Key Concepts of Systemological Approach to CPS Adaptive Information Security Monitoring

Abstract

Modern cyber-physical systems (CPS) use digital control of physical processes. This allows attackers to conduct various cyberattacks on these systems. According to the current trends, an information security monitoring system (ISMS) becomes part of a security management system of CPS. It provides information to make a decision and generate a response. A large number of new methods are aimed at CPS security, including security assessment, intrusion detection, and ensuring sustainability. However, as a cyber-physical system operates over time, its structure and requirements may change. The datasets available for the protection object (CPS) and the security requirements have become dynamic. This dynamic effect causes asymmetry between the monitoring data collection and processing subsystem and the presented security tasks. The problem herein is the choice of the most appropriate set of methods in order to solve the security problems of a particular CPS configuration from a particular bank of the available methods. To solve this problem, the authors present a method for the management of an adaptive information security monitoring system. The method consists of solving a multicriteria discrete optimization problem under Pareto-optimality conditions when the available data, methods or external requirements change. The experimental study was performed on an example of smart home intrusion detection. In the study, the introduction of a constraint (a change in requirements) led to the revision of the monitoring scheme and a different recommendation of the monitoring method. As a result, the information security monitoring system gains the property of adaptability to changes in tasks and the available data. An important result from the study is the fact that the monitoring scheme obtained using the proposed management method has a proven optimality under the given conditions. Therefore, the asymmetry between the information security monitoring data collection and processing subsystem and the set of security requirements in cyber-physical systems can be overcome.

1. Introduction

The development of digital technologies has led to the emergence of a new system class, known as cyber-physical systems (CPS). These systems combine digital and physical process controls. Moreover, the implementation of digital technologies has led to an increase in the number of cyberattacks on various spheres: From medical science to industry related systems, etc. [1] Today, there are a large number of security breaches associated with CPS. Researchers are developing new approaches for the security of cyber-physical systems [2,3], including authentication methods, encryption, etc. However, the current work shows that the task of overcoming protection systems remains possible [2,3,4,5].

A wide variety of CPS, their heterogeneity both structurally and technologically, and the features of operation complicate the task of creating effective protection systems. Due to the continuous changes in the legal framework, the expansion of security objectives in relation to CPS also require continuous changes in systems that ensure their security.

During the process of ensuring the stable functioning of cyber-physical systems, decision-making is based on the information entered into the information security management system from the monitoring system. Therefore, the monitoring system is a key module in ensuring the information security management of cyber systems. A large number of research works have been devoted to modern information security monitoring systems (ISMS), from architectural solutions [6,7,8,9,10,11] to individual methods for solving security problems [12,13,14,15]. However, all of these works pay little attention to the task of ensuring the adaptability of ISMS to the structural and functional evolution of the protected object and the changing environmental conditions.

At present, CPS security methods are actively improved. Researchers are adapting solutions for computer networks and developing specialized approaches. Therefore, in the face of multiple challenges, the choice of the most appropriate method is quite difficult. More importantly, cybernetic systems do not remain unchanged. Their structural elements and the connections between them change, as well as their settings, configurations, and security requirements. In this case, it is necessary not to create a new protection system every time, but to adapt to the existing one. In addition, the methods of solving security problems change due to the changes in data and requirements. Solving this problem for large-scale cyber-physical systems is impossible without applying the analysis and synthesis approaches of complex systems. To manage the security of the CPS effectively, it is necessary to create new adaptive information security monitoring systems (AISMS). AISMS are able to ensure the awareness of the information security management system in the context of the evolution of the object of protection and changes in the external environment. The purpose of this work is to form a systemological approach for this kind of AISMS development based on a systematic approach and system analysis methodology.

2. Approach to Adaptive Information Security

2.1. The Problem of Modern CPS Security Monitoring

Changes in technological process control systems, an increase in the degree of digitalization, in threats and attacks on digital systems, as well as an increase in the severity of the consequences of these attacks [16,17] have led to a change in the approach to information security monitoring. Until recently, the ISMS performed the conformity assessment task [18], which solves the problem of security information and event management (SIEM). Today, this functionality is significantly expanding, which is evident in the example of the creation of a large number of security control centers based on monitoring systems [19], as well as changes in the legal system [20]. The modern ISMS is a continuous process of monitoring and analyzing the results of registration of security events [20]. The purpose of this process is to identify violations of information security, as well as thunderstorms and vulnerabilities in the computer systems of the protected object.

In order to solve the problem of ensuring the security of the CPS, the ISMS system must collect and analyze data on various aspects of the protected object, starting from the functioning of individual objects, to the assessment of the CPS in a complex, and finally the analysis of the external environment (Figure 1).

