RU2789990C1 - Method and system for automated documentation of security threats and vulnerabilities related to an information resource - Google Patents

Abstract

FIELD: information security.

SUBSTANCE: invention relates to the field of information security. A method for automated documentation of security threats and vulnerabilities related to an information resource includes: initializing an information resource profile; expanding the profile of an information resource by adding new vertices and edges to its knowledge graph in an automated and interactive mode; clarification of the profile of the information resource by classifying the components of the profile and/or enriching the profile; determination of security threats and vulnerabilities related to the information resource by establishing relationships between the vertices of the profile graph and the corresponding threats and vulnerabilities, moreover, information about the components of the information resource that are obtained during the initialization, expansion and refinement of the profile of the information resource, and certain security threats and vulnerabilities related to the information resource are recorded in the documenting file of security threats and vulnerabilities.

EFFECT: increasing the reliability of the information received about threats and vulnerabilities related to the information resource.

11 cl, 4 dwg

Description

Technical field

The invention relates to the field of information security, namely to automated documentation of security threats and vulnerabilities related to an information resource. The invention can be used as part of hardware and software systems for ensuring information security of industrial automation and control systems.

State of the art

There is a known method for assessing the resistance of a cyber-physical system to computer attacks, disclosed in the RF patent for invention No. 2710985 (publ. 01/14/2020, IPC G06F 21/55, G06N 5/02). In a known method, based on the documentation for the system, a computer representation of the system is built in the form of a directed graph. Then the processes inside the system are described as routes on the mentioned graph, and sets of alternative routes are formed for each process. Based on the number of alternative routes, an estimate of the system's resistance to computer attacks is calculated.

However, the known method is characterized by limited functionality, since it does not take into account the qualitative assessment of threats and vulnerabilities of components located on a particular route defined for the system graph. The system components involved in providing routes on the graph may have obvious vulnerabilities that are not taken into account in the known method, which reduces the system security when choosing an alternative route with a vulnerable component.

A known method for testing a system of software and hardware is disclosed in the RF patent for invention No. 2715025 (published on February 21, 2020, IPC G06F 21/57, G06F 11/36, G06F 17/50). In a known method, a test system use model is built based on its formalized description, a threat model of the same type as the use model is built based on descriptions of known threats for similar systems, the threat model is compared with the use model, and based on the results of the model comparison, means of the tested system are found. systems that are vulnerable to known threats.

However, the known method is characterized by limited functionality, since it does not take into account the threats and vulnerabilities for individual components of the system under test, being limited to the model of using such a system. In addition, pre-trained threat models for systems similar to the one under test are used as threat models during system testing, which may not accurately reflect the real security of the system under test.

There is a known ontology-based computer network security assessment method disclosed in Gao J. et al., Ontology-based model of network and computer attacks for security assessment //Journal of Shanghai Jiaotong University (Science). - 2013. - T. 18. - No. 5. - S. 554-562. The prior art method for evaluating security uses an ontology to evaluate the impact of an attack by evaluating the performance of a computer system before and after an attack. Computer system vulnerabilities are detected through special scanners. Five basic concepts are fixed in the ontology: goal, vector, impact, vulnerability, protection. The data source for the ontology is, in particular, open sources such as CWE (Common Weakness Enumeration), CVE (Common Vulnerabilities and Exposures), CVSS (Common Vulnerability Scoring System). Using the ontology allows you to get a list of attacks that are relevant for vulnerabilities identified by scanners.

However, the known method allows only to obtain a quantitative assessment of the effect of an attack on a computer system, but does not allow to obtain a threat model for a computer system. At the same time, the use of scanners limits the scope of the method at the design stage of a computer system, which, in particular, makes it impossible to take into account knowledge about threats specific to individual classes of software and hardware.

There is a known method of building a threat model based on ontology, disclosed in the publication Brazhuk A., Olizarovich E. Framework for ontology-driven threat modeling of modern computer systems //International Journal of Open Information Technologies. - 2020. - T. 8. - No. 2. - S. 14-20. In a known method, a basic ontology is created, including elements for constructing DFD diagrams of a computer system (eng. DFD - Data Flow Diagram) and basic concepts of information security (threats, measures) that are tied to the elements of DFD diagrams. These elements are then associated with threats through templates, which are OWL axioms that define the corresponding class. Further, the basic ontology is extended to the ontology of the subject area, for example, the area of cloud systems. Then, in terms of ontology, a specific DFD diagram is described, a logical conclusion is made, and a list of threats is obtained.

However, the known method is characterized by limited functionality, since it does not take into account the threats and vulnerabilities of individual components, being limited to threats to data flows in a computer system.

There is a known method for building a threat model based on an ontology, disclosed in the publication of Välja M. et al., Automating threat modeling using an ontology framework //Cybersecurity. - 2020. - Vol. 3. - No. 1. - S. 1-20. In a known method, an ontological framework is used that provides standardization of names and classification. In addition, the mentioned framework provides grouping and abstraction from unimportant details. To implement the method, two types of templates are proposed - content, which fixes possible data description models, and output, which fixes data transformation. Computer system vulnerabilities are detected through special scanners. The identified vulnerabilities are then generalized to vulnerabilities known from CWE and further to several significant types of attacks (OWASP Top 10).

