Въпроси на преподаването
A METAGRAPH MODEL OF CYBER PROTECTION OF AN INFORMATION SYSTEM
https://doi.org/10.53656/math2022-2-7-ame
Резюме. The aim of this article is to present a developed metagraph model which serves to verify the minimum requirements for cyber security in web-based student information management systems. The model presents the correlation between cyber attacks and cyber defense of the system. The protection is based on a created model for cybersecurity \(3-12\) and is divided into 3 categories – software, server and information system users. The most common 9 cyber attacks on automated information systems have been selected. Twelve countermeasures to these attacks have been selected. The application of the metagraph model is used to check whether the system meets the requirements of the model 3-12. The developed information system has been tested in foreign language training of students at Nikola Vaptsarov Naval Academy. The developed metagraph model can be applied to other information systems.
Ключови думи: metagraph; cyber security; cyberattacks; information system
1. Introduction
Student information management systems are complex electronic resources with multi-user access and sensitive information. This makes them subject to a large number of cyberattacks in order to gain access to the system, to the information stored in it, to disrupt its availability or to destroy the information stored in it (Sivkov & Andreev 2019) This requires the use of technological solutions and software implementations (Spasova 2018) in order to increase cyber security, which leads to a reduction in the number of administrators (Petrova 2019; Petrova 2021).
The cyber attack of the information system can be identified by several models. They can be represented graphically using the graph theory – simple graphs and digraphs. The problem with such data structure is that they usually associate individual information elements and not sets of elements. However, in many cases, it is necessary to associate sets of elements, such as multiple attributes in data relations, multiple variables in decision models, multiple logical variables in decision rules, and multiple documents in workflow systems. (Basu & Blanning 2007). In recent years, a new type of data structure has been developed that overcomes these limitations – the metagraph. It allows representation and analysis of more complex systems (Gapanyuk 2019).
The goal of this article is to present a metagraph model of cyber security of an information system.
2. Cyber security of an information system
The most common types of cyberattacks in information systems are directed against1), 2), 3) (Melnick 2018):
1. User profiles in the information system;
2. The server on which the system is running;
3. The software platform used to build the system.
At Nikola Vaptsarov Naval Academy an automated information system for monitoring student status has been developed. The system has been tested in the process of training foreign students. The system protection is based on the specially developed model 3-12, published in (Sivkov & Andreev 2019). Its development is a process of implementation of best practices, modifying and combining the widely used models of cyber protections based on the experience of implementing information systems (Petrova 2019). Three basic levels of cybersecurity are differentiated (Figure 1). They are related to system users, the server on which the system is being executed, and the software product, used to build the system. Based on these three cybersecurity levels, twelve mandatory security requirements have been selected.
Figure 1. Model 3-12 for cyber defense (Sivkov & Andreev 2019)
Cyber security in the software product includes the following elements:
1. Fault prevention. It is a stage to identify all potential areas where a fault can occur and to close those gaps. The incomplete business rules and requirements will give rise to a heap of defects during development. Any team should be aware of how and by what rules the project will be developed. Depending on the number of people in the team, the most appropriate development methodology can be selected. During the individual development of the automated information system, it is envisaged that the system will be maintained by a small, expert team size of three to nine developers.
2. Deployment security. It includes security verification milestones. It is a fully automated process. When choosing a version control system, it must be predicted how the information will be sent to the server . Each project must have two parts, located in two different logical places for users and developers. It is a good practice to use two different domains to access them. In the version that is available to users, administrators often forget to turn off server errors. In this way, they are displayed when loading the automated information system. This information can be used to search for vulnerabilities. For better protection, an approach to exploiting the latest stable version of automated information system is used.
3. Use framework – To prevent multiple vulnerabilities a good approach is to use a ready-made framework for automated information system development. Framework developments are developed and tested by many people and thus security is achieved. Examples of open source frameworks are: Secure Software Development Framework (SSDF) (Souppaya, Scarfone & Dodson 2022) CodeIgniter, Symfony, Laravel and others.
The cyber security of the server includes the following elements:
1. Three-level access restriction – Access control is a process in which users request access to resources or data supported by a system, and the system determines whether the request should be granted or rejected. First, a list of IP addresses that can be accessed by the server through a virtual machine is used. Second, a username and a password to access the automated information system must be required. The third step requires a username and a password to access the virtual machine itself.
