Methodology for analysing the quality of the vulnerability validation mechanism in the corporate networks

Abstract

The article considers the problem of determining and assessing the quality of the vulnerability validation mechanism of the information systems and networks. Based on the practical analysis of the vulnerability validation process and the analytical dependencies of the basic characteristics of the vulnerability validation quality obtained using the Bernstein polynomials, additional key indicators were identified and characterised, which make it possible to assert with high reliability about the positive progress or consequences of the vulnerability validation of the target corporate network. The intervals of these indicators were experimentally determined at which the vulnerability validation mechanism is of high quality. In addition, during the calculations, a single integral indicator was also derived to quantitatively assess the quality of the vulnerability validation mechanism of the corporate networks, and an experimental study was carried out, as well as the assessment of the quality of the automatic vulnerability validation mechanism of the db_autopwn plugin designed to automate the Metasploit framework vulnerability exploitation tool.
As a result, it was proposed the methodology for analysing the quality of the vulnerability validation mechanism in the corporate networks, which allows one to quantify the quality of the validation mechanism under study, which in turn will allow real-time monitoring and control of the validation progress of the identified vulnerabilities. Also, in the study, the dependences of previously determined key performance indicators of the vulnerability validation mechanism on the rational cycle time were obtained, which makes it possible to build the membership functions for the fuzzy sets. The construction of these sets, in particular, allows making decisions with minimal risks for an active analysis of the security of corporate networks.

Keywords: active analysis of the security, corporate network, target system, vulnerability validation, mechanism quality.

References
1. Kyrychok R. Penetration test as a simulation approach to the analysis of security of corporate information systems. Modern information protection. 2018. №2(34). P. 53-58.
2. Chen F., Su J., and Zhang Y. A scalable approach to full attack graphs generation. Engineering Secure Software and Systems, Springer. 2009. P. 150-163.
3. Abramov E., Andreev A., Mordvin D. Application of attack graphs for modeling malicious network attacks. Bulletin of the Southern Federal University. Technical science. 2012. Volume 26. Issue 1. P. 165-173.
4. Barik M., Sengupta A., Mazumdar C. Attack graph generation and analysis techniques. Defence Science Journal. 2016. №66(6). P. 559-567.
5. Shipileva A. Automatic generation of attack graphs based on branching processes in a random environment. International scientific and practical conference "New Science: Strategies and Development Vectors". Part 2. Sterlitamak, March 8, 2017. P. 143-144.
6. Durkota K. and Lisy V. Computing optimal policies for attack graphs with action failures and costs. In 7th European Starting AI Researchers` Symposium «STAIRS’14». January 2014.
7. Sarraute C., Buffet O., Hoffmann J. POMDPs make better hackers: Accounting for uncertainty in penetration testing. In Proceedings of the 26th AAAI Conference on Artificial Intelligence «AAAI’12». Toronto, ON, Canada, July 2012. AAAI Press. P. 1816-1824
8. Obes, J., Richarte G., Sarraute C. Attack planning in the real world. In Proceedings of the 2nd Workshop on Intelligent Security «SecArt’10». Atlanta, USA. July 12, 2010.
9. Qiu X., Wang S., Jia Q., Xia C. and Lv L. Automatic generation algorithm of penetration graph in penetration testing. Proceedings of the 2014 Ninth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, IEEE. Guangdong, China. Nov 8-10, 2014. P. 531-537.
10. Steinmetz M. Critical constrained planning and an application to network penetration testing. 26th Int Conf on Automated Planning and Scheduling. 2016. P.141-144.
11. Hoffman J. Simulated Penetration Testing: From “Dijkstra” to “Turing Test++”. In Proceedings of the Twenty-Fifth International Conference on Automated Planning and Scheduling, «ICAPS’15». Jerusalem, Israel. June 7-11, 2015. P. 364–372.
12. Luan J., Wang J., Xue M. Automated Vulnerability Modeling and Verification for Penetration Testing Using Petri Nets. Springer, Lecture Notes in Computer Science. July 2016.
13. Kyrychok R., Shuklin G., Barabash О., Gaidur G. Modeling the vulnerabilities validation mechanism in the active analysis of the security of corporate networks using Bernstein polynomials. // Morden informations systems Vol.4, №3(2020) P. 118-123.
14. Kyrychok R., Shuklin G. Algorithm for constructing analytical dependences of vulnerability validation quality indicators in active analysis of corporate network security. Abstracts of the 9th International scientific and practical conference «SCIENCE, SOCIETY, EDUCATION: TOPICAL ISSUES AND DEVELOPMENT PROSPECTS». Kharkiv, Ukraine. August 2-4, 2020. P. 113-115.