A Model of Threats to Information Security of an Automated Data Preparation System for Aircraft Control and a Model of Protection

When reviewing information security of an automated data preparation system for aircraft control, some risk factors need to be raised to the level of threats, namely, the threat of illegal access to system information. In this case, it is possible to obtain a description of threats that could determine the most effective method of implementation of protection mechanisms in accordance with the requirements of information security. For this purpose, models of threats and protection are developed, and a new approach is proposed that involves a comprehensive description of threats and means of protection. The principles of development of the models of premeditated threats and protection incorporate the main procedures of threat realization and are inherent in all the threats. A verbal description of the model of threats contains potential sources capable of realizing the threat, an identifier and an object of impact of the threat, vulnerabilities that can negatively influence securable assets, methods of threat implementation for the securable assets, violated characteristics of safety of the securable assets and possible consequences of the threat impact. Both the formal and the informative presentations of the models of premeditated threats and protection are described. The formal presentation is based on plane graphs, for which concatenations and compositions are defined. The informative presentation contains qualifiers of the model elements, purposes of the threat impact in the form of violation of the main properties of information security such as integrity, confidentiality and accessibility, as well as all types of security features and evaluation trust levels.

References

[1] Minakov V. Bazovaia model’ ugroz bezopasnosti sovmestnym informatsionnym resursam (proekt) ZAShchITA-BR [The basic model of threats to the safety joint information resources (draft) PROTECTION-BR]. Voronezh, GNIII PTZI publ., 2003.111 p.

[2] Lukatskii A. Obnaruzhenie atak [Intrusion detection]. Saint-Petersburg, BHV-SPb publ., 2003.608 p.

[3] Vikhorev S.V. Metodicheskie rekomendatsii po provedeniiu analiza i otsenki vozmozhnostei realizatsii ugroz informatsionnoi bezopasnosti na ob"ekte [Methodical recommendations on carrying out the analysis and an assessment of possibilities of implementation of threats of information security on object]. Moscow, Elvis publ., 2001.32 p.

[4] Kharari F. Teoriia grafov [Graph theory]. Moscow, Mir publ., 2003. 297 p.

[5] GOST R ISO/MEK 15408-3–2013. Informatsionnaia tekhnologiia.Metody i sredstva obespecheniia bezopasnosti. Kriterii otsenki bezopasnosti informatsionnykh tekhnologii. Ch. 3. Komponenty doveriia k bezopasnosti [State Standard 15408-3–2013. Information technology. Security techniques. Evaluation criteria for IT security. Part 3. Security assurance requirements]. Moscow, Standartinform publ., 2014. 267 p.

[6] Glukhov A.P., Kotiashev N.N., Kuptsov A.V. Otsenka chuvstvitel’nosti resursov i riskov primeneniia system kriticheskikh prilozhenii k vliiaiushchim faktoram [Estimation of sensitivity of resources and risks of application of systems of critical applications to influencing factors]. Strategicheskaia stabil’nost’ [Strategic Stability]. 2007, no. 1, pp. 39–44.

[7] Vasilenko V.V., Korneev V.V., Kotiashev N.N. Analiticheskie predstavleniia protsessov riska v kompleksakh i sistemakh kriticheskikh prilozhenii [Analytical representations of risk processes in complexes and systems of critical applications]. Dvoinye tekhnologii [Dual technologies]. 2002, no. 1, pp. 20–24.

[8] Bykov A.Iu., Altukhov N.O., Sosenko A.S. Zadacha vybora sredstv zashchity informatsii v avtomatizirovannykh sistemakh na osnove modeli antagonisticheskoi igry [The task of selecting the means of information protection in automated systems based on the antagonistic game model]. Inzhenernyi vestnik MGTU im. N.E. Baumana [Engineering Bulletin of the BMSTU.]. 2014, no. 4. Available at: http://engbul.bmstu.ru/doc/708106.html (accessed 15 January 2018).

[9] Bykov A.Iu., Gurov A.V. Zadacha vybora sredstv zashchity informatsii ot atak v avtomatizirovannykh sistemakh pri nechetkikh parametrakh funktsii tseli [A Problem on Choosing Protection against Attacks in Automated Systems with Fuzzy Parameters of Goal Function]. Inzhenernyi zhurnal: nauka i innovatsii. MGTU im. N.E. Baumana [Engineering Journal: Science and Innovation]. 2012, no. 1. Available at: http://engjournal.ru/catalog/it/hidden/86.html (accessed 15 January 2018).

[10] Bykov A.Iu., Panfilov F.A., Shmyrev D.V. Zadacha vybora sredstv zashchity v avtomatizirovannykh sistemakh s uchetom klassov zashchishchennosti ot nesanktsionirovannogo dostupa k informatsii [A Problem on Choosing Protection in Automated Systems Taking into Account the Classes of Immunity against Unauthorized Data Access]. Inzhenernyi zhurnal: nauka i innovatsii. MGTU im. N.E. Baumana [Engineering Journal: Science and Innovation]. 2012, no. 1. Available at: http://engjournal.ru/catalog/it/hidden/85.html (accessed 15 January 2018).

[11] Bykov A.Iu., Artamonova A.Iu. Modifikatsiia metoda vektora spade dlia optimizatsionno-imitatsionnogo podkhoda k zadacham proektirovaniia system zashchity informatsii [A Modified Recession Vector Method Based on the Optimization-Simulation Approach to Design Problems of Information Security Systems]. Nauka i obrazovanie. MGTU im. N.E. Baumana [Science & Education. Bauman MSTU]. 2015, no. 1. Available at: http://technomag.bmstu.ru/doc/754845.html (accessed 15 January 2018).

[12] Sidak A.A. Kompozitsionnyi podkhod k formirovaniiu trebovanii k izdeliiam, realizuiushchim funktsii bezopasnosti v informatsionnykh sistemakh semeistva profilei zashchity [Composed approach for formation of the requirements for products that realize security functions in information systems. families of protection profiles]. Strategicheskaia stabil’nost’ [Strategic Stability]. 2010, no. 4, pp. 42–48.