The disadvantage of the known method is the inability to use the proposed ontological framework to analyze the vulnerabilities of the designed system and identify threats by software type. In addition, the known method uses a simplified metamodel (classes, instances, relationships) that is not supported by any formal apparatus, which leads to limited expressiveness and rigor of semantics.

Disclosure of the essence of the invention

The technical problem underlying the present invention is to provide the possibility of documenting security threats and vulnerabilities related to an information resource in an automated mode.

The technical result achieved by the implementation of the present invention is to increase the reliability of the information received about threats and vulnerabilities related to the information resource by providing the possibility of their documentation in an automated mode with the involvement of formalized expert knowledge.

Additional technical results achieved in the implementation of the invention:

- increasing the completeness of information obtained as a result of identifying threats and vulnerabilities related to the information resource;

- automation of the process of documenting threats and vulnerabilities related to the information resource.

As an invention, a method for automated documentation of security threats and vulnerabilities related to an information resource is claimed, including the following steps:

- initialization of the profile of the information resource, while such a profile is represented by a knowledge graph, in which the vertices reflect the components of the resource, and the edges reflect the links between such components, and at the initialization step, the profile graph contains a single root element that reflects the information resource;

- expanding the profile of an information resource by adding new vertices and edges to its knowledge graph in an automated and interactive mode, while in an automated mode, information about the components of an information resource is obtained from automatic means of collecting data on computer systems, and for assigning names to vertices and edges, they are used in advance a prepared ontology of the subject area for building information security threats, containing concepts and relationships between them, standardized for the mentioned subject area; in interactive mode, information about the components of the information resource is obtained as a result of user input based on the questionnaire provided to the user and formed on the basis of the context of previously added vertices, edges in the profile graph and the mentioned ontology of the subject area that determines the structure and composition of the questionnaire;

- refinement of the profile of the information resource by classifying the profile components, and/or enriching the profile, while classifying the components, vertices are added to the profile graph, reflecting the classes to which the profile components belong; when enriching, vertices are added to the profile graph, reflecting additional information about the components added when expanding the profile;

- determination of security threats and vulnerabilities related to the information resource by establishing relationships between the vertices of the profile graph and the corresponding threats and vulnerabilities, while the mentioned relationships are reflected in the mentioned domain ontology or are logically derived based on the initially specified relationships between the concepts of this ontology, moreover, the source of information about threats and vulnerabilities is at least one external information security knowledge base that describes known threats and vulnerabilities for the components of the information resource;

- moreover, information about the components of the information resource, which are obtained during the initialization, expansion and refinement of the profile of the information resource, and certain security threats and vulnerabilities related to the information resource, are recorded in the documenting file of security threats and vulnerabilities.

Additional advantages and essential features of the present invention can be presented in the following particular embodiments.

In particular, the information resource profile graph is represented by an RDF graph.

In particular, the components of the information resource are represented by software and hardware components.

In particular, at least one component of the information resource is represented by a component of a real computer system.

In particular, at least one information resource component is represented by a computer system component being designed. Adding a designed component to the profile of an information resource makes it possible to obtain information about potential threats to information security, taking into account possible changes in the information resource associated with the introduction of this component into a real computer system.

An information resource consists of at least one component that is a resource or part of a resource selected from the following group: information asset, access object, information infrastructure, information infrastructure object, including information and telecommunications network, information system, automated control system.

As an invention, a system for automated documentation of security threats and vulnerabilities related to an information resource is claimed, containing an information resource profile represented by a knowledge graph in which the vertices reflect the components of the resource, and the edges reflect the links between such components;

ontology of the subject area, which contains concepts and relations between them, standardized for the subject area, reflects the relationship between the vertices of the profile graph and their corresponding threats and vulnerabilities;

a profile initialization and extension module associated with a user interaction module, modules for processing data on the structure of an information resource, a module for processing a questionnaire for expanding a profile and an ontology of a subject area, while said data processing modules are associated with modules for collecting data about the structure of an information resource, a module for processing a questionnaire associated with a module for constructing a profile extension questionnaire, wherein the questionnaire is formed based on the context defined by the vertices and edges added to the profile graph, and the ontology of the subject area that determines the structure and composition of the questionnaire;

a profile component classification control module associated with profile component classification and recognition modules, these modules being associated with their respective modules for accessing external data sources of profile component classes;

profile enrichment module associated with the information security knowledge graph, which is associated with its construction and updating module, and this module is associated with external information security data sources, including at least one information security knowledge base describing the threats and vulnerabilities that are reflected in the profile graph of the components of the information resource;

a module for determining security threats and vulnerabilities related to an information resource, associated with an inference module that allows you to logically derive relationships between the profile graph vertices and threats and vulnerabilities based on the ontology of the subject area, and a module for automated documentation of security threats and vulnerabilities that provides a record in the documentation file information about the mentioned threats and vulnerabilities.

In particular, modules for collecting data on the structure of an information resource are represented by automatic tools for collecting data on computer systems.

In particular, the database of product version identifiers (CPE), the database of vulnerabilities (CVE), the database of weaknesses (CWE), the database of attack patterns (CAPEC), the information security threat database of the FSTEC of Russia are external sources of information security data.

In particular, the system may include a profile building control module that controls the operation of system modules based on a command stream.