At the same time, the variety of security tasks leads to the requirement of a large number of monitoring methods. Modern methods for solving ISMS security problems have different efficiencies in relation to the different objects and/or conditions. In addition, these methods require prompt correction of their set in the event of external and internal changes and, often, the joint use of several methods to solve one security problem. A cyber-physical system, as an object of protection, is a complex dynamic system that does not lend itself well to analytical description and modeling [21]. The general theory of systems and the systems approach describe the system features as hierarchy, integration, and connectivity [22]. Under these conditions, the information security monitoring subsystem faces two priority tasks. The first is to ensure the collection and preparation of data from the protected object in all the above aspects. The second is to provide and support methods for analyzing this data in order to solve security problems at all levels of object presentation: From individual components to industrial CPS as a whole, taking into account the context of the external environment, the convergence, and interconnections of the components.

2.2. Principles of the Systemological Approach to Adaptive Information Security Monitoring

The choice of an effective set of methods, the timely preparation of data for their application, and the adjustment of the set of methods and data in the case of changes in the object and/or the external environment, require a systemological approach to the adaptive monitoring of information security. It is based on the system analysis methodology and the construction of mutual mappings between the security problems and their solution methods and the available datasets from the object of protection.

The approach to consider the object of the research in the system analysis [22] and the research levels of the object in the general systems theory [23], which is applied to solve the problem of intelligent adaptive monitoring, allows one to formulate the general principles of the adaptive monitoring of information security of CPS, such as:

• The principle of integrity.
• The principle of evolutionary adaptability.
• The principle of hierarchical connectivity.

The principle of integrity is a comprehensive consideration of the research object (object of protection) in relation to all of the security tasks. This is an assessment of both the internal and external environment of functioning. Any system, including the object of protection, is considered both as a set of components/systems of a smaller size, and as part of a system of a higher order. This principle establishes the ability of the monitoring system to take into account all types of security tasks, including security assessment, analysis of the operating environment, and change of protection goals. To implement this principle, the object of protection is represented as a dynamic set of all the observed parameters of its operation, both external and internal due to data-driving technologies. The set of measured parameters is determined by the set of security problems to be solved.

The convergence principle implies a change in the information security monitoring system along with the evolutionary development of the protected object and its functioning environment. It requires not only maintaining the implementation of current security tasks, taking into account the interrelationships, but also changing this list during the evolution of the protected system and environment, as well as the automated or automatic rebuilding of the monitoring process when the working conditions change. Then, the set of measured parameters of the monitoring object in the current operating mode is determined by external factors and is dynamic in the process of functioning.

The evolution of the set of measured parameters requires adaptation of the protected object model, as well as the structures and formats of the data collected during monitoring. To ensure the automatic processing of information in this case, it is necessary to highlight the main data models, which are both used in security monitoring and internally by processing and storage tools.

The principle of hierarchical connectivity highlights the hierarchical organization of systems and components when considering the object of protection from the point of system analysis view. It declares the consideration of an object in the form of a set of hierarchically related representations, corresponding to varying degrees of detail of both the components of the object of monitoring and levels of monitoring from the point of view of the theory and methods of ensuring information security [19,24].

The principles of the systematic approach ensure that the ISMS is adaptive to the changing tasks and structural dynamics of the protection object. Figure 2 contains the proposed scheme of an adaptive ISMS, highlighting the implementation of the principles of the systematic approach.

Each method of solving each security problem requires a specific set of input data. A basic data-driven model of the security object generates these sets. Each set is called a generating model (according to the theory of complex systems [22,23]). The technology of data-driven CPS model development is a separate task and is beyond the scope of this article. The authors of [25,26,27,28] consider it in detail. Next, we will focus on the key technology for implementing the systematic approach in our solution. This is the ISMS management methodology.

The adaptation of monitoring approaches to the changing conditions consists of changing the methods of data processing. It takes place when the old methods no longer meet the requirements (e.g., attack detection rates) or the available datasets have changed and the old methods are no longer applicable since there is no data for them. To ensure optimal performance and meet the given constraints in monitoring adaptation, we used an optimal choice theory approach. The problem, of discrete multicriteria optimization of the monitoring scheme (as a set and order of data processing methods) under the given constraints and the Pareto-optimal set of possible outcomes, is set. The solution for this problem and an experimental example are given below.

3. Management of the CPS Adaptive Information Security Monitoring

To implement the principles of integrity and convergence, it is necessary to mutually map the security problems (goals), solution methods, and datasets.

Based on this map, a formal definition of the monitoring scheme is: $S=〈\left(I^{Cur},M^{Cur}, D^{Cur}\right),F_{IM},F_{MD}〉$ where $I^{Cur}\subseteq I=\left\{i_1,\dots ,i_I\right\}$ is the set of security goals, uniquely determined and used within the framework of a given scheme; $M^{Cur}\subseteq M=\left\{m_1,\dots m_M\right\}$ is the set of all the available methods used to solve these problems at the moment (but only in this scheme or monitoring system mode); $D^{Cur}\subseteq D=\left\{d_1,\dots d_D\right\}$ is the set of used data groups from the protected object, respectively.

$F_{ID}:I\to D$—security tasks mapping to multiple security object datasets. Reverse mapping $F_{ID}^{-1}:D\to I$ shows which problem is solved using specific data.

