Assessment of the level of security (safety of functioning) of automated systems based on their vulnerabilities, formalized using the theory of queuing systems
https://doi.org/10.21822/2073-6185-2023-50-2-83-89
Abstract
Objective. The aim of the work is to develop a methodological apparatus, as well as a mathematical model based on the theory of queuing systems designed to assess the level of security of automated systems.
Method. The theory of queuing systems is used as the mathematical apparatus. In particular, the problem of eliminating vulnerabilities is treated as a multi-channel queuing system with an unlimited queue. The flow of vulnerabilities detected in the automated system is treated as the incoming flow of requests. Because many vulnerabilities can be detected in a short time, the system accumulates a queue of vulnerabilities. The information security specialists responsible for eliminating vulnerabilities are treated as the service channels. Although specialists could assist one another, this paper considers the situation in which each employee is assigned a specific vulnerability to eliminate. The outgoing flow of requests is the flow of vulnerabilities eliminated from the automated system.
Result. A methodological and mathematical apparatus for assessing the level of security of automated systems based on their vulnerabilities and the process of eliminating vulnerabilities has been developed. The theory of queuing systems was used as a basis. The assessment of security levels is given depending on the probability of a queue of unresolved vulnerabilities.
Conclusion. The developed methodology can be used to assess the level of security of automated systems, and it also makes it possible to assess whether the resources spent on eliminating the vulnerabilities of a specific automated system are sufficient.
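The model described above is a multi-server queue with Poisson arrivals (discovered vulnerabilities), exponential service (one specialist fixes one vulnerability at a time) and unlimited waiting room, i.e. an M/M/c queue. The following added example (not code from the paper) computes its steady-state characteristics, in particular the probability that an arriving vulnerability finds every specialist busy and has to wait (the Erlang C formula), and uses it to find the smallest team for which that probability stays below a target. The arrival and service rates, the target probability and the security-level thresholds are constructed illustrative values, not figures from the paper.

```python
import math


def mmc_metrics(lam, mu, c):
    """Steady-state metrics of an M/M/c queue with unlimited queue.

    lam: arrival rate of discovered vulnerabilities (per unit time)
    mu:  rate at which one specialist eliminates vulnerabilities
    c:   number of specialists (service channels)
    """
    a = lam / mu          # offered load (mean number of busy specialists)
    rho = a / c           # utilisation of one specialist
    if rho >= 1:
        raise ValueError("queue is unstable: lam >= c * mu")
    # Normalisation constant P0 (probability the backlog is empty).
    head = sum(a ** k / math.factorial(k) for k in range(c))
    tail = a ** c / (math.factorial(c) * (1 - rho))
    p0 = 1 / (head + tail)
    p_wait = tail * p0                 # Erlang C: P(all specialists busy)
    lq = p_wait * rho / (1 - rho)      # mean number of vulnerabilities waiting
    wq = lq / lam                      # mean time a vulnerability waits unfixed
    return {"rho": rho, "p0": p0, "p_wait": p_wait, "lq": lq, "wq": wq}


def min_specialists(lam, mu, max_p_wait):
    """Smallest team size keeping P(queue) at or below max_p_wait."""
    c = math.floor(lam / mu) + 1       # smallest c that keeps the queue stable
    while mmc_metrics(lam, mu, c)["p_wait"] > max_p_wait:
        c += 1
    return c


def security_level(p_wait, thresholds=(0.1, 0.3, 0.5)):
    """Map P(queue) to a coarse level; thresholds are assumed, not the paper's."""
    labels = ("high", "medium", "low", "unacceptable")
    for label, limit in zip(labels, thresholds):
        if p_wait <= limit:
            return label
    return labels[-1]


if __name__ == "__main__":
    # Constructed scenario: 4 vulnerabilities found per week, each
    # specialist closes 1 per week, team of 5.
    m = mmc_metrics(lam=4.0, mu=1.0, c=5)
    print(f"P(queue)={m['p_wait']:.3f} Lq={m['lq']:.2f} Wq={m['wq']:.2f} weeks")
    print("level:", security_level(m["p_wait"]))
    print("team for P(queue)<=0.2:", min_specialists(4.0, 1.0, 0.2))
```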
About the Authors
A. O. Efimov
Russian Federation
Aleksey O. Yefimov, Full-time adjunct
53 Patriotov Str., Voronezh 394065
E. A. Rogozin
Russian Federation
Evgeny A. Rogozin, Dr. Sci. (Eng.), Prof., Department of Automated Information Systems of Internal Affairs Bodies
53 Patriotov Str., Voronezh 394065
For citation:
Efimov A.O., Rogozin E.A. Assessment of the level of security (safety of functioning) of automated systems based on their vulnerabilities, formalized using the theory of queuing systems. Herald of Dagestan State Technical University. Technical Sciences. 2023;50(2):83-89. (In Russ.) https://doi.org/10.21822/2073-6185-2023-50-2-83-89