In particular, the operation of the system modules is initialized by changing the data in the modules with which they are associated and/or changing the data in the information resource profile.

The need to automate the documentation of threats arises in two cases: when the conditions of a previously solved problem change (for example, a change in the structure of an information resource); and when setting a new task for a previously unseen information resource.

Ensuring the possibility of documenting threats and vulnerabilities related to an information resource in an automated mode is achieved by:

- formalization and unification of expert knowledge;

- linking expert knowledge;

- generalization of expert knowledge;

- unification of software components for working with knowledge;

-accumulation and reuse of software components.

Formalization of expert knowledge makes it possible to move to the representation of knowledge in a machine-readable format and, thereby, make knowledge available to software tools. For example, the formalization of knowledge about vulnerabilities makes it possible to obtain additional information about a vulnerability, for example, a vulnerability class, by its identifier without involving an expert.

Unification involves the use of a unified system of standards for the representation and processing of knowledge, which reduces the number of tools needed to work with knowledge.

In addition, unification allows the most efficient (i.e., without the need for intermediate transformations) linking knowledge. Linking makes it possible to move from one knowledge to another without the involvement of an expert. For example, by product ID, request vulnerabilities found for a given product, and by received vulnerabilities, request threats that are implemented through these vulnerabilities.

The generalization of expert knowledge allows, by abstracting from the specifics of specific information resources, to form a set of concepts and relationships necessary and sufficient to describe various classes of these resources, which eliminates the need to form such a set every time the need arises to obtain information about threats. In particular, this set may include concepts and relationships for describing the elements of a computer network.

In addition, generalization allows the use of unified computer tools that are focused on working with a fixed set of concepts and relationships, which eliminates the need to develop applications for each new task. In particular, on the basis of a fixed set of concepts and relationships, a questionnaire can be built to clarify data on a protected resource, which will be processed in a unified way.

In view of the fact that the same computer tools are often used to solve the problem of automating the documentation of information security threats, it is advisable to create component libraries for working with such tools. For example, a component for unifying and linking information obtained from one or another type of network scanner.

To provide formalization, unification, linking and generalization of knowledge, the ontology description language OWL (OWL 2 DL), based on descriptive logic, can be used.

Ontologies are used as a consistent source of expert knowledge that reflects the subject area through a set of concepts and relationships between them.

The set of concepts and relationships defined in the ontology makes it possible to build an information resource profile graph in an automated mode using active and passive means of collecting data about an information resource.

In addition, the use of the ontology makes it possible to automate the issuance of recommendations based on the current content of the information resource profile graph for expanding such a graph by processing the results of user input made when interacting with the user's profile.

Thus, the involvement of expert knowledge in conjunction with the automation of the operations of their receipt, processing and transmission, can reduce the impact of the human factor on the preparation of information about threats and vulnerabilities related to the information resource. In turn, this leads to an increase in the reliability of the information received about such threats and vulnerabilities, which is an important component for ensuring the information security of automated systems in various fields of activity.

The term "RDF" refers to the data presentation model of the Resource Description Framework (resource description environment). An RDF model consists of RDF resource assertions in a machine-readable form.

The term "RDF graph" refers to a directed graph consisting of RDF statements. The vertices of an RDF graph are subjects and objects, and the edges represent relationships.

The term "SPARQL query" refers to a query to data structured as an RDF graph.

The term "DL query" refers to an expression that describes the OWL class you are looking for.

The term "CPE" (eng. Common Platform Enumeration) refers to a structured naming scheme for systems, software and information technology packages.

The term "IRI" (English Internationalized Resource Identifier) refers to an internationalized resource identifier - a short sequence of characters that identifies an abstract or physical resource in any language of the world.

The term "OWL" (Eng. Web Ontology Language) is understood as a language for describing ontologies.

Brief description of the drawings

FIG. 1 illustrates a block diagram of a system for implementing a method for documenting security threats and vulnerabilities.

FIG. 2 illustrates a visual representation of the domain ontology for determining security threats and vulnerabilities related to an information resource.

FIG. 3 illustrates a flow diagram of a method for documenting security threats and vulnerabilities related to an information resource.

FIG. 4 illustrates an example of an information resource profile.

Description of an embodiment of the invention

In accordance with FIG.1 , illustrating a system for documenting security threats and vulnerabilities related to an information resource, the proposed system contains a pre-built domain ontology 101 .

A fragment of the domain ontology is presented in FIG.2 . To work with ontologies and knowledge graphs, several types of applied software and hardware can be used: editors (for creating and modifying ontologies and knowledge graphs), storage systems (for storing and accessing ontologies and knowledge graphs) and software frameworks - frameworks (for computer processing of ontologies and knowledge graphs). It should be understood that the functional modules that ensure the operation of the invention, at the physical level, access the storage systems of ontologies and knowledge graphs in order to access the information presented in the ontology and stored on disk space; to frameworks - to gain access to information presented in the ontology and located in the RAM of the computing device.

An ontology is a strict (formalized) and consistent description written in a machine-readable format. As a language for constructing such descriptions, the OWL language based on descriptive logic can be used. The ontology written in the OWL language includes two sets - Tbox 201 and ABox 202 The set TBox 201 contains definitions of concepts that are significant for the selected subject area. Each concept is represented by an ontology class. The restrictions imposed on ontology classes are given in the form of axioms. Thus, axioms define classes, their properties and relations between them.