$F_{IM}:I\to M$—security tasks mapping to a variety of solving methods. Reverse mapping $F_{IM}^{-1}:M\to I$ shows which problem the given method solves.

$F_{MD}:M\to D$—security tasks solving methods mapping to a set of the protected object datasets. Reverse mapping $F_{DM}^{-1}:D\to M$ shows which method uses the given data.

The main stages of the adaptation process in the information security monitoring system are:

• Assessment of the state, including the assessment of the all the security goals fulfillment and objectives, as well as the assessment of the sufficiency conditions and minimality of data and methods for solving the problem.
• Adjustment and fixation of security tasks.
• Determination of the available methods. In their absence, a transition to a higher-level adjustment of security objectives or system parameters, including technical capabilities for data collection and resource-based boundary conditions.
• Development of a new monitoring scheme, including the assessment of the time methods characteristics and data preparation, the assessment of the entire set of boundary conditions, and the solution of the problem of finding the optimal monitoring scheme.
• Adjustment of the data collection and preprocessing scheme in accordance with the new information security monitoring scheme.

Then, the adaptability of information security monitoring from the point of a systematic approach and within the framework of the proposed systemological principles is achieved by timely adjusting the monitoring scheme through building a new map in the context of the changed data sets, methods or tasks.

Managing the adaptive monitoring process includes the construction of a mutual map between a variety of security problems, a variety of methods for their solution, and a variety of sets of observable data of an object, followed by a selection of applied methods subsets and measured data based on a fixed set of tasks.

For each monitoring scheme, we will assign a set of parameters or characteristics $Par$, where parameter $p{r}_q\in Par$ is defined by tuple $p{r}_q=〈Name,Value〉$. In addition, for each of these parameters, there is an objective function $Fp{r}_q^0\left(i_j,m_k,D_k^{Cur}\right)$, defined in class $ℝ$ real numbers for all the security problems accepted in a certain scheme $i_j\in I^{Cur}$, for the method of solving each individual problem $m_k\in M^{Cur}$, and the datasets for that solution $D_k^{Cur}\subseteq D^{Cur}$.

The set of parameters $Par$ is defined as:

$$Par=\left\{\begin{array}{c}p{r}_q|\forall \left(i_j\in I^{Cur},m_k\in M^{Cur},D_k^{Cur}\subseteq D^{Cur}\right)\\ \exists Fp{r}_q^0\left(i_j,m_k,D_k^{Cur}\right)\in ℝ\end{array}\right\}$$

(1)

A corresponding objective function is available for each parameter of the scheme. In this case, the parameter value will be the value of this objective function of this parameter or $p{r}_q=〈Name,Value=Fp{r}_q^0〉$.

The objective functions of the different parameters are multidirectional. For example, when defining the parameter “the processing time for detecting some attack”, the value of the time function should be minimized to accelerate the work. At the same time, the parameter “the accuracy of detecting the some attack” should be maximized to reduce the number of errors of the first and second work.

To reduce the objective functions of the parameters to a general form and form a generalized objective function of the monitoring scheme, along with maximizing its value when solving the problem of finding the optimal scheme, we introduce the following transformation rules for the initial objective functions of the parameters:

• For the initial objective functions of parameters of the form $Fp{r}_q^0\to max$, take the resulting objective function of this parameter as $Fp{r}_q=Fp{r}_q^0$.
• For the initial objective functions of parameters of the form $Fp{r}_q^0\to min$, take the resulting objective function of this parameter as $Fp{r}_q=1/Fp{r}_q^0$.

Let us give an example of the original objective function parameter transformation, which is the decision time for a scheme $s_l\in S$ and security objectives $i_j$. The time of this operation, in the general case, consists of the preparation time of the slowest piece of data for making a decision $\underset{t}{\max }\left(t_t^{d_{j,k,t}^{Imp}\in F_{MD}\left(m_{j,k}\right)}\right)$, where t is a dataset number, $m_{j,k}$ is the k method for solving the j security problem, $d_{j,k,t}^{Imp}$ is the processed data fragment t by method k for task j, and the running time of the analysis method is $t_j^{m_{j,k}\subseteq F_{IM}\left(i_j\right)}$, where $i_j$ is a security problem. Then, the time function that minimizes the total decision-making time, transformed in accordance with the rules above is as follows:

$$p{r}_i^{decision time}.Value=1/\underset{k}{\min }\left(t_j^{m_{j,k}\subseteq F_{IM}\left(i_j\right)}+\underset{t}{\max }\left(t_t^{d_{j,k,t}^{Imp}\in F_{MD}\left(m_{j,k}\right)}\right)\right)$$

(2)

In fact, the transformed function (2) reflects the “speed” of decision-making in solving the security problem and is subject to maximization.