2. Backup design 3-2-1 – The basic concept is that three copies are made of the data to be protected – one copy and two backup copies. The information must be stored on two different types of storage media and one copy of the data is sent to an independent cloud-based server.
3. Htaccess rules – htaccess and regex rules (Bowen 2006) are used to increase the security of MVC software design. The functionality of these rules limits the ability to guess and access unauthorized files and folders.
4. SSL encryption – It is recommended to use an SSL certificate to encrypt the entire communication from the client to the server. This reduces the likelihood of reading data transmitted over the network.
Cybersecurity for users includes the following elements:
1. User registration procedure – users cannot register on their own, administrators have the responsibility and obligation to register them.
2. Double account confirmation – when activating user’s account at the first entering into the system is required a confirmation on the e-mail stated in the registration;
3. Access restriction – the automated information system is available only to registered users.
4. Account restriction – Users have different levels of access to the automated information system depending on the rank they have.
5. Anti-phishing code – Add code to each business letter that verifies the sender of the e-mail to provide protection against phishing attacks.
Table 1 shows the relations between Cyber attack, Levels and security elements of model 3-12.
Table 1. Correlation between cyber attack, levels and model 3-12
4. A metagraph model of cyber protection of an information system
The article uses a metagraph for a formalized description of the cyber security model 3-12. This kind of graph offers the possibility for more details, gives more clarity about the structure of the modeled object, as well as possibilities for modeling the hierarchy, as is the model 3-12. The metagraph is a graphical representation of a description of a subject area in which all objects can be divided into several groups, for example: visual programming languages, databases (Chernenkiy, Gapanyuk, Kaganov, Dunin, Lyaskovsky & Larionov 2018), computer networks (Novokhrestov & Konev 2016), Data Mining, information systems (Chernenkiy, Gapanyuk, Kaganov, Dunin, Lyaskovsky & Larionov 2018) and others. The foundational works on the theory of metagraphs are summarized in the monograph (Basu & Blanning 2007).
Various types of metagraph definitions could be found in different sources, which differ in small details depending on the application of the metagraph in the respective subject area. In (Basu & Blanning 2007), (Basu & Blanning 1994) the concept of “attribute metagraph” MGA is introduced, in which to each vertex and edge can be assigned any number of attributes. They could be numerical, string, etc. The article will use a formalized definition of metagraph (Samokhvalov, Revunkov & Gapanyuk 2015; Chernenkiy, Gapanyuk, Kaganov, Dunin, Lyaskovsky & Larionov 2018), which is adapted to describe the semantics of the information systems.
Let \(M G\) (1) be a metagraph represented by an ordered triple set:
(1)\[ M G=\left\langle M G^{V}, M G^{M V}, M G^{E}\right\rangle, \]
where:
\(M G^{V}\)-is a set of all the vertices of the metagraph;
\(M G^{M V}\)-is a set of all the metavertices of the metagraph;
\(M G^{E}\)-is a set of edges of the metagraph.
The metavertex may include several vertices of the metagraph together with the edges between them.
The vertex of the metagraph is described by several attributes:
\(v_{i}=\left\{a t r_{k}\right\}, v_{i} \in M G^{v}\), where \(v_{i}-\) vertex of the metagraph; \(a t r_{k-}\) attribute.
The edge of the metagraph \(e_{i}\) is described as a set of attributes, start and end vertices, and a direction flag:
\(e_{i}=\left\langle v_{S}, v_{E}, e 0,\left\{a t r_{\nu}\right\}\right\rangle, e_{i} \in M G^{E}, e 0=\) true|false where \(e_{i}-\) edge of the metagraph; \(v_{S}-\) initial vertex of the edge (metavertex); \(v_{E}-\) final vertex of the edge (metavertex); \(e \mathrm{O}-\) flag direction of the edge \((e o=\) true– directed edge (arc), \(e o=f\) als \(e\)– undirected edge); \(a t r_{k}\)– attributes.
Based on the proposed model 3-12 (Figure 1) and Table 1, a metagraph model for cyber defense of an automated student status system has been developed. Its graphical model is presented in Figure 2.