The set ABox 202 contains instances of classes (concepts) defined in the set TBox 201 . In the present description, the term "ontology" is used primarily to refer to the set TBox 201 . The term "threat and vulnerability documentation process knowledge graph" is used herein to refer to multiple instances of ABox 202 .

The use of an ontology makes it possible to separate the description of the subject area from those or other implementations, and allows fixing the restrictions imposed on the subject area.

The ontology of the subject area contains terms that make it possible to describe the protected information resource. Classes are denoted by rectangles containing the name of the class, an arrow with an empty end - an inheritance relationship, rounded rectangles - instances, arrows with a filled end that do not have a name - the relationship “are an instance of the class”.

Depending on the characteristics of the type of information resources being protected, various implementations of the proposed invention may differ in terms of this ontology.

The set TBox 201 contains the following classes. The class 'Information resource' 203 is related by inheritance to the classes 'Computer' 204 and 'Software' 205 . The class 204 is related by inheritance to the classes 'Workstation' 206 and 'Server' 207 . The class 205 is related by inheritance to the class 'System software' 208 . The class 208 is related by inheritance to the classes 'Embedded Software' 209 , 'Operating System' 210 , 'Network Software' 211 . Class 211 is related by inheritance to class 'Virtual Private Network' 212 .

The set ABox 202 contains instances of classes 'Information resource A' 213 , including instances of 'Workstation ₁ ' 214 , 'Server ₁ ' 215 , 'Workstation _m ' 216 , 'Server _n ' 217 . Instance 'Server ₁ ' 215 includes instances 'BIOS _c1 ' 218 , 'OS _c11 ' 219 , 'OS _c12 ' 220 .

Relationships between elements of the sets TBox 201 and ABox 202 are implemented through the relationship "are an instance of the class".

The domain ontology 101 is extended to the knowledge graph of the process of documenting threats and vulnerabilities 102 by including knowledge about the relationship between the elements of the domain ontology and the concepts used in the target information security threat model. A threat model is a listing and description of possible information security threats. The target threat model may include a physical, mathematical, descriptive representation of the properties or characteristics of information security threats, while the type of descriptive representation of the properties or characteristics of information security threats can be a special regulatory document (GOST R 50922-2006 - "Information security. Basic terms and definitions" ). The target is understood as a threat model, in terms of which the documentation of security threats and vulnerabilities related to the information resource will be carried out. In the event that the model of certain regulatory bodies is used as such a model, then the result of the work of this decision can be considered as the basis for the formation of appropriate reporting.

Based on the knowledge graph 102 for a specific information resource, using the profile initialization and extension module 103, an information resource profile 104 is built, which is also a knowledge graph. This column fixes a formal description of the protected information resource, including information about the identified actual threats and vulnerabilities. An information resource profile is a knowledge graph that is built in terms of the domain ontology. The root element of the profile is an instance of the 'Information Resource' 203 class for which security threats and vulnerabilities need to be identified and documented.

In accordance with FIG.3 , illustrating a flowchart of a method for automated documentation of threats and vulnerabilities related to an information resource, at step 301 initialize the information resource profile.

The execution of operations in the method is carried out mainly automatically by means of computer technology. At the same time, some operations are performed in an automated mode, if a user control is required. For such operations, the characteristic "online" is used. In this case, the necessary human-machine interaction operations can be implemented by means of the user interaction module 105 providing a user menu.

The user menu can be implemented by means traditional for information technology: in the form of a console menu or in the form of a graphical user interface, implemented, for example, based on technologies used to build web applications, including but not limited to React, Angular.

It should also be understood that the functional modules defined below that enable the operation of the proposed invention may be implemented through various combinations of hardware and software. At the same time, the names of the operations in the method, formulated using the verbs “carry out ...”, “perform ...”, “implement ...”, etc., suggest that the corresponding action is performed by means of computer technology, and do not serve as an indication of actions performed exclusively user.

In the general case, the invention is implemented by one or more software and hardware capable of executing the functional modules included in the proposed system. In turn, the software part of the mentioned functional modules can be represented by any appropriate number of software modules and can use any appropriate number of libraries, shells, applications, software packages, depending on the specific operations implemented by a particular functional module. The software part of the functional modules can be implemented as machine code or as program text in a programming language such as C, C++, C#, Java, Python, Perl, Ruby, and the like. Separately, it should be noted that the functionality of the invention does not directly depend on the choice of its software implementation and can be supported by a variety of combinations of software and hardware. However, the specific software implementation is not the subject of the present invention, nor are the details of ensuring the compatibility of method operations or functional modules of the system with the specific hardware used. The essential features of the invention are the actions described below on a material object (data stored in the memory of storage systems), using material means (functional modules capable of being executed by one or more processors).

Information resource profile initializations are implemented by the profile initialization and extension module 103. At the same time, the profile knowledge graph is created, consisting of a single instance of the 'Information resource' class 203 .

In accordance with FIG.4 , illustrating an example of the created information resource profile, when the profile is initialized, the top of the graph 'protected information resource A' 401 is created.

In accordance with FIG.3 , at step 302 , the extension of the profile of the protected information resource is carried out.