On the basis of the maximized objective functions of the parameters of the scheme, we define the general objective function of information security monitoring scheme $s_i$ as a multiparameter function of the form:

$$F_{s_i}^{\mathsf{\Sigma }}=F\left(\sum \left(Fp{r}_q|q\in \left[1,\left|Par\right|\right]\right)\right)\to max$$

(3)

which is a function of the overall objective functions of parameters. Determination of a specific objective function (3) is a specific task of AISMS management. It regulates the final criteria for choosing the optimal data scheme and may be dependent on the protected object.

Based on the set of possible mappings between the security problems, methods, and data, a number of monitoring schemes can be formed that implement the solution of a given set of security problems and, potentially, even satisfy the boundary condition R.

In addition to this set, it is proposed to formulate and solve a discrete multicriteria optimization problem based on the above-defined target function of the monitoring scheme and to search for an optimal scheme for collecting, processing, and analyzing data for adaptive monitoring of industrial CPS. Taking into account the convergence principle based on the mutual mapping of $F_{IM},F_{MD}$, due to the reduction of the set R, it is defined as $\left\{〈\left[\left(i,m,d\right):i\in I^{Cur},m\in M,d\in D\right]〉\right\}$ where based on functions $F_{IM},F_{MD}$ each security problem is associated with some non-empty set of methods for its solution, and each method corresponds to a non-empty set of initial data consumed by it. Then, the set of security problems, taking into account the related methods and data, can be represented as U, which is a set of variants of triplets for monitoring schemes:

$$U=\left\{\left(i_j,\left\{\left(m_{j,k},D_{j,k}^{Imp}\right)\left|\begin{array}{c}{m}_{j,k}\subseteq F_{IM}\left(i_j\right)\\ D_{j,k}^{Imp}\subseteq F_{MD}\left(m_{j,k}\right)\end{array}\right.\right\}\right)\left|i_j\in I^{Cur}\right.\right\}$$

(4)

where each problem from a fixed $I^{Cur}$ is assigned a set of possible solution methods and the data required for them $\left(m_{j,k},D_{j,k}^{Imp}\right)$, which corresponds with the mapping rules $m_{j,k}\subseteq F_{IM}\left(i_j\right)$ and $D_{j,k}^{Imp}\subseteq F_{MD}\left(m_{j,k}\right)$.

Furthermore, the set of solutions R satisfying the conditions of sufficiency and non-redundancy is reduced based on the boundary values determined by the characteristics of the goals and objectives of security.

Since every solution of the set R is initial for some monitoring scheme from the set $S\subseteq S_0$ based on (4), the monitoring scheme parameters for which the objective functions are set can also be applied. For each significant parameter of the scheme $pa{r}_h\in Par$, the boundary condition $b_h$ is determined as the minimum boundary of the objective function value $Fp{r}_q$. The identification of the parameter and the corresponding boundary is carried out by name. The boundary value is then described as a tuple $b_h=〈Name, Value〉,$ where the value as well as $Fp{r}_q$ are defined on the set of real numbers and the aggregate set of boundary values can be given as:

$$B=\left\{b_h|b_h=〈Name, Value〉, Value\in ℝ,h\in \left[1,H\right]\right\}$$

(5)

The fulfillment of the boundary conditions, in accordance with the constraint (5), over the scheme parameters determines the following rule:

$$\forall b_h\in B\exists p{r}_q\in Par\left[\left(p{r}_q. Name=b_h.Name\right)\wedge \left(Fp{r}_q>b_h.Value\right)\right]$$

(6)

If above a certain scheme $s_l\in R$, the condition specified by the corresponding rule (6) is met, indicating that this scheme satisfies all of the boundary conditions. Then, the $s_l$ scheme satisfies all of the requirements for the security goals and objectives, as well as the technological capabilities of the protected object. In addition, it can be included in many potentially applicable monitoring schemes $S^{Imp}$. For the formation of a set $S^{Imp}\subseteq S$, the following steps are needed:

• For each initial information security monitoring scheme $s_l\in R$, significant parameters of the scheme are determined and a vector of parameter values $\overrightarrow{Pa{r}_l}$ is formed.
• The creation of the sorted scheme $s_l\in R$ projections of the form $〈s_l,pa{r}_{q,l}〉$ ascending the parameter value, which is $\forall \left(p{r}_{q,l}\in \overrightarrow{Pa{r}_l} ,p{r}_{q,l+1}\in \overrightarrow{Pa{r}_{l+1}}\right)\left[p{r}_{q,l}.Value>p{r}_{q,l+1}.Value\right]$ where $q\in \left[1,\left|\overrightarrow{Pa{r}_l} \right|\right]$ и $l\in \left[1,\left|R \right|\right]$.
• Filtering projections according to the boundary condition for each significant parameter for which the corresponding boundary is set (5). In this case, schemes with parameters not exceeding the boundary value are excluded from the set S, which is $S^{Imp}=S\backslash \left\{s_l\right\}$, where $\left\{s_l\right\}$ is a set of schemes that do not satisfy the boundary conditions. For each excluded element $s_l$ of set $\left\{s_l\right\}$, there is a way out of at least one boundary value:

  $$\forall s_l\exists b_h\in B\left[p{r}_{q,l}.Name=b_h.Name\wedge p{r}_{q,l}.Value\le b_h.Value\right]$$

  (7)

  where (7) defines the filtering rule.
• Formation of the resulting set $S^{Imp}$ after eliminating from R all of the schemes that violate at least one boundary.

