dc.description.abstract | Compared to universal information systems, the information system for critical use has a simplified information environment and specific requirements regarding the volumes and nature of its information resources. This makes it possible to dispense with excessive detail and to narrow the object of simulation to the process of forming a security policy for an information system for critical use, which can be described adequately given a rational choice of the mathematical apparatus.
Objective. To synthesize a mathematical apparatus for the complex unified description of the static and dynamic processes, controlled for integrity and authenticity, in the information system for critical use in its hierarchical representation.
Method. The article obtains new complex mathematical models of information processing and of access separation which, in contrast to the existing ones, describe the mechanisms for protecting the environment and resources of the information system for critical use within the mathematical apparatus of E-networks and make it possible to quantify the integrity of its information resources. Mathematical models for synthesizing a policy of safe interaction between information processes in the information system for critical use are developed; they make it possible to guarantee that local security policies are observed on the various structural elements of the system and to integrate them into the global security policy, with a single discretionary policy observed everywhere in the system.
Results. The practical consequence of the theoretical results obtained is a set of methods for optimizing the operation of the data processing and access separation units, which are responsible in the information system for critical use for controlling information integrity and the authenticity of access to it, respectively. In particular, these are a model of the security policy of an information system for critical use adapted for practical application, and a method for dynamic information integrity control, with a corresponding criterion, based on the mathematical apparatus of semi-Markov networks for a comprehensive stochastic description of the discrete states of information integrity control at selected hierarchical levels of the system during continuous discretionary access. The method makes it possible to select the maximum allowable values of the information integrity control coefficients at the sub-levels of the OSI application level allocated in the information system for critical use, based on the pre-set size of the controlled information, the speed of information integrity control and the maximum period for which the system is in the appropriate state. Also described is a method for controlling access to information processes that are described by superblocks in the E-network representation of the information system for critical use (ISCU). It uses sets of classifiers integrated into each block of the superblock, which register when the weighted degrees of identity of the attributes of the object requesting access exceed the corresponding thresholds; this makes it possible to classify the identified information threat and initiate the corresponding reaction described in the system security policy. Analysis of the experimental results yielded optimal parameters for the groups of classifiers which, within the framework of the global, local and discretionary security policies, prevent unauthorized access to system information resources or attempts to violate their integrity.
Conclusions. The article presents for the first time a mathematical model of the information system for critical use in which, unlike the existing ones, a single approach is introduced to describe information processes within the global, discretionary and local security policies, tied to the hierarchical structure of the information system. This makes it possible to analyze and synthesize functions services supporting user roles based on the object-relational model of organization of the system's information resources, to perform their integration and induction and ensure compatibility within a single security policy, and to control the information and the authenticity of static and dynamic access to it. | en |