An information resource generally consists of separate protected components. Information about the components of the protected information resource comes from the module for collecting data on the structure of the information resource 106 . Extension of the information resource profile is the process of including new vertices in the knowledge graph representing the profile of the protected information resource, where each vertex corresponds to a component of the protected information resource or to the information resource as a whole.

To extract information about the components of the protected information resource from the received data and convert it into the RDF format, the corresponding modules for processing data on the structure of the information resource 107 are used. The received information in the form of the top of the knowledge graph is recorded in the profile 104 .

For example, such components can be elements of a computer network - workstations and servers, for each of which there must be a corresponding class 'Workstation' 206 and 'Server' 207 in the domain ontology 101 . The listed components are fixed in the profile shown in FIG. 4 by creating instances of the corresponding classes of the ontology of the subject area 101 and linking them to an instance of the protected information resource by the relation 'includes'.

The profile extension is carried out by iterative refinement: the composition of the information resource components is determined, after which the composition of each of the components is determined separately, etc. Since each component itself is an information resource, which is expressed at the level of the ontology of the subject area as an inheritance relation from the class 'Information resource' 203 , then all profile enhancement actions are implemented in the same way, but with different context corresponding to the level of detail.

In accordance with FIG.4, at step 302 , the following vertices are added to graph 104 , reflecting the components of the information resource: 'server ₁ ' 402 , 'server _n ' 403 , 'workstation ₁ ' 404 , 'workstation _m ' 405 .

The composition of the components that refine the profile is determined by means of the ontology of the subject area 101 .

In accordance with FIG.4, when expanding the information resource profile graph, the composition of the component defined in the previous step and reflected in the top 'server ₁ ' 402 is specified. Next, the vertices 'BIOS _c1 ' 406 and 'OS _c1 ' 407 are added, which are connected by the relation 'includes' 408 with the vertex 'server ₁ ' 402 .

The node 'OS _c1 ' 407 can further be associated with the node 'Microsoft Corp' 409 representing the manufacturer of the operating system, the node 'Windows Server 2010' 410 representing the name of the operating system, and the node '6.3' 411 representing the version of the operating system.

Data about the structure of the information resource can be added in two ways - in automated 303 and interactive mode 304 .

For automated mode 304 , the inputs may be the results of passive and active means of collecting data about computer hardware and software. Passive means receive data from services or a remote user. Such tools are usually built on a two-component architecture, including a remote data collection agent and a centralized service for storing and processing the collected data. As an example, imagine a system in which the user locally executes PowerShell scripts to obtain data about the system and sends the results to a centralized data storage and processing service.

Active tools implement remote hardware and software scanning. An example is specialized software - scanners, for example, the nmap computer network scanner.

When expanding the profile in interactive mode 304 receive the result of user input made using a graphical user interface. The menu for entering information about the component of the protected information resource can be presented in the form of a questionnaire.

The questionnaire is formed by the module for constructing the profile extension questionnaire 108 based on the current context and ontology of the subject area 101 , where the ontology defines the general structure and composition of the questionnaire, and the context defines a fragment that is significant from the point of view of the current level of profile extension of the protected information resource.

The influence of the context can be demonstrated by the example shown in FIG. 4 , where, when expanding the profile, the user is prompted to enter information about the network nodes - servers and workstations; upon further expansion of the profile, the user is prompted to enter information about the selected node 'server ₁ ' 402 .

The structure and composition of the questionnaire are determined by the ontology of the subject area 101 . For example, when expanding the profile in interactive mode 304 , the formal definition of the class 'Server' 207 , which is part of the ontology 101 , will be used, of the form:

(‘Server’ includes ‘Operating System’) AND (includes ‘Firmware’) AND (includes ‘Software’),

where each group will determine the item on the questionnaire to choose from. When selecting an item corresponding to the 'Software' 205 class, in accordance with the class hierarchy of the domain ontology 101 that defines this class, the user will be offered three new items: 'Embedded software', 'Operating system', 'Network software'. Let's say that the user has chosen the 'Network Software' class.

The user can then enter property values for the software. The composition of the properties offered to the user is determined by the formal definition of the properties given in the ontology. The definitions look like:

‘names’ scope ‘Software’ AND scope ‘string’,

'manufacturer' scope 'Software' AND scope 'string',

'version' scope 'Software' AND scope 'string'.

FIG. 4 illustrates the result of entering a single OpenVPN value, the name of the software. Thus, as a result of expanding the profile in interactive mode, a vertex 412 is added to the profile, which is an instance of the 'Network Software' class, having a property 'name' with a value of OpenVPN 413 . This instance is bound to the instance 'server ₁ ' 402 by the relation 'includes'.

The transformation of the questionnaire filled in by the user into elements of the profile graph of the protected information resource is implemented by the questionnaire processing module 109 . The conversion results are passed to the profile initialization and expansion module 103 for direct profile expansion.

In the course of expanding the profile for the root element, vertices are specified, which can reflect the various components of the protected information resource, and edges, which can reflect the links between the mentioned parts. In the general case, the profile vertices can correspond to the network nodes of the information infrastructure, hardware and software components of the network nodes of this infrastructure. Mentioned network nodes can be represented by computing devices, for example, personal and industrial computers, servers, switching, routing devices, but are not limited to these examples of devices. The collected information may relate to both hardware and software, including embedded software installed on the network node, the operating system of the network node, etc.

