The main scientific results obtained in 2005-2013
- The formal statement of the research problem and the basic requirements for the components that implement intelligent security mechanisms and support the life cycle of distributed protected computer systems were formulated. The construction principles, the structure and a fragment of the distributed knowledge base for intelligent security mechanisms, based on a subject-domain ontology, and of the life cycle support environment for distributed protected computer systems were developed. Formal models of particular components of the intelligent security mechanisms and of the life cycle support environment were developed; in particular, components for specifying security policies and the configuration of the protected system (network), for security policy verification, for determining the security level and for monitoring security policy enforcement were proposed.
- A general approach to verifying the security policy of corporate computer networks, based on a hybrid multi-module architecture of the verification system, together with models of its particular verification components and the verification software, was developed. Using the advantages of the multi-module architecture, the approach combines general-purpose modules with specialized methods. The general-purpose modules are built on theorem proving (using Event Calculus) and on model checking; they detect contradictions of various types, including dynamic ones. The specialized methods are aimed at more efficient handling of contradictions of particular types.
- Models of computer attacks and of the malefactor, of attack tree generation and of computer network security level evaluation were developed. Unlike existing models, the attack model allows both expert knowledge and open vulnerability databases to be used to represent attack actions. The malefactor model takes into account not only the malefactor's rights on network hosts and the host from which the attack actions are launched, but also the malefactor's level of knowledge and skills and his initial knowledge about the attacked network. An important feature of these models is that the malefactor's characteristics are taken into account when attack scenarios are generated. The attack tree generation model analyses the dependencies between the pre-conditions and post-conditions of attack actions. The model has the following features: attack tree nodes are represented as triples, which makes it possible to define the concepts of «attack trace» and «threat»; the traffic filtering rules configured on firewalls are explicitly taken into account when the attack tree is built. The security level evaluation model uses the Common Vulnerability Scoring System (CVSS) approach to determine the primary security parameters, which considerably simplifies their calculation; to define the qualitative integrated security parameter of the computer network, the CVSS approach is combined with the Facilitated Risk Analysis and Assessment Process (FRAAP) risk analysis technique.
- An automated technique for detailed analysis of computer network security was developed. Its features: it uses a uniform approach (based on building and analysing the attack tree) both at the network design stage and during operation; the basic stages of the technique are automated; no active security analysis tools (which can disrupt particular services or the network as a whole) are used. The technique makes it possible: to take into account a variety of initial malefactor locations and the malefactor's knowledge about the attacked network; to use for the analysis not only the network configuration but also the rules of the implemented security policy; to take into account various types of attack actions; to use current open vulnerability databases; to calculate a set of parameters describing the security of the network as a whole and of its particular components; to identify the network security «bottlenecks», i.e. the hosts responsible for most attack traces and vulnerabilities; and to determine an integrated parameter of network security.
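As an added illustration of the attack tree, malefactor and bottleneck models described in the two items above (example code written for this page, not the group's software), the Python sketch below chains attack actions by their pre- and post-conditions, consults the firewall filtering rules and the malefactor's skill level, and ranks hosts by the number of attack traces passing through them. The network, action names, the 1..3 skill scale and the CVSS values are constructed sample data; the triple layout (host, privilege gained, action) is this example's choice, and the FRAAP-based integrated parameter is not shown.

```python
"""Attack-trace generation from pre/post-conditions, firewall rules and a
malefactor model, with CVSS-based host parameters and bottleneck ranking.
Illustration written for this page; all hosts, actions and scores are
constructed sample data, not entries of a real vulnerability database."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

PRIV = {"none": 0, "user": 1, "root": 2}      # ordered privilege levels (assumed)


@dataclass(frozen=True)
class Action:
    name: str
    port: Optional[int]   # target port of a remote action; None = local action
    requires: str         # pre-condition: privilege already held on the target
    grants: str           # post-condition: privilege gained on the target
    skill: int            # minimum malefactor skill, 1..3 (assumed scale)
    cvss: float           # CVSS base score of the vulnerability (constructed)


@dataclass(frozen=True)
class Malefactor:
    host: str             # host from which attack actions are launched
    skill: int


# host -> attack actions its vulnerabilities make possible (constructed)
VULNS = {
    "web":   [Action("rce_web", 80, "none", "user", 1, 7.5)],
    "app":   [Action("rce_app", 8080, "none", "user", 2, 8.1),
              Action("lpe_app", None, "user", "root", 3, 7.8)],
    "db":    [Action("auth_bypass_db", 3306, "none", "root", 1, 9.8)],
    "files": [Action("rce_smb", 445, "none", "root", 2, 9.0)],
}

# firewall filtering rules: allowed (src, dst) -> ports; everything else is dropped
FIREWALL = {
    ("internet", "web"): {80},
    ("web", "app"): {8080},
    ("app", "db"): {3306},
    ("app", "files"): {445},
}


def attack_traces(vulns, firewall, mal, goal):
    """Enumerate attack traces ending in goal = (host, privilege).

    A trace is a chain of triples (host, privilege gained, action); every remote
    action is launched from the host compromised by the previous step.  Any trace
    that reaches the goal is a threat."""
    traces = []

    def step(foothold, priv, owned, trace):
        if (foothold, priv) == goal:
            traces.append(trace)
            return
        # local actions on the current foothold (privilege escalation)
        for a in vulns.get(foothold, []):
            if a.port is None and a.skill <= mal.skill \
                    and PRIV[a.requires] <= PRIV[priv] < PRIV[a.grants]:
                step(foothold, a.grants, owned, trace + [(foothold, a.grants, a.name)])
        if PRIV[priv] < PRIV["user"]:
            return                       # no shell on this host: cannot pivot
        # remote actions against hosts the firewall lets this foothold reach
        for target, actions in vulns.items():
            if target in owned:
                continue
            for a in actions:
                if a.port is None or a.skill > mal.skill or a.requires != "none":
                    continue
                if a.port not in firewall.get((foothold, target), ()):
                    continue             # filtered: this hop is impossible
                step(target, a.grants, owned | {target},
                     trace + [(target, a.grants, a.name)])

    step(mal.host, "root", {mal.host}, [])
    return traces


def host_parameters(vulns):
    """Primary CVSS-based parameter per host: the highest base score it exposes."""
    return {h: max(a.cvss for a in acts) for h, acts in vulns.items()}


def bottlenecks(traces):
    """Hosts ranked by the number of attack traces passing through them."""
    return Counter(h for trace in traces for h, _, _ in trace).most_common()


if __name__ == "__main__":
    mal = Malefactor("internet", 2)
    threats = attack_traces(VULNS, FIREWALL, mal, ("db", "root")) \
        + attack_traces(VULNS, FIREWALL, mal, ("files", "root"))
    for t in threats:
        print(" -> ".join(f"{h}:{p}" for h, p, _ in t))
    print("bottlenecks:", bottlenecks(threats), "hosts:", host_parameters(VULNS))
```

Adding the rule `("web", "db"): {3306}` to FIREWALL creates a second, shorter trace to the database, and lowering the malefactor's skill to 1 removes every trace through `app`; both show why the firewall rules and the malefactor model must enter the tree construction rather than be applied afterwards.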
- Software for computer network security analysis based on the proposed models and technique was developed. Experiments on test computer networks have shown that the software is operable and more efficient than existing similar systems.
- Models and a software prototype of proactive monitoring of security policy enforcement in computer networks were developed. The proposed security policy monitoring models are based on active imitation of user actions (both legitimate ones and ones forbidden by the security policy) and on detecting divergences between the system's reactions and the predefined ones. Unlike related research, this approach is applicable to various categories of security policy (authentication, access control and authorization, filtering, channel protection, etc.). The models are based on optimising the sequence of test influences, which involves: removing redundant test influences; finding the optimal order of test influences; and determining the subsequences of test influences that can be carried out in parallel. The approach relies on planning and generating a set of scripts for carrying out policy monitoring, on using a distributed set of scanners, and on gathering and correlating the information received from them. The proposed models and software components make it possible to check that the security policy specified at the design stage conforms to its implementation in the real network (system), and to analyse whether this policy is adequate to the goal of protecting the information resources of the computer system against current security threats.
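The three optimisation aspects named above, as an added example written for this page (not the prototype's code): redundant test influences are pruned by set cover over the policy rules they verify, the remaining influences are ordered by their dependencies with blockers released first, each dependency level is split into waves so that one scanner never runs two influences at once, and observed reactions are compared with the reactions the policy demands. The influences, rule identifiers, scanner names and observed reactions are constructed.

```python
"""Optimising a security policy monitoring run: prune redundant test influences,
order them by dependency, group them into parallel waves and report divergences
between observed reactions and the ones the policy demands.
Illustration written for this page; all tests and reactions are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Influence:
    name: str
    category: str        # authentication, access control, filtering, channel protection
    checks: frozenset    # policy rules the influence verifies (rule ids assumed)
    after: frozenset     # influences that must complete first
    scanner: str         # scanner executing it; one influence per scanner at a time
    expected: str        # reaction the policy demands: "allow" or "deny"


def I(name, category, checks, after=(), scanner="s1", expected="deny"):
    return Influence(name, category, frozenset(checks), frozenset(after), scanner, expected)


TESTS = [   # constructed monitoring plan
    I("login_valid", "authentication", {"A1"}, expected="allow"),
    I("login_bad_password", "authentication", {"A2"}),
    I("clerk_reads_payroll", "access control", {"AC1"}, after={"login_valid"}),
    I("hr_reads_payroll", "access control", {"AC2"}, after={"login_valid"},
      scanner="s2", expected="allow"),
    I("ssh_from_dmz", "filtering", {"F1"}, scanner="s2"),
    I("ssh_and_http_from_dmz", "filtering", {"F1", "F2"}, scanner="s2"),
    I("vpn_weak_cipher", "channel protection", {"C1"}, scanner="s3"),
]

OBSERVED = {   # constructed reactions gathered from the scanners
    "login_valid": "allow", "login_bad_password": "deny",
    "clerk_reads_payroll": "allow", "hr_reads_payroll": "allow",
    "ssh_and_http_from_dmz": "deny", "vpn_weak_cipher": "allow",
}


def prune_redundant(tests):
    """Greedy set cover over policy rules, then re-add dependencies of kept tests."""
    kept, covered = [], set()
    for t in sorted(tests, key=lambda t: (-len(t.checks), t.name)):
        if not t.checks <= covered:          # contributes a rule not yet verified
            kept.append(t)
            covered |= t.checks
    by_name = {t.name: t for t in tests}
    names = {t.name for t in kept}
    pending = [d for t in kept for d in t.after]
    while pending:                           # a kept test may need a pruned one first
        d = pending.pop()
        if d not in names:
            names.add(d)
            pending.extend(by_name[d].after)
    return [t for t in tests if t.name in names]


def schedule(tests):
    """Dependency levels (Kahn's algorithm); inside a level, influences that block
    others run first, and each scanner's influences are serialised into waves."""
    by_name = {t.name: t for t in tests}
    dependents = Counter(d for t in tests for d in t.after)
    priority = lambda n: (-dependents[n], n)
    indeg = {t.name: len(t.after & set(by_name)) for t in tests}
    waves = []
    level = sorted((n for n, d in indeg.items() if d == 0), key=priority)
    while level:
        busy = defaultdict(list)             # scanner -> its influences on this level
        for n in level:
            busy[by_name[n].scanner].append(n)
        for i in range(max(len(v) for v in busy.values())):
            waves.append([v[i] for v in busy.values() if i < len(v)])  # run in parallel
        nxt = []
        for n in level:                      # release influences waiting on this level
            for t in tests:
                if n in t.after:
                    indeg[t.name] -= 1
                    if indeg[t.name] == 0:
                        nxt.append(t.name)
        level = sorted(nxt, key=priority)
    return waves


def divergences(tests, observed):
    """Policy violations: influences whose observed reaction differs from the demanded one."""
    return [(t.name, t.category, t.expected, observed[t.name])
            for t in tests if t.name in observed and observed[t.name] != t.expected]


if __name__ == "__main__":
    plan = prune_redundant(TESTS)
    for k, wave in enumerate(schedule(plan)):
        print(f"wave {k}: {wave}")
    print("divergences:", divergences(plan, OBSERVED))
```

In the constructed plan `ssh_from_dmz` is dropped because `ssh_and_http_from_dmz` already verifies rule F1, the run collapses to three waves instead of seven sequential steps, and two divergences surface: a clerk can read payroll data and the VPN accepts a weak cipher, both contrary to the policy.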
- Models of agent teams carrying out «Distributed Denial of Service (DDoS)» attacks and of agent teams implementing protection mechanisms against them, as well as models of team interaction, were developed. The agent team models are distinguished by using agent teamwork methods as their basis; their peculiarity is the use of procedures for action coordination, for monitoring and restoration of agent functionality, and for selective communication. Distinctive features of the team interaction models: representation of various kinds of team interaction based on antagonistic counteraction, cooperation and adaptation; use of various methods of defense team cooperation that allow defense agents to exchange traffic data and to involve different classes of defense agents; and the possibility of team adaptation by generating new instances of attacks and defense mechanisms and scenarios for carrying them out.
- A technique of multi-agent simulation of defense mechanisms against DDoS attacks in the Internet (based on the models of agent teams and their interactions) was developed. Its peculiarities: it takes into account the key parameters of the investigated processes (the parameters of the network and its hosts, of the attack team and attack execution, of the defense team and defense mechanisms, of team interaction, etc.); the basic stages of the technique are automated; and various defense mechanisms are evaluated and compared on the basis of the output parameters. The developed models and technique can be generalized to a wide class of problems, in particular information counteraction in the Internet, competition in electronic business, etc. The technique can be used to investigate the efficiency of various defense mechanisms, to estimate the security of existing networks and to develop recommendations for building prospective defense systems.
- The software implementation of the research environment for investigating DDoS attacks and defense mechanisms against them (based on agent-based and packet-level simulation of network security processes) was further enhanced. The research environment is built on a simulation system architecture that includes the Base Simulation System, the Internet Simulation Framework, the Multi-agent Simulation Framework and the Module (Library) of DDoS attacks and defense mechanisms against them. The simulation environment makes it possible to carry out various experiments investigating DDoS attack strategies and prospective defense mechanisms. Experiments on cooperative defense mechanisms have been carried out; they included the simulation of such distributed defense mechanisms as DefCOM, COSSACK, «without cooperation», «cooperation at the level of filters», «cooperation at the level of samplers» and «full cooperation». Various adaptive methods of agent team interaction have also been investigated.
- A proactive approach to protection against network worms was developed. It is based on combining various mechanisms of worm detection and containment and on automatic adjustment of the key parameters of the defense mechanisms to the current network configuration and network traffic. The proactive approach combines the following features: the «multi-resolution» approach, which uses several time intervals («windows») of network traffic observation and different thresholds for the traced parameters; the hybrid approach, which uses various algorithms and mathematical methods; the multilevel combination of algorithms as a system of base classifiers that process the traffic data and a meta-classifier that makes the decision; and adaptive detection and containment mechanisms that can change the detection criterion on the basis of network traffic parameters. Software for simulating and evaluating worm detection and containment was developed. It includes the following components: the traffic sources or traffic generator (which produces the normal traffic and the worm traffic); the traffic analyzer; the libraries of defense mechanisms against network worms; the test scenarios; and the base test complex (evaluation component). A series of experiments for choosing optimal parameters of the defense mechanisms was carried out.
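As an added illustration of the multi-resolution, multilevel and adaptive features above (example code written for this page, not the group's simulation software): three observation windows with thresholds calibrated from a training period act as base classifiers on the number of distinct destinations a host contacts, a majority vote plays the role of the meta-classifier, and traffic from a flagged source is contained. The window lengths, the mean-plus-three-sigma rule, the 30 s training period and the traffic itself (20 normal hosts plus a fast and a slow scanner that both start at 30 s) are constructed assumptions.

```python
"""Multi-resolution worm detection with adaptive thresholds, a majority
meta-classifier and containment.  Illustration written for this page;
traffic, window lengths and calibration rule are constructed assumptions."""
from collections import defaultdict
import statistics

WINDOWS = (1, 5, 20)     # observation windows in seconds (assumed)
T_TRAIN = 30             # seconds of traffic used to calibrate thresholds (assumed)
K_SIGMA = 3.0            # threshold = mean + K_SIGMA * std of the training counts


def make_traffic():
    """Constructed connection attempts (t_seconds, src, dst) over 60 s."""
    events = []
    for i in range(20):                         # normal hosts: three servers each
        src = f"10.0.0.{i + 1}"
        for t in range(60):
            events.append((t, src, f"srv{t % 3}"))
    n = 0
    for t in range(30, 60):                     # fast scanner: 8 new hosts per second
        for _ in range(8):
            events.append((t, "10.0.0.99", f"10.0.1.{n}"))
            n += 1
    for t in range(30, 60):                     # slow scanner: 1 new host per second
        events.append((t, "10.0.0.98", f"10.0.2.{t}"))
    return events


def by_source(events):
    idx = defaultdict(list)
    for e in events:
        idx[e[1]].append(e)
    return idx


def unique_dsts(src_events, t_end, window):
    """Distinct destinations contacted by one source in the window (t_end-window, t_end]."""
    return len({d for t, _, d in src_events if t_end - window < t <= t_end})


def calibrate(events, t_train=T_TRAIN):
    """Adaptive thresholds: per window, mean + K_SIGMA * std of the unique-destination
    count over all training windows fully inside the training period, all sources."""
    idx = by_source(e for e in events if e[0] < t_train)
    thresholds = {}
    for w in WINDOWS:
        samples = [unique_dsts(evs, t, w) for evs in idx.values() for t in range(w, t_train)]
        thresholds[w] = statistics.mean(samples) + K_SIGMA * statistics.pstdev(samples)
    return thresholds


def detect(events, thresholds, t_max=60):
    """Base classifier per window: count > threshold.  Meta-classifier: majority vote.
    Returns {src: first second at which the source was flagged}."""
    idx = by_source(events)
    alerts = {}
    for t in range(t_max):
        for src, evs in idx.items():
            if src in alerts:
                continue
            votes = sum(unique_dsts(evs, t, w) > thr for w, thr in thresholds.items())
            if 2 * votes > len(thresholds):
                alerts[src] = t
    return alerts


def contain(events, alerts):
    """Containment: drop traffic of a flagged source after the second it was flagged."""
    return [e for e in events if not (e[1] in alerts and e[0] > alerts[e[1]])]


if __name__ == "__main__":
    ev = make_traffic()
    thr = calibrate(ev)
    al = detect(ev, thr)
    print("thresholds:", thr, "alerts:", al, "events kept:", len(contain(ev, al)))
```

With these inputs the fast scanner trips all three windows in the first second of scanning, while the slow scanner never exceeds the 1 s threshold and is caught three seconds later only because the 5 s and 20 s windows outvote it; that is the multi-resolution benefit, and the thresholds themselves come from the observed traffic rather than from fixed constants.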
- Models of software protection based on the remote trust mechanism were investigated. This mechanism is intended to detect unauthorized changes to a client program running in a potentially hostile environment; the possible classes of attacks on such defense mechanisms were investigated as well. A mechanism for replacing a mobile module in the client program is proposed. It is based on the concept of aspect-oriented programming, according to which the various functionalities of the client program are programmed separately and then woven into the target code.
- The theoretical basis and operation algorithms of deception systems (DS) were developed. These systems are hardware and software tools for information protection based on the technology of «traps» and false targets. In particular, we developed the requirements for DS, a generalized architecture of multi-agent DS, and generalized models and algorithms of concealed counteraction to remote unauthorized access to information resources, including models of malefactor detection and redirection of unauthorized requests to false components, determining the malefactor's plan (strategy), generating a plan of operation for the false components, etc. The approach is based on simulating the components of information systems and on using three levels of malefactor deception: (1) the network segment level, at which an entire network segment is emulated; (2) the host level, at which a bait host is placed among the working servers; (3) the service and application level, at which programs emulating services and applications are run on the servers. The deception software system was implemented, and a set of experiments investigating its basic deception functions under different attacks was carried out. These experiments were executed on several scenarios determined according to various attack types.