Моделирование APT-атак, эксплуатирующих уязвимость Zerologon

Abstract

Purpose: the need to assess the effectiveness of the security systems for significant objects of critical information infrastructure determines the need to develop simple and adequate mathematical models of computer attacks. The use of mathematical modeling methods in the design of security system of significant object allows without significant cost and impact on the functioning of the object to justify the requirements to the system as a whole or its individual parts. The purpose of the present paper is to develop a model of the process of multistage targeted computer attack that exploits the Zerologon vulnerability, based on the representation of the attack by a Markov random process with discrete states and continuous time. Methods: methods of Markov process theory, probability theory, computational mathematics and graph theory are used in the model to formalize the attack. Novelty: application of methods of computational mathematics for functional analysis of the results of Kolmogorov’s system of equations allows to solve the problem of maximizing the time of stable operation of critical information infrastructure during computer attacks against it, using the known methods of analysis of continuous functions. Result: formulated a general statement of the problem of modeling the process of a multistage targeted computer attack using a system of Kolmogorov equations, describing the probabilities of being in conflict states of the security system with the intruder. By the Adams method implemented in Mathcad environment, numerical solutions depending on time were obtained. We introduce a security system performance index as a ratio of probability of triggering the security system and blocking intruder’s actions during the attack to the probability of successful completion of the attack. We give an example of research of computer attack realization in a typical information infrastructure, including a corporate network with domain architecture and an automated control system of some technological process. 1 For the considered example defined the optimal values of time parameters of security system. When implementing protective measures with reasonable probabilistic-time characteristics proved an increase in time of stable operation of critical information infrastructure from 11 to 189 hours.