DOI: 10.17586/2226-1494-2017-17-3-431-438


D. A. Kavchuk, Y. N. Matveev


For citation: Kavchuk D.A., Matveev Y.N. Automatic security analysis of information systems independently of formal specifications. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2017, vol. 17, no. 3, pp. 431–438 (in Russian). doi: 10.17586/2226-1494-2017-17-3-431-438


Subject of Research. The paper considers a method for security analysis of information systems. The method evaluates the security state of the information system under study in terms of the presence of unpatched vulnerabilities that could be exploited with publicly available tools. The proposed method analyzes the state of the system without the need to compose any formal specifications. Validation is carried out on the live system in automatic mode: attack actions are performed with the Metasploit penetration testing platform, and the system's reaction to them is observed.

Method. An attack tree for the system under study is constructed by matching the input data. The tree is then traversed, which makes it possible to validate multi-stage attacks. The total security analysis time is reduced by marking the constructed tree with the probabilities that its nodes trigger successfully and taking these probabilities into account during traversal. This probabilistic refinement is performed with a radial-basis artificial neural network. The reliability of the analysis is ensured by actually validating the presumed vulnerabilities during tree traversal.

Main Results. A software system has been implemented on the basis of the proposed method. Experiments on its processing rate and effectiveness have been carried out. In the experiments, the security state of a set of information systems was analyzed with the developed program and with an analogous tool. The developed system outperforms the analog by a factor of 1.5 to 6 on the introduced quantitative index of effectiveness, which proves the efficiency of the proposed method.

Practical Relevance. Organizations and security analysts can apply the software system implemented on the basis of the proposed method as a standalone penetration testing and security analysis tool.

Keywords: automatic security analysis, vulnerability validation, attack trees, attack graphs, artificial neural network
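The probability-guided traversal described in the Method part of the abstract can be sketched as follows. This is an added example, not the authors' code: the tree, the node names and the probabilities are constructed constants (the paper derives probabilities from a radial-basis neural network), and `validate` is a stub standing in for the check against the live system.

```python
import heapq
from collections import deque

# Constructed attack tree: node -> (estimated success probability, children).
# Names and probabilities are illustrative, not taken from the paper.
TREE = {
    "root":       (1.0, ["svc-a", "svc-b", "svc-c"]),
    "svc-a":      (0.2, ["a-escalate"]),
    "svc-b":      (0.1, []),
    "svc-c":      (0.9, ["c-pivot"]),
    "a-escalate": (0.3, []),
    "c-pivot":    (0.8, ["goal"]),
    "goal":       (0.7, []),
}
# Constructed ground truth standing in for the live validation step.
CONFIRMED = {"root", "svc-c", "c-pivot", "goal"}

def validate(node):
    """Stub for the real check against the live system (assumption)."""
    return node in CONFIRMED

def traverse(order="probability", goal="goal"):
    """Return (validation attempts, confirmed nodes) up to the goal.

    A child becomes a candidate only after its parent is confirmed, which
    models multi-stage validation. Path probability is the product of node
    probabilities along the path (independence is an assumption here).
    """
    attempts, confirmed, seq = 0, [], 0
    if order == "probability":
        frontier = [(-1.0, 0, "root")]           # min-heap on negated probability
        pop = lambda: heapq.heappop(frontier)
        push = lambda item: heapq.heappush(frontier, item)
    else:                                         # baseline: breadth-first order
        frontier = deque([(-1.0, 0, "root")])
        pop, push = frontier.popleft, frontier.append
    while frontier:
        neg_p, _, node = pop()
        if node != "root":
            attempts += 1                         # one validation per candidate
        if not validate(node):
            continue                              # subtree is never explored
        confirmed.append(node)
        if node == goal:
            break
        for child in TREE[node][1]:
            seq += 1                              # tie-breaker keeps insertion order
            push((neg_p * TREE[child][0], seq, child))
    return attempts, confirmed
```

On this constructed tree the probability-ordered traversal confirms the goal in fewer validation attempts than the breadth-first baseline, which is the time saving the abstract attributes to probability marking.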



This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License