Methods of Estimating Reliability of Information Security Systems which Protect from Unauthorized Access in Automated Systems
Keywords:
Information Security System, Unauthorized Access, Automated System, Reliability, Refusal, Information Confidentiality, Information Integrity, Information Availability
Abstract
Modern methods of protecting information from unauthorized access in automated systems are based on the use of specialized systems for protecting information from unauthorized access. Such security systems are necessarily included, as additional software systems, in the software of automated systems in a secure execution. Information security systems that protect from unauthorized access can be developed not only during the design of automated systems, but can also complement the system-wide software of systems already in operation. The use of these information security systems can reduce the overall reliability of the automated systems if they contain errors that were not detected during debugging. The reliability of the information security systems affects the effectiveness of information security (confidentiality, integrity and availability). The guidance documents of the Federal Service for Technical and Export Control (FSTEC) of Russia are the methodological basis for forming the image of the information security systems both during development and during modernization of the automated systems. The guidance documents of FSTEC of Russia do not contain methodological approaches to assessing the reliability of these software systems. In this regard, the development of techniques for estimating the reliability of information security systems that protect from unauthorized access in automated systems in a secure execution is relevant. The structural complexity of these information security systems and the large number of functions they perform necessitate the use of three reliability indicators that characterize the system in solving the problems of confidentiality, integrity and availability of information. To develop the technique, known methods are used for evaluating the reliability of complex systems that cannot be decomposed into serial and parallel connections.
The developed methods were tested in assessing the reliability of the information security systems from unauthorized access with typical indicators of initial characteristics. The results of calculations and prospects of using the developed methods are presented in the paper.
Copyright (c) 2019 Оксана Игоревна Бокова, Ирина Григорьевна Дровникова, Андрей Сергеевич Етепнев, Евгений Алексеевич Рогозин, Виктор Анатольевич Хвостов

This work is licensed under a Creative Commons Attribution 4.0 International License.