The extracted information is presented in a structured form by converting it into vertices and edges of the profile graph of the protected information resource. To transform the collected data, solutions developed for a given format and data source can be used, or universal solutions, in particular, designed to convert semi-structured data to RDF, such as: Carml, SPARQL-Generate, etc. Each such decision is the basis of one of the modules for processing data on the structure of the information resource 107 .

At step 305 , the user may be prompted to repeat the refinement and perform steps 303 or 304 again.

At step 306 , the user is prompted to perform one of the possible alternative operations: refine the profile (step 307 ) or get a list of threats and vulnerabilities based on the profile (step 311 ).

At step 307 , the information resource profile is refined. The components of the protected information resource added to the profile 104 can be refined in two ways: the component class can be refined - classification 308 ; the list of information about the component can be expanded - enrichment 309 . Refinement refers to the process of adding new information about previously added profile components.

The component classification performed in step 308 may be automated or interactive. The classification is implemented by the profile component classification control module 110 .

In the case of interactive mode, the procedure is similar to the interactive extension, except that the user is given the opportunity to select components that already exist in the profile.

For automated classification, external data sources 111 can be used - knowledge bases and databases (for example, a configuration management database, eng. Configuration management database, CMDB). Knowledge base access modules 112 are used to obtain data from each type of such sources. The control of the process of using an external source and the processing of the received data are implemented by the corresponding module for classifying and recognizing the profile component 113 . Module 113 extracts from the received data the class name of the profile component, taking into account which classes are known from the domain ontology 101 . To implement module 113 , either source-specific approaches or specialized algorithms, such as extracting named entities from natural language texts, can be used.

An example of a classification of a component based on knowledge from an external source is shown in FIG. 4 , where the previously created component, reflected by node 412 , is updated to its class, 'Virtual Private Network' 414 . The open knowledge base Wikidata is used as an external source. Interaction with this knowledge base can be implemented based on queries in the SPARQL language sent via the HTTP protocol. Thus, the corresponding module for accessing the knowledge base 112 must implement the construction and sending of a query in the SPARQL language over the HTTP protocol and receiving a response.

A SPARQL query to a given source can have the following structure:

SELECT ?label {

?sw rdfs:label ?software_name ;

p:P366/ps:P366/rdfs:label ?label.

FILTER(LANG(?label) = "" || LANGMATCHES(LANG(?label), "en"))

} LIMIT 1

The ?software_name variable in this query contains the name of the software component for which you want to qualify the class. In this case, it's OpenVPN. The essence of this request is to obtain options for using the specified software component. The response will be 'virtual private network'.

In this case, the module for classifying and recognizing the profile component 113 implements the method of matching strings - the result obtained with class names from the ontology of the subject area. Since the ontology contains the class 'Virtual private network' 212 , one of the labels of which is 'virtual private network', then the element in question - OpenVPN 413 - is classified as an instance of the corresponding class. As a result, a vertex reflecting this class and an edge connecting the OpenVPN node 413 and the node of the class 'Virtual Private Network' 414 will be added to the profile graph.

At step 309 , the information resource profile is enriched by adding new vertices to the graph, reflecting additional information about the components that were added when expanding the profile 303 .

The profile enrichment module 114 is responsible for profile enrichment. To implement the possibility of enrichment, an information security knowledge graph is preliminarily built on the basis of data from external sources on information security 115 . The module for constructing and updating the information security knowledge graph 116 is responsible for building graph 115 on data from external sources. The following databases can serve as data sources: Product Version Identifier Database (CPE) 117 , Vulnerability Database (CVE) 118 , Weakness Database (CWE) 119 , Attack Pattern Database (CAPEC) 120 .

An option for building a system that implements the functions of module 116 is described in Kiesling, E., Ekelhart, A., Kurniawan, K., & Ekaputra, F. (2019). The SEPSES Knowledge Graph: An Integrated Resource for Cybersecurity. In International Semantic Web Conference (pp. 198–214). https://doi.org/10.1007/978-3-030-30796-7_13. In this version, the construction of an RDF graph based on open information security databases is implemented, data from which can be retrieved using SPARQL queries.

An enrichment example is shown in FIG. 4 where the 'OpenVPN' profile component 413 is indicated by possible product version identifiers, CPE. To do this, on the profile enrichment module 114 , a SPARQL query is formed to the information security knowledge graph 115 , the essence of which is to search for a CPE, the full string representation of which includes the name of the desired component, i.e. 'OpenVPN'. This SPARQL query returns two identifiers corresponding to the found CPEs - 'Aviatrix OpenVPN' 415 and 'OpenVPN' 416 . The resulting identifiers are added to the profile graph as respective vertices 415 and 416, which are linked to the 'OpenVPN' node 413 by the relation 'cpe' 417 .

At step 310 , the user may be prompted to re-qualify the content profile by re-executing steps 308 or 309 .

At step 311 , information security threats are determined for the obtained profile of the protected information resource. The module for determining security threats and vulnerabilities related to the information resource is responsible for the implementation of this function 121 . Threats and vulnerabilities for an information resource are presented in the form of vertices, which are connected by edges with vertices that reflect the components of the information resource.

