Research of vulnerabilities database for parametrization of markov models of availability web-resources

Yu. L. Ponochovniy; S. Yu. Rohochyi; O. I. Sharai; V. O. Knurenko; V. S. Voronianskyi

doi:10.32836/2521-6643-2019-1-57-5

Yu. L. Ponochovniy Ph.D., Senior Researcher, Associate Professor of the Department of Information Systems and Technologies of the Poltava State Agrarian Academy
S. Yu. Rohochyi master student Poltava National Technical University named after Yuri Kondratyuk
O. I. Sharai master student Poltava National Technical University named after Yuri Kondratyuk
V. O. Knurenko master student Poltava National Technical University named after Yuri Kondratyuk
V. S. Voronianskyi Professor of Poltava College of Oil and Gas at Poltava National Technical University named after Yuri Kondratyuk

DOI: https://doi.org/10.32836/2521-6643-2019-1-57-5

Keywords: vulnerability of web resources; parameter estimation; intensity of manifestation, critical score

Abstract

In this paper we consider issues of obtaining information from open data-bases of vulnerabilities and the creation of excerpt according to several criteria. The relevance of the topic is due to the need to ensure the parameterization of samples. Simulation helps increase the likelihood of detecting a vulnerability be-fore it is used by attackers. The issues of assessing the parameters of vulnerabili-ties of web resources are considered. These parameters are used as input in Mar-kov availability models. Availability is included in the set components of infor-mation security (confidentiality, integrity, availability).
The article discusses the relationship between databases of vulnerabilities. The relationships between the CVE database and other open and paid reposito-ries are analyzed. Analyzed the current state of relations (uplink or downlink). The focus is on issues of updating the information given in open databases. The activity of the database, their openness, paid access or the possibility of trial / limited use are determined.
For processing, information from the NVD vulnerability database in the form of archived XML files was obtained and refined. The following parameters were used as input parameters for Markov models: the intensity of the manifesta-tion of vulnerabilities and the criticality of the attack. The calculations of the in-tensity of the availability of vulnerabilities of Apache family of web servers based on samples for 2015 and 2016 are given. Attention is paid to the specification of the time of fixation of vulnerabilities in the database and the formation of samples based on a set of selection criteria from the open bases of vulnerabilities of NVD and CVE.
The results of the study showed that in 2016, new vulnerabilities from the sample were recorded 3.23 times faster, but at the same time, their criticality de-creased by 3 % on average. The tendency of gradual growth of interest to net-work software products, in particular Apache web servers, is confirmed.

To speed up and more convenient excerpt creation, it is advisable to deve-lop software that automatically creates the necessary excerpte after selecting the formation criteria. Also, to improve the results of the study, it is necessary to re-fine the vulnerability information in several open bases.