The metagraph on Figure 2 includes the following elements:
1) The set \(M G^{V}=\cup X_{i}\) за \(i=\overline{1,4}\), where:
\(X_{1}=\left\{x_{11}, x_{12}, x_{13}, x_{14}, x_{15}\right\}-\) includes various cyber protections at the user level;
\(X_{2}=\left\{x_{21}, x_{22}, x_{23}, x_{24}\right\}\)– includes server-level types of cyber security;
\(X_{3}=\left\{x_{31}, x_{32}, x_{33}\right\}\)– includes various cyber security at the software level;
\(X_{4}=\left\{x_{41}, x_{42}, x_{43}, x_{44}, x_{45}, x_{46}, x_{47}, x_{48}, x_{49}\right\}-\) includes the various cyber attacks from the first column of Table 1.
Figure 2. Model for cyber protection of an information system, presented through a metagraph
The elements of \(X_{i}, i=\overline{1,4}\) are shown in the Table 2:
Table 2. Elements of the sets \(\mathrm{X}_{\mathrm{i}}, \mathrm{i}=\overline{1,4}\)
2) The set \(M G^{M V}=\cup v_{i}\) for \(i=\overline{1,9}\), where \(v_{i}\) are metavertices of the metagraph \(M G\) :
\[ \begin{aligned} & v_{1}=\left\{x_{12}, x_{13}\right\} \subset X_{1} \\ & v_{2}=\left\{x_{13}, x_{14}\right\} \subset X_{1} \\ & v_{3}=\left\{x_{22}, x_{24}\right\} \subset X_{2} \\ & v_{4}=\left\{x_{32}, x_{33}\right\} \subset X_{3} \\ & v_{5}=\left\{x_{42}, x_{43}, x_{46}\right\} \subset X_{4} \\ & v_{6}=v_{5} \cup\left\{x_{48}\right\} \subset X_{4} \\ & v_{7}=\left\{x_{43}, x_{44}, x_{47}\right\} \subset X_{4} \\ & v_{8}=X_{2} \end{aligned} \]
\[ \begin{aligned} & v_{9}=X_{3} \\ & M G^{E}=\cup e_{i} \text { for } i=\overline{1,10} \end{aligned} \]
Each of the \(M G\) edges is described as an ordered quadruple: \(e_{i}=\left(u_{e}, u_{m}, a t r_{i}, e o\right)\), where:
\(e_{i} \in M G^{E}, i=\overline{1,10}\)
\(u_e\) - initial vertex (metavertex), \(u_{e} \in M G^{V} \cup M G^{M V}\)
\(u_{m-}\) final vertex (metavertex), \(u_{m} \in M G^{V} \cup M G^{M V}\)
\(\operatorname{atr}_{i} \in\{0,1\}, i=\overline{1,10}\)
\(e o=t r u e \mid f a l s e-\) directed \(\mid\) undirected edge.
Initially \(a t r_{i}=0\) for \(\forall i=\overline{1,10}\). In the presence of a cyber attack of the corresponding type, the given attribute is assigned a value of 1.
If \(e o=\)"true"for a given edge, then the edge is directed. Otherwise, ie. \(e o=\)"false"the edge is undirected.
For the presented metagraph model (Figure 2), the edges are as follows:
\(e_{1}=\left(x_{41}, v_{9}, 0\right.\), false \()\)
\(e_{2}=\left(v_{6}, v_{4}, 0\right.\), false \()\)
\(e_{3}=\left(v_{5}, v_{3}, 0\right.\), false \()\)
\(e_{4}=\left(x_{46}, x_{14}, 0\right.\), false \()\)
\(e_{5}=\left(x_{46}, x_{21}, 0\right.\), false \()\)
\(e_{6}=\left(x_{42}, v_{2}, 0\right.\), false \()\)
\(e_{7}=\left(x_{43}, v_{1}, 0\right.\), false \()\)
\(e_{8}=\left(v_{7}, x_{23}, 0\right.\), false \()\)
\(e_{9}=\left(x_{45}, x_{15}, 0\right.\), false \()\)
\(e_{10}=\left(x_{49}, v_{8}, 0\right.\), true \()\)
The proposed metagraph is a graphical representation of the main components of the model 3-12 for cyber protection of the information system.
