Preview

Herald of Dagestan State Technical University. Technical Sciences

Advanced search

Optimization tasks related to quantifying the security level based on vulnerability analysis of automated systems

https://doi.org/10.21822/2073-6185-2026-53-1-64-72

Abstract

Objective. The article discusses the problem of quantifying the level of security of automated systems of internal affairs bodies (AS) in the context of a constant increase in the number of identified vulnerabilities and limited resources spent on their elimination. An analysis of approaches to assessing the security of information systems is conducted, and their limitations associated with the lack of a formalized accounting of resource constraints and relationships between vulnerabilities are shown.

Method. A mathematical apparatus based on a set of optimization models is proposed. Three tasks are considered: minimizing the likelihood of exploiting system vulnerabilities by selecting the optimal elements of the AS control system; selecting the most vulnerable elements for priority verification; selecting a set of vulnerability mitigation tools, taking into account their cost and error tolerance. Dynamic programming and optimization methods were applied.

Result. The results of the computational experiment on model data demonstrate the effectiveness of the proposed approach, which makes it possible to move from "greedy" algorithms for eliminating vulnerabilities to optimal security strategies. Joint solution of optimization problems ensures rational allocation of resources and reduction of the probability of vulnerabilities under time and cost constraints.

Conclusion. The developed method and models can be used as a basis for practical mechanisms for managing the security of ATS automated systems. The application of the proposed approach opens up the prospect of integrating quantitative methods into the assessment processes and increasing the level of security of automated law enforcement systems.

About the Authors

A. O. Efimov
Voronezh Institute of the Ministry of Internal Affairs of Russia
Russian Federation

Aleksey O. Efimov, Lecturer, Department of Automated Information Systems of Internal Affairs Bodies,

53 Patriotov St., Voronezh 394065



E. A. Rogozin
Voronezh Institute of the Ministry of Internal Affairs of Russia
Russian Federation

Evgeny A. Rogozin, Dr. Sci. (Eng.), Prof., Prof., Department of Automated Information Systems of Internal Affairs Bodies,

53 Patriotov St., Voronezh 394065



References

1. Avetisyan A.I., Belevantsev A.A., Chuklyaev I.I. Technologies of Static and Dynamic Analysis of Software Vulnerabilities. Cybersecurity Issues. 2014;3(4): 20–28. – EDN SSYPXV.

2. Bokova O.I., Drovnikova I.G., Etepnev A.S. [et al.] Methods for Assessing the Reliability of Information Security Systems against Unauthorized Access in Automated Systems. SPIIRAS Proceedings. 2019;18(6): 1301–1332. – DOI 10.15622/sp.2019.18.6.1301-1332. – EDN YBHXOB.

3. GOST R 53114-2008. Information Technology. Information Security. Basic Terms and Definitions. – Effective from 2009-01-01. – Moscow: Standartinform, 2009. – 14 p.

4. GOST R 56546-2015. Information Security. Information Protection. Security Indicators of Information Systems. – Effective from 2016-01-01. – Moscow: Standartinform, 2016. – 12 p.

5. GOST R 58142-2018. Information Security. Methods and Means of Information Protection. General Provisions. – Effective from 2018-12-01. – Moscow: Standartinform, 2018. – 24 p.

6. Doinikova E.V., Chechulin A.A., Kotenko I.V. Assessment of Computer Network Security Based on CVSS Metrics. Information and Control Systems. 2017;6(91):76–87. DOI 10.15217/issn1684-8853.2017.6.76. – EDN ZXWUWH.

7. Drovnikova I.G., Etepnev A.S., Rogozin E.A. Main Types of Vulnerabilities and the Relationship of Security Components in Justifying the Reliability Indicators of Information Protection Systems against Unauthorized Access in Automated Systems. Devices and Systems. Control, Diagnostics. 2019;3:59–64. EDN VWGOHY.

8. Efimov A.O., Livshits I. I., Meshcheryakova T.V., Rogozin E.A. Conceptual Framework for Assessing the Security Level of Automated Systems Based on Their Vulnerabilities // Information Technology Security. – 2023. – Vol. 30, No. 2. – P. 63–79. – DOI 10.26583/bit.2023.2.04. – EDN LGPQZP.

9. Konovalenko S.A., Korolev I.D. Detection of Vulnerabilities in Information Systems Using a Combined Method of Analyzing Parametric Data Determined by Computer Network Monitoring Systems. Almanac of Modern Science and Education. 2016;11(113): 60–66. – EDN XEEDXH.

10. Kravchenko A.S., Rodin S.V., Smolentseva TE. Hardware and Software Tools and Information Processes for Protecting Systems Providing Users with Access to Software Resources. Modern Problems of Science and Education. 2015;1-1:357. – EDN VIDYLR.

11. Kubarev A.V. An Approach to the Formalization of Information System Vulnerabilities Based on Their Classification Features. Cybersecurity Issues. 2013;2(2): 29–33. – EDN SZEDHH.

12. Lankin O.V., Sumin V.I., Voronova E.V. A System-Complex Cybernetic Approach to the Formation of Methodological Foundations for Intelligent Information Protection against Unauthorized Access. Bulletin of Voronezh State Technical University. 2011; 7(8):174–176. – EDN NYIJQT.