References

1. Prisyashniy D. P. (2016), “Udoskonalennya zakhystu veb-resursiv vid atak na osnovi kombinovanoho evrystychno-statystychnoho pidkhodu” [“Improv-ing the protection of web resources from attacks on the basis of a combined heu-ristic-statistical approach”], Collection of scientific works Reyestratsiya, zberi-hannya i obrobka danykh [Registration, storage and processing of data], tom 18, vol. 1, pp. 63–69 [Ukraine].
2. Fedorchenko A. V., Chechulin A. A. and Kotenko I. V. (2014.), “Issle-dovaniye otkrytykh baz uyazvimostey i otsenka vozmozhnosti ikh primeneniya v sistemakh analizazashchishchennosti komp'yuternykh setey” [“Study of open da-tabases of vulnerabilities and assessment of their applicability in computer securi-ty analysis systems”], Journal Informatsionno-upravlyayushchiye sistemy [Infor-mation Control Systems], vol. 5, pp. 72–79 [Russia].
3. Common Vulnerabilities and Exposures / The MITRE Corporation, available at: http://cve.mitre.org – 15.01.2019.
4. Secunia Research Community / Flexera Software LLC, available at: https://secuniaresearch.flexerasoftware.com – 15.01.2019.
5. SecurityFocus database of computer security / SecurityFocus Symantec Corporate Offices, available at: http://www.securityfocus.com – 15.01.2019.
6. Exploit Database by Offensive Security / Exploit Database by Offensive Security, available at: https://www.exploit-db.com - 15.01.2019.
7. Microsoft Security Bulletins / Microsoft, available at: https://docs.microsoft.com/en-us/security-updates/securitybulletins – 15.01.2019.
8. CERT Vulnerability Notes Database / Carnegie Mellon University Soft-ware Engineering Institute, available at: Access mode: https://www.kb.cert.org/ vuls – 15.01.2019.
9. Android Security Bulletins / Android by Google LLC and the Open Handset Alliance, available at: https://source.android.com/security/bulletin – 15.01.2019.
10. National vulnerability database / NIST Computer Security Division, In-formation Technology Laboratory, available at: https://nvd.nist.gov – 15.01.2019.
Fedorchenko A. V., Chechulin A. A. and Kotenko I. V. (2014), "Postroyeniye integrirovannoy bazy uyazvimostey” [“Building Integrated Vulner-ability Base”] Collection of scientific works Izvestiya vuzov. Priborostroyeniye [Izvestiya Vuzov. Instrument making], vol. 57, No. 11, pp. 62-67 [Russia].
12. Beloborodov A. Yu. and Gorbenko A. V. (2015), “Prymenenye baz dannykh uyazvymostey v zadachakh yssledovanyya bezopasnosty prohrammnykh sredstv” [“Using vulnerability databases in software security research tasks”], Visnyk Kharkivs’koho natsional’noho tekhnichnoho universytetu sil’s’koho hos-podarstva imeni Petra Vasylenka [Bulletin of Kharkiv National Technical Uni-versity of Peter Vasilenko], vol. 165, pp. 83–85 [Ukraine].
13. Alaa Mohammed Abdul-Hadi, Ponochovny Yu. L. and Kharchenko V. S. (2013), "Razrabotka bazovykh markovskikh modeley dlya issledovaniya gotov-nosti kommercheskikh veb-servisov” [“Development of basic Markov models for the study of the availability of commercial web services”], Journal Radíoyelektronní í komp’yuterní sistemi [Radio and Computer and Computer Sys-tems, vol. 5 (64), pp. 186–191 [Ukraine].
14. Tsaregorodtsev A. V. and Makarenko E. V. (2015), “Metodika kolich-estvennoy otsenki riska v informatsionnoy bezopasnosti oblachnoy infrastruktury organizatsii” [“Method of quantitative risk assessment in the information security of the organization’s cloud infrastructure”], Journal Daydzhest-finansy [Digest Finance], vol. 1 (233), pp. 56–67 [Russia].
15. Kharchenko V., Ponochovnyi Yu., Mustafa Qahtan Abdulmunem A.-S. and Andrashov A. (2018), “Availability models and maintenance strategies for smart building automation systems considering attacks on component vulnerabili-ties”, Advances in Intelligent Systems and Computing, vol. 582, pp. 186–195.
16. Alaa Mohammed Abdul-Hadi (2013), “Otsenka intensivnosti ataka na uyazvimosti dostupnosti kommercheskikh veb-servisov” [“Assessment of the in-tensity of the attack on the vulnerability of the availability of commercial web services”], Journal Systemy obrobky ínformatsíi [Processing Systems Infor-mation], vol. 6 (113), pp.204–208 [Ukraine].
17. Kharchenko V. S. Alaa Mohammed Abdul-Hadi and Ponochovny Yu. L. (2013), Formirovaniye podmnozhestv uyazvimostey dostupnosti kommerch-eskikh veb-servisov [“Formation of subsets of accessibility vulnerabilities in commercial web services”], Journal Sistemi obrobki ínformatsíí