Дослідження баз вразливостей для параметризації марковських моделей оцінювання доступності веб-ресурсів
Ключові слова:
вразливості веб-ресурсів; оцінювання параметрів; ін-тенсивність прояву; критичність вразливості
Анотація
Досліджено актуальне питання оцінювання параметрів вразливостей веб-ресурсів для використання як вхідних даних у марковських моделях до-ступності. Наведено розрахунки інтенсивності прояву вразливостей до-ступності веб-серверів сімейства Apache на основі вибірок за 2015 та 2016 рр. У статті розглянуто зв’язки між базами вразливостей, зокрема між ба-зою CVE та іншими відкритими та платними репозитаріями. Основна ува-га приділяється питанням актуалізації наведеної у відкритих базах інфор-мації, уточненню часу фіксації вразливості в базі та формуванню вибірок на основі множини критеріїв відбору.
Посилання
1. Prisyashniy D. P. (2016), “Udoskonalennya zakhystu veb-resursiv vid atak na osnovi kombinovanoho evrystychno-statystychnoho pidkhodu” [“Improv-ing the protection of web resources from attacks on the basis of a combined heu-ristic-statistical approach”], Collection of scientific works Reyestratsiya, zberi-hannya i obrobka danykh [Registration, storage and processing of data], tom 18, vol. 1, pp. 63–69 [Ukraine].
2. Fedorchenko A. V., Chechulin A. A. and Kotenko I. V. (2014.), “Issle-dovaniye otkrytykh baz uyazvimostey i otsenka vozmozhnosti ikh primeneniya v sistemakh analizazashchishchennosti komp'yuternykh setey” [“Study of open da-tabases of vulnerabilities and assessment of their applicability in computer securi-ty analysis systems”], Journal Informatsionno-upravlyayushchiye sistemy [Infor-mation Control Systems], vol. 5, pp. 72–79 [Russia].
3. Common Vulnerabilities and Exposures / The MITRE Corporation, available at: http://cve.mitre.org – 15.01.2019.
4. Secunia Research Community / Flexera Software LLC, available at: https://secuniaresearch.flexerasoftware.com – 15.01.2019.
5. SecurityFocus database of computer security / SecurityFocus Symantec Corporate Offices, available at: http://www.securityfocus.com – 15.01.2019.
6. Exploit Database by Offensive Security / Exploit Database by Offensive Security, available at: https://www.exploit-db.com - 15.01.2019.
7. Microsoft Security Bulletins / Microsoft, available at: https://docs.microsoft.com/en-us/security-updates/securitybulletins – 15.01.2019.
8. CERT Vulnerability Notes Database / Carnegie Mellon University Soft-ware Engineering Institute, available at: Access mode: https://www.kb.cert.org/ vuls – 15.01.2019.
9. Android Security Bulletins / Android by Google LLC and the Open Handset Alliance, available at: https://source.android.com/security/bulletin – 15.01.2019.
10. National vulnerability database / NIST Computer Security Division, In-formation Technology Laboratory, available at: https://nvd.nist.gov – 15.01.2019.
Fedorchenko A. V., Chechulin A. A. and Kotenko I. V. (2014), "Postroyeniye integrirovannoy bazy uyazvimostey” [“Building Integrated Vulner-ability Base”] Collection of scientific works Izvestiya vuzov. Priborostroyeniye [Izvestiya Vuzov. Instrument making], vol. 57, No. 11, pp. 62-67 [Russia].
12. Beloborodov A. Yu. and Gorbenko A. V. (2015), “Prymenenye baz dannykh uyazvymostey v zadachakh yssledovanyya bezopasnosty prohrammnykh sredstv” [“Using vulnerability databases in software security research tasks”], Visnyk Kharkivs’koho natsional’noho tekhnichnoho universytetu sil’s’koho hos-podarstva imeni Petra Vasylenka [Bulletin of Kharkiv National Technical Uni-versity of Peter Vasilenko], vol. 165, pp. 83–85 [Ukraine].
13. Alaa Mohammed Abdul-Hadi, Ponochovny Yu. L. and Kharchenko V. S. (2013), "Razrabotka bazovykh markovskikh modeley dlya issledovaniya gotov-nosti kommercheskikh veb-servisov” [“Development of basic Markov models for the study of the availability of commercial web services”], Journal Radíoyelektronní í komp’yuterní sistemi [Radio and Computer and Computer Sys-tems, vol. 5 (64), pp. 186–191 [Ukraine].
14. Tsaregorodtsev A. V. and Makarenko E. V. (2015), “Metodika kolich-estvennoy otsenki riska v informatsionnoy bezopasnosti oblachnoy infrastruktury organizatsii” [“Method of quantitative risk assessment in the information security of the organization’s cloud infrastructure”], Journal Daydzhest-finansy [Digest Finance], vol. 1 (233), pp. 56–67 [Russia].
15. Kharchenko V., Ponochovnyi Yu., Mustafa Qahtan Abdulmunem A.-S. and Andrashov A. (2018), “Availability models and maintenance strategies for smart building automation systems considering attacks on component vulnerabili-ties”, Advances in Intelligent Systems and Computing, vol. 582, pp. 186–195.
16. Alaa Mohammed Abdul-Hadi (2013), “Otsenka intensivnosti ataka na uyazvimosti dostupnosti kommercheskikh veb-servisov” [“Assessment of the in-tensity of the attack on the vulnerability of the availability of commercial web services”], Journal Systemy obrobky ínformatsíi [Processing Systems Infor-mation], vol. 6 (113), pp.204–208 [Ukraine].
