RU2634169C1 - Risk management modeling technique for information-management system at information-technical impacts conditions - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: claimed method includes the stages: one creates the database of the external and internal risks parameters; one links it to the specialized organization database; one creates the risks detection, warning and countermeasures system (DWCS); one adds the DWCS functional model and the internal risks model into the IMS model, which is functioning within the conditions of the external risks; one teaches the DWCS; one assesses the damage, caused by the external and internal risks, one changes the DWCS parameters if necessary; one compares the DWCS risks measured parameters with the values from its database; one determines the risk for the IMS level; one assesses the possible damage when identifying the risks marks; one carries out the countermeasures against the risks if necessary; one evaluates the recorded parameters, and adds the DWCS databases if necessary.

EFFECT: functional capacities enhancement and modelling outcomes integrity increase.

1 dwg

Description

The invention relates to the field of telecommunications, and in particular to the field of diagnosis and control of the technical condition of the information management system (IMS) in the conditions of internal and external risks.

Risk is understood as the impact of uncertainty on goals (Impact is the deviation from what is expected (positive and / or negative). Goals can have different aspects (for example, financial and environmental, in terms of health and safety) and can be applied at different levels (strategic, organization-wide, project, product, or process-wide). Risk is often characterized by potential events, consequences, or combinations thereof. Risk is often expressed as a combination of consequences of events (including changes in circumstances) and the associated probability or possibility of occurrence (clause 2.1, GOST R ISO 31000-2010, Risk management: principles and guidelines).

Information and technical influences are understood as the application of methods and means of information impact on information and technical objects, equipment and weapons in order to achieve their goals (Center for Strategic Assessments and Forecasts. Information War and Information Protection. Glossary of basic terms and definitions, www.csef. ru, Moscow, 2011, p. 25).

Information management system - a system designed to collect, comprehensively process operational information and information exchange between various subsystems and links of a management system, as well as to ensure that daily management bodies transmit necessary instructions to forces and means (Clause 2.2.13, GOST R 22.0. 02-94, Safety in emergency situations. Terms and definitions of basic concepts).

The well-known "Method for modeling processes to ensure the technical readiness of communication networks during technical operation and a system for its implementation" (RF patent No. 2336566, G06N 1/00, publ. 20.10.2008, bull. No. 29). The method consists in performing the following sequence of actions. The circuitry characteristics of the elements of the communication network are determined, their relationships are established, the structure of the communication network is described, all communications are divided into primary and backup, arbitrary combinations of damage to the communication network elements are set, the state of communications between the communication network elements is determined, and the process of technical readiness during operation is modeled communication networks, imitate various types of failures, damage and malfunctions of the main elements of a communication network, replace damaged communications with backup ones, about dictated by the value indicator disaster recovery networks, collect statistics, predict technical condition of the main elements of the communications network and calculate the main indicators of the functioning of communication networks.

Given that the risks caused by external and internal events are different in the ongoing processes, the disadvantages of this method are the low reliability of the simulation results due to the lack of modeling of internal risks and the lack of assessment of damage caused by internal and external risks.

The closest in technical essence and functions performed analogue (prototype) to the claimed one is the method implemented in the invention, “A method for ensuring the stable functioning of a communication system” (RF patent No. 2405184, G05B 23/00, G06F 17/50, 11/27/2010) consisting in the fact that the communication system, including N structural elements and the connections between them, is deployed in a working state, destabilizing effects on its structural elements are recorded, according to the received data, a simulation model of the communication network is formed, destab is modeled on it iruyuschie impact on the simulation results of reconfiguring the simulation model of the communication network and calculate the probability of violations of its functioning by the destabilizing effects at the network connections in real-world conditions and the impact it is only destructive effects of endogenous measure time communication network reconfiguration after every destructive impact. The time intervals after the completion of the reconfiguration to the next destructive impact are also measured. When a communication network is operating under exogenous destructive influences, data on the number of actions on each element of the communication network are also counted and stored, where n = 1, 2 ... N, the number N _in , elements of the communication network subjected to destructive external influences. Measure, calculate and remember the time intervals for reconfiguring the communication network after each external destructive impact, where j = 1, 2 ... M, M is the total number of destructive influences. The time intervals between the jth and (j + 1) th external destructive influences and the time intervals of the communication network functioning after the jth reconfiguration to the (j + 1) th destructive external influence are measured. The average reconfiguration time, the average operating time of the communication network and the average time between external destructive influences, as well as the ranking index R of the communication network elements are calculated from the obtained data. Using the ranking indicator, the affected elements of the communication network are ranked, after which the reliability of opening the communication network structure by the acting side D is calculated. In this case, a simulation model is formed according to the received data and with its help destructive external influences are modeled. Next, the number of actions on the corresponding elements of the communication network is calculated and reconfigured after each exposure. The average time interval between destabilizing external influences is calculated and the calculated reliability value D of opening the communication network structure by the acting party is compared with a predetermined threshold level of reliability D _pores . If the value of the calculated reliability D exceeds the threshold D _{then the} real-life communication network is proactively reconfigured in the time interval after the last reconfiguration, less than the calculated average time between the destabilizing external influences on the simulation model.

