Towards Intelligent Data Processing for Automated Determination of Information System Assets

Introduction

Well-known challenge of the modern information world is related to the analysis of huge amounts of data. It affects almost all research areas. In the chapter the authors consider this challenge on the example of tasks related to discovering of various data objects, or assets, including an inappropriate, dubious and harmful information, and the tasks of security assessment. Security assessment is directly connected with discovering of various objects. Assessment quality significantly depends on the accuracy of identifying the objects of various nature including the components of the analyzed system, vulnerabilities, attacks, attackers, etc.

The chapter focuses on the determination of information system assets. For any organization it is important to discover as primary assets as well as secondary assets that support viability of primary assets. While the assets should be specified on the design stage, this does not always happen. The features of the modern information systems complicate this task. In modern organizations the assets are connected by various data channels and semantic relations, and they can be strongly distributed. In such conditions if the architecture of the target information infrastructure is sufficiently large-scale then the expert inventory of assets requires significant time costs and human resources. Besides, in process of the system operation its infrastructure may change as a result of installing new software and hardware, system updates, countermeasure implementation, etc.

The authors believe that an automation of assets discovery and determination of hierarchy of relationships between them will allow more accurate and detailed construction of the risk model for cyber security assessment. This task is rather challenging. Currently network scanners can detect various network objects, such as services, the ports they use, the hosts on which they are deployed, and communication nodes. However, these tools do not allow automated determination of different types of static and dynamic objects (for example, processes, sessions, users, privileges, operation systems, etc.) and of their hierarchy. This prevents obtaining an actual dynamical model of the information system, which is initially uncertain.

In the chapter the authors propose a technique that incorporates determining the types of object characteristics, the types of objects (or system assets), and their hierarchy based on the statistical analysis of system events.

The proposed technique is based on the methods of correlation of events accumulated in security logs. The authors believe that dynamic analysis of system events and calculation of static and dynamic indexes, including frequency characteristics of event types, variability of event property values, pair utilization rates of event properties, and total utilization rates of the properties will allow one to determine the main event sources (objects) and the hierarchy of object types. Namely, the authors use calculated pair utilization rates for event properties, variability of values of object properties, and the total utilization rates of the properties. It allows determining the object types and their hierarchical interconnections from the point of view of a target infrastructure operation. This process can be realized from root object type “infrastructure” to leaf atomic object types, e.g. process id, taking into account subordination relations. The chapter describes different types of event analysis (statistical, structural, dynamic, etc.) that allows one to do it with maximum accuracy that is limited only by the source data on the assets in the event logs.

Though the approach is limited by the information stored in the event logs, the authors believe that further integration of dynamic models of infrastructure objects with the static data on the software and hardware will eliminate this limitation. Consideration of the conditionally static types of security data (vulnerabilities, weaknesses, attack patterns, etc.) will make possible proactive monitoring of organization security state for the preventive deployment of countermeasures. The developed approach has the broad application prospects to discover the inappropriate, dubious and harmful information.

Thus, the main objective of this chapter is to demonstrate how intelligent data processing can help to make an adequate representation of the initially uncertain infrastructure and its processes on the basis of the variety of heterogeneous information about events in the system.