17. Kharchenko V. S. Alaa Mohammed Abdul-Hadi and Ponochovny Yu. L. (2013), Formirovaniye podmnozhestv uyazvimostey dostupnosti kommerch-eskikh veb-servisov [“Formation of subsets of accessibility vulnerabilities in commercial web services”], Journal Sistemi obrobki ínformatsíí
2. Fedorchenko A. V., Chechulin A. A. and Kotenko I. V. (2014.), “Issle-dovaniye otkrytykh baz uyazvimostey i otsenka vozmozhnosti ikh primeneniya v sistemakh analizazashchishchennosti komp'yuternykh setey” [“Study of open da-tabases of vulnerabilities and assessment of their applicability in computer securi-ty analysis systems”], Journal Informatsionno-upravlyayushchiye sistemy [Infor-mation Control Systems], vol. 5, pp. 72–79 [Russia].
3. Common Vulnerabilities and Exposures / The MITRE Corporation, available at: http://cve.mitre.org – 15.01.2019.
4. Secunia Research Community / Flexera Software LLC, available at: https://secuniaresearch.flexerasoftware.com – 15.01.2019.
5. SecurityFocus database of computer security / SecurityFocus Symantec Corporate Offices, available at: http://www.securityfocus.com – 15.01.2019.
6. Exploit Database by Offensive Security / Exploit Database by Offensive Security, available at: https://www.exploit-db.com - 15.01.2019.
7. Microsoft Security Bulletins / Microsoft, available at: https://docs.microsoft.com/en-us/security-updates/securitybulletins – 15.01.2019.
8. CERT Vulnerability Notes Database / Carnegie Mellon University Soft-ware Engineering Institute, available at: Access mode: https://www.kb.cert.org/ vuls – 15.01.2019.
9. Android Security Bulletins / Android by Google LLC and the Open Handset Alliance, available at: https://source.android.com/security/bulletin – 15.01.2019.
10. National vulnerability database / NIST Computer Security Division, In-formation Technology Laboratory, available at: https://nvd.nist.gov – 15.01.2019.
Fedorchenko A. V., Chechulin A. A. and Kotenko I. V. (2014), "Postroyeniye integrirovannoy bazy uyazvimostey” [“Building Integrated Vulner-ability Base”] Collection of scientific works Izvestiya vuzov. Priborostroyeniye [Izvestiya Vuzov. Instrument making], vol. 57, No. 11, pp. 62-67 [Russia].
12. Beloborodov A. Yu. and Gorbenko A. V. (2015), “Prymenenye baz dannykh uyazvymostey v zadachakh yssledovanyya bezopasnosty prohrammnykh sredstv” [“Using vulnerability databases in software security research tasks”], Visnyk Kharkivs’koho natsional’noho tekhnichnoho universytetu sil’s’koho hos-podarstva imeni Petra Vasylenka [Bulletin of Kharkiv National Technical Uni-versity of Peter Vasilenko], vol. 165, pp. 83–85 [Ukraine].
13. Alaa Mohammed Abdul-Hadi, Ponochovny Yu. L. and Kharchenko V. S. (2013), "Razrabotka bazovykh markovskikh modeley dlya issledovaniya gotov-nosti kommercheskikh veb-servisov” [“Development of basic Markov models for the study of the availability of commercial web services”], Journal Radíoyelektronní í komp’yuterní sistemi [Radio and Computer and Computer Sys-tems, vol. 5 (64), pp. 186–191 [Ukraine].
14. Tsaregorodtsev A. V. and Makarenko E. V. (2015), “Metodika kolich-estvennoy otsenki riska v informatsionnoy bezopasnosti oblachnoy infrastruktury organizatsii” [“Method of quantitative risk assessment in the information security of the organization’s cloud infrastructure”], Journal Daydzhest-finansy [Digest Finance], vol. 1 (233), pp. 56–67 [Russia].
15. Kharchenko V., Ponochovnyi Yu., Mustafa Qahtan Abdulmunem A.-S. and Andrashov A. (2018), “Availability models and maintenance strategies for smart building automation systems considering attacks on component vulnerabili-ties”, Advances in Intelligent Systems and Computing, vol. 582, pp. 186–195.
16. Alaa Mohammed Abdul-Hadi (2013), “Otsenka intensivnosti ataka na uyazvimosti dostupnosti kommercheskikh veb-servisov” [“Assessment of the in-tensity of the attack on the vulnerability of the availability of commercial web services”], Journal Systemy obrobky ínformatsíi [Processing Systems Infor-mation], vol. 6 (113), pp.204–208 [Ukraine].
17. Kharchenko V. S. Alaa Mohammed Abdul-Hadi and Ponochovny Yu. L. (2013), Formirovaniye podmnozhestv uyazvimostey dostupnosti kommerch-eskikh veb-servisov [“Formation of subsets of accessibility vulnerabilities in commercial web services”], Journal Sistemi obrobki ínformatsíí
Опубліковано
2019-06-26
Як цитувати
Ponochovniy, Y. L., Rohochyi, S. Y., Sharai, O. I., Knurenko, V. O., & Voronianskyi, V. S. (2019). Дослідження баз вразливостей для параметризації марковських моделей оцінювання доступності веб-ресурсів. Системи та технології, 1(57), 68-80. https://doi.org/10.32836/2521-6643-2019-1-57-5
Розділ
Articles
ISSN 
