AUTOMATIC SECURITY ANALYSIS OF INFORMATION SYSTEMS INDEPENDENTLY OF FORMAL SPECIFICATIONS
For citation: Kavchuk D.A., Matveev Y.N. Automatic security analysis of information systems independently of formal specifications. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2017, vol. 17, no. 3, pp. 431–438 (in Russian). doi: 10.17586/2226-1494-2017-17-3-431-438
Subject of Research. The paper considers a method for security analysis of information systems. The method evaluates the security state of the information system under study in terms of the presence of unpatched vulnerabilities that could be exploited with publicly available tools. The proposed method analyzes the state of the system without requiring any formal specifications to be composed. Validation is carried out on the live system in automatic mode: attacking actions are performed with the Metasploit penetration testing platform, and the system's reaction to them is observed.

Method. An attack tree for the system under study is constructed by matching the input data. The tree is then traversed, which makes it possible to validate multi-stage attacks. Total security analysis time is reduced by marking the constructed tree with the probabilities that its nodes trigger successfully and by taking these probabilities into account during traversal. This probabilistic refinement is performed with a radial-basis artificial neural network. The reliability of the analysis is ensured by actually validating the presumed vulnerabilities during tree traversal.

Main Results. A software system was implemented on the basis of the proposed method. Experiments on its processing rate and effectiveness were carried out. In the experiments, the security state of a set of information systems was analyzed with the developed program and with its analog. The developed system outperforms the analog by a factor of 1.5 to 6 on the introduced quantitative index of effectiveness. This result proves the efficiency of the proposed method.

Practical Relevance. Organizations and security analysts can apply the software system implemented on the basis of the proposed method as a standalone penetration testing and security analysis tool.
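The Method paragraph's claim that probability marking shortens the analysis can be seen in a small sketch, added here as an illustration and not taken from the paper or its software. It assumes a most-probable-first ordering of the frontier, which the abstract does not specify; node names, probabilities and the validation outcomes are constructed placeholders, with fixed constants standing in for the neural network's estimates and a lookup standing in for live validation.

```python
import heapq
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    p: float  # estimated probability that validating this node succeeds
    children: list = field(default_factory=list)

def build_tree():
    # Constructed attack tree; names and probabilities are placeholders.
    return Node("entry", 1.0, [
        Node("svc-A", 0.10, [Node("A-escalate", 0.50)]),
        Node("svc-B", 0.20),
        Node("svc-C", 0.85, [Node("C-pivot", 0.30), Node("C-escalate", 0.90)]),
    ])

# Constructed ground truth standing in for the live validation step.
CONFIRMED = {"entry", "svc-C", "C-escalate"}
GOAL = "C-escalate"

def validate(node):
    """Stub: report whether the presumed weakness is actually present."""
    return node.name in CONFIRMED

def traverse(root, use_probabilities):
    """Return the node names validated, in order, until GOAL is confirmed.

    A child only enters the frontier after its parent was confirmed, which
    models multi-stage validation. With use_probabilities the frontier is
    ordered by descending p (assumed policy); otherwise by declaration order.
    """
    attempts, counter = [], 0
    frontier = [(0.0, counter, root)]
    while frontier:
        _, _, node = heapq.heappop(frontier)
        attempts.append(node.name)
        if not validate(node):
            continue  # dead end: its children are never reachable
        if node.name == GOAL:
            return attempts
        for child in node.children:
            counter += 1  # unique tie-breaker keeps insertion order stable
            key = -child.p if use_probabilities else 0.0
            heapq.heappush(frontier, (key, counter, child))
    return attempts

if __name__ == "__main__":
    for flag in (False, True):
        order = traverse(build_tree(), flag)
        print("probabilistic" if flag else "declared order", len(order), order)
```

Every node on the returned list was actually validated, so ordering by probability changes only how many checks are spent, not the reliability of the findings.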