DEVELOPMENT OF THE INTELLIGENT DECISION-MAKING SUPPORT SYSTEM TO MANAGE CYBER PROTECTION AT THE OBJECT OF INFORMATIZATION

Current level and further prospects for the development of information-communication systems (ICS) in different areas of human activity cannot be imagined without special attention paid to the issues of information (IS) and cybersecurity (CS). This is, in part, due to the growing number of cyber threats and destructive impacts on the objects of informatization (OBI). That is why, in order to successfully use modern ICS, it is necessary not only to effectively manage their functional resources but also to create efficient information protection control systems (IPCS). Since the objects of control, IPCS, are rather complex organizational-technical structures (OTS) that operate under conditions of uncertainty, effective management of such systems should be based on the innovative information technologies of decision making support that relate to IS and CS. One of the variants to solve this problem is the use of decision support systems (DSS) to manage CS based on intelligent information technologies (IIT). This, in turn, makes it absolutely relevant to examine how to improve existing and develop new methods, models and software (SW) for the operational control over protection of OBI, in particular under conditions of incompleteness of knowledge about the state of ICS.


Introduction
Current level and further prospects for the development of information-communication systems (ICS) in different areas of human activity cannot be imagined without special attention paid to the issues of information (IS) and cybersecurity (CS). This is, in part, due to the growing number of cyber threats and destructive impacts on the objects of informatization (OBI).
That is why, in order to successfully use modern ICS, it is necessary not only to effectively manage their functional resources but also to create efficient information protection control systems (IPCS). Since the objects of control, IPCS, are rather complex organizational-technical structures (OTS) that operate under conditions of uncertainty, effective management of such systems should be based on the innovative information technologies of decision making support that relate to IS and CS.
One of the variants to solve this problem is the use of decision support systems (DSS) to manage CS based on intelligent information technologies (IIT).
This, in turn, makes it absolutely relevant to examine how to improve existing and develop new methods, models and software (SW) for the operational control over protection of OBI, in particular under conditions of incompleteness of knowledge about the state of ICS.

Literature review and problem statement
Growing number of cyberthreats to OBI caused a surge of research in the field of development of mathematical models for DSS [1,2] and expert systems (ES) [3,4] on the issues of information security and information protection (IP). But these studies are mainly represented only by formal mathematical models and are not brought to employable software products.
A separate direction of research into development of DSS [5] of intelligent decision-making support systems (IDMSS) [6] and ES with IS is the papers dedicated to the development of means of automated risk assessment of OBI [7] and program complexes of risk management of IS and CS [8]. Instead, articles [9,10] note that IPCS, which realized intelligent technologies for responding to the events related to violation of IS, are the product of privately-owned companies; in this case, the customer in most cases is not aware of the information on the methods and models for the formation of controlling influences in the systems [11].
Papers [12,13] pointed out the following shortcomings of many DSS and ES in the field of IS:
- the required presence of highly qualified experts;
- difficulties arising in the adaptation of methods and models of IPCS to the needs of a particular organization;
- inability to evaluate the effectiveness of a particular IPCS at the object of protection;
- the requirement of availability of reliable statistics about incidents in IS and CS.
Articles [14,15] demonstrate that the existing DSS and ES in the field of IS, in addition to the tasks on managing cyberprotection, are advisable to equip with functional modules that allow improving the efficiency of planning of rational composition of the OBI IP systems (IPS). At the same time, no information about practical experience of applying such modules in DSS is provided by the authors.
Papers [16,17] indicated that the existing standards in the field of IS management do not form specific approaches to managing the cyberprotection of OBI, which complicates the design of employable software products that would allow an adequate assessment of the degree of OBI protection. Therefore, given the potential of applying DSS in IPCS that implement a preventive strategy of OBI cyberprotection [18,19], it is a relevant problem to develop the methods, models and applied SW suitable for practical implementation in IDMSS. In particular, these studies are topical in the area of intelligent decision-making support for planning the rational structure of IPS, assessment and prediction of the risk of violating IS and CS, as well as management of IP under conditions of uncertainty about potential impacts from cybercriminals.

The aim and tasks of the study
The aim of present study is to develop a model for counteracting the cyberattacks based on the application of IDMSS to select rational variants of response to the CS events with regard to operational data on the state of OBI.
To achieve the set aim, the following tasks have to be solved:
- to design an architecture for the information protection control system of OBI with a centralized and a decentralized variant of processing;
- to improve an operational control (OC) model of OBI CS, which makes it possible to increase the efficiency of IS management under conditions of uncertainty about the state of OBI, as well as to improve the process of planning the rational structure of IPS;
- to develop a software complex of IDMSS to manage OBI cyberprotection and to explore the effectiveness of the proposed model.

Architecture of information protection control system
The main problem in the construction of IPCS, in particular a control system (CoS) with CS, is the choice of the model of threats (1) [20,21], whose components are: B_j, the business processes of an enterprise; INF_j, the set of types of information arrays (IM); RES_j, the resources of OBI ICS; VUL_j, the set of vulnerabilities of OBI; U_j, the set of OBI ICS users; COM_j, the set of information flows of OBI; D_j^r, the set of states of OBI; j = 1, 2, ..., w. Based on the principles of control under conditions of uncertainty [5,9,16,17] and the selected model of threats (1), we propose a generalized architecture of IPCS and CS, Fig. 1.
As a controlled variable, we use an indicator -the level of security (LS) [5,9,12,17]. LS value depends on the maximal level of criticality of information processed in ICS.
In the circuit of organizational-technical management (OTM), we set up control mechanisms of IP during a change in the corresponding business processes, for example, in the content of information arrays (IM), infrastructure, etc. The OTM circuit, given the results presented in [6,9], was improved by implementing a block that allows controlling the assigned parameters of OBI CS. In the block of controlled parameters (CP), we implemented the algorithm for partitioning the space of attributes of anomalies and cyberattacks into clusters [12,19] in the course of the procedure for recognizing destructive influences. The improved architecture of IPCS differs from existing solutions by the possibility of simultaneous optimization when computing control tolerances for anomalies and cyberattacks. In this case, analysis of the level of OBI protection is performed in real time. The circuit includes: IDMSS for choosing a strategy of protection, and a system for security level (risk) estimation. Controlling influence in the circuit is executed by employees of the department (service) of IS. The command information is formed in the course of a purposeful selection of the rational structure of a complex of information protection means (CIPM).
In the OC circuit, operational command information is formed, which is delivered to the object of control by a security administrator or automatically by means of the realization of controlling influences.
The following abbreviations are adopted: SA - security administrator; DIB - data input block; KBIPM - knowledge base of information protection means; ISD - information security department; E - experts; MRCI - means of realization of controlling influences on the controlling modules embedded in IPM; CP - controlled parameters; MIE-SO - module for the implementation of the exhaustive search algorithm over options of compatible software and hardware means; OC MCS - module of control over the state of the object of control; MDA - module of deviation assessment; MPAM - module for processing additional matrices; MPC - matrices of pairwise comparisons; MFMM - module for the formation of morphological matrices; MFOF - module for the formation of the objective function; OCI - operational command information; PLP - primary level of protection; SCI - scheduled command information; ROIPM - rational options for the information protection means; IDMSS - intelligent decision making support system for operational control (OC) of information protection.
The IDMSS developed for the tasks of IP is expedient to consider for the subsystems of CS, which consist of five perimeters for the centralized and the decentralized architecture of OBI, Fig. 2 [22]. In Fig. 2, a, the perimeters of IS are denoted as conditional boundaries that separate zones with different (required) security levels. In Fig. 2, b, the perimeters of IP are formed based on possible threats to OBI CS. Corresponding methods for the means of IP are marked in green. Fig. 2, b: decentralised option of OBI. In Fig. 2, the following designations are adopted: AVP - antivirus protection; DIC - data integrity control; AEIS - audit of events of information security; PSIO - physical security of the information object; B - backup; UAC - user access control; SDCA - subsystem of detection of cyber attacks; MACS - monitoring and analysis of cyber security; NLAC - network-level access control.
Perimeters of OBI protection: PIS (I) - the perimeter of the information system; PCOI (II) - the perimeter of control of the object of informatization; UAP (III) - the user access perimeter; PNE (IV) - the perimeter of the network equipment; OPIO (V) - the outer perimeter of the information object. The task of choosing the rational structure of CIPM for OBI is carried out according to the following criteria [22,23]: minimal probability of the intruder accomplishing all goals; minimum average level of losses at OBI from the intruder accomplishing all goals; maximum probability of success of CIPM in counteracting the intruder accomplishing all goals; minimum value of the integral indicator "cost - risk". For the proposed architecture of IPCS, we used the model of optimization of structural-technological resource (STR) for mission-critical IM and OBI infrastructure components by the criterion of minimum probability of failure to solve the task [18,22].
In other words, according to the set task, it is necessary to find such values x*_{um,nm} that minimize the probability P of failure to solve the task, where um* is a node in OBI; M_inf is the number of IM; N_po is the number of program modules of OBI; φ_{un,um} is the distribution of tasks over the nodes of OBI; T* is the maximum possible time for solving the task; θ_{un,um} is the number of requests in OBI for the processing of information; λ_{un,um} is the intensity of solving the tasks. Based on the analysis of possibilities to improve IPCS of OBI, we propose the model for operational control over IDMSS with IS, which allows increasing the quality of planning the structure of IPS.

Model for the operational control over cyberprotection of object of informatization
Quantitative assessment of OBI protection can be obtained from the following quantities: C_ICR is the coefficient that allows representing the obtained result in the range [0; 1]; At_i is the level of violation of IS in the ith node; As_i is the criticality of information assets (IA) in the ith node; TL_i is the level of confidence in the device that reports IS violations in the ith node; LS_i is the level of protective measures in the ith node; the level of protection of the ith node; n is the number of nodes in OBI. Sets of internal and external attacks against OBI are represented in the form of tuples, where RCA is the remote attack on OBI; ICA_l(m) is the internal attack on IA at criticality level k, which are processed in node NN_m, when the intruder has an account as a user with the right to access information whose criticality level does not exceed (k-1) and tries to expand his privileges; EST is the external source of threat; IST_l^{k-1} is the internal source of threat; CE is the communication equipment; SS_ne, SS_h are the security services in the path of the growing attack, network and host; PP are the protocols and packets; O is the object of access; NN_m^k is the OBI node which processes information with the highest level of criticality (k); l, m are the numbers of nodes.
Articles [9,17,19,24] proved that the only effective way to identify an attack is the analysis of combinations of anomalous events. That is why IDMSS matches the set of possible ways WCA of spreading the attacks with the set of indicators IND. The number of indicators that were triggered along its progress assesses the probability that a suspicious activity is a cyberattack. The intersection τ_{a_i}(p) defines the set of indicators. Then we receive the following expression, where IND = {ind_j : ind_l} is the indicator of a network or a perimeter of OBI; WCA are the possible ways of spreading the cyberattack against the nodes of OBI; ζ_{a_i}(wca) is the intersection which defines the set of indicators that correspond to the realization of an attack along a given path.
In order to solve the tasks of IP under conditions of controversy or incompleteness of data on the state of OBI during the attack, IDMSS employs the mechanisms of fuzzy inference. The input information for the module of fuzzy inference is the number and informativeness of the attributes of anomalous events in the system [6,17,22]. The information that is formed at the output of fuzzy inference system corresponds to the original variable, which is the probability that the combination of anomalous events in the network is actually the attack.
Under the condition of missing information on the state of OBI, IDMSS employs a model to counteract the threats, which makes it possible to select the controlling influence that corresponds to the largest extent to the state of the object of control. The process of selecting the optimal option to respond to the security events is represented in the form of a tuple, where RV_i is the variant of response; RE_j is the result; RUL are the decisive rules in IDMSS; DA_j is the loss assessment; z is the parameter of uncertainty in the state of the environment; P(z_l) is the probability of state l of the environment; OF is the objective function of selection; RV_rat(P_CA) is the rational option of response; P_CA is the probability of attack. An analysis of possible reaction variants {RO_i} for the security events [9,17,22] revealed that the number of controlling influences for each situation is limited, i ∈ [1,3].
Since the selection of options to respond to IS events is carried out under conditions of a potential cyber attack, IDMSS applies a model for assessing the alternative benefits with the estimation of loss {RE_j}, j ∈ [1,4]: no damage, loss to a particular user, damage to a group of users, damage from the attack for the entire ICS.
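The two steps just described, estimating P_CA from the indicators triggered along a path WCA and then choosing a response variant RV_i from a limited set by weighing loss classes RE_j against the uncertain state of the environment, as an added example that is not the paper's or DMSSCIS's own code. The paths, indicator names, loss values DA_j, decisive rules RUL, response costs and the use of expected loss as the objective function OF are all constructed assumptions; the paper refines P_CA with fuzzy inference, which this example does not reproduce.

```python
"""Added example (not from the paper or DMSSCIS): a crude P_CA estimate from the
indicators observed along an attack path, then the choice of a response variant
RV_i by minimum expected loss over uncertain environment states z_l.
Every path, indicator, loss value and rule below is a constructed assumption."""

# Possible ways of spreading an attack (WCA) and the indicators IND each one
# should trigger on a network or perimeter of OBI (constructed).
WCA = {
    "remote->PNE->PIS": frozenset({"port_scan", "new_admin_account", "outbound_c2"}),
    "insider->UAP->PIS": frozenset({"priv_escalation", "off_hours_login", "bulk_read"}),
}


def attack_probability(path, observed):
    """Share of the path's indicators actually observed: the intersection that
    the text uses as evidence that suspicious activity is a cyberattack."""
    expected = WCA[path]
    return len(expected & observed) / len(expected)


# Loss classes RE_j (j in [1,4]) with a constructed loss assessment DA_j in
# conventional units: no damage, one user, a group of users, the whole ICS.
DA = {"none": 0.0, "user": 10.0, "group": 50.0, "ics": 400.0}

# Decisive rules RUL: (response variant RV_i, environment state) -> loss class.
# States z_1 = "attack" (the activity really is an attack), z_2 = "false_alarm".
RUL = {
    ("monitor", "attack"): "ics", ("monitor", "false_alarm"): "none",
    ("isolate_node", "attack"): "user", ("isolate_node", "false_alarm"): "user",
    ("block_segment", "attack"): "none", ("block_segment", "false_alarm"): "group",
}
# Own cost of carrying out each response variant (constructed).
RESPONSE_COST = {"monitor": 0.0, "isolate_node": 5.0, "block_segment": 10.0}


def expected_loss(variant, p_ca):
    """Objective function OF (assumed): expected loss with P(z_1) = P_CA and
    P(z_2) = 1 - P_CA, plus the cost of the response itself."""
    states = {"attack": p_ca, "false_alarm": 1.0 - p_ca}
    return RESPONSE_COST[variant] + sum(
        p * DA[RUL[(variant, state)]] for state, p in states.items())


def rational_response(path, observed):
    """RV_rat(P_CA): the variant with the minimum expected loss for this path."""
    p_ca = attack_probability(path, observed)
    return min(RESPONSE_COST, key=lambda rv: expected_loss(rv, p_ca))


if __name__ == "__main__":
    seen = {"port_scan", "new_admin_account"}  # constructed observation
    print(attack_probability("remote->PNE->PIS", seen))
    print(rational_response("remote->PNE->PIS", seen))
```

With two of three indicators on the remote path observed, monitoring is too risky and blocking the whole segment too costly under a false alarm, so isolating the node is chosen; with no indicators the rational choice is to keep monitoring, and with all three it is to block the segment.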
We set the functional according to which the selection of the optimal variant of response is carried out. In order to overcome difficulties in weakly formalized situations, and to improve the qualitative level of OC, IPCS is equipped with a system of intelligent support of operational control over IP. In the process of organizational-technical management, at the stage of planning the composition of IP means (IPM), the process of sequential removal of uncertainty concerning the structure and composition of IPM in IPS is considered. The planning process PL of rational combinations (sets) of MIP is described by the expression PL = SFS → CS_al, (12) where SFS is the set of functional subsystems for the perimeter of IP; CS_al is the chosen set of IPM.
A process of decision-making by means of IDMSS on selecting the optimal variant of MIP for the respective IP perimeters is regarded as the formation of a subset of the best options CS′ ⊆ CS.
The set of options is represented as follows, where AL is the number of variants of alternative combinations, based on which the choice is made. In order to select the optimal variant of an IPM set, the objective function OF is used: CS_al = OF(CS).
The set of data that allow comparing the IPM variants includes two subsets: CS is the set of synthesized variants of a set; MA_l are the data for the selection of rational variants; OF is the objective function for the rational choice of IPM (selection rule); CS_r is the rational set of IPM; CM_lm is the protection means for the realization of the lth functional subsystem.
The selection of rational variants of IPM is implemented based on processing the knowledge of experts in the field of IS. The process of forming the rational complex of IPM is divided into five stages: 1. One develops variants of combinations of MIP. The set of possible variants to solve the task on selection is assigned by a morphological matrix. For the examined perimeters of IP, we developed morphological matrices of IPM.
2. One fills in auxiliary matrices in which one defines software-hardware means (SHM) compatible with one another. The auxiliary matrix of compatible solutions is filled as follows. For each pair of IPM from different functional subsystems, one determines whether they are compatible. The result obtained is entered into KBIPM. If the MIP are compatible, then the compatibility function s(CM_lm, CM_pr) = 1, otherwise s(CM_lm, CM_pr) = 0.
3. One generates a set of decisions on the choice of options for MIP. One performs a truncation of this set to the subset of options consisting of SHM compatible with each other. The set CS = {CS_1, …, CS_R}, consisting of all the possible options for constructing MIP for the IP perimeter, is the Cartesian product of the sets of alternatives (rows of the morphological matrix).
An element of the set is represented as follows, where L is the number of functional subsystems for the perimeter of OBI IPS. The generation of a set of decisions on the choice of options of the set, which consists of MIP compatible with each other, is carried out as follows. One runs an iterative synthesis of options consisting of compatible MIP: at the first step, variants of IPM for the first subsystem are sequentially checked; after selecting the alternative CM_1i, a transition to the second step takes place. At the second step, one performs a sequential check of options for IPM of the second subsystem, but the choice is made only among such alternatives CM_2j for which the compatibility function s(CM_1i, CM_2j) = 1, and so on. When selecting the alternatives from the first subsystem, the choice is made only among such alternatives CM_lm for which the compatibility functions are equal to unity. MA is the value of the indicator "expenditures" for the protection means CM_lm.
The criteria of quality of IPM by the indicator "protection" are divided into two groups: indicators of effectiveness of operational methods of protection and indicators of functional applicability. Criteria of quality by the indicator "expenditures" are also divided into two groups: the cost of appropriate IPM and functional expenditures (for example, decrease in the performance of OBI modules when using the given IPM).
Using the T. Saaty method [17,25], DSS carries out the estimation of IPM and the related criteria [9,22]. It also calculates the normalized values of the eigenvector of IPM by all criteria for the indicators "protection" CR_1^LS and "expenditures" CR_1^in based on processing all the matrices of pairwise comparisons with regard to the links between criteria.
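The pairwise-comparison step of the Saaty method referred to above, as an added example that is not the paper's or DMSSCIS's code: the priority vector is the normalized principal eigenvector of a reciprocal comparison matrix, computed here by power iteration; lambda_max yields the consistency ratio that tells whether the experts' judgements can be used; and criterion weights are combined with per-criterion priorities of the IPM alternatives into a summary indicator. The matrices are constructed; the RI table holds Saaty's published random consistency indices.

```python
"""Added example (not the paper's or DMSSCIS's code): Saaty priority vectors,
consistency ratio and aggregation of alternatives over criteria.
All comparison matrices below are constructed."""

# Random consistency index RI by matrix order (Saaty's published values).
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def priority_vector(matrix, iterations=200):
    """Normalized principal eigenvector w and lambda_max of a reciprocal
    pairwise-comparison matrix, by power iteration from the uniform vector."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [v / total for v in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n  # Rayleigh-style estimate
    return w, lam


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1).
    Judgements with CR above 0.1 are usually sent back to the experts."""
    n = len(matrix)
    if n < 3:
        return 0.0  # 1x1 and 2x2 reciprocal matrices are always consistent
    _, lam = priority_vector(matrix)
    return (lam - n) / (n - 1) / RI[n]


def aggregate(criteria_matrix, alternative_matrices):
    """Summary indicator per alternative: sum over criteria of the criterion
    weight times the alternative's priority under that criterion. One
    criteria matrix per indicator ("protection" or "expenditures") gives the
    normalized CR values the text describes."""
    weights, _ = priority_vector(criteria_matrix)
    m = len(alternative_matrices[0])
    scores = [0.0] * m
    for w_k, alt in zip(weights, alternative_matrices):
        prio, _ = priority_vector(alt)
        for i in range(m):
            scores[i] += w_k * prio[i]
    return scores


if __name__ == "__main__":
    # Constructed: two criteria, criterion 1 judged 3 times as important.
    criteria = [[1, 3], [1 / 3, 1]]
    # Constructed: two IPM alternatives compared under each criterion.
    under_c1 = [[1, 2], [0.5, 1]]
    under_c2 = [[1, 0.5], [2, 1]]
    print(aggregate(criteria, [under_c1, under_c2]))
    cyclic = [[1, 9, 1 / 9], [1 / 9, 1, 9], [9, 1 / 9, 1]]  # constructed, inconsistent
    print(consistency_ratio(cyclic))
```

The cyclic matrix (A preferred 9:1 over B, B over C, C over A) is the classic case the consistency check exists for: its priority vector is uniform and tells the analyst nothing, while CR is far above 0.1.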
After selecting the rational combinations of IPM for the appropriate perimeters of protection, we receive a rational modular composition of the holistic CIPM of OBI, which satisfies the requirement OF → max together with the constraint on cost, where C_Σ is the total cost of implementing the MIP complex and C_per are the financial resources allocated for the implementation of the complex. The indicator C_Σ is calculated as the sum of the costs of the selected means. The choice of a complex of IPM is realized by approaching the rational structure in the process of iterations. Such an approach satisfies the requirement of acceptable expenditures for the implementation of IPS.
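The five-stage formation of a rational IPM complex described above (morphological matrix, compatibility function s(CM_lm, CM_pr), iterative synthesis of compatible sets, objective function OF as the ratio of the summary "protection" indicator to the summary "expenditures" indicator, and the cost constraint C_Σ ≤ C_per), carried through for one perimeter as an added example that is not the paper's or DMSSCIS's code. The subsystems, alternatives, their normalized indicator values, costs and incompatible pairs are constructed; treating the cost as the "expenditures" indicator is an assumption.

```python
"""Added example (not from the paper or DMSSCIS): morphological synthesis of
compatible IPM sets for one perimeter and selection by OF = protection/expenditures
under the budget C_per. Subsystems, alternatives, scores, costs and the
compatibility pairs below are constructed."""

# Morphological matrix: row l = functional subsystem, entries = alternatives CM_lm.
MORPH = {
    "AVP": ["av_A", "av_B"],
    "UAC": ["uac_A", "uac_B"],
    "SDCA": ["ids_A", "ids_B"],
}
# Per alternative: (normalized "protection" indicator, cost in conventional units).
SCORES = {
    "av_A": (0.6, 100), "av_B": (0.8, 150),
    "uac_A": (0.5, 80), "uac_B": (0.7, 120),
    "ids_A": (0.3, 200), "ids_B": (0.9, 300),
}
# Auxiliary matrix of compatible solutions, stored sparsely: only pairs with s = 0.
INCOMPATIBLE = {frozenset({"av_A", "ids_B"}), frozenset({"uac_B", "ids_A"})}


def s(cm1, cm2):
    """Compatibility function: 1 if the two means can work together, else 0."""
    return 0 if frozenset({cm1, cm2}) in INCOMPATIBLE else 1


def synthesize(morph):
    """Iterative synthesis: extend partial sets subsystem by subsystem, keeping
    an alternative only if s() = 1 with every alternative already chosen.
    The result is the Cartesian product truncated to mutually compatible sets."""
    sets = [()]
    for alternatives in morph.values():
        sets = [cs + (cm,) for cs in sets for cm in alternatives
                if all(s(cm, prev) for prev in cs)]
    return sets


def total_cost(cs):
    """C_sigma: total cost of the means in the set."""
    return sum(SCORES[cm][1] for cm in cs)


def objective(cs):
    """OF: summary "protection" divided by summary "expenditures" (cost here)."""
    return sum(SCORES[cm][0] for cm in cs) / total_cost(cs)


def select_rational(morph, budget):
    """CS_r: the compatible set with maximal OF whose cost does not exceed C_per,
    or None if no compatible set fits the budget."""
    candidates = [cs for cs in synthesize(morph) if total_cost(cs) <= budget]
    if not candidates:
        return None
    return max(candidates, key=objective)


if __name__ == "__main__":
    for cs in synthesize(MORPH):
        print(cs, total_cost(cs), round(objective(cs), 5))
    print(select_rational(MORPH, 600))
```

Of the eight combinations in the full Cartesian product, four survive the compatibility truncation; which of them is rational then depends only on the budget, which is the iterative approach to the rational structure the text describes.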
In the process of analysis and assessment of risks, IDMSS defines the degree of adequacy of the planned IPM sets to the existing threats. Since the impact of different destructive factors on information is largely random, IDMSS employs the probability of a violation of information security as the quantitative measure of vulnerability.
It is accepted that the value of the information security indicator of the mth MIP, P_blm, is the subjective probability of detection and blocking of unauthorized actions by the IPM, that is, the theoretically expected efficiency of the barrier.
It is obvious that the probability of violation of protection P^n_blm complements P_blm to unity, that is, $P^{n}_{blm} = 1 - P_{blm}$, where P^n_blm is the probability of information protection violation, or the probability of vulnerability of the mth MIP (the probability of overcoming the appropriate perimeter). It is known that the level of protection and the relative risk complement each other to unity. It is proposed to compute the level of protection LS by the formula $LS = 1 - R = 1 - \sum_{s=1}^{S} C_s P_s$, where R is the relative risk; C_s is the proportion of the cost of information resources in segment s, which is subject to protection; s is the number of the segment; S is the number of segments; P_s is the resultant probability of threats to the information environment of OBI segment s; C_Σ is the total unacceptable loss; C_s/C_Σ is the coefficient of danger of the totality of threats in the sth segment, which is defined as the proportion of the cost of the object of protection, in particular, the information that is processed in the node. Thus, to assess the level of protection, it is necessary to have a quantitative assessment of the probability of realization of the unauthorized access channels (UAC).
To assess the probability of violation of OBI IS by the subset of intruders {H} on a subset of possible channels of unauthorized obtaining of information (UOI) {CH} for a node of OBI, the following ratio is used, where P^in_sjk and P^ex_sjk are the probabilities of UOI processed in the sth segment by, respectively, an internal (in) and an external (ex) intruder (attacker) for the object of protection that has gate points to the global network and external dedicated communication channels through which remote attacks across a perimeter are possible.
With regard to the proposed architecture and the adopted model of protection (b), P^ex_sjk is calculated from the perimeter probabilities, where P^ex_sjkl is the probability of UOI processed in the sth node by an attacker in case of overcoming the appropriate perimeter of protection l.
An internal intruder in the course of realizing UAC channels must overcome at least three perimeters of protection. Then the probability of UOI processed in segment s by an internal intruder is calculated by a formula in which P^in_sl is the probability of UOI (processed in the sth segment) by an internal intruder in case of overcoming the corresponding perimeter l.
Probability P^H_sjkl depends on the quality of IPM and the number of perimeters of protection at OBI. If an intruder must overcome M barriers in the appropriate perimeter, then the probability of his successful attack is defined as the product of the barrier probabilities.
Based on the proposed model for risk assessment of IS violation, we developed software packages (SP) for the automated system of intelligent support in the organizational-technical and operational management of OBI IP.
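The risk model of this section carried through numerically, as an added example that is not the paper's or DMSSCIS's code: barrier efficiency P_blm, the vulnerability P^n_blm = 1 - P_blm, the product rule for the M barriers of a perimeter and for a chain of perimeters, the segment threat probability P_s from an external and an internal intruder (the latter crossing at least three perimeters), and LS = 1 - R with R = Σ_s C_s P_s. The barrier values, attack paths and segment shares are constructed; combining the external and internal probabilities as independent events is an assumption.

```python
"""Added example (not from the paper): barrier efficiency P_blm, vulnerability
P^n_blm = 1 - P_blm, the product rule for M barriers and for chains of
perimeters, the segment threat probability P_s and LS = 1 - sum_s C_s P_s.
Barrier values, paths and segment shares are constructed; independence of
barriers and of the two intruder types is an assumption."""

# Perimeters I..V from the text with constructed P_blm for each barrier (IPM).
PERIMETERS = {
    "I": [0.9, 0.8],     # PIS: information system perimeter
    "II": [0.85],        # PCOI: control of the object of informatization
    "III": [0.7, 0.75],  # UAP: user access perimeter
    "IV": [0.9],         # PNE: network equipment
    "V": [0.95, 0.8],    # OPIO: outer perimeter of the information object
}


def vulnerability(p_blm):
    """P^n_blm: probability that a single barrier is overcome."""
    return 1.0 - p_blm


def p_overcome(perimeter):
    """All M barriers of a perimeter must be defeated: product of vulnerabilities."""
    p = 1.0
    for p_blm in PERIMETERS[perimeter]:
        p *= vulnerability(p_blm)
    return p


def p_path(perimeters):
    """Probability of UOI along a path through several perimeters in sequence."""
    p = 1.0
    for per in perimeters:
        p *= p_overcome(per)
    return p


def segment_threat(external_path, internal_path):
    """P_s: the segment is reached by the external or the internal intruder.
    The internal path must cross at least three perimeters, as the text states."""
    if len(internal_path) < 3:
        raise ValueError("an internal intruder overcomes at least three perimeters")
    p_ex = p_path(external_path)
    p_in = p_path(internal_path)
    return 1.0 - (1.0 - p_ex) * (1.0 - p_in)


def protection_level(segments):
    """segments: list of (C_s, P_s), C_s = share of protected resource cost in
    segment s. Returns (LS, R) with R = sum_s C_s P_s and LS = 1 - R."""
    risk = sum(c_s * p_s for c_s, p_s in segments)
    return 1.0 - risk, risk


if __name__ == "__main__":
    # Constructed paths: remote attacker V -> IV -> I, insider III -> II -> I.
    p_s1 = segment_threat(["V", "IV", "I"], ["III", "II", "I"])
    p_s2 = segment_threat(["V", "IV", "II", "I"], ["III", "II", "I"])
    print(p_s1, p_s2)
    print(protection_level([(0.6, p_s1), (0.4, p_s2)]))
```

Because every perimeter multiplies another small factor into the path probability, the model rewards depth of the perimeter chain; the same structure explains why the text requires an internal intruder to be counted across at least three perimeters rather than one.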

Software package "System of intellectual support for making decisions on the control of cybersecurity - DMSSCIS"
Software package "System of intellectual support for making decisions on the control of cybersecurity - DMSSCIS" (Fig. 3) is intended for a substantiated choice of a rational complex of IPM when designing OBI IPS. DMSSCIS was also used in the course of modernization of existing IPS in computational centres at enterprises in Chernihiv (2016), Dnipro (2014), Poltava (2013-2014) and several industrial enterprises in Kyiv.
Based on the software tool "DMSSCIS", which in particular implements the method of choosing the rational option of response to the security-related events, we obtained the following results, Table 1.
In the course of the research we took into account the possible existence of an attacker who implements remote intrusion through the perimeters, the presence of external and internal users-intruders, and an insider who has high privileges and violates the security policy of OBI. After forming a rational composition of IPM at the enterprises where we carried out the study, the predicted value of risk obtained with the IDMSS "DMSSCIS" amounted to 1.78-1.91 %, which on average is 5.9-6.2 times lower than the value of risk for the IPS previously used at the enterprises. Fig. 4 shows examples of results of simulating the rational sets of IPM obtained using DMSSCIS. Fig. 4, a shows results of modeling the cost (C) of rational sets of OBI IPM. Fig. 4, b shows the dependence of the integral indicator of overall expenses on IPS for OBI, combining the losses from the actions of the intruder and the expenditures for organizing a rational option of the IPM set. The resulting dependence has a clearly pronounced minimum. This indicates that, starting at this point, the level of spending on IPS begins to exceed the level of losses from the actions of the intruder, which is why the major share in the value of the integral indicator is the total cost of IPM.
Thus, at an overall cost of organizing IPS along critical nodes [22] at OBI of the order of 5200-5500 units, the probability of an intruder reaching all aims is 10^-2. An increase in expenditures for the organisation of IPS above a certain level (exceeding 13000 units) is not expedient, since it does not lead to a significant improvement in the efficiency of IPS. In the course of the research, it was demonstrated that the implementation of the IDMSS "DMSSCIS" makes it possible to enhance the level of automation and centralization in the monitoring of OBI protection, as well as to reduce the time it takes to inform decision-makers about IS incidents by 6.9-7.2 times.

Discussion of results of IDMSS testing and prospects for further research
The proposed approach to constructing a comprehensive IPS for OBI allowed us to reduce expenditures for IPM by 32-35 % compared to alternative methods [2,6,10,25].
The IDMSS "DMSSCIS" has the following advantages in comparison with similar DSS [8,11,17]:
- it allows assessing the level of protection of an OBI that consists of a set of nodes processing information of various criticality levels;
- it allows assigning source data by the number of segments and nodes of OBI, taking into account the criticality levels of IA;
- it provides efficiency in the evaluation of IPM sets;
- it allows running a comparative analysis of various complexes of IPM during risk management;
- it allows taking into account the specifics of functioning of a particular OBI and real threats to key resources.
A certain shortcoming of the IDMSS "DMSSCIS" is the requirement to engage, at the initial stage of examination, a few independent experts for the construction of membership functions and the compilation of production rules. At the present stage of research, for this purpose we employed tools from the Fuzzy Toolbox (Matlab), which computes such indicators of MIP as "protection of information" for each involved perimeter of protection.
Further development of present work may include improving the interaction between traditional mechanisms of cybersecurity at OBI, which, in particular, process initial information by the modules of "DMSSCIS".
In general, based on the studies conducted, we can confirm effectiveness of the proposed models and software package for managing IS at the OBI of enterprises.

Conclusions
1. We proposed an architecture of IPCS in which the choice of the optimal variant of the set of IP means for the respective perimeter is realized using an objective function that maximizes the ratio of the summary indicator "protection of information" to the summary indicator "expenditures". This makes it possible to obtain a complex of means of protection certified for a given class of security. The requirement of a reasonable cost of implementing an information security system is also taken into account, for both the centralized and the decentralized variant of processing information.
2. We improved a model for the operational management of OBI CS and the formation of a balanced complex of means of protection. The model is based on the morphological approach. In contrast to existing solutions, the model, using the morphological matrices for each perimeter of protection of OBI prepared by IDMSS, allows us to generate variants of sets of means of protection that take into account the compatibility of software and hardware tools.
3. We developed a software complex for IDMSS in the contours of managing the system of protection of OBI. The adequacy of the proposed model is confirmed. The use of the developed IDMSS in the networks of enterprises where the software package DMSSCIS was verified made it possible to reduce the planned spending on the construction of IPS by up to 35 %.