The resulting set of schemes $S^{Imp}$ defines a variety of monitoring schemes that satisfy all of the requirements. If eventually $S^{Imp}=\varnothing$, therefore, a monitoring scheme that satisfies all of the boundary conditions does not exist within the given technological boundaries (although there are schemes that satisfy the conditions of sufficiency and non-redundancy). If $\left|S^{Imp}\right|>1$, the next task is to determine the optimal scheme from this set, corresponding to the protected object.

The choice of the final optimal information security monitoring scheme is based on solving the optimization problem along with maximizing the objective function of the monitoring scheme $F_{s_i}^{\mathsf{\Sigma }}$ by maximizing its constituent components. Due to the complexity of the problem solving and the inconsistency of the monitoring scheme parameters, the t Pareto optimal solutions set $S^{Opt}$ with its subsequent narrowing is the only variant of the scheme.

To form a set $S^{Opt}$ over the potentially applicable schemes ISMS $S^{Imp}$ the dominance relation is given: Scheme $s_x$ dominates $s_y$ ($s_x\succ s_y$), if for all $Fp{r}_q$ values $Fp{r}_q^{s_x}\ge Fp{r}_q^{s_y}$. Scheme $s_x$ dominates $\succ$ scheme $s_y$ if and only all the values of the scheme parameters $s_x$ are greater than or equal to the corresponding values of the scheme $s_y$ parameters.

$$\left(\begin{array}{c}\forall pa{r}_q\in Par\left[pa{r}_q^{s_x}.Value\ge pa{r}_q^{s_y}.Value\right]\\ \wedge \exists pa{r}_q\in Par\left[pa{r}_i^{s_x}.Value>pa{r}_i^{s_y}.Value\right]\end{array}\right)⟺s_x\succ s_y$$

(8)

Monitoring schemes $s_x$, $s_y$ ($s_x=s_y$) are considered equivalent if for all $Fp{r}_q$ values $Fp{r}_q^{s_x}=Fp{r}_q^{s_y}$. To determine the optimal monitoring scheme from a variety of potentially applicable monitoring schemes $S^{Imp} ,$ satisfying the boundary conditions excludes all of the schemes for which there is a dominant or equivalent scheme in the following set:

$$\forall s_l\in S^{Imp},s_g\in S^{Imp} \left[\left(s_g\succ s_l\right)\vee \left(s_g=s_l\right)\Rightarrow S^{Imp}:=S^{Imp}\backslash \left\{s_l\right\}\right]$$

(9)

A set of optimal schemes $S^{Opt}$ is formed based on the rule (2.16):

$$S^{Opt}=\left\{s_l\left|\left(s_l\in S^{Imp}\right)\wedge \left(\nexists \left(s_g\in S^{Imp}\right)\left|\left(s_g\succ s_l\right)\vee \left(s_g=s_l\right)\right.\right)\right.\right\}$$

(10)

Evidently, this set cannot be empty, since the exclusion of the schemes occurs sequentially, and $S^{Opt}=\varnothing$ is possible only by excluding the last single scheme. However, the exclusion of this scheme is possible only if there is a dominant one over it, which, given its singleness is impossible. If $\left|S^{Opt}\right|=1$, we can say that $S^{Opt}=\left\{s_l\right\}$, where scheme $s_l$ is the only optimal solution and optimal scheme for monitoring information security, which is $s^{Cur}=s_l=〈\left(I^{Cur},M^{Cur}, D^{Cur}\right),F_{IM},F_{MD}〉$. Otherwise, when $\left|S^{Opt}\right|>1$, the multitude $S^{Opt}$ (10) is the Pareto optimal and needs to be reduced to a single solution.

In modern mathematics and the optimization theory, a set of methods has been developed to reduce the Pareto optimal sets in the field of discrete optimization [29]. Today, the main approaches to solving this problem are:

• Method of criteria (parameters) prioritization.
• Method for calculating the generalized criterion.
• Derived methods.

A preference relation allows one to take into account the characteristics of a particular cyber-physical system and correct the preference attitude throughout the life cycle of a protected object. The introduction of a generalized criterion presupposes a strict formalization of the above-defined objective function of the monitoring scheme $F_{s_i}^{\mathsf{\Sigma }}$ with the establishment of a relationship between heterogeneous parameters of the monitoring scheme. However, today the parameters of the monitoring scheme are very heterogeneous, including both temporal and qualitative resource characteristics, in which the formation of a method for generating a generalized criterion seems to be too heterogeneous and a poorly formalized task.