Conclusion
Metagraphs represent a more complex data structure than ordinary graphs, but allow the possibility for the presentation and analysis of more complex systems. The proposed metagraphic approach allows presenting the main components of the model for cyber defense of the automated system for student status and the connections between them. The presented metagraph is a graph-theoretic construct that captures relationships between the different types of cyber attacks, as well as cyber defenses at different levels (user, server, software). The interaction between objects in the model is described by attributes and relations between metavertices, which are one of the main features of metagraphs. In addition, the graphical visualization of the model 3-12 is a tool with which most common problems faced by the designers and users can be addressed by using the properties of metagraphs.
The \(3-12\) model is a set of rules based on good practices in protecting web-based information systems. The rules include the allowable minimum cyber security of webbased systems and therefore the metagraph model can be used as part of the methodology for quality assessment of cyber security of the automated student status system.
NOTES
1. CWE Top 25 Most Dangerous Software Weaknesses, 2021, https://cwe.mitre.org/ top25/archive/2021/2021_cwe_top25.html.
2. Web Applications Attacks – Common Types of Web Based Attacks, https://www. trustnetinc.com/web-application-attacks/.
3. What Are the Most Common Cyber Attacks?, 2021, CISCO, https://www.cisco. com/c/en/us/products/security/common-cyberattacks.html#~how-cyber-attackswork.
4. What are web threats and online Internet threats? https://www.kaspersky.com/ resource-center/threats/web.
REFERENCES
BOWEN, R., 2006. Access Control. In: The Definitive Guide to Apache mod_rewrite. New York City: Apress Media LLC, 89 – 97. Available from: doi.org/10.1007/978-1-4302-0122-9_9.
BASU, A. & BLANNING, R., 2007. Metagraphs and their applications. New York City: Springer US. Available from: doi.org /10.1007/978-0-387-37234-1.
BASU, A. & BLANNING, R., 1994. Model Integration Using Metagraphs, Information Systems Research, 5(3). Available from: doi.org /10.1287/isre.5.3.195.
CHERNENKIY, V., GAPANYUK, Y., KAGANOV, Y., DUNIN, I., LYASKOVSKY, M. & LARIONOV, V., 2018. Storing Metagraph Model in Relational, DocumentOriented, and Graph Databases, DAMDID/RCDL’2018, 2277(1), 82 – 89.
GAPANYUK, Y., 2019. Metagraph Approach to the Information-Analytical Systems Development, CEUR WORKSHOP PROCEEDINGS/ APSSE 2019, 2514(1), 428 – 439.
MELNICK, J., 2018. Top 10 Most Common Types of Cyber Attacks. https://blog. netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/.
NOVOKHRESTOV, A. & KONEV, A., 2016, Mathematical model of threats to information systems. Maryland: AIP Publishing. Available from: doi.org /10.1063/1.4964595.
SAMOKHVALOV, E., REVUNKOV, G. & GAPANYUK, Y., 2015. Metagraphs for Information Systems Semantics and Pragmatics Definition. Newspaper Bauman Moscow State Technical University. Available from: doi.org /10.18698/02363933-2015-1-83-99.
SIVKOV, Y. & ANDREEV, E., 2019. 3-12 model of Cybersecurity in the Implementation of a Student Information Management System., Proceedings of the Doctoral Scientific Conference. Varna: Nicola Vaptsarov Naval Academy, 11 – 18.
SOUPPAYA, M., SCARFONE, K. &DODSON, D., 2022. Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, NIST Special Publication, 800-218.
PETROVA V., 2019. Using the Analytic Hierarchy Process for LMS selection. CompSysTech ‘19: 20th International Conference on Computer Systems and Technologies - Ruse, Bulgaria, 332 – 336, ISBN: 978-1-4503-7149-0.
PETROVA, V., 2021. The Hierarchical Decision Model of cybersecurity risk assessment. 12th National Conference with International Participation “Electronica 2021”, 18 – 21, ISBN 978-1-6654-4060.
SPASOVA, V., 2018. Savremenni tendencii v razvitieto na informacionnite sistemi, podpomagashti vzemaneto na resheniya v upravlenieto, Varna: e-Journal VFU, 5, https://ejournal.vfu.bg/bg/it.html [In Bulgarian].