, but an event • The state of the system between moments of time does not matter.
When modeling data protection in complex heterogeneous systems, including hybrid cloud ecosystems, we assume that: • From the point of view of functional suitability, the state of protection systems is significant at the time of a cyber incident, attack, unauthorized access attempt, etc. • Outside of the moments of attack and intrusion attempts, the state of the protected system is unimportant.
At the same time, such a system can be considered as discrete, and the event that will afect the change in the system state is the moment of attack, and there is a finite set of such moments. Figure 1 shows the DES process of a data protection system in hybrid cloud ecosystems as a discrete-event system.
The properties of data protection systems in hybrid cloud ecosystems identified by the authors allow us to attribute them to discrete-event systems, which are most widely used in the theory of automata with their variants, such as various graphs and the mathematical apparatus of Petri nets. The latter has an intuitive graphical representation, has been widely used in applied problems of modeling asynchronous and parallel dynamic systems, and has algorithmic developments.
In the classical representation [12], a Petri net has four components: = (, , , ) (1) where: = {1, 2, 3, ..., } is a finite set of positions, >= 0 is the power of the set ; = {1, 2, 3, ..., } is a finite set of transitions, >= 0 is the power of the set ; ∩ = ∅ - the sets and do not intersect. , = 1, 2, ..., - any element of ; , = 1, 2, ..., - any element of ; - is an input function that represents the transition of to the set of positions ( ); - is an output function that represents the transition of to the set of positions ( ).
Thus, the structure of a Petri net is defined by its positions, transitions, input and output functions, and is usually represented as a graph. Such a graph is a bipartite, oriented multigraph, in which one part is formed by positions and an arc by transitions. Many arcs connect positions and transitions. In such a graph, there are two types of nodes: a position (denoted by a circle) and a transition (denoted by a bar). Arcs are oriented and connect positions and transitions. An arc that has a direction from position pi to transition tj determines the position that is the output of the transition.
In the further development of distributed modeling methods, the models and structure became more complex, high-level networks, nested, functional, hierarchical, etc. appeared. A characteristic feature was often the modular representation of diverse distributed systems, with the allocation of a separate autonomous module that functioned independently, had a certain internal state (whether dynamic or stable) and a certain set of inputs and outputs. The inputs/outputs were used to interact with the external environment.
To solve the problem of modeling protection systems, it is necessary that such a functional module can be located separately from the basic system.
We will impose certain restrictions: we will assume that external influences from the environment are directed exclusively to the set of inputs, and the result can be considered exclusively in the set of outputs. This approach is inherent in functional networks, which have a more regular structure in the presence of these restrictions.
= (, , , , , ) (2) where: = {1, 2, 3, ..., } is a finite set of positions, >= 0 is the power of the set ; = {1, 2, 3, ..., } is a finite set of transitions, >= 0 is the power of the set ; ∩ = ∅ - the sets and do not intersect. , = 1, 2, ..., - any element of ; , = 1, 2, ..., - any element of ; - is an input function that represents the transition of to the set of positions ( ); - is an output function that represents the transition of to the set of positions ( ). ⊆ - is the set of input positions of the Petri net; ⊆ - is the set of output positions of the Petri net. ∩ = ∅ - the sets and do not intersect.
With this approach, another set PV is formed - the set of internal positions that are not included in the sets PI and PO.
Given that the defense systems under consideration will receive heterogeneous threats at the input positions and will require diferent times for the defense system to react, our model needs to include time delays for threat processing and determine the moment when the DES process is initiated. Let’s get the model: = (, , , , , , , ) (3) where: = {1, 2, 3, ..., } is a finite set of positions, >= 0 is the power of the set ; = {1, 2, 3, ..., } is a finite set of transitions, >= 0 is the power of the set ; ∩ = ∅ - the sets and do not intersect. , = 1, 2, ..., - any element of ; , = 1, 2, ..., - any element of ; - is an input function that represents the transition of to the set of positions ( ); - is an output function that represents the transition of to the set of positions ( ). - is the set of input positions of the Petri net; - is the set of output positions of the Petri net. - time delay for threat processing; - is a position label that characterizes a certain state of the model.
It is also possible to increase the eficiency and accuracy of the analysis and the corresponding model built on the basis of hierarchical Petri nets. In this case, the same Petri nets can act as constituent elements. In the task of ensuring data protection in hybrid cloud environments, each nested element can identify diferent types of threats and/or perform direct protection actions. The mathematical model in this case will be as follows: = (, , , , 0, , , ) (4) where: = {1, 2, 3, ..., } is a finite set of positions, >= 0 is the power of the set ; = {1, 2, 3, ..., } is a finite set of transitions, >= 0 is the power of the set ; ∩ = ∅ - the sets and do not intersect. , = 1, 2, ..., - any element of ; , = 1, 2, ..., - any element of ; - is an input function that represents the transition of to the set of positions ( ); - is an output function that represents the transition of to the set of positions ( ). 0 - is the set of initial labeling of the network; - is the set of nested Petri nets in ; - is the set of input positions of nested Petri nets; - is the set of output positions of nested Petri nets.
The developed model, among other things, can allow analyzing the dynamics of the system being modeled.
Is it enough to focus on the approaches proposed in this article for the problem under consideration? Certainly not. The research will continue. It would be advisable to consider other approaches for modeling complex security systems in cloud heterogeneous ecosystems that will allow first to efectively model and then find a platform for building such systems, taking into account the rapid changes in IT technologies, the growth of processed data, the development of quantum technologies, etc. Sustainable search for appropriate solutions will contribute to the development of more efective data protection technologies in complex systems and hybrid cloud ecosystems, which will generally contribute to the creation of a more secure cyberspace.
The article reveals the complex and multifactorial nature of threats and vulnerabilities of information large systems and hybrid cloud ecosystems in cyberspace. The following properties of such systems are important to take into account: heterogeneity, hierarchy, multifactoriality, flexibility, and high speed of complex changes. Traditional approaches to building defense systems and corresponding algorithms are not efective enough and usually do not take into account a whole group of threats associated with the architectures of the developed defense systems.
To research and develop new approaches to building data protection systems in hybrid cloud ecosystems and analyze their efectiveness, it is proposed to use DES technologies to model protection systems, taking into account the characteristics of hybrid complex systems.
The authors have not employed any Generative AI tools. [1] I. B. Tregubenko, V. Y. Kotetunov, Problems of information security of hybrid integration ecosystems based on cloud technologies, in: Proceedings of the III International Scientific and Practical