Destructive external influences on the simulation model are modeled according to a random law.

Thanks to the indicated set of features, the method implements the possibility, based on measuring the characteristics of the acting destructive factors, to measure the parameters of the communication network operating in these conditions and simulating them on the model to proactively reconfigure the functioning communication network, thereby increasing the stability of the communication network under external destructive influences.

However, the prototype method has the following disadvantages: low reliability of the simulation results due to the lack of modeling of internal risks and the lack of assessment of damage caused by internal and external risks.

An object of the invention is to develop a method for modeling risk monitoring for ICS under the conditions of information and technical influences, which allows expanding the capabilities of the prototype method, increasing the reliability of simulation results by modeling internal risks and assessing the damage caused by internal and external risks of ICS.

The technical problem of the invention is solved by the fact that in the method of modeling risk monitoring for ICS in the conditions of information and technical impacts, the following sequence of actions is performed.

The information management system (IMS), which includes N structural elements and the relationships between them, is deployed in an operational state, and the destabilizing effects caused by external risks on the structural elements are recorded.

Based on the data obtained, a simulation model of the IMS is formed, the destabilizing effects caused by external risks are simulated, the simulation results reconfigure the simulation model of the IMS and the probability of its functioning from the destabilizing effects of external risks is calculated.

At the stage of functioning of the IMS after each exposure, the elements of the IMS subjected to destructive influences are counted, the IMS is reconfigured.

Additionally, at the stage of forming the initial data on the ICS and the parameters of the destabilizing effects of external and internal risks, information leakage channels are identified and measured; identify possible risks associated with undeclared capabilities (NDV) of software and equipment; measure the values of the parameters of equipment with NDV; determine the parameters of other internal risks for IMS.

Create a database and save the parameters of internal and external risks.

Create information links with existing databases of organizations involved in the detection, identification and risk management.

They create a system for detecting, preventing and counteracting (SOPP) the destructive effects of internal and external risks.

Based on the statistical data, physical models of the normal behavior of the IMS subscribers and the abnormal behavior of the subscribers are formed; determine the parameters of the abnormal behavior of the IMS subscribers.

Form the algorithms for the actions of the IMS security system when identifying facts of abnormal behavior of subscribers.

The ICS model operating in conditions of external risks includes the model of functioning of SOPL and the model of internal risks. Using the obtained results of simulation modeling, they teach SOPP; assess the damage caused by internal and external risks, if necessary, change the parameters of the SOPP.

At the stage of functioning of the IMS, the obtained risk parameters are analyzed from the databases of organizations involved in the detection, identification and countering of risks. Monitor parameters characterizing internal and external risks; The measured parameters characterizing the internal and external risks of the SOPP are compared with the values available in the database and they decide on the level of risk for the IMS.

If signs of internal or external risks are identified, assess the possible damage to the IMS. If necessary, carry out measures to counter external and internal risks; at the end of the impact or elimination of external and internal risks, the recorded parameters are evaluated, and if necessary, supplement the databases of the SOPP.

The analysis of the prior art allowed us to establish that analogues, characterized by sets of features that are identical to all the features of the claimed method, are absent. Therefore, the claimed invention meets the condition of patentability "novelty."

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed invention from the prototypes showed that they do not follow explicitly from the prior art. From the prior art determined by the applicant, the influence of the provided by the essential features of the claimed invention on the achievement of the specified technical result is not known. Therefore, the claimed invention meets the condition of patentability "inventive step".