The operation of the information security threat detection module 121 is provided by the presence of formalized expert knowledge about the relationship of profile components with threats and vulnerabilities from the target information security threat model. This knowledge is recorded in the information resource profile 104 , the knowledge graph of the process of documenting threats 102 , the information security knowledge graph 115 . The module itself implements many algorithms for extracting this knowledge in accordance with the chosen method of their formalization in the listed knowledge graphs.

As an example, two possible approaches can be considered. In accordance with the first method, knowledge about the relationship between profile components and threats and vulnerabilities of the target information security threat model is fixed in the definition of component classes, threats and vulnerabilities, for example, in the following form:

'BIOS malware threat''affects'('BIOS' OR includes 'BIOS) .

The essence of this definition is that an instance of the 'BIOS _c1 ' 406 class or a class that is defined through the relation 'includes' 408 'BIOS _c1 ' 406 , will be an object subject to the 'BIOS Malicious Code Injection Threat' 418 threat, which is a threat from the database of information security threats of the Federal Service for Technical and Export Control (FSTEC of Russia), taken in the example as a target model of information security threats. In this case, the target model of security threats is understood as a document that may include a list of possible threats or a physical, mathematical, descriptive representation of the properties or characteristics of information security threats.

Since when expanding profile 303, it included an instance of 'server ₁ ' 402 , the class of which is defined through the relation 'includes' 408 'BIOS _c1 ' 406 , then in aggregate this information allows us to conclude that this type of threat is relevant for the created profile 104 .

The derivation of the described output is implemented by the inference module 122 , which is based on the use of some implementation of the inference engine, such as Hermit. The inference engine allows you to generate DL-queries (queries in the language of descriptive logic) to knowledge graphs. In this case, you need to query the parent classes for the following definition:

‘affects’ ‘Server’

Information about the actual threat is added to the profile 104 as a separate node, which is associated with the 'server ₁ ' 402 component by the relation 'affects'.

The second approach is based on the use of knowledge from external sources, in particular, from the CPE 117 and CVE 118 databases.

Once a possible CPE list has been established for the added 'OpenVPN' component 413 , information about all known current vulnerabilities can be extracted from the information security knowledge graph 115 . For this, a SPARQL query of the form can be used:

CVE-2020-11810 may be returned as one of the current vulnerabilities. Similarly to the previous approach, the corresponding vertex 419 , which reflects the vulnerability, is added to the profile of the protected information resource.

A distinctive advantage of using ontologies is the ability to link different knowledge models and transition between them if necessary. Above, calculation examples were presented for the current threat profile under consideration - ‘Bios Malicious Code Injection Threat’, and the actual vulnerability - CVE-2020-11810. The first artifact belongs to the FSTEC data security threat database, the second one is defined in the National Vulnerability Database, USA (NVD). If it is necessary to build a target model of information threats in terms of a single set of standards, in the example under consideration - FSTEC, you can use formalized and fixed in the ontology of the subject area relations that connect the concepts of different standards. The sources of these relations can be both the standards themselves and the relevant experts, incl. within a single organization.

In particular, the CVE-2020-11810 vulnerability in the FSTEC vulnerability database corresponds to the BDU:2020-01777 vulnerability. This information can be written into the ontology as follows:

'BDU:2020-01777' 'compliant' 'CVE-2020-11810'

This information allows you to get the vulnerability ID from the FSTEC database by the vulnerability ID from the NVD database, for example, using a SPARQL query.

In order to obtain the corresponding FSTEC threat for the FSTEC vulnerability, the relationship between them must also be fixed in the ontology of the subject area, for example, as follows:

‘The threat of bringing the system into a “denial of service” state’ ‘implemented through’ ‘BDU:2020-01777’

The transition to FSTEC threats allows you to include a description of a potential intruder in the target model of information security threats. The connection between the intruder and the threat can be fixed in the ontology as follows:

‘BIOS malware threat’ ‘comes from’ (‘Insider’ AND ‘High Potential Intruder’)

‘Threat of bringing the system into a denial of service state’ ‘comes from’ (‘External intruder’ AND ‘Low potential intruder’)

At step 312 , information about the components of the information resource, which are obtained by initializing, expanding and refining the profile of the information resource, and certain security threats and vulnerabilities related to the information resource, is recorded in a security threat and vulnerability documentation file. The operation corresponding to step 312 is carried out by the module for automated documentation of security threats and vulnerabilities 123, which is able to convert a graph representation of information about an information resource and related threats and vulnerabilities into a document with a given presentation format. In particular, the results of executing SPARQL queries can be converted to CSV format. The described approach allows you to record information about the components and related threats and vulnerabilities as a set of lines of the form:

<information resource component, current threat>

Information recorded in the selected format can be transferred to various visual display tools to represent the model in text, tabular or graphical form. In addition, said information may be communicated to information security regulators using an appropriate information security threat target model.

At step 313 , the user may be prompted to end or repeat any steps of the method.

The proposed system can be implemented in accordance with two general architectures: based on the flow of commands (control-flow) and based on the flow of data (data-flow). The implementation of the first approach is shown in FIG. 1 , where the profile building control module 124 controls the transition from one method step to another.

In the case of a data flow architecture, the module mentioned above is absent, and the operation of the modules 103 , 110 and 114 is determined by the fact that the data in the respective databases has changed. In this case, the modules 103 , 110 and 114 are associated with the profile of the information resource 104 directly.

