Algorithmization of Reference Security Models of Corporate Automation Systems Based on Formal Security Models
Bulletin of the South Ural State University. Ser. Computer Technologies, Automatic Control, Radio Electronics

The paper considers the process of algorithmizing reference security models implemented on the basis of existing formal security models. The main approaches to the practical implementation of reference security models are studied with a view to identifying potential areas for improvement. The paper analyses the constraints of the models in order to synthesize, on the basis of their formal reference model, a software algorithm amenable to the subsequent practical security analysis of real systems. On the basis of the formalized model, a graph is built which combines multiple information security vulnerabilities, attack methods and the consequences of their realization for the security of systems; on its basis controllable models of real systems can be created. An algorithm for the semi-automatic security analysis of corporate automated systems is developed.

Keywords: information security, automation systems, reference security models, algorithmization of formal models, automation security systems, analysis of the security of automation systems.

Introduction
Reference security models (RSM) are the main assessment tool when analyzing the security of corporate automation systems (AS) and studying their peculiarities from the point of view of information security and information protection. Implementing information protection measures in an AS includes fitting the actual system into the RSM framework [1,4,5]. Fitting the actual system into the RSM framework manually is difficult and requires collecting and processing large volumes of data on aspects of the AS operation. Hence there is a prospect of automating the collection of information about these aspects in the context of identifying potential vulnerabilities and threats to information security in the AS.

Reference security models
An RSM serves as a list of security requirements for the AS, describes the information flows in the AS and the structures used by the access control policy, and contains a formal description of the potential exploitation of vulnerabilities and the materialization of information security threats. The basic RSMs that determine the methods and forms of protecting the AS against threats to the security, integrity and availability of information, and the AS parameters and structures to be detected, are [1,2,4]:
• discretionary access control models;
• the isolated software environment model;
• the information flow security model;
• the role-based access control model;
• the logical security management model.
Models of these types have the properties of adequacy and abstraction necessary for analytical and research purposes. Fig. 1 presents a formal classification of these models [3].

Fig. 1. Classification of RSM in AS

Practical implementation relies on several theoretical and methodological approaches. One approach holds that all information security processes in an AS can be described by the access of subjects to clearly defined objects or groups of objects. An example of this approach is the Harrison-Ruzzo-Ullman model [2,3]. In this model an AS with discretionary access control is described as a set of access matrices, each of which corresponds to a state of the AS. To change the properties of the AS and move it between states, commands that modify the access matrices are used.
Another approach involves mandatory access control, which is often described in terms of the classical Bell-LaPadula model and special models based on it [2,3]. The classical Bell-LaPadula model is an automaton model presenting the AS as an abstract system. An abstract system state is formalized by:
• a closed set of current access rights of subjects to system objects;
• abstract functions specifying the access level and the current access level for each subject and the confidentiality level for each object;
• an access matrix, which makes it possible to unite the discretionary and mandatory approaches to access control in one model.
The described classical models include special definitions of the elements and functions of the AS; in these models the following important features of the functioning of modern AS are not considered [3]:
• the ability to merge subjects and to transfer access rights;
• the possible existence of subjects with zero trust level in the AS, which must be provided with special working conditions;
• the ability to process a conflict state of the system when access functions of subjects with zero and nonzero trust levels overlap;
• the presence of hierarchical connectivity of entities in the AS;
• the necessity of defining different access control rules and information flow control for specific sections of the AS.
The third approach aims to provide a theoretical analysis of the conditions for access rights leakage and for the realization of prohibited information flows by memory or by time, taking into account the essential features of modern AS. The approach is to obtain a set of formal security models of logical access control and information flow (the set of DP-models) [3].
The basis of all models in the set is the DP-model, developed by applying the provisions of the extended Take-Grant model, the Bell-LaPadula model, SVS models and the subject-oriented IPS model. The classical approach is used: each modeled AS is represented as an abstract system in which every system state is described by an access graph, and any transition of the system from one state to the next results from applying one of the access graph transformation rules.
Thus, the existing main approaches to RSM in AS make it possible to realize a comprehensive algorithmic approach to the practical security analysis of a specific AS by means of software tools that verify the conformity of the AS.

Mathematical models of security analysis
There are three main types of mathematical models that serve as the mathematical tool for formalizing security analysis and implementing it by machine in the form of an algorithm, and that can be used for practical realization:
• models of information attacks, designed to reproduce the essential properties and characteristics of attacks. Models of this type make it possible to study the characteristics of a specific attack in the laboratory in order to determine which remedies can neutralize it;
• models of detecting information attacks, which describe the process of detecting attacks on the information resources of the AS;
• models of information security risk assessment of the AS, which make it possible to determine the efficacy of the entire security system.
To provide the mathematical tool for the research, the described models can be formalized as a hierarchical tree (a connected acyclic graph) [7] T = <M, N>, where M is the set of vertices of the tree and N is the set of its arcs. Each vertex of the tree T is associated with a particular security incident in the AS, and the root of the tree represents the ultimate goal of the incident (an information attack). On the graph T a set of possible paths can be built, where each path is a sequence of arcs from N in which the final vertex of each arc is the initial vertex of the next arc. The initial vertex of a path may be a leaf of the tree T, and the final vertex the root of T. Thus, every element of the set of paths describes one of the possible scenarios of the incident (information attack).
A special case of the models based on the described method of formalization is the model of attacks on information resources.
The proposed model of attacks on information resources consists of three basic sets: V, the set of vulnerabilities of the information resources of the automation system; A, the set of ways of implementing attacks on information resources; and C, the set of consequences of attacks on information resources. The main provisions of the reviewed models are given in [8].
To describe the relationship between the elements of the sets A, V and C, it is necessary to define an algebraic relation (ternary, since n = 3) W := A × V × C. An element (a, v, c) belongs to the relation W, where a ∈ A, v ∈ V, c ∈ C, and this element is the logical structure "An attack on information resources, implemented by the method a via exploitation of the vulnerability v, leads to the consequence c".
With each vulnerability v ∈ V a subset of A is associated that includes the attacks on information resources exploiting the vulnerability v. Its cardinality is strictly greater than 0 and strictly less than |A|, i.e., the vulnerability v cannot be used to realize all attacks on information resources from the set A, and there is no vulnerability on the basis of which none of the attacks on information resources could be implemented.
With each information attack a ∈ A a subset of V is associated that includes the vulnerabilities exploited by the attack a. Its cardinality is strictly greater than 0 and strictly less than |V|, i.e., the attack a cannot exploit all vulnerabilities of the information resources of the automation system, and there is no attack that does not exploit some vulnerability of the information resources of the automation system. With each information attack a ∈ A a subset of C is also associated that includes the consequences caused by the attack a. Its cardinality is strictly greater than 0 and strictly less than |C|, i.e., the attack a cannot lead simultaneously to all consequences included in the set C, but it leads to at least one consequence.
With every consequence c ∈ C a subset of A is associated that includes the attacks on information resources of the automation system which lead to the consequence c. Its cardinality is strictly greater than 0 and strictly less than |A|, i.e., there is no consequence that is not the result of some attack, and no consequence is the result of realizing every attack included in the set A.

Mathematical model of attacks on information resources
Taking the formalization into account, the described mathematical model can be presented as a graph whose nodes and arcs are given by two sets, the set of arcs being a subset of the Cartesian square of the set of nodes. For this graph a relation T between its arcs and the set W is defined such that every arc corresponds to one or more elements of the relation W. Applying the relation T, every arc of the graph is interpreted as one of the types of modeled attack on information resources of the automation system. In the relation T several elements of the set W may correspond to the same arc at the same time only on condition that these elements are attacks leading to identical consequences: two elements w′ = (a′, v′, c′) and w″ = (a″, v″, c″) of W may correspond to the same arc if and only if c′ = c″, where a′, a″ are ways of attack realization, v′, v″ are vulnerabilities and c′, c″ are consequences of attack realization. Several arcs may enter the same graph node when, in the relation T, the elements of W corresponding to each of them describe attacks on information resources of the automation system that lead to identical consequences. Thus, graph nodes can consolidate different stages of an attack on information resources that lead to identical consequences. An example of the described graph is in Fig. 2.

The algorithm for security analysis of AS
On the basis of the described mathematical model of attacks on information resources, algorithms and software for conducting the security analysis of automation systems can be realized.
The following set of instructions is an example of such a security analysis algorithm:
1. Make lists of vulnerabilities, of ways of realizing threats, and of the impacts of their realization, for developing the model of attacks on information resources. These lists are the basis for forming the sets V, A and C.
3. The resulting set is filtered to exclude elements inappropriate to the ternary relation W := A × V × C.
4. As a result of filtering, the set W′ is formed, containing both possible and impossible combinations (a, v, c). Then the second stage of filtering is carried out to exclude from W′ the elements describing impossible attack scenarios. For this, sets of pairs (a, v), (a, c) and (v, c) that are impossible combinations of attacks and vulnerabilities, attacks and consequences, and vulnerabilities and consequences respectively are formed.
5. Based on the formed sets, W′ is filtered to W, which is appropriate for developing the attack model.
6. On the basis of the set W the graph is constructed by forming the relation T between its arcs and W, taking into account the following rule: in T several elements of the set W may correspond to one arc at the same time only on condition that these elements represent attacks that lead to the same consequences.
7. As a result, the set T contains all possible scenarios of attacks on information resources. To carry out the security analysis, each consequence in the set C is assigned a coefficient that is greater than 0 and less than 1, with the coefficients summing to 1; the coefficient is directly proportional to the damage to system resources from the ensuing consequence. Every consequence has a nonzero coefficient, while the total of all coefficients does not exceed 1.
Based on the generated coefficients, a search is made in the set T for the paths in the graph where the sum of the consequence coefficients is maximal, i.e., the ways of implementing an information attack that lead to the greatest damage to the information system.
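As an added example (not the paper's own code), the following Python carries the attack model and the algorithm above through on constructed data: it builds the relation W from sample sets A, V, C by removing impossible pairs (steps 3 to 5), checks the cardinality constraints on W stated in the attack model section, constructs the graph whose arcs consolidate elements of W with identical consequences (step 6) and searches for the path of greatest summed damage (step 7 and the final paragraph). All names in the sets, the possible-pair lists, the weights and the REACHABLE map that chains stages are assumptions of this example.

```python
from itertools import product
# Constructed sample sets (not from the paper): attacks A, vulnerabilities V, consequences C.
A = {"brute_force", "remote_exploit", "data_copy"}
V = {"weak_pw", "unpatched_svc", "open_share"}
C = {"takeover", "code_exec", "leak"}
# Constructed possible (a, v), (a, c) and (v, c) pairs; every other pair is "impossible"
# and is removed in steps 4-5. Names are distinct, so one set can hold all three kinds.
POSSIBLE = {("brute_force", "weak_pw"), ("remote_exploit", "unpatched_svc"),
            ("data_copy", "open_share"), ("data_copy", "unpatched_svc"),
            ("brute_force", "takeover"), ("remote_exploit", "code_exec"),
            ("remote_exploit", "leak"), ("data_copy", "leak"),
            ("weak_pw", "takeover"), ("unpatched_svc", "code_exec"),
            ("unpatched_svc", "leak"), ("open_share", "leak")}
# Constructed assumption (the paper leaves stage chaining open): vulnerabilities exploitable
# in the initial state and after each achieved consequence.
REACHABLE = {"start": {"weak_pw", "open_share"}, "takeover": {"unpatched_svc"}, "code_exec": {"open_share"}}
# Step 7: weights in (0, 1) proportional to damage, summing to 1 over C.
WEIGHT = {"takeover": 0.3, "code_exec": 0.5, "leak": 0.2}

def build_w(A, V, C):
    """Steps 3-5: form A x V x C, then drop every triple that contains an impossible pair."""
    impossible = (set(product(A, V)) | set(product(A, C)) | set(product(V, C))) - POSSIBLE
    return {(a, v, c) for a, v, c in product(A, V, C)
            if not ({(a, v), (a, c), (v, c)} & impossible)}

def constraints_hold(W, A, V, C):
    """0 < |A_v| < |A|, 0 < |V_a| < |V|, 0 < |C_a| < |C| and 0 < |A_c| < |A| for every v, a, c."""
    def strict(items, bound):
        return 0 < len(items) < bound
    return (all(strict({a for a, v, _ in W if v == x}, len(A)) for x in V)
            and all(strict({v for a, v, _ in W if a == x}, len(V)) for x in A)
            and all(strict({c for a, _, c in W if a == x}, len(C)) for x in A)
            and all(strict({a for a, _, c in W if c == x}, len(A)) for x in C))

def build_graph(W):
    """Step 6: relation T; one arc (node, c) consolidates every W element reaching c from node."""
    T = {}
    for (node, vulns), (a, v, c) in product(REACHABLE.items(), W):
        if v in vulns and c != node:
            T.setdefault((node, c), set()).add((a, v, c))
    return T

def max_damage_path(T, node="start", seen=()):
    """Final step: the simple path from node whose summed consequence weights are greatest."""
    best = (0.0, [node])
    for src, c in T:
        if src == node and c not in seen:
            score, path = max_damage_path(T, c, seen + (c,))
            best = max(best, (WEIGHT[c] + score, [node] + path))
    return best
```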