Methods of Profiling the Behavior of Dynamic Objects of a Critically Important Information Infrastructure*

Sergei A. Petrenko1 [0000-0003-0644-1731], Alexander V. Olifirov2 [0000-0002-5288-2725], Krystina A. Makoveichuk2 [0000-0003-1258-0463], Nikolay N. Oleinikov2 [0000-0002-9348-9153]

1 Innopolis University, Kazan, Russia, s.petrenko@rambler.ru
2 V.I. Vernadsky Crimean Federal University, Yalta, Russia, alex.olifirov@gmail.com, christin2003@yandex.ru, oleinikov1@mail.ru

Abstract. According to ISO/IEC TR 18044:2004, an incident is an undesirable or unexpected event (or a combination of such events) that could compromise the information interaction processes of a critically important infrastructure or threaten its information security and/or cyber resilience. Accordingly, incident prediction is the process of identifying the vulnerable interaction states of the objects of a critically important information infrastructure under disturbances. From the incident prediction results it becomes possible to develop a profile of the observed object, containing information about the exploited vulnerability, the actions of the intruder and possible scenarios of proactive counteraction against these attacking influences.

Keywords: inverse similarity theorem, dynamic control of correctness of calculation programs, correctness of computing processes.

1 Introduction

We propose a possible way of profiling the behavior of the key IT services and IT systems of a critically important information infrastructure under perturbation conditions. The dynamic profiles allow identifying the classes of vulnerable states of the infrastructure. In this case the recognition of the informative signs of possible vulnerabilities is carried out under extremely large volumes of monitoring data.
When selecting information, the dynamic weights of the recognition signs and the corresponding profiling values of the observed objects are determined; this can significantly reduce the response time to potential incidents and purposefully select adequate measures to ensure the required cyber resilience [1, 4]. Thus, a new method is proposed for profiling the complex dynamic subsystems of a critically important infrastructure under incomplete and contradictory information on the state of the observed objects. This profiling method is based on a mathematical apparatus for iteratively diagnosing the potentially dangerous states of complex dynamic systems using communication ($Pr_1$) and behavioral ($Pr_2$) profiles, as well as profiles of the means providing the required cyber resilience ($Pr_3$) of the observed objects [2, 5]. It is significant that the profiling method makes it possible to model the potential behavior of an intruder during the implementation of threats to resilience (security), and to make decisions about organizing special scenarios that ensure the required cyber resilience and prevent serious incidents that would transfer the critical information infrastructure into an irreversible catastrophic state.

* Copyright 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

2 The problem of profiling the behavior of critical information infrastructure objects

Unlike the well-known cyber resilience approaches, the proposed profiling method is implemented both at the stages of primary processing of the monitoring results of critical information infrastructure objects and at the stages of analyzing and summarizing heterogeneous information concerning the functioning of the observed infrastructure and its individual elements (devices and resources).
At the first stage (analytical description of the processes $Pr_1, \dots, Pr_n$ of interaction between the objects of the critical information infrastructure $G_1$; Figure 1) it is necessary to take into account the structural and functional characteristics of the observed objects, the composition and specifics of the system and application software, and the characteristics of the operating system [3, 8]. This is necessary to form the sets of quantitative ($B_1$) and qualitative ($B_2$) signs reflecting the possible ways in which information technology impact situations on the protected objects of the critically important information infrastructure may develop.

Fig. 1. Protected infrastructure profiling scheme

Based on the specifics and characteristics of the disturbances of functioning and on the composition of the feature set, at the third stage a set of active ($M^{Act}_{G_1}$) and/or passive ($M^{Pass}_{G_1}$) methods and means ($Sr_{G_1}$) of monitoring the protected infrastructure $G_1$ is formed. These methods and means should take into account the type of intruder impact and its relation to the threat model of the protected infrastructure. At this stage the degree of interconnection between alternative groups of negative impact signs and the consequences (damage) of their manifestation are also determined, and a list of possible measures to ensure the required cyber resilience is developed. After the corresponding procedures of iterative diagnostics and primary processing of the obtained data, the intruder actions and the corresponding cyber resilience violation events are verified, and the profiles of the corresponding objects of the protected infrastructure are developed.
Thus, the required cyber resilience of the protected infrastructure is ensured by diagnosing the potentially vulnerable states of the observed infrastructure, determining the type and criticality of the vulnerability, and developing a plan of possible measures to ensure the required cyber resilience. The proposed approach to profiling the behavior of dynamic objects of the protected infrastructure required solving the problem of diagnosing complex dynamic cyber systems under temporary absence of observability of the corresponding interaction processes [6, 7]. Usually, a typical object of the protected infrastructure is a complex dynamic cyber system (both in structure and in behavior) operating under temporary or partial absence of observability of its interaction with other infrastructure objects.

Here the diagnosis task for such cyber systems is to determine the state of the object and the set of monitored parameters from which the functional cyber resilience of the infrastructure object can be judged, i.e. to determine whether its current system configuration and application software is vulnerable, or whether the object has no distinguishable vulnerabilities. The desired solution involves developing diagnosis procedures whose content depends on the properties of the protected infrastructure, the priorities and direction of diagnosis, and the conditions of its implementation.
Let a protected critically important information infrastructure $S = P$ (Figures 1 and 2) consist of a set of objects $B = \langle B_1, B_2, B_3 \rangle$, where $B_1 = \langle B_1^{(1)}, B_2^{(1)}, \dots, B_m^{(1)} \rangle$ is the set of devices (routers) and web resources (servers); $B_2 = \langle B_{m+1}^{(2)}, B_{m+2}^{(2)}, \dots, B_n^{(2)} \rangle$ is the set of users (data sources) of the infrastructure; $B_3 = \langle B_1^{(3)}, B_2^{(3)}, \dots, B_h^{(3)} \rangle$ is the set of information gathering and processing means (host and network sensors of the cyber-attack detection system), connected to each other by communication channels [12] and represented by a connection matrix, in the given units of measurement, between the points $B_i$ and $B_j$ ($i, j = 1, \dots, n$):

$$L = \begin{Vmatrix} l_{11} & l_{12} & \dots & l_{1n} \\ l_{21} & l_{22} & \dots & l_{2n} \\ \dots & \dots & \dots & \dots \\ l_{n1} & l_{n2} & \dots & l_{nn} \end{Vmatrix}$$

is the connection matrix between the objects ($l_{ij} \ge 0$ for $i \ne j$, $l_{ii} = 0$, $i, j = 1, \dots, n$). Let the monitoring data collection time ($T_{col}$), the recording time ($T_0$) of the action $d_1^{col} \in D_1^{col}$ and the processing time of the monitoring data be known. The cyber-attack detection systems receive as a source multiple packet streams of the $i$-th node of the protected infrastructure ($b_{1N}$) with intensities $\lambda_i = \{\lambda_{i1}, \lambda_{i2}, \dots, \lambda_{ib}\}$ and generate a set of packets of the $i$-th infrastructure node ($b_{1N}$) with $\nu_i = \{\nu_{i1}, \nu_{i2}, \dots, \nu_{ig}\}$.

Fig. 2. Graph representation of the protected infrastructure

In modern monitoring systems, subsystems of active data collection (based on scanning a network object according to the request-response principle with subsequent processing of the responses) and of passive data collection (based on the analysis of network traffic parameters with the selected interface in listening mode) are implemented.
In general, the data processing system using active monitoring methods ($i = 1, \dots, m$) can be represented by the seven sets

$$B_i^{(c)} = \{T_i^{(c)}, Prs_i^{(c)}, Prd_i^{(c)}, V_i^{(c)}, F^{(c)}, \Phi^{(c)}, T_i^{(c)}\}, \quad (1)$$

where $T_i^{(c)} = \{t_{i1}^{(c)}, t_{i2}^{(c)}, \dots, t_{ir_1}^{(c)}\}$ is the set of time values $t$ of observation of the protected infrastructure object; $Prs_i^{(c)} = \{prs_{i1}^{(c)}, prs_{i2}^{(c)}, \dots, prs_{iq_1}^{(c)}\}$, $q_1 \in N_q$, is the set of parameter values (input signals) of the scan sessions conducted against the infrastructure object; $Prd_i^{(c)} = \{prd_{i1}^{(c)}, prd_{i2}^{(c)}, \dots, prd_{ig_1}^{(c)}\}$, $g \in N_a$, is the set of values of passive traffic scanning (output signals) identifying the state of the infrastructure object; $V_i^{(c)} = \{V_{i1}^{(c)}(t), V_{i2}^{(c)}(t), \dots, V_{id_1}^{(c)}(t)\}$, $d \in N_a$, is the state space of the protected infrastructure object during monitoring; $F^{(c)}$ is the transition operator, reflecting the mechanism of change of the object state of the protected infrastructure under internal and external cyber-attacks; $\Phi^{(c)}$ is the output operator, describing the mechanism of generating the output signal as the response of the protected infrastructure object to internal and external disturbances; $T_i^{(c)} = \{T_{i1}^{(c)}, T_{i2}^{(c)}, \dots, T_{ip_1}^{(c)}\}$, $p_1 \in N_a$, is the set of values formed from the monitoring results and establishing the truth values of passive scanning of the protected infrastructure object.
The structure of the process characterizing the dynamics of changes in the properties of the devices and users of the protected infrastructure during the passive monitoring sessions $t \in [t_i, t_i + \Delta_i)$, $i = 1, \dots, m$, is presented as a chain of mappings

$$R\langle \chi_{B^{(1)},B^{(2)}}(t), \chi_{B^{(3)}}(t)\rangle \to R\langle B_t^{(1)}, B_t^{(2)}, B_t^{(3)}\rangle, \quad R\langle B_t^{(1)}, B_t^{(2)}, B_t^{(3)}\rangle \to B_t^{(3)}, \quad R\langle B_t^{(1)}, B_t^{(2)}, B_t^{(3)}\rangle \to B_t^{(1)}, B_t^{(2)},$$
$$B_t^{(1)}, B_t^{(2)} \to R\langle \chi_{B^{(1)},B^{(2)}}(t), \chi_{B^{(3)}}(t)\rangle \to \chi_{B^{(1)},B^{(2)}}(t), \quad B_t^{(3)} \to \chi_{B^{(3)}}(t),$$

where $\chi_{(\cdot)}(t)$ are the states of the devices, users and controlled cyber-attack detection systems; $R\langle \chi_{\langle\cdot\rangle}, \chi_{\langle\cdot\rangle}\rangle$ are the connections between states; $R\langle B_t^{(1)}, B_t^{(2)}, B_t^{(3)}\rangle$ are the connections between the devices, users and sensors of the cyber-attack detection system, which change over time and characterize the above process of monitoring the objects of the protected infrastructure. The operators implement the mappings

$$F^{(c)}: T_i^{(c)} \times Prs_i^{(c)} \times V_{id_1}^{(c)}(t) \to V_i^{(c)}, \quad (2)$$
$$\Phi^{(c)}: T_i^{(c)} \times Prs_i^{(c)} \times V_{id_1}^{(c)}(t) \to Prd_i^{(c)}. \quad (3)$$

Every state $V_i$ of the protected infrastructure object is characterized at each moment of time $t \in T$ by a set of variables $V_{id}^{(c)}$, $d \in N_a$, changing under the influence of cyber intruder attacks and of the internal disturbances caused, for example, by component vulnerabilities of the system and/or application software. Thus, under restrictions on the selected method of processing observations ($u(t) \in U_{adm}$), on the intensity of the processed information flows ($\lambda_1 \le \lambda(t) \le \lambda_2$), on the amount of stored information about the users and devices of the protected infrastructure ($V_1 \le V(t) \le V_2$), and on the total time of collecting information about the infrastructure users and devices ($\min_{d_i \in D_{adm}} \sum_{i=1}^{k} T_i(d_i^{col})$), it is necessary to find:
─ the functionals of state identification and control of the complex dynamic systems under absence or partial observability of the objects of the protected infrastructure, $T \times Prs \times V \to Prd$, $\phi: Prd \to T$, $Prd \to T_{mon}$, $T \to Prd_{set}$, $T \to T_{mon}$, $T_{mon} \to Prd_{set}$;
─ the control law of the network (host) cyber-attack sensor that keeps the total time spent on collecting the monitoring data of the protected infrastructure objects within the directive value, under restrictions on the admissible region of the control programs and a possible list of actions to ensure the required cyber resilience:

$$u^*(t) = \arg_{u(t) \in \{U_\partial(t)\},\; d_i \in \{D_\partial\}} \Big(\sum_{i=1}^{k} T(u(t), d_i^{col}) \le T_{\Sigma\partial}\Big), \quad \{U_\partial(t)\} = u_\partial(t) \mid (\lambda_1 \le \lambda(t) \le \lambda_2) \cap (V_1 \le V(t) \le V_2) \cap (N_1 \le N \le N_2). \quad (4)$$

In the secondary processing of the monitoring data, the system for developing scenarios of proactive counteraction to the intruder's cyber-attacks and ensuring the required cyber resilience should assess the situation at $t = t_0$, determined by the dependencies between the states of the information sources and the sensors of the cyber-attack detection system. At the final moment of time the dependencies between the states are different, therefore the process of achieving the goal is described as a change of dependencies

$$x_{B^{(1)},B^{(2)}}(t_0)\, R\langle\cdot\rangle\, x_{B^{(3)}}(t_0) \Rightarrow x_{B^{(1)},B^{(2)}}(t_k)\, R\langle\cdot\rangle\, x_{B^{(3)}}(t_k), \quad (5)$$

and the logical entailment from the initial to the final state is associated with a set of possible informational actions. The list and sequence of the actions is determined by the logic of behavior of $B^{(3)}$ and its settings. In fact, $B^{(3)}$ performs the functions of a control unit that prepares a decision to ensure the required cyber resilience. When working out a solution it is necessary to consider all possible choices leading to the achievement of the goal $P(\hat\tau_{req} < \hat\tau < \hat\tau_{enough}) = P_{PV}$, where $\hat\tau = \hat\tau_p + \hat\tau_{pass} + \hat\tau_{act} + \hat\tau_{RV}$, $\hat\tau_p \ge \hat\tau_{req}$, and among the possible solutions the most preferred one should be chosen.
When choosing the possible solutions and the actions behind them, it is necessary to choose those chains of them that satisfy condition (5). The information situation emerging at the protected infrastructure is fixed by a set of decision rules reflecting the connections between the states $B^{(1)}, B^{(2)}, B^{(3)}$ at $t = t_k$. Thus, at the next stage of ensuring the required cyber resilience of the protected infrastructure it is necessary to determine the observation parameters, based on the diagnostic value of the signs of a potentially vulnerable critically important information infrastructure.

3 Selection of observation parameters

In the technical diagnostics of a critically important information infrastructure it is very important to describe the object in the system of signs that has the greatest diagnostic value. The use of non-informative features is not only useless but also reduces the efficiency of the diagnostic process itself by interfering with recognition. We assume that the diagnostic value of a sign is determined by the amount of information the sign adds to the state system of the observed object [9, 13].

Let there be a system $Pr$ that is in one of $n$ possible states $Pr_i$ ($i = 1, 2, \dots, n$). We call this system a system of profiles, and each of its states a profile. Different states of the protected infrastructure at discrete instants of time are represented by a set of standards (profiles), and the number of profiles is chosen according to the study objectives. Recognition of the states of the system $Pr$ is carried out by monitoring the system associated with it, the system of signs. A survey result expressed in one of two symbols or as a binary number (0 or 1) is called a simple sign. From the point of view of information theory, a simple sign can be considered as a system having one of two possible states.
If $k_j$ is a simple sign, its two states are denoted $k_j$ (the sign is present) and $\bar k_j$ (the sign is absent). A simple sign may indicate the presence or absence of the measured parameter (PST) in a certain interval; it may also be qualitative (positive or negative test result, etc.) [11, 12]. A two-valued sign ($m = 2$) has two possible states, denoted $k_{j1}$ and $k_{j2}$. Let, for example, the sign $k_j$ be related to the measurement of a parameter $x$ for which two diagnostic intervals are established: $x \le 10$ and $x > 10$. Then $k_{j1}$ corresponds to $x \le 10$ and $k_{j2}$ to $x > 10$. These states are alternatives, because only one of them is realized. Obviously, the two-valued sign can be replaced by the simple sign $k_j$ by putting $k_{j1} = k_j$, $k_{j2} = \bar k_j$. If the survey finds that the sign $k_j$ has the value $k_{js}$ for the given object, this value is called the implementation of the sign $k_j$. Denoting it by $k_j^*$, we have $k_j^* = k_{js}$. For the diagnosis $Pr_i$ we take

$$Z_{Pr_i}(k_j^*) = Z_{Pr_i}(k_{js}) = \log_2 \frac{P(Pr_i / k_{js})}{P(Pr_i)}, \quad (6)$$

where $P(Pr_i / k_{js})$ is the probability of the profile $Pr_i$ provided that the sign $k_j$ received the value $k_{js}$, and $P(Pr_i)$ is the prior probability of the profile. The quantity $Z_{Pr_i}(k_{js})$ is known in works on information theory as the "information value". From the information theory point of view, $Z_{Pr_i}(k_{js})$ is the information on the state $Pr_i$ carried by the state $k_{js}$ of the sign. The diagnostic weight of a particular implementation of a sign does not yet give an idea of the diagnostic value of a survey on this sign. Thus, during a survey on a simple sign it may turn out that its presence has no diagnostic weight, whereas its absence is extremely important for establishing the profile of the object of the protected infrastructure.
The diagnostic value of a survey on an $m$-valued sign $k_j$ for the profile $Pr_i$ is the amount of information introduced by all implementations of the sign $k_j$ into the profile $Pr_i$:

$$Z_{Pr_i}(k_j) = \sum_{s=1}^{m} P(k_{js} / Pr_i)\, Z_{Pr_i}(k_{js}). \quad (7)$$

The diagnostic survey value takes into account all possible implementations of the sign and represents the expected amount of information contributed by the individual implementations. Since $Z_{Pr_i}(k_j)$ refers to only one profile $Pr_i$, we call it the particular diagnostic value of the survey on the sign $k_j$. $Z_{Pr_i}(k_j)$ determines the independent diagnostic survey value; it characterizes the situation when the survey is conducted first or when the results of other surveys are unknown. Writing $Z_{Pr_i}(k_j)$ in a form convenient for further calculations,

$$Z_{Pr_i}(k_j) = \sum_{s=1}^{m} P(k_{js} / Pr_i) \log_2 \left[\frac{P(Pr_i / k_{js})}{P(Pr_i)}\right]. \quad (8)$$

The generated attribute space allowed identifying and classifying the symptoms of the potentially vulnerable states of the protected infrastructure and determining the network traffic parameters used for communication and behavioral profiling of the protected infrastructure objects with atypical interaction macroparameters. Let us further consider the procedure for determining the diagnostic weights of the signs of vulnerable states of the protected infrastructure objects.

4 Reference behavior profiling

We distinguish three different states (profiles) of the protected infrastructure object caused by the attacking effects of violators: $Pr_1$ is a profile characterizing a vulnerable state due to an unknown (zero-day) vulnerability; $Pr_2$ is a profile characterizing a vulnerable state due to the configuration of the protection means; $Pr_3$ is a profile characterizing a vulnerable state due to an impact on a known vulnerability.
Profiling is carried out according to nine simple non-specific features: byte frequency for TCP ($k_1$), byte frequency for UDP ($k_2$), hash value ($k_3$), hash value based on byte offset ($k_4$), the first 4 bytes repeated in packets ($k_5$), the hash value for pairs of the first 16 bytes of the first 4 packets ($k_6$), the length of the first four packets in one direction ($k_7$), the nibble number of the first packet from the server to the client ($k_8$), and duplicate pairs of bytes ($k_9$) [14, 15]. For example, the functional state is diagnosed at 414 of the 450 network nodes of the protected infrastructure (having no known vulnerabilities); of the 36 surveyed nodes that were attacked by intruders, 10 were in the first vulnerable state, 12 in the second and 14 in the third [10, 16]. The profiling results by feature are shown in Table 1. Note that the first profile is characterized by the presence of at least two shaded squares (ones) in the first row and at least two white squares (zeros) in the remaining rows, etc. The frequency of occurrence of a feature is taken as its probability.

Table 1. Statistical data of profiling infrastructure objects by simple signs (1 = sign present, 0 = sign absent)

Profile  Node  k1 k2 k3 k4 k5 k6 k7 k8 k9
Pr1      1     1  1  1  1  0  0  0  0  1
Pr1      2     1  1  0  0  1  0  0  1  0
Pr1      3     1  0  1  1  0  0  0  0  1
Pr1      4     0  1  1  0  0  1  1  0  0
Pr1      5     1  1  1  1  0  0  0  0  1
Pr1      6     1  1  1  0  1  0  0  1  0
Pr1      7     1  1  0  1  0  0  0  0  1
Pr1      8     1  0  1  0  0  1  1  0  0
Pr1      9     0  1  1  0  0  1  1  0  0
Pr1      10    1  1  1  0  0  1  1  0  0
Pr2      1     0  0  1  0  1  1  0  1  0
Pr2      2     0  1  0  1  0  1  0  0  1
Pr2      3     0  0  1  1  1  0  1  0  0
Pr2      4     1  0  0  1  1  1  0  1  0
Pr2      5     0  0  1  0  1  1  0  0  1
Pr2      6     0  1  0  1  1  1  0  1  0
Pr2      7     0  0  1  1  0  1  1  0  0
Pr2      8     1  0  0  1  1  1  0  1  0
Pr2      9     0  1  0  1  1  0  0  0  1
Pr2      10    1  0  0  1  1  1  1  0  0
Pr2      11    0  0  1  0  1  1  1  0  0
Pr2      12    0  1  0  1  1  1  0  0  1
Pr3      1     1  0  0  0  1  0  1  1  0
Pr3      2     0  1  0  0  0  1  0  1  1
Pr3      3     1  0  0  1  0  0  1  1  1
Pr3      4     0  0  1  0  1  0  1  0  1
Pr3      5     1  0  0  0  0  1  1  1  0
Pr3      6     0  1  0  0  1  0  1  1  1
Pr3      7     1  0  0  1  0  0  0  1  1
Pr3      8     0  0  1  0  1  0  1  1  1
Pr3      9     0  1  0  0  0  1  1  0  1
Pr3      10    0  0  1  1  0  0  1  1  1
Pr3      11    0  0  1  1  0  0  1  1  1
Pr3      12    0  1  0  0  1  0  0  1  1
Pr3      13    0  0  1  1  0  0  1  1  0
Pr3      14    1  0  0  0  0  1  1  0  1

(The "geometric interpretation" column of the original table, a 3×3 grid of cells numbered 1 to 9 per node N1 … N14 with the present signs shaded, is not reproduced here.)

For example, for the first sign (presence of the feature $k_1$, absence $\bar k_1$):

$P(k_1 / Pr_1) = 8/10 = 0.8$; $P(\bar k_1 / Pr_1) = 2/10 = 0.2$; $P(k_1 / Pr_2) = 3/12 = 0.25$; $P(k_1 / Pr_3) = 5/14 = 0.357$; $P(k_1) = 16/36 = 0.444$.

Then we determine the independent diagnostic weights of the feature implementations using expression (6) and the independent diagnostic survey value using equality (8). The calculation results are shown in Table 2.
For the profile $Pr_1$ the survey on the features $k_1, k_2, k_3$ is the most diagnostic; for the profile $Pr_2$ on $k_4, k_5, k_6$; and for the profile $Pr_3$ on $k_7, k_8, k_9$. For the profile system as a whole, the diagnostic survey values do not differ much.

Table 2. Probabilities, diagnostic weights of implementations and diagnostic values of the signs. Priors: P(Pr1) = 0.278, P(Pr2) = 0.333, P(Pr3) = 0.389. For each profile Pri the four columns are P(kj/Pri), the weight ZPri(kj) of the sign's presence, the weight ZPri(k̄j) of its absence, and the survey value ZPri(kj) by (8); ZPr(kj) is the prior-weighted value for the whole profile system and P(kj) the overall frequency of the sign.

kj | Pr1: P(kj/Pr1) ZPr1(kj) ZPr1(k̄j) ZPr1(kj) | Pr2: P(kj/Pr2) ZPr2(kj) ZPr2(k̄j) ZPr2(kj) | Pr3: P(kj/Pr3) ZPr3(kj) ZPr3(k̄j) ZPr3(kj) | ZPr(kj) | P(kj)
1  | 0.8  0.848  -1.475  0.383 | 0.25   -0.83   0.433  0.117 | 0.357  -0.315  0.21    0.023 | 0.154 | 0.444
2  | 0.8  0.848  -1.475  0.383 | 0.333  -0.415  0.263  0.037 | 0.286  -0.635  0.362   0.077 | 0.149 | 0.444
3  | 0.8  0.678  -1.322  0.278 | 0.417  -0.263  0.222  0.02  | 0.357  -0.486  0.363   0.059 | 0.107 | 0.5
…
9  | 0.4  -0.4   0.346   0.047 | 0.333  -0.662  0.498  0.111 | 0.786  0.575   -1.141  0.208 | 0.131 | 0.528

Table 3 presents the conditional diagnostic survey values after the survey on the first feature. The table shows a significant change in the diagnostic survey value depending on which implementation of the first sign was observed.

Table 3. Conditional diagnostic survey values after the survey on k1. For each profile the two columns are ZPri(kj/k1) (k1 was present) and ZPri(kj/k̄1) (k1 was absent); the last two columns are the prior-weighted values ZPr(kj/k1) and ZPr(kj/k̄1) for the whole profile system.

kj | Pr1: k1  k̄1   | Pr2: k1  k̄1   | Pr3: k1  k̄1   | ZPr: k1  k̄1
2  | 0.42   1      | 0.678  0.009  | 0.678  0.009  | 0.606  0.284
3  | 0.42   0.737  | 0.678  0.006  | 0.678  0.006  | 0.606  0.209
4  | 0.011  0.863  | 0.83   0.136  | 0.077  0.041  | 0.31   0.301
…
8  | 0.189  0      | 0.082  0.235  | 0.278  0.235  | 0.188  0.170

Thus, knowing the diagnostic survey value for the corresponding groups of features in the corresponding infrastructure, it is possible to conduct selective monitoring, providing a significant reduction of the response time to potential incidents and ensuring the required cyber resilience.
5 Procedure of iterative diagnosis

In the diagnostics tasks of a critically important information infrastructure, the selection of the most informative features for describing the object of the infrastructure and the subsequent construction of the diagnostic process is extremely important. In many cases this is due both to the difficulty of obtaining the information itself (the number of host (network) sensors of the cyber-attack detection system is, as a rule, limited) and to the limited time of the diagnostic survey under cyber-attacks. The diagnostic survey process is presented as follows [13, 15]. A system can be, with a certain probability, in one of the previously unknown states. If the prior probabilities of the states $P(Pr_i)$ can be obtained from statistical data, then the system entropy is

$$H(Pr) = -\sum_{i=1}^{n} P(Pr_i) \log_2 P(Pr_i). \quad (9)$$

As a result of a full diagnostic survey on the complex of features $K$, the system state becomes known (for example, it turns out that the network object is in the state $Pr_1$; then $P(Pr_1) = 1$ and $P(Pr_i) = 0$ for $i = 2, \dots, n$). After a complete diagnostic survey the system entropy (uncertainty) is

$$H(Pr / K) = 0. \quad (10)$$

The information contained in the diagnostic survey, or the diagnostic survey value, is

$$J_{Pr}(K) = Z_{Pr}(K) = H(Pr) - H(Pr / K) = H(Pr). \quad (11)$$

In fact, condition (10) is far from always fulfilled. In many cases recognition is statistical in nature, and it is sufficient to know that the probability of one of the states is high enough (for example, $P(Pr_1) = 0.95$). For such situations the residual system entropy is $H(Pr / K) \ne 0$. In practical cases the required diagnostic survey value is

$$Z_{Pr}(K) = \xi H(Pr), \quad (12)$$

where $\xi$ is the survey completeness coefficient, $0 \le \xi \le 1$. The coefficient $\xi$ depends on the required recognition reliability and for real diagnostic processes should be close to 1.
If the prior probabilities of the system states are unknown, one can always give an upper bound for the system entropy, $H(Pr) \le \log_2 n$, where $n$ is the number of system states. Under condition (12) the amount of information that needs to be obtained during the diagnostic survey is given, and it is required to build an optimal process of its accumulation. When building the diagnostic process, the difficulty of obtaining the relevant information must be taken into account. We call the optimality coefficient of the diagnostic survey on $k_j$ for the profile $Pr_i$ the value

$$\lambda_{ij} = \frac{Z_{Pr_i}(k_j)}{c_{ij}}, \quad (13)$$

where $Z_{Pr_i}(k_j)$ is the diagnostic value of the survey on $k_j$ for the profile $Pr_i$ (in general, $Z_{Pr_i}(k_j)$ is determined from the results of the previous surveys), and $c_{ij}$ is the complexity coefficient of the survey on $k_j$ for the profile $Pr_i$, characterizing the laboriousness of the survey, its reliability, duration and other factors. It is assumed that $c_{ij}$ does not depend on the previous surveys. The optimality coefficient for the entire profile system is

$$\lambda_j = \frac{\sum_{i=1}^{n} P(Pr_i)\, Z_{Pr_i}(k_j)}{\sum_{i=1}^{n} P(Pr_i)\, c_{ij}} = \frac{Z_{Pr}(k_j)}{c_j}. \quad (14)$$

When calculating $\lambda_j$, both the information and the survey complexity are averaged over all profiles. For a survey on a complex $K$ of $\nu$ signs the optimality coefficient is

$$\lambda = \frac{Z_{Pr}(K^{(\nu)})}{\sum_{j=1}^{\nu} c_j}, \quad (15)$$

where $Z_{Pr}(K^{(\nu)})$ is the diagnostic value of the survey on the complex of signs. Thus, the optimality coefficient is large if the required diagnostic value is obtained with a smaller number of individual surveys. In the general case, an optimal diagnostic process should ensure the maximum value of the optimality coefficient of the entire survey (the condition of diagnostic survey optimality).

To describe the interaction (information transfer) between the objects of the protected infrastructure in time, dynamic communication profiles are used.
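The following block, added here as an illustration and not code from the paper, reproduces the calculations of Sections 3 to 5 from the Table 1 data: the diagnostic weights (6), the survey values (7)/(8) for Table 2, the conditional values for Table 3, the entropy (9), and a greedy version of the iterative diagnosis that picks the next sign by the optimality coefficient (13)/(14) and stops when the information gained reaches the completeness condition (12). The 9-sign matrix is transcribed from Table 1; the function names, the treatment of a node as a vector of nine observed signs, the convention $0 \cdot \log 0 = 0$, and the unit survey complexity $c_j = 1$ are assumptions of the example.

```python
"""Diagnostic weights/values (eqs. 6-8), entropy (9), completeness (12) and a greedy
iterative survey driven by the optimality coefficient (13-14) of the paper.

Added example, not code from the paper. TABLE1 is transcribed from Table 1 (one row
per attacked node, columns k1..k9, 1 = sign present). Helper names are ours; the
survey complexity c_j is assumed to be 1 unless given; terms whose probability is
zero are dropped (0*log 0 = 0)."""
from math import log2

TABLE1 = {
    "Pr1": [  # zero-day vulnerability, 10 nodes
        (1,1,1,1,0,0,0,0,1), (1,1,0,0,1,0,0,1,0), (1,0,1,1,0,0,0,0,1),
        (0,1,1,0,0,1,1,0,0), (1,1,1,1,0,0,0,0,1), (1,1,1,0,1,0,0,1,0),
        (1,1,0,1,0,0,0,0,1), (1,0,1,0,0,1,1,0,0), (0,1,1,0,0,1,1,0,0),
        (1,1,1,0,0,1,1,0,0),
    ],
    "Pr2": [  # misconfigured protection means, 12 nodes
        (0,0,1,0,1,1,0,1,0), (0,1,0,1,0,1,0,0,1), (0,0,1,1,1,0,1,0,0),
        (1,0,0,1,1,1,0,1,0), (0,0,1,0,1,1,0,0,1), (0,1,0,1,1,1,0,1,0),
        (0,0,1,1,0,1,1,0,0), (1,0,0,1,1,1,0,1,0), (0,1,0,1,1,0,0,0,1),
        (1,0,0,1,1,1,1,0,0), (0,0,1,0,1,1,1,0,0), (0,1,0,1,1,1,0,0,1),
    ],
    "Pr3": [  # known vulnerability, 14 nodes
        (1,0,0,0,1,0,1,1,0), (0,1,0,0,0,1,0,1,1), (1,0,0,1,0,0,1,1,1),
        (0,0,1,0,1,0,1,0,1), (1,0,0,0,0,1,1,1,0), (0,1,0,0,1,0,1,1,1),
        (1,0,0,1,0,0,0,1,1), (0,0,1,0,1,0,1,1,1), (0,1,0,0,0,1,1,0,1),
        (0,0,1,1,0,0,1,1,1), (0,0,1,1,0,0,1,1,1), (0,1,0,0,1,0,0,1,1),
        (0,0,1,1,0,0,1,1,0), (1,0,0,0,0,1,1,0,1),
    ],
}

def _subset(table, given):
    """Rows agreeing with the earlier surveys `given` = ((sign_index, value), ...)."""
    return {p: [r for r in rows if all(r[j] == v for j, v in given)]
            for p, rows in table.items()}

def priors(table):
    """P(Pr_i): frequency of each profile among the attacked nodes."""
    n = sum(len(rows) for rows in table.values())
    return {p: len(rows) / n for p, rows in table.items()}

def diagnostic_weight(table, profile, j, s, given=()):
    """Eq. (6): log2 P(Pr_i | k_js) / P(Pr_i), both conditioned on `given`."""
    sub = _subset(table, given)
    n_all = sum(len(rows) for rows in sub.values())
    n_s_all = sum(1 for rows in sub.values() for r in rows if r[j] == s)
    n_s_prof = sum(1 for r in sub[profile] if r[j] == s)
    if n_s_prof == 0:
        return float("-inf")        # this implementation never occurs in the profile
    return log2((n_s_prof / n_s_all) / (len(sub[profile]) / n_all))

def diagnostic_value(table, profile, j, given=()):
    """Eqs. (7)/(8): expected weight over both implementations of a simple sign."""
    rows = _subset(table, given)[profile]
    if not rows:
        return 0.0                  # profile already excluded by earlier surveys
    value = 0.0
    for s in (1, 0):                # present / absent
        n_s = sum(1 for r in rows if r[j] == s)
        if n_s:                     # P(k_js | Pr_i) = 0 contributes nothing
            value += n_s / len(rows) * diagnostic_weight(table, profile, j, s, given)
    return value

def system_value(table, j, given=()):
    """Numerator of eq. (14), Z_Pr(k_j) = sum_i P(Pr_i) Z_Pr_i(k_j); the prior
    weighting is the one Tables 2 and 3 use (unconditional P(Pr_i))."""
    pri = priors(table)
    return sum(pri[p] * diagnostic_value(table, p, j, given) for p in table)

def entropy(table, given=()):
    """Eq. (9) over the profiles still compatible with `given`."""
    sub = _subset(table, given)
    n = sum(len(rows) for rows in sub.values())
    return -sum(len(r) / n * log2(len(r) / n) for r in sub.values() if r)

def iterative_survey(table, node, xi=0.9, cost=None):
    """Greedy diagnosis of one node (its vector of nine signs): survey the unsurveyed
    sign with the largest optimality coefficient lambda_j = Z_Pr(k_j)/c_j (eqs. 13-14)
    until the information gained reaches xi*H(Pr) (eq. 12) or signs run out.
    Returns (surveyed sign indices in order, posterior over the profiles)."""
    cost = cost or [1.0] * len(node)
    h0, given = entropy(table), ()
    while len(given) < len(node) and h0 - entropy(table, given) < xi * h0:
        surveyed = {j for j, _ in given}
        j = max((j for j in range(len(node)) if j not in surveyed),
                key=lambda j: system_value(table, j, given) / cost[j])
        given += ((j, node[j]),)    # "survey" k_j: read the node's actual value
    sub = _subset(table, given)
    n = sum(len(rows) for rows in sub.values())
    return [j for j, _ in given], {p: len(rows) / n for p, rows in sub.items()}

if __name__ == "__main__":
    print("Z_Pr1(k1) =", round(diagnostic_value(TABLE1, "Pr1", 0), 3))   # Table 2 row 1
    print("Z_Pr(k2/k1) =", round(system_value(TABLE1, 1, ((0, 1),)), 3))  # Table 3 row 2
    print(iterative_survey(TABLE1, TABLE1["Pr3"][0]))
```

Running the block reproduces the figures quoted in the paper (0.383 for $Z_{Pr_1}(k_1)$, 0.154 for $Z_{Pr}(k_1)$, 0.606 for $Z_{Pr}(k_2/k_1)$), so the tables can be regenerated rather than trusted by eye. The greedy rule is one reading of the optimality condition: it maximizes $\lambda_j$ one survey at a time instead of over the whole complex $K^{(\nu)}$ of (15), which is the usual trade-off when the number of sensors and the survey time are limited.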
Below, the profile of a protected infrastructure object is understood as a formalized means of describing and displaying the characteristics of the infrastructure as a whole and of its individual objects in terms of the specification of rules (communication protocols, access to resources) and data exchange procedures on the corresponding observation interval. The interaction features of the network nodes in a given observation interval are presented in three-dimensional space (Figure 3): the start and end times of the corresponding interaction processes are plotted on the X axis, the identified operating systems (OS) and applications installed on the network node on the Y axis, and the TCP/UDP port numbers used by the corresponding applications on the Z axis. The communication profile (CP) of a network object is represented as

$$CP = Pr_1 = \langle Sft(Pt_k)_1^{Prt_i}, \dots, Sft(Pt_k)_n^{Prt_i} \rangle, \quad (16)$$

where $Sft$ is the software type (operating system or application), $Sft \in \{Os, Apl\}$; $Pt$ is the protocol; $Prt$ is the TCP/UDP port number, $i = 1, 2, \dots, 65535$; $k, n \in N$.

Fig. 3. Representation of the network object interaction

For example, the communication profile of the network object shown in the diagram in Figure 3 has the form

$$Pr_{NO_1}^{(1)} = \langle Apl_1^{443}, Apl_2^{443}, Apl_3^{22}, Apl_4^{6890}, Apl_5^{1220}, Apl_6^{8080}, Apl_7^{443}, Apl_8^{4443}, Apl_9^{443}, Apl_{10}^{444}, Apl_{11}^{9001}, Apl_{12}^{1434} \rangle.$$

Behavioral profile (BP):

BP = Pr2 = <> (17)

where $Nm$ is the OS (application) name, $V$ is the network object identifier (application instance name), $type$ is the network object type (active or passive), $type \in \{Act, Psv\}$, $\varepsilon$ is the application version, $D$ is a set of operations, $i, k, n \in N$.
For example, the behavioral profile of the network object shown in the diagram in Figure 3 has the form

$$BP_{NO_1}^{(1)} = \langle Apl_1 \to \text{Instagram (iOS)}; 6.0; act; chat, \dots, Apl_{11} \to \text{Instagram (Android)}; 5.1; act; chat \rangle. \quad (18)$$

Protection profile (PP):

PP = Pr3 = <> (19)

where $\gamma$ is the security service name, $\phi$ is the version, $\psi$ is the operation type (chat, file sharing (download), use of a web browser, download, file sharing (upload), IP call), $i, k, n \in N$. For example, the security profile (SP) of the network object shown in the diagram in Figure 3 has the form

$$SP_{NO_1}^{(1)} = \langle Apl_3 \to \text{OpenSSH (sshd)}, 2, \text{Kerberos v5 auth}, \dots, Apl_8 \to \text{MSCryptoAPI}, 6.1, \text{E2EE} \rangle. \quad (20)$$

As an example, consider the detection, by passive monitoring, of certificate spoofing at one of the workplaces when accessing a web resource over the SSL/TLS protocols. This situation has many alternative developments related to the violation of the cyber resilience of the protected infrastructure. If the destructive actions of the user were deliberate, this event (incident) can be associated with previous incidents and has a high probability of recurrence in the future (Table 4).

Table 4. Possible list of preventive actions

No. | Network object | System or application software component | Exploited vulnerability / vulnerable protocol or component | Action to prevent or respond to the incident
1 | Windows hosts | Windows, Internet Explorer | CVE-2016-3213 / MS16-063, MS16-077 (NetBIOS, ISATAP); HTTP/HTTPS; TLS | Installing security system updates; using Firefox, Opera or Chrome browsers with HPKP technology; mutual authentication when establishing a TLS connection
2 | Client hosts | Web browser | HTTPS, TLS | Control of application software with access to the web browser; use of additional sources or databases of permitted keys and certificates; mutual client and server authentication
3 | Network traffic monitoring system | DNS, SSL/TLS server | DNS name resolution, SSL/TLS | DNS name resolution; maintenance of a registry of public trusted key fingerprints

In addition, this incident poses a threat to the protected infrastructure from the intruder's point of view: gaining access to the compromised node, as well as compromising other nodes or the entire infrastructure under study. At the first stage, based on reverse analysis of the data, it is necessary to verify the events (and their results) whose statistical characteristics are of interest for detecting cause-and-effect links between the user's actions, in order to determine the degree of his participation in the incident: certificate with an authentic issuer; certificate with a fake issuer; certificate within its validity period; certificate with expired validity; certificate with original issuer, not expired; certificate with original issuer, expired; certificate with fake issuer, not expired; certificate with fake issuer, expired. According to the investigation results, the monitoring system forms a list of preventive (response) actions for the corresponding incident.

6 Conclusions

Further, a set of qualitative features is formed on the basis of the secondary processing of the monitoring results in the form of a decision tree; the degree of interconnection between alternative feature groups and the technical and economic consequences (damage) for the protected infrastructure and its assets upon their manifestation are determined; and a set of possible actions is generated to localize the incident.
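Before closing, the certificate-spoofing check of Section 5 in executable form. This block is an added illustration, not code from the paper or from the monitoring system it describes: it classifies a certificate observed by passive monitoring into the eight categories listed in Section 5 (original or fake issuer, expired or not), compares its key fingerprint with the registry of trusted fingerprints of Table 4 (row 3), and attaches the Table 4 response actions. A captured certificate is represented by already parsed fields; the DER bytes are constructed placeholders whose SHA-256 digest stands in for the public key fingerprint. The trusted-issuer set, the registry, the workstation names, the observation records and the function names are all assumptions of the example.

```python
"""Passive-monitoring check for TLS certificate spoofing (the Section 5 example).

Added example, not the paper's code. A captured certificate is represented by parsed
fields (issuer, validity window, DER bytes). The DER bytes are constructed placeholders;
their SHA-256 digest imitates the public key fingerprint kept in the registry of
Table 4, row 3. Trusted issuers, registry, hosts and observations are all constructed."""
from collections import Counter
from datetime import datetime, timezone
from hashlib import sha256

TRUSTED_ISSUERS = {"CN=Public Root CA", "CN=Corp Issuing CA 1"}     # assumed

def fingerprint(der: bytes) -> str:
    """SHA-256 over the (constructed) DER; a real monitor hashes the SubjectPublicKeyInfo."""
    return sha256(der).hexdigest()

# Constructed sample data: one pinned key and three observations from two workstations.
GOOD_DER = b"constructed DER placeholder: www.example.org key 1"
REGISTRY = {"www.example.org": fingerprint(GOOD_DER)}   # server -> trusted fingerprint
UTC = timezone.utc
NOW = datetime(2019, 6, 1, tzinfo=UTC)
OBSERVED = [
    {"host": "ws-17", "server": "www.example.org", "issuer": "CN=Public Root CA",
     "not_before": datetime(2019, 1, 1, tzinfo=UTC), "not_after": datetime(2020, 1, 1, tzinfo=UTC),
     "der": GOOD_DER},
    {"host": "ws-17", "server": "www.example.org", "issuer": "CN=Free Proxy CA",   # interposed
     "not_before": datetime(2019, 5, 1, tzinfo=UTC), "not_after": datetime(2020, 5, 1, tzinfo=UTC),
     "der": b"constructed DER placeholder: interposed key"},
    {"host": "ws-03", "server": "www.example.org", "issuer": "CN=Public Root CA",   # stale copy
     "not_before": datetime(2017, 1, 1, tzinfo=UTC), "not_after": datetime(2018, 1, 1, tzinfo=UTC),
     "der": GOOD_DER},
]

def classify(cert, now, trusted_issuers=TRUSTED_ISSUERS):
    """The paper's two binary features: issuer original/fake, validity not expired/expired."""
    issuer = "original issuer" if cert["issuer"] in trusted_issuers else "fake issuer"
    valid = cert["not_before"] <= now <= cert["not_after"]
    return issuer, ("not expired" if valid else "expired")

def assess(cert, now, registry, trusted_issuers=TRUSTED_ISSUERS):
    """Verdict for one observation and the Table 4 actions it triggers."""
    issuer, validity = classify(cert, now, trusted_issuers)
    findings, actions = [], []
    pinned = registry.get(cert["server"])
    if pinned is None:
        findings.append("no pinned key for server")
        actions.append("maintenance of a registry of public trusted key fingerprints")
    elif pinned != fingerprint(cert["der"]):
        findings.append("key fingerprint differs from registry")
        actions += ["use of additional sources or databases of permitted keys and certificates",
                    "mutual client and server authentication"]
    if issuer == "fake issuer":
        findings.append("issuer not in trusted set")
        actions += ["browsers with HPKP technology",
                    "control of application software with access to the web browser"]
    if validity == "expired":
        findings.append("certificate outside its validity period")
    return {"host": cert["host"], "server": cert["server"],
            "category": f"{issuer}, {validity}",
            "verdict": "incident" if findings else "ok",
            "findings": findings, "actions": sorted(set(actions))}

def recurrence(observations, now, registry):
    """Incidents per workstation: repeats on one host are what links a deliberate
    spoofing event to earlier incidents, as Section 5 expects."""
    results = (assess(o, now, registry) for o in observations)
    return dict(Counter(r["host"] for r in results if r["verdict"] == "incident"))

if __name__ == "__main__":
    for obs in OBSERVED:
        print(assess(obs, NOW, REGISTRY))
    print(recurrence(OBSERVED, NOW, REGISTRY))
```

The fingerprint comparison is what turns the issuer/expiry classification into a detection: a certificate with a trusted issuer and a valid window still raises an incident when its key differs from the pinned one, which is exactly the interposed-certificate case that issuer checks alone miss.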
Thus, the proposed method of profiling the behavior of dynamic objects of a critically important information infrastructure makes it possible to select and put into practice (with scientific justification) the corresponding organizational and technical measures to ensure the required cyber resilience.