For industrial cyber-physical systems, we propose the prioritization of the monitoring scheme parameters, since this approach will allow the following:

• Reflect the peculiarities of a particular industrial CPS from the point of view of decision-makers and combine the automatic and automated selection of the optimal monitoring scheme.
• Reflect the shift in priorities in the choice of the monitoring scheme when the stability margin changes the CPS for a particular set of limited resources taken into account in the scheme parameters.
• Conduct a correspondence between the generation of the information security monitoring scheme and the risk-based threat model CPS, automatically prioritizing the directions of increased risk, which is, for threats with maximum residual risk values, maximize the margin of detection accuracy while remaining in the boundary values for the rest of the characteristics.

In the general case, it is proposed to prioritize the characteristics of detecting destructive impacts by ranking them in accordance with the residual risk assessments. Then, over the set of parameters of the monitoring scheme $p{r}_q\in Par$ a priority relation $\succ$ must form a ranked list of parameters $p{r}_1\succ p{r}_2\succ \dots \succ p{r}_{\left|Par\right|}$. Due to the risk-oriented approach to the information security of the CPS [30,31,32,33], the following procedure is proposed for the formation of this list:

• Comparison of the set of residual risks Ri with the parameters of the monitoring scheme through mappings to security objectives $Ri\to I^{Cur}$, $I^{Cur}\to Par$ and construction of the transitive mapping $Ri\to Par$, forming a pair of risks and related parameters of the ISMS scheme of the form $\left\{r_i,Pa{r}_{r_i}\right\}$, where $r_i\in Ri$ а $Pa{r}_{r_i}\subseteq Par$.
• Ranking a set of pairs $\left\{r_i,Pa{r}_{r_i}\right\}$ based on the cost of the risks.
• Ranking of each subset $Pa{r}_{r_i}$ according to the degree of influence on the corresponding risk of each individual parameter.

Selecting the final scheme $s^{Cur}=〈\left(I^{Cur},M^{Cur}, D^{Cur}\right),F_{IM},F_{MD}〉$ based on a ranked list of prioritized schema parameters $p{r}_1\succ p{r}_2\succ \dots \succ p{r}_{\left|Par\right|}$ is produced by taking previously constructed parametric projections of the schemes $〈s_l, pa{r}_{q,l}〉$ for $s_l\in S^{Opt}$, ranking according to order $p{r}_1\succ p{r}_2\succ \dots \succ p{r}_{\left|Par\right|}$ and consistent reduction $S^{Opt}$ until $\left|S^{Opt}\right|>1$. The latter scheme will be selected as the optimal solution to the problem of constructing an information security monitoring scheme based on the convergence of security problems, methods for their solution, and datasets of the protected object.

4. Experimental Studies

To test the adaptive monitoring management method experimentally, the security task of detecting anomalies in network traffic signaling the presence of cyber-attacks based on the [34,35,36,37,38,39,40] papers, was considered. Data-driven technologies for CPS were used to collect data and model the object of protection [41,42,43].

Figure 3 shows a schematic of the experimental stand. The CPS is represented by the dataset from the water treatment system [40]. The data contained a normal operation and attacks. The security management system was not simulated. The monitoring system is represented by the management subsystem (gray in Figure 3). The management subsystem contains a method bank and a management module. The control module is implemented according to the methodology based on the multicriteria optimization problem previously mentioned.

The bank of methods is represented by 18 algorithms for solving a given security task. It contains two types of machine learning-based and one of the multifractal algorithms in six different implementations each, including multi-threaded implementations. The algorithms have different characteristics in terms of time, accuracy, and computational requirements. The variability in characteristics is sufficient to test the control method, as shown in the example below. Newer algorithms, such as [41,42,43,44], were not included, since their implementation and testing on a given dataset for the comparability of results would be time consuming [45,46,47]. By the time this data was ready, there would still be new algorithms. The bank of methods can be extended by any new method, including [2,48,49,50,51,52]. At the same time, the comparative characteristics of the methods are important for management methodology testing, since the task of choosing the best method from the existing ones is not set. Here, we solve the task of a method selecting by the given criteria.

In the experimental example, we considered the task of monitoring control to solve the problem of the detection of DoS attack on the CPS traffic. The number of published methods for detecting specific attacks was not sufficiently diverse [45,47] for each attack to test the control module. We will repeat this experience when there are more of them, expanding the method bank in industrial implementation.

The bank of methods for solving the problem was formed on the basis of methods well described in the sources, the characteristics of which are available for evaluation, in particular, on the basis of references [36,37,38,39]. The solution bank included methods based on two well-known industry classifiers of network traffic: The classifier k-nearest neighbor (KNN 1–6) and the support vector machine (SVM 1–6) in various modifications (six modifications of each classifier), as well as the multifractal (MF) analysis method in various implementations. For the latter, the characteristics of five different implementations were included, taking into account data parallelization, starting from one computational node.

The problem of finding the optimal scheme was considered under certain constraints. First, the use of only one solution method (both technological and financial constraint). Secondly, the required quality of detection, expressed in the indicator $Accuracy=0.85$. Third, the time to detect an attack is no more than 1 s, excluding data preparation time.