The "industrial applicability" of the method is due to the presence of an element base, on the basis of which devices can be made that implement this method with the achievement of the destination specified in the invention.

The claimed method is illustrated by the structural-logical sequence (Fig. 1), where in block 1 enter the source data obtained from statistical values of internal and external risks, as well as the IMS parameters specified in the guidelines (Basic model of personal data security threats when processing them in personal data information systems FSTEC 2008 and others).

In block 2, technical channels of information leakage (TKUI) are identified and the parameters of the identified TKUI are measured (I. Nezhdanov “Identification of technical channels of information leakage." Http://www.ci2.info/kr-i-iw/5samo-oborona/ zashhita-sobstvennoj-infomacii / vyyavlenie-texnicheskix-kanalovutechki-informacii).

In block 3, equipment and software with undeclared capabilities (NDV) are identified and equipment parameters are measured using NDV (L. Osovetsky, “Technology for identifying undeclared capabilities in the certification of industrial software.” Cybersecurity Issues No. 1 (9) -2015 )

In block 4, the internal risks for the ICS (element) that are not related to TKUI and NDV are determined, and the parameters of the identified risks are measured (Mazov N.A., Revnivykh A.V., Fedotov A.M. “Classification of information security risks”. Bulletin of NSU, Information Technology Series, Volume 9. Issue 2. 2011, pp. 80-89).

In block 5, information links are created with databases of organizations involved in detecting, identifying and countering risks about existing external and internal risks (O. Simakov, “Distributed Databases”, p. Architecture, client / server. P. 23, MIREA, 2006, http: //Irn.no-ip-fo/other/ddb/ Distributed% 20base% 20data_2006uch_g.pdf).

In block 6 create a database of measured parameters of internal and external risks (chap. 5.4, p. 133-146, chap. 7, p. 168-233, Galitsina OL, etc. Databases: Textbook. Forum-Infra -M, Moscow, 2006.352 s.).

In block 7, on the basis of statistical data, parameters are determined that characterize internal and external risks for training the IMS detection, warning and counteraction (SOPP) system for risks. Form the parameters of the normal behavior of the IMS subscribers. The parameters of the abnormal behavior of ICS subscribers are determined (“A New Approach to Information Protection - Computer Threat Detection Systems”, InfosystemsJet corporate magazine, No. 4, 2007 http://wvw.jetinfo.ru/sta-ti/novyj-podkhod -k-zaschite-informatsii-sistemy-obnaruz-heniya-kompyuternykh). The permissible values of the damage caused by a certain group of risks are determined.

In block 8, on the basis of the available data on internal and external risks, an algorithm for the operation of IOPP IMS is developed (Section 7, Algorithm for countering computer attacks on critical information systems. Astrakhov A.V., Klimov S.M., Sychev M.P. “ Counteraction to computer attacks. Technological fundamentals ", Electronic educational publication of MSTU named after NE Bauman, Moscow, 2013).

In block 9, physical models of IMS, internal and external risks and IOPP IMS are created and their joint functioning is modeled (Varlamov OO “On a systematic approach to creating a computer threat model and its role in ensuring information security in key information infrastructure systems”, Izvestia TRTU / Thematic issue // No. 7 / volume 62/2006, p. 218).

In block 10, the value of the destructive parameters (the damage caused) of the internal and external risks of the ICS is evaluated.

If the values of the parameters of the damage caused by internal and external risks exceed the permissible values, change (supplement) the initial data for the models in block 7, and in block 8 supplement the operation algorithms of the SOPP IMS and IMS.

In block 11 deploy in operational condition SOPP IMS and IMS.

In block 12 control the time of functioning of the IMS.

In block 13, parameters are monitored that characterize internal and external risks (Section 1.2, p. 6, A. Galkin and Dr. Modeling of communication systems channels. Moscow: Communication, 1979, 94 pp.).

In block 14, parameter values characterizing the internal and external risks for the IMS with the available parameters obtained from the databases of organizations involved in the detection, identification and counteraction of risks are evaluated.

When identifying signs characterizing the internal or external risk of ICS in block 15 using the existing model, the damage caused by the ICS caused by the identified risk is predicted.

