Modeling the vulnerabilities validation mechanism in the active analysis of the security of corporate networks using Bernstein polynomials

Roman Kyrychok
http://orcid.org/0000-0002-9919-9691
Herman Shuklin
http://orcid.org/0000-0003-2507-384X
Oleg Barabash
http://orcid.org/0000-0003-1715-0761
Galyna Gaidur
http://orcid.org/0000-0003-0591-3290

Abstract

The subject of the article is the models of the process of active analysis of the security of information systems and networks, in particular one of its key components, the vulnerability validation mechanism. The purpose of the article is to develop a mathematical model for analysing the number of successful and negative validations over a rational cycle of validation of identified vulnerabilities during an automated active analysis of the security of the corporate network. Results: Based on observations and studies of the tools used to exploit the identified vulnerabilities, it was decided to describe the dynamics of the validation processes using Bernstein polynomials, which successfully approximate the analytical dependencies for the quantitative characteristics of the vulnerability validation process. A comparison of the empirical and calculated values of these characteristics also established that the deviations are permissible. Conclusions: The developed mathematical model provides analytical dependencies for the number of successfully validated vulnerabilities, the number of invalidated vulnerabilities, and the number of vulnerability validation cases that led to critical errors over the rational cycle of validation of identified vulnerabilities.

Article Details

Section
Methods of information systems protection
Author Biographies

Roman Kyrychok, State University of Telecommunications, Kyiv

postgraduate student, assistant of information and cybersecurity department

Herman Shuklin, State University of Telecommunications, Kyiv

Candidate of Technical Sciences, Head of Information and cyber defense systems Department

Oleg Barabash, State University of Telecommunications, Kyiv

Doctor of Technical Sciences, Professor, Head of the Mathematics Department

Galyna Gaidur, State University of Telecommunications, Kyiv

Doctor of Technical Sciences, Professor, Head of the Department of information and cybersecurity