Since the time spent on detecting an attack is minimized, according to the method used, the function expressing this indicator during the formation of the objective function of this parameter was replaced by the inverse ($Velocity$ was introduced) and a limitation was set: $F_{vel}^{a_1^{DoS}}=\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$F_{\mathrm{attack} \mathrm{detection} \mathrm{time}}^{a_1^{DoS}}$}\right.>B_{vel}.Value$. All of the methods located in the knowledge base accept a fixed input dataset in the form of a time series, the preparation time of which is the same for all of them: $\forall \left(m_i\in M_{a_1^{DoS}}\right)\to t_{preprocessing}=const$. This eliminates the influence of the preprocessing stage on the final efficiency. As a result, the limitation of the anomaly detection time was set as: $F_{vel}^{a_1^{DoS}}=\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$F_{\mathrm{attack} \mathrm{detection} \mathrm{time}}^{a_1^{DoS}}$}\right.>1$

Then, the boundary conditions are: $B_{vel}=\left\{〈Velocity, 1〉\right\}$, $B_{Accur}=\left\{ 〈Accuracy, 0.85〉\right\}$. Limitations on the number of methods $Metho{d}_{NUM}=1$ are also used consider various situations. An additional limitation on the number of nodes was introduced $Parralell=0$. The conditions on the number of methods and computational nodes were applied in filtering (reduction of sets of monitoring schemes), first during the initial generation of schemes and second during the last assessment of applicability, as an additional condition.

The initial set of schemes S after the primary filtering of the set R, taking into account the conditions of sufficiency, non-redundancy, and restrictions on the number of methods, took the form presented in

Table 1. Set of monitoring schemes and their characteristics.

Scheme	Scheme Parameters
	Parralell	Velocity	Accuracy
KNN-1	0	0.0001	0.915
KNN-2	0	0.0002	0.9
KNN-3	0	0.0002	0.874
KNN-4	0	0.0001	0.823
KNN-5	0	0.0002	0.775
KNN-6	0	0.0003	0.86
SVM-1	0	0.938	0.907
SVM-2	0	1.183	0.89
SVM-3	0	1.480	0.863
SVM-4	0	2.427	0.807
SVM-5	0	2.469	0.757
SVM-6	0	5.181	0.837
MF-1 sequential	0	0.779	0.97
MF-1 parallel	1	3.211	0.97
MF-2 parallel	1	3.305	0.97
MF-3 parallel	1	3.439	0.97
MF-4 parallel	1	3.787	0.97
MF-5 parallel	1	4.224	0.97

.

Furthermore, mandatory restrictions B_vel and B_Accur were applied for these schemes for constructing a set of valid schemes. In this case, a boundary estimate of time (Figure 4) and accuracy (Figure 5) was carried out.

Next, we will consider the basic version of solving the problem of finding the optimal scheme without taking into account the possibility of parallel computing or its absence $Parralell$. Then, the reduction of the original set of schemes according to the indicated restrictions ($B_{vel}$ and $B_{Accur}$) leads to a set of potential security monitoring schemes $S^{Imp}$, including the schemes SVM 2, 3 and MF parallel 1–5.

The set $S^{Opt}$ is defined based on the application to ${\mathit{S}}^{\mathit{I}\mathit{m}\mathit{p}}$ by assessing the dominance relationship between the schemes $\left(s_i,s_j\right)\in {\mathit{S}}^{\mathit{I}\mathit{m}\mathit{p}}$. In this example, the scheme “MF-5 parallel” dominates the rest in terms of time and accuracy, which leads to a single solution $s^{Cur}=“\mathrm{MF} -5 \mathrm{parallel}”$.

The next example with the additional condition $Parralell=No$ occurs when the reduction of the set of the initial monitoring schemes takes place. Then, the reduction by the indicated constraints leads to a set of potential security monitoring schemes ${\mathit{S}}^{\mathit{I}\mathit{m}\mathit{p}}$, including the schemes from

Table 2. The set of monitoring schemes ${\mathit{S}}^{\mathit{I}\mathit{m}\mathit{p}}$ and their characteristics (option 2).

Scheme	Scheme Parameters
	Parralell	Velocity	Accuracy
SVM-2	1	1.183	0.89
SVM-3	1	1.480	0.863

.

In this case, the assessment of dominance will not allow the exclusion of one of the schemes, since “SVM-2” prevails $\mathit{A}\mathit{c}\mathit{c}\mathit{u}\mathit{r}\mathit{a}\mathit{c}\mathit{y}$ and “SVM-3” prevails $\mathit{V}\mathit{e}\mathit{l}\mathit{o}\mathit{c}\mathit{i}\mathit{t}\mathit{y}$. Consequently, ${\mathit{S}}^{\mathit{I}\mathit{m}\mathit{p}}$ is a Pareto-optimal set, which is proposed to be prioritized according to the accuracy of observations and ${\mathit{s}}^{\mathit{C}\mathit{u}\mathit{r}}=\mathrm{SVM}\text{-}2$.

