DEVELOPMENT OF A FUZZY GERT MODEL FOR INVESTIGATING COMMON SOFTWARE VULNERABILITIES

This paper has determined the relevance of the issue related to improving the accuracy of the results of mathematical modeling of the software security testing process. The fuzzy GERT-modeling methods have been analyzed. The necessity and possibility of improving the accuracy of the results of mathematical formalization of the process of studying software vulnerabilities under the conditions of fuzziness of input and intermediate data have been determined. To this end, based on the mathematical apparatus of fuzzy network modeling, a fuzzy GERT model has been built for investigating software vulnerabilities. A distinctive feature of this model is to take into consideration the probabilistic characteristics of transitions from state to state along with time characteristics. As part of the simulation, the following stages of the study were performed. To schematically describe the procedures for studying software vulnerabilities, a structural model of this process has been constructed. A "reference GERT model" has been developed for investigating software vulnerabilities. The process was described in the form of a standard GERT network. The algorithm of equivalent transformations of the GERT network has been improved, which differs from known ones by considering the capabilities of the extended range of typical structures of parallel branches between neighboring nodes. Analytical expressions are presented to calculate the average time spent in the branches and the probability of successful completion of studies in each node. The calculation of these probabilistic-temporal characteristics has been carried out in accordance with data on the simplified equivalent fuzzy GERT network for the process of investigating software vulnerabilities. Comparative studies were conducted to confirm the accuracy and reliability of the results obtained. 
The results of the experiment showed that in comparison with the reference model, the fuzziness of the input characteristic of the time of conducting studies of software vulnerabilities was reduced, which made it possible to improve the accuracy of the simulation.


Introduction
The current level of threats to the security of software and the increasing requirements of customers for its provision predetermine the need for a number of specialized measures (security testing procedures). Most of these activities are carried out in accordance with procedures [1] that minimize individual risks of cyber threats.
The process of security testing implies the implementation of a complex set of algorithms and procedures that take into consideration the various modes of operation of computer systems and software, as well as subjective factors of interaction in human-machine systems. At the same time, it is known that the main tool for reducing the time of research and obtaining results, as well as the possibility of their repeated and rapid repetition or clarification, are methods of mathematical modeling.
One of the necessary conditions for the application of a mathematical model is the sufficient accuracy of the results obtained. At the same time, improving the accuracy of calculations can be achieved in various ways: the construction of schemes of increased order, highlighting the main features of the solution, the extrapolation of numerical solutions obtained on a sequence of steps, etc. In each of these techniques, it is advisable to consider the factor of fuzziness of input data and uncertainty of external influences. Neglecting this factor, most often, leads to a decrease in the accuracy of the results in assessing the performance of the system. In the problems of mathematical formalization of software security testing processes, this factor becomes even more relevant. the authors did not consider the probabilistic characteristics.
Similar and other restrictions are inherent in a number of scientific articles. Thus, in work [9], the researchers conducted a fuzzy GERT simulation of the software design process. However, the authors used only the Exclusive-or nodes. That, in the end, limited the scope of practical use of the model and reduced accuracy.
In work [10], an attempt was made to eliminate the noted drawback, with the mathematical formalization of the process of assessing the complexity of technical works of architectural construction. The authors expanded the descriptive part of the internal fuzzy processes and were not limited to the Exclusive-or nodes. The results of the simulation once again emphasized the effectiveness of the use of the mathematical apparatus of fuzzy GERT-networks in the formalization of complex, ambiguous, and integrated processes.
In [11], transitions from state to state are described by a positive trapezoidal fuzzy node. However, the cited paper does not take into consideration the impact and possibilities of feedback and cycles. That, in turn, increases the complexity of the resulting models. The issue of reducing the complexity and effect of this negative factor is considered in work [12]. However, the authors also neglected the study of probabilistic characteristics.
GERT-modeling of a complex technological process to produce carbon fiber was performed by the authors of work [13]. It confirms the fact of the effectiveness of the use of the main approaches of fuzzy mathematics in network formalization schemes. However, the integrated use of fuzzy and probabilistic modeling methods was not considered in the cited work, although it is very important in the study of complex technical and technological processes. Such processes include the process of software security testing research.
Paper [14] reports a GERT model of the software penetration testing process. That model was designed considering the ability to simplify network transformations. However, it does not take into consideration the factor of fuzziness of internal data and processes, which introduces an error in the results of mathematical modeling.
Thus, it becomes obvious that there is a need to use fuzzy GERT networks in the mathematical formalization of the process of investigating software vulnerabilities.

The aim and objectives of the study
The purpose of this study is to improve the accuracy of the results of mathematical formalization of the process of investigating software vulnerabilities under the conditions of fuzziness of input and intermediate data. This will make it possible to improve the security of the software.
To accomplish the aim, the following tasks have been set:
- to build a structural model for conducting software vulnerability studies and develop an algorithm for investigating software vulnerabilities, taking into consideration such indicators as the time of the study, the probability of starting the study, the probability of successful completion of the research;
- to construct a fuzzy GERT-model for investigating software vulnerabilities;
- to develop an improved algorithm of equivalent transformations of the GERT-network;
- based on the algorithm, to improve the fuzzy GERT-model of investigating software vulnerabilities;
Thus, improving the accuracy of the results of mathematical modeling of the security testing process is a relevant task. It can be resolved by improving and building a mathematical model for studying the vulnerability of software, taking into consideration the uncertainty factor of the input and intermediate test results.
Paper [2] reports a mathematical model of the first stage of identifying software vulnerabilities, the results of which can be used in the second, main, stage: investigating software vulnerabilities. At the same time, taking into consideration the uncertainties of input data and intermediate results is one of the innovative components of modeling.

Literature review and problem statement
Probabilistic network modeling methods remain popular among modern approaches to mathematical formalization. This is largely due to new developments of scientists and the improvement of known network approaches to modeling. As an example, we can cite the dynamic advancement of GERT models, which have become popular due to the developments reported in [3]. This is largely due to the availability of the mathematical apparatus for finding a continuous probability distribution density of the time of passage of the GERT network. One of the conditions, in this case, is that the set of distributions that can characterize the individual arcs of the model includes known (uniform, exponential, gamma, normal, etc.) distributions. In addition, it is possible to find and use continuous distributions of arbitrary types. This makes it possible to improve the accuracy of the simulation results in comparison with other network methods.
A series of improvements [4] of GERT models are related to the initial need to predict probabilistic distributions. That limited the possibilities of mathematical description of intermediate processes in this network concept and, accordingly, reduced the accuracy of the simulation results.
In work [5], an attempt was made to develop GERT models in order to unify the problems by using the Erlang distribution with different coefficients. However, that solution did not make it possible to avoid errors in the simulation results under the conditions of uncertainty of input or intermediate data.
One of the many attempts to solve the problem of analysis of fuzzy data was carried out in work [6]. At the same time, that approach did not provide for the use of fuzzy logic in network modeling structures.
Adaptation of the provisions of fuzzy mathematics in the application to the network modeling method is reported in [7]. The authors proposed to replace the probabilistic parameters of network transitions with fuzzy ones. At the same time, the weakest t-norm was used in the descriptive part of the GERT network transitions. The authors proved the effectiveness of this modeling approach in comparison with interval mathematics. However, the study of only individual fuzzy parameters (for example, only temporary) did not make it possible to unify these models and use them in cases where it is necessary to take into consideration probabilistic indicators. At the same time, it is the set of time and probabilistic indicators that makes it possible to comprehensively assess the accuracy of the simulation results.
A similar approach is used in work [8], where a fuzzy GERT model using a z-tag was developed. In addition, its special case of application in the formalization of the process of weapons management was considered. However, this process was described in the form of a standard GERT network, Fig. 2.
This model can be interpreted as follows. Node 1 corresponds to the initial status "The preliminary stage of preparation for investigating software vulnerabilities was passed. The necessary package of documentation, source and executable codes have been collected." Node 2 interprets the status "Expert analysis was conducted". Node 3: the status "Static analysis was carried out". Node 4 corresponds to the status "Dynamic analysis was performed". Node 5: the status "Manual analysis was carried out". Node 6: the status "Procedures for decision-making and confirmation of software vulnerabilities have been carried out".
The corresponding branches of the model formalize the direct implementation of the planned algorithms and procedures for software research, as well as decision-making about software vulnerabilities. In particular, the transition (1-2) formalizes the process of expert analysis. Transitions (1-3) and (2-3) correspond to the procedures for static analysis of software vulnerabilities. Transitions (1-4), (2-4), (3-4) formalize algorithms and procedures for dynamic analysis and evaluation of the test object. It should be noted that these procedures should take into consideration the fuzziness of the input and output data. Transitions (1-5) and (3-5) characterize the process of manual software analysis. Transitions (2-6), (3-6), (4-6), and (5-6) describe one of the most complex processes in terms of mathematical formalization: the decision-making process and confirmation of software vulnerabilities. Transitions (3-1), (4-1), and (5-1) are possible if the input data are insufficient and formalize the processes of requests for their repetition.
It should be noted that a given model does not take into consideration the procedures for re-examination after correcting possible security errors.
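As an added illustration (not code from the paper), the six-node network described above can be treated as a standard GERT network with Exclusive-Or inputs and probabilistic outputs, so the mean time from each node to node 6 follows from a linear system. The edge list is read from the transition description above; all branch probabilities and mean times are constructed sample values, and the function names are this example's own.

```python
# Added example: mean completion time of the six-node GERT network.
# Probabilities and mean times (hours) are CONSTRUCTED sample values;
# the paper's Table 1 parameters are not reproduced on this page.

SINK = 6
# node -> list of (next node, branch probability, mean branch time)
BRANCHES = {
    1: [(2, 0.4, 8.0), (3, 0.3, 6.0), (4, 0.2, 10.0), (5, 0.1, 12.0)],
    2: [(3, 0.5, 6.0), (4, 0.3, 10.0), (6, 0.2, 2.0)],
    3: [(4, 0.5, 10.0), (5, 0.2, 12.0), (6, 0.2, 2.0), (1, 0.1, 1.0)],
    4: [(6, 0.9, 2.0), (1, 0.1, 1.0)],   # (4-1): request for more input data
    5: [(6, 0.9, 2.0), (1, 0.1, 1.0)],   # (5-1): request for more input data
}


def check_probabilities(branches, tol=1e-9):
    """Probabilistic output: the branches leaving a node must sum to 1."""
    for node, out in branches.items():
        total = sum(p for _, p, _ in out)
        if abs(total - 1.0) > tol:
            raise ValueError(f"node {node}: probabilities sum to {total}")


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small system."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular system: sink unreachable from a node")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def expected_times(branches, sink):
    """Solve E[i] = sum_j p_ij * (t_ij + E[j]) with E[sink] = 0."""
    check_probabilities(branches)
    nodes = sorted(branches)
    idx = {node: k for k, node in enumerate(nodes)}
    a = [[0.0] * len(nodes) for _ in nodes]
    b = [0.0] * len(nodes)
    for node in nodes:
        a[idx[node]][idx[node]] += 1.0
        for nxt, p, t in branches[node]:
            b[idx[node]] += p * t
            if nxt != sink:
                a[idx[node]][idx[nxt]] -= p
    sol = solve(a, b)
    return {node: sol[idx[node]] for node in nodes}


def without_feedback(branches, start=1):
    """Drop the branches that return to the start node and renormalise."""
    out = {}
    for node, brs in branches.items():
        kept = [(j, p, t) for j, p, t in brs if j != start]
        total = sum(p for _, p, _ in kept)
        out[node] = [(j, p / total, t) for j, p, t in kept]
    return out


if __name__ == "__main__":
    with_loops = expected_times(BRANCHES, SINK)
    no_loops = expected_times(without_feedback(BRANCHES), SINK)
    print(f"mean time 1 -> 6 with feedback:    {with_loops[1]:.2f} h")
    print(f"mean time 1 -> 6 without feedback: {no_loops[1]:.2f} h")
```

Comparing the two results shows how much of the mean investigation time is attributable to the repeat-request branches (3-1), (4-1) and (5-1) under the sample parameters.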
The equivalent W-function of the process of preparing for vulnerability studies can be represented as the following expression: In accordance with expression (1), the characteristics of the branches and the distribution parameters are given in the form of Table 1.
- to conduct comparative studies to confirm the reliability of the results obtained.

Research methods
A series of methods were used to solve our tasks. To build a structural model for conducting research on software vulnerabilities, methods of expert evaluation and composition, which are part of the complex of methods of system analysis, were applied. This has made it possible to synthesize the knowledge of experts in the field of software security testing into a general structure of investigating software vulnerabilities.
The development of a fuzzy GERT model for investigating software vulnerabilities was based primarily on the probabilistic method of network planning (GERT-networks). They make it possible to effectively formalize complex design processes in cases where it is difficult or impossible to unambiguously determine which activities and in what sequence should be performed to achieve the goal of the project. We have improved the GERT model based on the formalization of the provisions of the theory of fuzzy logic and their introduction into the method of network planning.
When describing the types of uncertainties of the time of vulnerability research, trapezoidal fuzzy sets (fuzzy numbers) were used.
Modernization of the GERT network was carried out using approaches for simplifying equivalent transformations that reduce the computational complexity of the mathematical model.
Comparative evaluation of the GERT model for investigating software vulnerabilities was carried out on the basis of the experimental results using the engineering mathematical software Mathcad.

1. The scheme of software vulnerability research
To schematically describe procedures for investigating software vulnerabilities, a structural model of this process has been built (Fig. 1). It should be noted that implementing the full set of analysis methods shown in Fig. 1 is advisable when testing the security of software systems of critical application. For projects with smaller budgets, certain methods of analysis can be omitted, for example, manual analysis when the results of expert and dynamic analyses are available.
The structural model shown in Fig. 1  In work [14], the "reference GERT-model" for investigating software vulnerabilities was presented. At the same time, (2) Table 1 shows that the generating function of moments of almost all transitions is described by the exponential law of distribution. At the same time, the totality of the presented steps and their interpretation can make it possible to form an arbitrary equivalent function.

2. A fuzzy GERT model for investigating software vulnerabilities
It is advisable to introduce several restrictions and assumptions related to the structure of the GERT network and the formalization of its branches:
1. Trapezoidal fuzzy numbers are used when estimating the time of investigating software vulnerabilities. This assumption is due to the convenience of representing and calculating this indicator, as well as the clarity of the linear membership function.
2. The structural elements of the GERT network are characterized by the following features: when describing the input parts, typical structures are used in accordance with Table 2; when describing the output parts, probabilistic characteristics are used.
3. The uncertainty of the input and resulting data is characterized by a probabilistic type.
4. The maximum number of parallel branches is three.
We also introduce definitions, limitations, and assumptions that relate to the mathematical descriptive component of the software vulnerability research model.
5. Evaluated parameters for investigating software vulnerabilities: study time $t_{ij}$, the probability of starting the analysis $p_{i,j}^{(\text{starting analysis})}$, the probability of successful study completion (useful conclusion) is the fuzzy set membership function.
A trapezoidal fuzzy number is a convex fuzzy set that is defined as
The improved algorithm for simplifying equivalent transformations.
Considering the scheme shown in Fig. 2, and taking it as a basis, it must be remembered that the ultimate goal of this stage of software security research is to form a set of vulnerabilities and undeclared software capabilities, as well as tools and algorithms for confirming vulnerabilities. At the same time, its distinctive feature is the use of the mathematical apparatus of fuzzy data to confirm software vulnerabilities.
The factor of the presence of a separate class of fuzzy input data determines the need to use the appropriate mathematical apparatus in modeling. At the same time, the choice of dynamic analysis techniques is based on taking into consideration the logic of fuzzy data. Therefore, it is advisable to transform the scheme of investigating software vulnerabilities (Fig. 1) and the GERT network of the software vulnerability research process (Fig. 2) into a fuzzy GERT network and represent it in the form shown in Fig. 3. Fig. 3 shows that the structure is complex and has a number of elements that are subject to simplifying equivalent transformations.

3. The advanced algorithm of equivalent transformations of GERT-network
To carry out simplifying equivalent transformations of the GERT network for investigating software vulnerabilities, the main ideas from scientific research [15] were used. At the same time, we shall improve the algorithm of simplifying equivalent transformations by taking into consideration the three evaluated parameters of software vulnerability research: the study time $t_{ij}$, the probability of the beginning of the analysis (
This expression is the basis for calculating the temporal and probabilistic characteristics of investigating software vulnerabilities. The calculation data are given in Tables 3, 4. Analytical expressions for calculating the average time spent in branches not associated with a node (i) can be represented by steps using Table 3.
Table 3. Analytical expressions for calculating the average time spent in branches not associated with a node (i) (added average time spent in branches). Column headings: No.; Probability of successful start of analysis
In accordance with the laws in Table 3, the value of the added fuzzy investigation time ,
Consider the next step in the equivalent transformation of a fuzzy GERT network: determining the change in the probability of successful completion of a particular investigation that does not belong to node (i) by excluding the branch (i, i). To this end, assume that the branch (i-j) with the parameters $t_{ij}$, $p_{i,j}^{(\text{starting analysis})}$ and (useful conclusion) is a branch of the node (i). Using expressions to calculate the probability of successful transition to branches from node i to node j, given in Table 4, we obtain the following analytic expressions
Calculating the change in the probability of the beginning of the analysis in branches that do not have a relationship with node ( ) by excluding branch ( , ) can be done as follows.
The exclusion of the branch ( , ) entails multiplying the probability of the beginning of the analysis by the value , we investigate the existing rules for the fuzzy description of parallel branches between neighboring nodes (Table 1).
Considering the first example from Table 1 (parallel transitions between two nodes with a "probabilistic" output and an "Exclusive-Or" input), it should be noted that there is only one way to perform these actions. To determine the equivalent time to complete the transition, it is advisable to use the average time indicator, taking into consideration the probabilities of the beginning of the analysis and the successful completion.
Table 4. Analytical expressions for calculating the probability of successful completion of the investigation in each node i
The second example in Table 1 gives parallel branches of the network with a deterministic output and the input "Inclusive-Or". All processes on the network run simultaneously and end as the fastest of them is finished. When determining the equivalent time of passage of the network section, it is necessary to take into consideration the uncertainty factor, and, accordingly, perform defuzzification operations.
The third example in Table 1 is the case of parallel transitions between two nodes with a "deterministic" output and the input "And". Since all these branches must be performed in full, equivalent transformations can be carried out by taking into consideration the maximum of the fuzzy indicator of the investigation.
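The three parallel-branch cases above, worked as an added example that is not the paper's own code. It assumes the following, none of which is taken from the paper's tables: an Exclusive-Or branch is weighted by the product of its start and success probabilities, the fastest Inclusive-Or branch is chosen by centroid defuzzification, and the And case uses the component-wise maximum. The class and function names and all sample values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trap:
    """Trapezoidal fuzzy time (a <= b <= c <= d): support [a, d], core [b, c]."""
    a: float
    b: float
    c: float
    d: float

    def __post_init__(self):
        if not self.a <= self.b <= self.c <= self.d:
            raise ValueError("need a <= b <= c <= d")

    def membership(self, x):
        """Piecewise-linear membership degree of a crisp time x."""
        if self.b <= x <= self.c:
            return 1.0
        if self.a < x < self.b:
            return (x - self.a) / (self.b - self.a)
        if self.c < x < self.d:
            return (self.d - x) / (self.d - self.c)
        return 0.0

    def scale(self, k):
        """Multiply by a non-negative crisp factor."""
        if k < 0:
            raise ValueError("scale factor must be non-negative")
        return Trap(k * self.a, k * self.b, k * self.c, k * self.d)

    def __add__(self, other):
        return Trap(self.a + other.a, self.b + other.b,
                    self.c + other.c, self.d + other.d)

    def centroid(self):
        """Centre-of-gravity defuzzification to one crisp time."""
        den = 3.0 * (self.d + self.c - self.a - self.b)
        if den == 0.0:                      # crisp number: a = b = c = d
            return self.a
        num = (self.d ** 2 + self.c ** 2 + self.c * self.d
               - self.a ** 2 - self.b ** 2 - self.a * self.b)
        return num / den

    def spread(self):
        """Width of the support, a simple measure of fuzziness."""
        return self.d - self.a


def xor_merge(branches):
    """Exclusive-Or input, probabilistic output: exactly one branch runs.

    branches: list of (p_start, p_success, Trap). Returns the combined
    weight and the weighted-average fuzzy time (weighting is an assumption).
    """
    weights = [p_start * p_success for p_start, p_success, _ in branches]
    total = sum(weights)
    if not 0.0 < total <= 1.0 + 1e-9:
        raise ValueError("branch weights must sum to a value in (0, 1]")
    time = Trap(0.0, 0.0, 0.0, 0.0)
    for w, (_, _, t) in zip(weights, branches):
        time = time + t.scale(w / total)
    return total, time


def or_merge(times):
    """Inclusive-Or input: the section ends with the fastest branch,
    ranked here by defuzzified (centroid) time."""
    return min(times, key=Trap.centroid)


def and_merge(times):
    """And input: every branch must finish, so take the component-wise max."""
    return Trap(max(t.a for t in times), max(t.b for t in times),
                max(t.c for t in times), max(t.d for t in times))


if __name__ == "__main__":
    static = Trap(2, 4, 6, 8)      # constructed sample times, hours
    dynamic = Trap(3, 4, 5, 9)
    p, t = xor_merge([(0.5, 0.8, static), (0.4, 1.0, dynamic)])
    print("Exclusive-Or:", round(p, 3), t, "centroid", round(t.centroid(), 3))
    print("Inclusive-Or:", or_merge([static, dynamic]))
    print("And:         ", and_merge([static, dynamic]))
```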
Probabilistic characteristics can be calculated as follows
[Figure labels: Zero level; Simple loop]
In the first step of the transformation, one must remove the loops and calculate the updated input values. Then represent the improved fuzzy GERT-model for investigating software vulnerability without loops in the form of a diagram in Fig. 5. In this case, the input parameters of the equivalent GERT network are the values given in Table 5.
After the final calculation of probabilistic-temporal characteristics, we obtain the following values of indicators

Studying the improved fuzzy GERT model
When conducting comparative studies, the following data were chosen as standards: the results of mathematical modeling of software testing presented in work [11]; the results of fuzzy GERT-modeling based on the Critical Path Method (CPM) [16]; and data from practical experiments using the model built. The values of the testing time are given in Table 6. Table 6 demonstrates that the use of the improved algorithm of equivalent transformations reduced the fuzziness of the output characteristics of the time for investigating software vulnerability by up to 1.12 times compared to the fuzzy GERT model based on CPM [16]. If we take as a basis the reference value of the deviation equal to 28.3, indicated in works [11,16], it can be noted that the accuracy of the simulation results increased by up to 13 % compared to the results of mathematical modeling of software testing [11]. At the same time, it approached the results of a practical experiment.
One of the distinctive features of the developed mathematical model for investigating software vulnerability is the consideration of probabilistic characteristics of the process along with the time characteristics.
Table 6. Results of a comparative study on the criterion of minimum average time and its deviation
To prove the reliability of the results obtained using the improved equivalent transformation algorithm, comparative studies were conducted. The results of the experiment are given in Table 7.
The results in Table 7 showed the commensurability of probabilistic and temporal indicators obtained using the improved algorithm of equivalent transformation with the values obtained from implementing known Gavareshki and Hashemin reference algorithms [10,15]. At the same time, the improved algorithm, unlike the reference algorithms, covers a wider range of logical operations and equivalent transformations.

Discussion of results of studying the improved fuzzy GERT-model
A fuzzy GERT model for investigating software vulnerabilities has been constructed. The developed model has made it possible to estimate the time of successful completion of investigating software vulnerability under the conditions of uncertainty, as well as the probability of successful investigation completion. The results of mathematical modeling have made it possible to draw a conclusion about the increased accuracy in the assessment of the time for investigating software vulnerability. The results of the modeling are given in Tables 6, 7. Such an increase in the accuracy of modeling results became possible due to the synthesis of the mathematical apparatus of fuzzy logic into the GERT modeling technique. In addition, the use of the developed algorithm for simplifying equivalent transformations has also made it possible to reduce the "deviation" indicator and bring it closer to the results of a practical experiment.
A structural model for conducting research into software vulnerabilities has been built. A given structural model made it possible to include in the research process a wide range of analysis techniques and expert data on software vulnerabilities in accordance with the MITRE requirements.
The use of modeling methods with a preliminary prediction of the probabilistic distribution in problems has certain disadvantages and limitations. That reduces the accuracy of the simulation. This paper has paid attention to fuzzy methods that significantly expanded the capabilities of network modeling approaches. The combination of fuzzy and probabilistic methods has made it possible to report a new approach to solve the modeling problem in projects with networks with parallel, serial, and reversible branches of the cycle.
It should be noted that a given modeling approach has prospects for further improvement. This is due to such an unresolved disadvantage of probabilistic modeling as a significant increase in the complexity of the model with a slight complication of the network.

Conclusions
1. A structural model for conducting research into software vulnerabilities has been built. A feature of the structural model is the synthesis of expert, static, dynamic, and manual analysis of software, which could reveal its main vulnerabilities recommended by MITRE. On its basis, a clear GERT network for the process of investigating software vulnerability has been developed. The shortcomings of this network associated with neglect of fuzziness of input data and transient characteristics and processes have been revealed.
2. Based on the mathematical apparatus of fuzzy network modeling, a fuzzy GERT model for investigating software vulnerability has been constructed. A distinctive feature of this model is to take into consideration the probabilistic characteristics of transitions from state to state along with time characteristics. This has made it possible to increase the accuracy of modeling up to 13 %.
3. The algorithm for simplifying equivalent transformations has been improved, which differs from known ones by considering the capabilities of the extended range of typical structures of parallel branches between neighboring nodes. This has made it possible to reduce the fuzziness in the output characteristics of the time for investigating software vulnerability (a deviation from the average value) by 1.12 times.
4. Based on the algorithm, a fuzzy GERT model for investigating software vulnerability has been improved, which differs from known ones by the absence of loops in the network structure.
5. Comparative studies were conducted to confirm the reliability of our results. The results of the experiment showed the commensurability of probabilistic and temporal indicators obtained when using the improved algorithm of equivalent transformation with the values obtained from implementing known Gavareshki and Hashemin reference algorithms.
Table 7. Results of the comparative experiment of the improved algorithm of equivalent transformation with the reference Gavareshki and Hashemin algorithms