In block 16, the possible damage to the ICS by the identified risk is compared with the acceptable values of the damage caused by the identified risk.

In block 17, if necessary, measures are taken to counteract IR (for example, options for reconfiguring or reconnecting SS channels), (the essence of the reconfiguration process is described in "On the reliability of the application layer, taking into account the possibility of reconfiguring the MPLS network" / http://nauchebe.net/2013/ 01 / onady-ozhnosti-prikladnogo-urovnya-s-uchyotom-voz-mozhnosti-rekonfiguracii-sei-mpls2013), (the essence of the process of switching is described in "Virtual local area networks. Creating VLANs allows you to increase the performance of each of them and isolate each other's networks from a friend ... ", http://www.osp.ru/lan/2002/12/136942 //" Journal of the set solutions / LAN ”, No. 12, 2002).

Upon termination or elimination of the identified external or internal risk, in block 18 the damage caused by the ICS is assessed by the identified risk, and the recorded parameters of the identified risk are evaluated.

In block 19, after each exposure, the elements of ICS subjected to destructive influences are counted. The parameters of the recorded risks are compared with the available values, if necessary, changes are made to the algorithms for the functioning of the IMSS IAP.

Evaluation of the effectiveness of the claimed method was carried out as follows. According to one of the well-known classifications of cyberthreats for ICS communication systems in particular (S. Troshin Modern cyberthreats of 2013 URL http://sergeytroshin.ru/articles/modern-cyber-threats), 7 external and 2 internal threats are currently identified. In this regard, the effectiveness of the claimed modeling method can be determined as follows.

Based on the technical result, the prototype method is able to model and make decisions on external threats. Based on the classification of cyberthreats, the prototype method processes 7 threats. The proposed method simulates 7 external threats and 2 internal threats for IMS.

(Е.С. Вентцель. Теория вероятностей и ее инженерное приложение. М.: Изд. Наука, 1988, с. 463, ф-ла 11.8.5) проводилась согласно следующему выражению:Evaluation of the effectiveness of the proposed modeling method was carried out based on a comparison of the reliability of the simulation results. One of the determining parameters of the reliability of simulation results is the probability of error. Error Probability Estimation

(ES Wentzel. Probability Theory and its engineering application. M: Publishing House Nauka, 1988, p. 463, file 11.8.5) was carried out according to the following expression:

where: Ф - Laplace function;

ε is the value of the confidence interval;

N is the number of simulated threats;

- средняя статистическая вероятность моделирования;

- average statistical probability of modeling;

- минимальная вероятность достоверной моделирования.

- minimum probability of reliable modeling.

проведен по следующей формуле:The calculation of the reliability of the assessment of modeling by the prototype method, with ε = 0.02; N = 7;

carried out according to the following formula:

проведен по следующей формуле:The calculation of the reliability of the simulation estimates of the proposed method with ε = 0.02; N = 9;

carried out according to the following formula:

Evaluation of the effectiveness of the developed method in comparison with the prototype method was carried out according to the expression:

Based on a comparison of the main indicators of the prototype method and the claimed method, it follows that it expands the capabilities of the prototype method, increases the reliability of simulation results by 12.4%, by modeling internal risks and assessing the damage caused by internal and external risks of ICS.

Information sources

1. GOST R ISO 31000-2010, Risk management principles and guidelines.

2. GOST R 22.0.02-94, Safety in emergency situations. Terms and definitions of basic concepts.

3. Patent RU No. 2405184, G05B 23/00, G06F 17/50, 11/27/2010 (analog).

4. The basic model of threats to the security of personal data when they are processed in FSTEC 2008 personal data information systems.

5. Nezhdanov I.Yu. "Identification of technical channels for information leakage."

6.http: //www.ci2.info/kr-i-iw/5samo-oborona/zashhita-sobstvennoj-informacii/vyyavlenie-texnicheskix-kanalovutechki-informacii.

7. Osovetsky L.G. "Technology for identifying undeclared opportunities in the certification of industrial software." Cybersecurity Issues No. 1 (9) -2015.

8. Mazov N.A., Revnivykh A.V., Fedotov A.M. "Classification of information security risks." Bulletin of NSU. A series of information technology. Volume 9. Issue 2. 2011. S. 80-89.

