Analysis and optimization of decision-making in integrated security systems

The paper offers a comprehensive set of characteristics of integrated security systems for electronic document management, which makes it possible to study the degree of protection of such systems against external and internal threats from the point of view of system analysis and to model their functioning under various conditions. Classification descriptions are given and data analysis is performed for modeling decision-making processes in integrated security systems, using the example of responding to threats of information leakage through parametric channels. The optimal set of response measures is given for the case where an attacker performs illegal actions to intercept information via parametric channels using the corresponding modes of operation of the TCP Protocol. The type of the analytical models of the performance characteristics of measures to respond to threats of information leakage through parametric channels is determined by the functional model of such measures. The resulting system-level characteristic of effective response to the threat of information leakage through parametric channels is based on a stochastic representation of the conditions for timely interventions.


Introduction
Electronic document management systems, in modern realities that include a pandemic and remote access to information resources, are among the most popular and most security-critical integrated security systems (ISMS). This article offers a comprehensive set of characteristics of such systems, which allows us to study their degree of protection against external and internal threats from the point of view of system analysis and to model their functioning under various conditions. We define a set of mathematical models for evaluating the characteristics of the effectiveness of measures to respond to threats of information leakage through parametric channels [1][2][3][4][5][6][7].

The theoretical part
In accordance with the compositional nature of the procedure for forming a system of characteristics of the effectiveness of measures to respond to threats of information leakage through parametric channels, the initial data for the mathematical models of the characteristics of the second level of the hierarchy of such a system are the set {(bijk)} of time characteristics of functions for detecting signs that an attacker is performing illegal actions to intercept information via parametric channels.
The characteristics of the second system level of effective response to the threat of information leakage through parametric channels are evaluated using the following sets of models:
- the set of models {M(  (рjk))} to estimate the average time of implementation of TSR operation modes in the process of illegal actions to intercept information via parametric channels;
- the set of models {M(  (уjk))} to estimate the average time of establishing the facts of the implementation of certain modes of operation of the TSR in the process of illegal actions to intercept information via parametric channels.
The characteristics of the third system level of effective response to the threat of information leakage through parametric channels are evaluated using the following sets of models:
- the set of models {M(  (ek))} to estimate the average values of the time in which an attacker implements certain stages of illegal actions to intercept information via parametric channels;
- the set of models {M(  (еk))} to estimate the average response time to the actions of an attacker during the implementation of certain stages of illegal actions to intercept information via parametric channels;
- the set of models {M(P(р)k)} to assess the probability of timely response to the actions of an attacker when they implement certain stages of illegal actions to intercept information via parametric channels.
The assessment of the fourth-level characteristic, the system indicator R of timely response to threats of information leakage through parametric channels, is carried out on the assumption of independence of the events related to timely response to the actions of an attacker during the implementation of certain stages of illegal actions to intercept information through parametric channels.
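Added example (not from the paper): a numerical model of how the levels described above can be combined, from operation times up to the system indicator R. It assumes, beyond what the paper states, that operation times are independent and exponentially distributed, that composition of times means sequential execution (times add), that a response is timely when it completes before the attacker finishes the stage, and that R is the product of the per-stage probabilities; all names and sample values are constructed.

```python
import random
from math import prod

# Constructed sample data: each stage e_k lists its operating modes, and each
# mode lists its operations as (probability the operation is performed,
# mean time in seconds).
STAGES = {
    "e1": [[(1.0, 40.0), (0.5, 20.0)], [(1.0, 30.0)]],
    "e2": [[(1.0, 15.0), (1.0, 10.0)]],
}
# Constructed mean time (s) for the defender to detect and respond per stage.
RESPONSE_MEAN = {"e1": 25.0, "e2": 20.0}


def mean_stage_time(modes):
    """Levels 2-3: mean composed time = sum of p * mean over all operations."""
    return sum(p * m for ops in modes for p, m in ops)


def sample_stage_time(rng, modes):
    """Draw one attacker stage time: performed operations run back to back."""
    return sum(rng.expovariate(1.0 / m)
               for ops in modes for p, m in ops if rng.random() < p)


def timely_exact(modes, resp_mean):
    """P(response <= attacker time) for an exponential response time.

    P(response > X) = E[exp(-X / resp_mean)], which factorises over the
    independent operations: (1 - p) + p / (1 + mean / resp_mean) for each.
    """
    miss = prod((1 - p) + p / (1 + m / resp_mean)
                for ops in modes for p, m in ops)
    return 1.0 - miss


def timely_monte_carlo(modes, resp_mean, n=20000, seed=7):
    """Same probability by simulation; usable with any time distributions."""
    rng = random.Random(seed)
    hits = sum(rng.expovariate(1.0 / resp_mean) <= sample_stage_time(rng, modes)
               for _ in range(n))
    return hits / n


def system_indicator(stages, response_mean, estimator=timely_exact):
    """Level 4: R as the product of per-stage probabilities (independence)."""
    return prod(estimator(stages[k], response_mean[k]) for k in stages)


if __name__ == "__main__":
    for k, modes in STAGES.items():
        print(k, "mean attacker time:", mean_stage_time(modes),
              "P(timely):", round(timely_exact(modes, RESPONSE_MEAN[k]), 3),
              "MC:", round(timely_monte_carlo(modes, RESPONSE_MEAN[k]), 3))
    print("R =", round(system_indicator(STAGES, RESPONSE_MEAN), 3))
```

The closed form and the simulation agree for exponential times; for measured time distributions only the simulation path applies.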
The time characteristics of the attacker's ability to implement the TSR operation modes in the process of illegal actions to intercept information via parametric channels are formed at the second composite level of the system of characteristics of the effectiveness of response measures to such threats to information security [11,12]. The formation procedure is based on establishing inter-level compositional relationships between these characteristics and the characteristics of the initial (first) level of this system. The content of these links, and, consequently, the type of mathematical models of characteristics of this level is determined by the corresponding functional models of illegal actions to intercept information via parametric channels. Typical formats of generated analytical dependencies are presented in [8][9][10].
In accordance with the order of operations performed by the attacker in the process of calculating the availability zones of informative acoustic signals of the intelligence object, the average value ¯(р13) of the random value of the time spent by the attacker on implementing this mode of operation of the transmission control Protocol (TCP) is determined in accordance with the expression: where 131, 132, 133 and 134 are the probabilities of the attacker performing operations о131, о132, о133 and о134, respectively, in the course of illegal actions; ¯(о131), ¯(о132), ¯(о133) and ¯(о134) are the average values of the random variables of the time spent by the attacker to perform operations о131, о132, о133 and о134, respectively; and E((о135) • (о136) • (о137)) means the average value of the composition of the random variables (о135), (о136) and (о137) of the time in which the attacker performs operations о135, о136 and о137, respectively.
The given procedure for performing operations by an attacker in the process of determining the optimal availability of informative acoustic signals of the intelligence object makes it possible to form an expression for determining the average value ¯(р14) of the random value of the time spent by the attacker to implement this mode of operation of the TSR, in the form: where E((о141) • (о142)) means the average value of the composition of the random variables (о141) and (о142) of the time in which the attacker performs operations о141 and о142, respectively.
In accordance with the given procedure for performing operations by an attacker in the process of intercepting electrical signals modulated by informative acoustic signals, using AR tracking equipment on the channel of acoustoelectric transformations, the average value ¯(р21) of the random value of the time spent by the attacker to implement this mode of operation of the TSR is determined in accordance with the expression: where E((о211) • (о212)) means the average value of the composition of the random variables (о211) and (о212) of the time in which the attacker performs operations о211 and о212, respectively.
The given procedure for performing operations by an attacker in the process of increasing the intelligibility of intercepted informative acoustic signals using special software (hardware and software) methods makes it possible to form an expression for determining the average value ¯(р22) of the random value of the time spent by the attacker to implement this mode of operation of the TSR, in the form: where E((о221) • (о222) • (о223)) means the average value of the composition of the random variables (о221), (о222) and (о223) of the time in which the attacker performs operations о221, о222 and о223, respectively.
In accordance with the order of the attacker's operations in the process of intercepting re-emitted high-frequency (HF) signals modulated by informative acoustic signals in the auxiliary technical tools and systems (VTSS) of the intelligence object, using acoustic intelligence (AR) equipment over the RF irradiation channel, the average value ¯(р31) of the random value of the time spent by the attacker to implement this mode of operation of the TSR is determined in accordance with the expression: where E((о311) • (о312)) means the average value of the composition of the random variables (о311) and (о312) of the time in which the attacker performs operations о311 and о312, respectively.
The given procedure for performing operations by an attacker in the process of increasing the intelligibility of intercepted informative acoustic signals using special software (hardware and software) methods makes it possible to form an expression for determining the average value ¯(р32) of the random value of the time spent by the attacker to implement this mode of operation of the TSR, in the form: where E((о321) • (о322) • (о323)) means the average value of the composition of the random variables (о321), (о322) and (о323) of the time in which the attacker performs operations о321, о322 and о323, respectively.
In accordance with the above procedure for performing operations by an attacker in the process of intercepting re-emitted RF signals modulated by informative acoustic signals in the VTSS of the reconnaissance object, using the AR equipment for conducting RF radiation, the average value ¯(р41) of the random value of the time spent by the attacker to implement this mode of operation of the TSR is determined in accordance with the expression: where E((о411) • (о412) • (о413)) means the average value of the composition of the random variables (о411), (о412) and (о413) of the time in which the attacker performs operations о411, о412 and о413, respectively.
The given procedure for performing operations by an attacker in the process of increasing the intelligibility of intercepted informative acoustic signals using special software (hardware and software) methods makes it possible to form an expression for determining the average value ¯(р42) of the random value of the time spent by the attacker to implement this mode of operation of the TSR, in the form:
¯(р42) = E((о421) • (о422) • (о423))
where E((о421) • (о422) • (о423)) means the average value of the composition of the random variables (о421), (о422) and (о423) of the time in which the attacker performs operations о421, о422 and о423, respectively.
In accordance with the order of the attacker's operations during the interception of high-frequency electromagnetic signals that arise during the operation of generators included in the technical means and (or) from spurious (auto) generation in the technical means of the intelligence object, using AR equipment over the spurious (auto) generation channel, the average value ¯(р51) of the random value of the time spent by the attacker to implement this mode of operation of the TSR is determined in accordance with the expression:
¯(р51) = E((о511) • (о512))
where E((о511) • (о512)) means the average value of the composition of the random variables (о511) and (о512) of the time in which the attacker performs operations о511 and о512, respectively.
The given procedure for performing operations by an attacker in the process of increasing the intelligibility of intercepted informative acoustic signals using special software (hardware and software) methods makes it possible to form an expression for determining the average value ¯(р52) of the random value of the time spent by the attacker to implement this mode of operation of the TSR, in the form:
¯(р52) = E((о521) • (о522) • (о523))
where E((о521) • (о522) • (о523)) means the average value of the composition of the random variables (о521), (о522) and (о523) of the time in which the attacker performs operations о521, о522 and о523, respectively.
In accordance with the above procedure for performing operations by an attacker during the conversion of data intercepted through the channels of acoustoelectric transformations, RF irradiation, parasitic (auto) generation and RF imposition, the average value ¯(р61) of the random value of the time spent by the attacker to implement this mode of operation of the TSR is determined in accordance with the expression: where E((о621) • (о622) • (о623)) means the average value of the composition of the random variables (о621), (о622) and (о623) of the time in which the attacker performs operations о621, о622 and о623, respectively.
In accordance with the given procedure for performing operations by an attacker in the process of analyzing whether the information intercepted through the channels of acoustoelectric transformations, RF irradiation, parasitic (auto) generation and RF imposition is sufficient to disclose the content of the information process, the average value ¯(р63) of the random value of the time spent by the attacker to implement this mode of operation of the TSR is determined in accordance with the expression: where E((о631) • (о632)) means the average value of the composition of the random variables (о631) and (о632) of the time in which the attacker performs operations о631 and о632, respectively.
The time characteristics of the attacker's ability to implement the stages of illegal actions to intercept information via parametric channels are formed at the third composite level of the system of characteristics of the effectiveness of response measures to such threats to information security. In this case, the formation procedure is based on establishing inter-level compositional relationships of these characteristics with the characteristics of the second level of this system.
The following expressions (16)-(21) are mathematical models for estimating the average time of implementation of the stages of illegal actions to intercept information via parametric channels.
In accordance with the procedure given in [1,2,5] for an attacker to implement the TSR operation modes in the process of searching for places of intelligence availability of informative acoustic signals of the VP organs via the channels of acoustoelectric transformations, RF irradiation, parasitic (auto) generation and RF imposition, the average value ¯(e1) of the random value of the time spent by the attacker on the implementation of this stage of illegal actions is determined according to the expression:
¯(e1) = E((р11) • (р12) • (р13) • (р14))
where E((р11) • (р12) • (р13) • (р14)) means the average value of the composition of the random variables (р11), (р12), (р13) and (р14) of the time in which the attacker implements the TCP operating modes р11, р12, р13 and р14, respectively.
The given order of implementation by an attacker of the TCP operation modes in the process of intercepting electrical signals modulated by informative acoustic signals due to acoustoelectric transformations in the HTSS of the exploration object, the lines of which have an exit outside the controlled zone, makes it possible to form an expression for determining the average value ¯(e2) of the random value of the time spent by the attacker on the implementation of this stage of illegal actions, in the form: where E((р21) • (р22)) means the average value of the composition of the random variables (р21) and (р22) of the time in which the attacker implements the TCP operating modes р21 and р22, respectively.
In accordance with the above procedure for implementing the attacker's TCP operation modes in the process of intercepting re-emitted RF signals modulated by informative acoustic signals in the VTSS of the intelligence object, the average value ¯(e3) of the random value of the time spent by the attacker on the implementation of this stage of illegal actions is determined according to the expression: where E((р31) • (р32)) means the average value of the composition of the random variables (р31) and (р32) of the time in which the attacker implements the TCP operating modes р31 and р32, respectively.
The given order of implementation by an attacker of the TCP operation modes in the process of intercepting "imposed" high-frequency electrical signals modulated by informative acoustic signals in the VTSS lines of the intelligence object that go beyond the controlled zone makes it possible to form an expression for determining the average value ¯(e4) of the random value of the time spent by the attacker on the implementation of this stage of illegal actions, in the form: where E((р41) • (р42)) means the average value of the composition of the random variables (р41) and (р42) of the time in which the attacker implements the TCP operating modes р41 and р42, respectively.
In accordance with the given procedure for the implementation by an attacker of the TSR operating modes in the process of intercepting high-frequency electromagnetic signals that occur during the operation of generators that are part of technical means and (or) parasitic (auto) generation in the technical means of the intelligence object, the average value ¯(e5) of the random value of the time spent by the attacker on the implementation of this stage of illegal actions is determined according to the expression: where E((р51) • (р52)) means the average value of the composition of the random variables (р51) and (р52) of the time in which the attacker implements the TCP operating modes р51 and р52, respectively.
The given procedure for implementing the TCP operation modes by an attacker in the process of analyzing the amount of intercepted information by the criterion of sufficiency for its disclosure makes it possible to form an expression for determining the average value ¯(e6) of the random value of the time spent by the attacker on the implementation of this stage of illegal actions, in the form:
¯(e6) = E((р61) • (р62) • (р63))
where E((р61) • (р62) • (р63)) means the average value of the composition of the random variables (р61), (р62) and (р63) of the time in which the attacker implements the TCP operating modes р61, р62 and р63, respectively.

Practical research
These studies are a continuation of the complex experiment described in [1][2][3][4][5]. To assess the effectiveness of mechanisms for identifying threats of information leakage through parametric channels in accordance with the above method, we consider the model in relation to the characteristics of illegal acts of interception of information through channels of this type and the typical characteristics of mechanisms for identifying threats of information leakage.
In order to implement this method, a set of programs has been developed to evaluate the effectiveness of mechanisms for detecting threats of information leakage through parametric channels. Figure 1 shows a dialog box for entering initial data on threat characteristics in accordance with their representation in the form (22), obtained by analyzing the signs of illegal actions ri, i = 1, 2, ..., 19 from their set [5].
where: a is the number of unique (non-repeating) actions performed to implement threats of information leakage through parametric channels (procedures for detecting such threats); A is the total number of actions when implementing these threats (procedures for detecting them); b is the number of unique operands used when implementing these actions (procedures); B is the total number of operands used when implementing threats of information leakage through parametric channels (procedures for detecting such threats). In this case, the column "ID/IND" corresponds to the identifiers and names of functions of the initial level of describing threats of information leakage through parametric channels, and the columns "", "Amin", "Amax", "", "Bmin", "Bmax" correspond to the parameters of the expression (22).
The values in the "Vmin", "Vmax", "Vsr", and "Vsko" columns correspond to the minimum, maximum, and average values of the information volume of functions and its standard deviation, respectively. These values are determined during the operation of the software package.
Based on these initial data, in accordance with the models given in this paper, we obtain the values of the information volume of functions of the third intermediate level of the functional description of illegal actions to intercept information via parametric channels.

Conclusions
The values of the information volume characteristics, obtained in the experiment, of the target function of illegal actions to intercept secondary RF radiation of radio-electronic equipment elements (REO) and semi-active tab devices (PAZU) and of the target function for detecting threats of information leakage through parametric channels allow us to determine the effectiveness of mechanisms for detecting threats of information leakage through parametric channels, i.e. the efficiency has increased to 78%. Thus, the method given in the article for structuring the characteristics of mechanisms for detecting threats of information leakage through parametric channels allows for significantly higher reliability of the assessment than the reliability of an assessment based on individual characteristics of threat detection mechanisms that are not connected into any system. The models considered in this paper are a methodological basis for synthesizing the procedure for evaluating the effectiveness of mechanisms for detecting threats of information leakage through parametric channels. The use of the efficiency assessment of mechanisms for detecting threats of information leakage through parametric channels developed in the article makes it possible to provide a more reliable assessment than traditional methods of assessment [6][7][8][9][10].
In order to formalize the problem and ways to solve it, in accordance with the formulated content statement, we denote by R(N) a set of rules for evaluating the effectiveness of mechanisms for detecting threats of information leakage through parametric channels by the indicator E(b) of the specified nomenclature of N models. At the same time, threat assessment capabilities S(R) are provided. Then the task of modeling mechanisms for identifying threats of information leakage through parametric channels can be viewed as the task of developing a rule set R that maximizes the ability to assess the effectiveness of mechanisms for identifying threats of information leakage through parametric channels, with a number n of models not exceeding a given N.
This allows the problem statement to be presented formally as:
R = argmax S(R), n ≤ N
The formulated problem of modeling mechanisms for detecting threats of information leakage through parametric channels should be solved as the following main problems, solved in sequence:
- structuring descriptions of the attacker's actions to intercept information via parametric channels and of the mechanisms for detecting such actions;
- finding correspondences between the functional and mathematical description of the attacker's actions to intercept information via parametric channels and of the mechanisms for detecting such actions, in order to obtain a nomenclature of models that does not exceed the specified one;
- conducting experiments to evaluate the effectiveness of mechanisms for detecting threats of information leakage through parametric channels;
- determining the value of the indicator of the ability to evaluate the effectiveness of mechanisms for detecting threats of information leakage through parametric channels for various sets of evaluation rules.