Open Education

Current Tasks in Identifying Invalid Events in Critical Information Infrastructure

https://doi.org/10.21686/1818-4243-2024-4-33-42

Abstract

The purpose of the study is to develop an approach for identifying and processing invalid events in critical information infrastructure (CII) based on the concepts of taxonomy and categorization. The approach aims to improve the efficiency of identifying, classifying, and managing information security (IS) incidents. The article addresses the current tasks of ensuring the required level of CII protection and minimizing the negative consequences of information security incidents that result from invalid events. Identifying these events is complicated by the difficulty of detecting them, the need to process large volumes of data, the insufficient speed of IS event detection, and technological limitations.
The relevance of identifying and classifying invalid events in information security, especially for CII, is driven by the need for timely detection of and response to incidents that could lead to negative consequences. Understanding the nature and characteristics of such events makes it possible to protect systems effectively and prevent significant damage. To make security assurance more effective, the class of invalid events must be singled out from the many information security events by considering the characteristics that define invalid events.
The novelty of the proposed approach lies in solving the task of identifying the class of invalid information security events based on taxonomy methods, involving the use of event categorization tools with the attributes of invalid events.
Materials and methods. The approach to identifying invalid events in CII, based on the principles of information security event taxonomy, was used to solve the task. It was shown that identifying invalid information security events is directly related to solving the problem of searching for and analyzing their attributes, which represent the characteristics or parameters used to describe and classify security incidents. Based on the key principles of taxonomy, a model of the structure of the set of invalid events was developed to determine the characteristics that can be the basis for classifying invalid events. The process of identifying invalid information security events includes a sequence of stages: taxonomy, categorization, and classification, with appropriate methods and tools implemented at each stage.
Results. Approaches to identifying invalid events in CII have been analyzed. Problems related to large data volumes, the complexity of event processing, the considerable time required for their detection, and technological limitations were considered. It was shown that the concept of taxonomy and categorization allows for effective identification and classification of information security incidents, ensuring efficient processing and response. The feasibility of applying taxonomy for describing and identifying the attributes of invalid events was justified, contributing to the development of effective protection strategies and improving security levels. A generalized scheme for processing invalid events was proposed, including a set of interconnected stages of identification, categorization, impact assessment, response, documentation, and analysis. An algorithm for structured description and classification of incidents was developed, allowing for more accurate and timely responses to information security threats.
Conclusion. The results obtained increase the effectiveness of solving the task of classifying information security incidents by identifying invalid events, which reduces the level of negative consequences of incidents and enhances the security of CII objects.

About the Authors

D. A. Evdokimova
Plekhanov Russian University of Economics
Russian Federation

Moscow



A. A. Mikryukov
Plekhanov Russian University of Economics
Russian Federation

Moscow



For citations:


Evdokimova D.A., Mikryukov A.A. Current Tasks in Identifying Invalid Events in Critical Information Infrastructure. Open Education. 2024;28(4):33-42. (In Russ.) https://doi.org/10.21686/1818-4243-2024-4-33-42

This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 1818-4243 (Print)
ISSN 2079-5939 (Online)