13. Livshits I.I. A Method for Assessing the Security of Cloud IT Components According to Existing Standards. SPIIRAS Proceedings. 2020;19(2):383–411. – DOI 10.15622/sp.2020.19.2.6. – EDN DPCIDQ.

14. Sumin V.I., Dushkin A.V., Rodin S.V., Zhukova M.A. Mathematical Model of Local Security Policy Considering the Structural Features of an Automated Information System of the Information Center // Mathematical Methods and Information-Technical Tools: Proceedings of the IX All-Russian Scientific and Practical Conference, Krasnodar, June 21–22, 2013 / Editorial Board: I.N. Starostenko (ed.), S.A. Vyzulin, E.V. Mikhailenko, Yu.N. Sopilnyak. – Krasnodar: Krasnodar University of the Ministry of Internal Affairs of the Russian Federation, 2013; 305–307. – EDN YTBIAH.

15. Rodin S.V. Modeling of Information Security Systems in the Information Systems of the Non-Departmental Security Service: Specialty 05.13.18 "Mathematical Modeling, Numerical Methods and Software Complexes", 05.13.19 "Methods and Systems of Information Security, Information Security": Abstract of Dissertation for the Degree of Candidate of Technical Sciences. Rodin Sergey Vladimirovich. Voronezh, 2009;17– EDN NKXWRJ.

16. Sumin V.I., Kravchenko A.S., Rodin S.V. Development of a Network Model of Target Settings of Complex Organizational Systems for Special Purposes. Modeling of Systems and Processes. 2024;17(3):79–87. – DOI 10.12737/2219-0767-2024-77-85. – EDN QIRWOK.

17. FSTEC of Russia. Methodology for Assessing the Criticality of Vulnerabilities of Software and Hardware-Software Tools. – Approved on October 28, 2022. https://fstec.ru/dokumenty/vse-dokumenty/spetsialnye-normativnye-dokumenty/metodicheskij-dokument-ot-28-oktyabrya-2022-g-2 (accessed: 04.10.2024).

18. Shcheglov K.A., Shcheglov A.Yu. Protection Against Application Vulnerability Attacks. Access Control Models. Information Security Issues. 2013;2(101):36–43. – EDN QAVHRX.

19. Forum of Incident Response and Security Teams. Common Vulnerability Scoring System Version 4.0: Specification Document [El.resource]. – URL: https://www.first.org/cvss/specification-document (accessed: 16.01.2025).

20. Lin G., Wen S., Han Q.-L., Zhang J., Xiang Y. Software Vulnerability Detection Using Deep Neural Networks: A Survey. Proceedings of the IEEE. 2020;108(10):1825–1848. DOI: http://dx.doi.org/10.1109/JPROC.2020.2993293.

21. OWASP Foundation. OWASP Risk Rating Methodology [Electronic resource]. – URL: https://owasp.org/wwwcommunity/OWASP_Risk_Rating_Methodology (accessed: 16.01.2025).

22. Russell R. et al. Automated Vulnerability Detection in Source Code Using Deep Representation Learning // 17th IEEE International Conference on Machine Learning and Applications (ICMLA), Orlando, FL, USA. – 2018;757–762. – DOI: http://dx.doi.org/10.1109/ICMLA.2018.00120.

23. Serdechny A.L., Tarelkin M.A., Lomov A.A., Simonov K.V. Maps of Sources Containing Information on Software Vulnerabilities. Information and Security. 2019;22(3):411–422. – EDN ZOUMGN.

24. Wang T., Wei T., Gu G., Zou W. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection. IEEE Symposium on Security and Privacy, Oakland, CA, USA. 2010;. 497–512. – DOI: http://dx.doi.org/10.1109/SP.2010.37

25. Efimov, A.O. On the implementation of vulnerability management of automated systems. Herald of the Voronezh Institute of the Ministry of Internal Affairs of Russia. 2023;3:186-196. EDN MAYURS.

26. Efimov A.O., Rogozin E.A. Assessment of the level of security (safety of functioning) of automated systems based on their vulnerabilities, formalized using the theory of queuing systems. Herald of Dagestan State Technical University. Technical sciences. 2023;50():83-89. – DOI 10.21822/2073-6185-2023-50-2-83-89.

27. Efimov, A.O. Forecasting the number of identified information security vulnerabilities based on the theory of "gray systems" / A.O. Efimov, S.A. Mishin, E.A. Rogozin. Herald of Dagestan State Technical University. Technical sciences. 2023;50(3):72-82. DOI10.21822/2073-6185-2023-50-3-72-82. EDN JEDBYH.


Review

For citations:


Efimov A.O., Rogozin E.A. Optimization tasks related to quantifying the security level based on vulnerability analysis of automated systems. Herald of Dagestan State Technical University. Technical Sciences. 2026;53(1):64-72. (In Russ.) https://doi.org/10.21822/2073-6185-2026-53-1-64-72

Views: 132

JATS XML


Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2073-6185 (Print)
ISSN 2542-095X (Online)