In particular, the module 106 is waiting for new data about the information resource. Upon receiving them, it transfers data to the data processing module about the structure of the information resource 107 , which initializes its launch. The module 107 in turn passes the processed data to the profile initialization and expansion module 103 and initializes its operation. Module 103 stores the results of its work in the information resource profile 104 . Changes to the profile initiate the launch of the profile component classification control module 110 and the profile enrichment module 114 . In this case, initialization can be implemented either on the basis of a subscription mechanism, or on the basis of a periodic polling of the profile 104 from the modules 110 and 114 for changes.

It is worth noting that the above description is given by way of example and should not be construed as limiting the scope of protection of the present invention to be determined solely by the scope of the appended claims.

While the particular embodiments described above are given with reference to specific steps performed in a certain order, and the modules that perform these steps, it should be obvious that these steps, modules can be combined or separated without deviating from the essence of the present invention. .

Claims (21)

1. A method for automated documentation of security threats and vulnerabilities related to an information resource, including the following steps: - initialization of the profile of the information resource, while such a profile is represented by a knowledge graph, in which the vertices reflect the components of the resource, and the edges reflect the links between such components, and at the initialization step, the profile graph contains a single root element that reflects the information resource; - expanding the profile of an information resource by adding new vertices and edges to its knowledge graph in an automated and interactive mode, while in an automated mode, information about the components of an information resource is obtained from automatic means of collecting data on computer systems, and for assigning names to vertices and edges, they are used in advance a prepared ontology of the subject area for building information security threats, containing concepts and relationships between them, standardized for the mentioned subject area; in interactive mode, information about the components of the information resource is obtained as a result of user input based on the questionnaire provided to the user and formed on the basis of the context of previously added vertices, edges in the profile graph and the mentioned ontology of the subject area that determines the structure and composition of the questionnaire; - refining the profile of the information resource by classifying the profile components and/or enriching the profile, while classifying the components, vertices are added to the profile graph, reflecting the classes to which the profile components belong; when enriching, vertices are added to the profile graph, reflecting additional information about the components added when expanding the profile; - determination of security threats and vulnerabilities related to the information resource by establishing relationships between the vertices of the profile graph and the corresponding threats and vulnerabilities, while the mentioned relationships are reflected in the mentioned domain ontology or are derived logically based on the initially specified relationships between the concepts of this ontology, and the source of information about threats and vulnerabilities is at least one external information security knowledge base that describes known threats and vulnerabilities for information resource components; - moreover, information about the components of the information resource, which are obtained during the initialization, expansion and refinement of the profile of the information resource, and certain security threats and vulnerabilities related to the information resource, are recorded in the documenting file of security threats and vulnerabilities. 2. The method of claim 1, wherein the information resource profile graph is represented by an RDF graph. 3. The method according to claim 1, in which the components of the information resource are represented by software and hardware components. 4. The method of claim 1, wherein at least one component of the information resource is a component of a real computer system. 5. The method of claim 1, wherein at least one information resource component is a computer system component being designed. 6. The method according to claim 1, in which the information resource consists of at least one component that is a resource or part of a resource selected from the following group: information asset, access object, information infrastructure, information infrastructure object, including information and telecommunications network, information system, automated control system. 7. A system for automated documentation of security threats and vulnerabilities related to an information resource, containing an information resource profile represented by a knowledge graph, in which the vertices reflect the components of the resource, and the edges reflect the links between such components; ontology of the subject area, which contains concepts and relations between them, standardized for the subject area, reflects the relationship between the vertices of the profile graph and their corresponding threats and vulnerabilities; a profile initialization and extension module associated with a user interaction module, information resource structure data processing modules, a profile extension questionnaire processing module, and a domain ontology, while said data processing modules are associated with information resource structure data collection modules, a questionnaire processing module associated with a module for constructing a profile extension questionnaire, wherein the questionnaire is formed based on the context defined by the vertices and edges added to the profile graph, and the ontology of the subject area that determines the structure and composition of the questionnaire; a profile component classification control module associated with profile component classification and recognition modules, these modules being associated with their respective modules for accessing external data sources of profile component classes; profile enrichment module associated with the information security knowledge graph, which is associated with its construction and updating module, and this module is associated with external information security data sources, including at least one information security knowledge base describing the threats and vulnerabilities that are reflected in the profile graph of the components of the information resource; a module for determining security threats and vulnerabilities related to an information resource, associated with an inference module that allows you to logically derive relationships between the profile graph vertices and threats and vulnerabilities based on the ontology of the subject area, and a module for automated documentation of security threats and vulnerabilities that provides a record in the documentation file information about the mentioned threats and vulnerabilities. 8. The system according to claim 7, in which the modules for collecting data on the structure of the information resource are represented by automatic means for collecting data on computer systems. 9. The system according to claim 7, in which the database of product version identifiers (CPE), the database of vulnerabilities (CVE), the database of weaknesses (CWE), the database of attack patterns (CAPEC) act as external sources of information security data. 10. The system according to claim 7, which contains a profile building control module that controls the operation of the system modules based on the command stream. 11. The system according to claim 7, in which the operation of the system modules is initialized by changing the data in the modules with which they are associated and/or changing the data in the information resource profile.

Images