9. Simakov O.V. “Distributed Databases”, p. Client / Server Architecture, p. 23, MIREA 2006, http: //Irn.no-ip-fo/other/ddb/Distributed%20base%20data_2006 academic_pdf.

10. ch. 5.4, pp. 133-146, chap. 7, p. 168-233, Galitsina O.L. and other Databases: Textbook. Forum-Infra-M, Moscow, 2006, 352 p.

11. A new approach to information protection - computer threat detection systems, InfosystemJet corporate magazine No. 4 of 2007. http://www.jetinfo.ru/sta-ti/novyj-podkhod-k-zaschite-informatsii-sistemy- obnaruz-heniya-kompyuternykh.

12. p. 7, Algorithm for countering computer attacks on critical information systems. Astrakhov A.V., Klimov S.M., Sychev M.P. “Countering computer attacks. Technological fundamentals ", Electronic educational publication of MSTU. N.E. Bauman, Moscow, 2013.

13. Varlamov O.O. “On a systematic approach to creating a computer threat model and its role in ensuring information security in key systems of information infrastructure”, Izvestiya TRTU / Thematic issue // No. 7 / volume 62/2006, p. 218.

14. p. 1.2, p. 6, Galkin A.P. and others. Modeling channels of communication systems. Moscow: Communication 1979. 94 p.

15. “On the reliability of the application level, taking into account the possibility of reconfiguring the MPLS network” / http://nauchebe.net/2013/01/onady-ozhnosti-prikladnogo-urovnya-s-uchyotom-voz-mozhnosti-rekonfiguracii-sei-mpls 2013 .

16. “Virtual local area networks. Creating a VLAN allows you to increase the performance of each of them and isolate the network from each other ... "http://www.osp.ru/lan/2002/12/136942 //" Journal of Network Solutions / LAN "No. 12, 2002.

17. S. Troshin, Modern Cyberthreats, 2013 URLhttp: //sergeytroshin.ru/articles/modern-cyber-threats.

18. Wentzel E.S. Probability theory and its engineering application. M .: Publishing. Science, 1988, p. 463, file 11.8.5.

Claims (1)

A method for modeling risk monitoring for an information management system under the conditions of information and technical impacts, consisting in the fact that the information management system (IMS), including N structural elements and the connections between them, is deployed in an operational state, and destabilizing effects caused by external risks are recorded on structural elements, according to the obtained data, form a simulation model of IMS, model the destabilizing effects caused by external risks, according to the results of modeling they configure the simulation model of ICS and calculate the probability of disruption of its functioning from the destabilizing effects of external risks, at the stage of functioning of the ICS after each exposure, count the elements of the ICS subjected to destructive influences, reconfigure the ICS, characterized in that at the stage of generating the initial data on the ICS and the parameters of the destabilizing effects of external and internal risks identify and measure channels of information leakage; identify possible risks associated with undeclared capabilities (NDV) of software and equipment; measure the values of the parameters of equipment with NDV; determine the parameters of other internal risks for IMS; create a database and save the parameters of internal and external risks; create information links with existing databases of organizations involved in the detection, identification and risk management; create a system for detecting, preventing and counteracting (SOPP) the destructive effects of internal and external risks; Based on statistical data, physical models of the normal behavior of the IMS subscribers and the abnormal behavior of the subscribers are formed; determine the parameters of the abnormal behavior of the IMS subscribers; form the algorithms of the IMS security system actions when revealing the facts of abnormal behavior of subscribers; in the IMS model operating in conditions of external risks, include the model of functioning of the SOPP and the model of internal risks; using the obtained results of simulation modeling, they teach SOPP; assess the damage caused by internal and external risks, if necessary, change the parameters of the SOPP; at the stage of functioning of the IMS, the obtained risk parameters are analyzed from the databases of organizations involved in the detection, identification and mitigation of risks; monitor parameters characterizing internal and external risks; the measured parameters characterizing the internal and external risks of SOPP are compared with the values available in the database and a decision is made about the level of risk for the IMS; if signs of internal or external risks are identified, assess the possible damage to the IMS; if necessary, carry out measures to counter external and internal risks; at the end of the impact or elimination of external and internal risks, the recorded parameters are evaluated, and if necessary, supplement the databases of the SOPP.

Images