5. Discussion

Three characteristics of information security monitoring (in general) are considered: Completeness, reliability, and timeliness. The completeness of information security monitoring indicates the provision of all the security problems with methods and data for their solution. Reliability indicates the ability to reflect the real processes of the protected object or the provision of methods for solving security problems with non-obsolete data reflecting the state of the CPS. Timeliness refers to the ability to analyze information security monitoring data in compliance with the specified boundary conditions.

Let us formally prove the compliance of the obtained solution with the requirements of completeness, reliability, and efficiency of monitoring. At first, let us show that the above-mentioned approach to finding a rational mapping between the sets A, M, D expressed in the final information-processing scheme $s^{Cur}=〈\left(A^{Cur},M^{Cur}, D^{Cur}\right),F_{AM},F_{MD}〉$ allows one to meet the requirements for completeness, reliability, and timeliness of information security monitoring, if there is no distortion of data of the protected object during transmission to the monitoring system.

To ensure the completeness of adaptive monitoring, the following conditions ought to be met:

• All of the sets of safety problems have methods for their solution, if these methods exist.
• All of the applied methods of solving security problems have data from the protected object.

Both of the conditions are based on the construction of mappings $F_{AM},F_{MD}$. The completeness of these mappings is based on the fulfillment of the conditions of sufficiency and minimality of the data collected and the methods used. Then, the completeness of adaptive monitoring under an intelligent control is ensured if the sufficiency condition is not violated during the search for a rational scheme, as described above.

Let us prove that any resulting scheme $s^{Cur}$ meets these conditions. According to the definition of the original set of schemes $S=〈\left(A^{Cur},M^{Cur}, D^{Cur}\right),F_{AM},F_{MD}〉$, corresponding to the set of sufficient and minimal mappings, the conditions of sufficiency and minimality are satisfied for any scheme $s_l\in S$. Then, in the process of searching for the final scheme in order for these conditions to not be met for $s^{Cur}$, it is necessary to replenish the set S by the scheme s+, over which $F_{AM},F_{MD}$ are not executed. However, only a reduction of the set S occurs, and this scheme is impossible. Consequently, $s^{Cur}$ meets the condition of sufficiency and the completeness of adaptive monitoring is ensured.

Ensuring the reliability of active monitoring, without taking into account the timeliness of data which is defined in its other characteristic, is ensured by the following conditions:

• The representation (model) of the protected object in the monitoring system is complete and reliable.
• Data of the protected object were not distorted during the transfer to the monitoring system.
• All of the methods for solving security problems are provided with the exact data and in the format required for their work.

The completeness and reliability of the representation of the protected object (condition (1)) is based on the use of the systemological approach of the protected object models hierarchy. Each security problem corresponds to a data-based generating model and a solution method. This ensures that there is no task that is not monitored. The condition of not distorting the data during transmission to the monitoring system is key and is stipulated in the condition of completeness, reliability, and timeliness of the proposed approach. Its implementation reduces the task of protecting monitoring data, which is beyond the scope of this article (condition (2)). The provision of methods for solving security problems not only with datasets, but with sets of data demanded by them in the appropriate format (condition (3)) is due to the correctness of the $F_{MD}$ display, defined in the active monitoring model and included in the monitoring scheme $s^{Cur}$.

Ensuring the timeliness of the active monitoring of information security consists of solving security problems in less time than is required for the full or partial implementation of destructive impacts (depending on the type of impact and the task). This property depends on the monitoring methods (modern methods improve the characteristic). Timeliness assurance is based on the fulfillment of the boundary conditions, in terms of the time of generating the result using methods of solving safety problems. Violation of timeliness in relation to a security task $a_i$ consists of exceeding the time interval for developing a solution or in terms of maximizing the parametric functions of the scheme, non-observance of the boundary condition:

$$Fp{r}_i=p{r}_i^{decision time}.Value\le b_i^{decision time}.Value$$

(11)

$Fp{r}_i$ is the speed of a reaction developing to the i-impact, and $b_i^{attak time}$ is the time during which the corresponding response must be developed by the monitoring system. However, the rate of action development is limited by condition (4), according to which all of the schemes that do not satisfy (4) are excluded from the set of possible schemes S and for $p{r}_i^{decision time}.\mathrm{The} value$, if $p{r}_i^{decision time}$, is a characteristic of the resulting scheme $s^{Cur}$ and should also be executed:

$$\left(p{r}_q\in Par\right)\wedge \left(p{r}_q.Name=b_h.Name=‘decision time’\right)\to \left(Fp{r}_q> b_h.Value\right)$$

(12)

Therefore, a contradiction was obtained and it was proved that violation of (11) is impossible for the final scheme.

Consequently, when a complex systemological approach is applied, the properties of completeness, timeliness, and reliability of monitoring are achieved in the absence of data distortion.

6. Conclusions

The construction of an adaptive information security monitoring of the CPS in modern conditions is a difficult task due to the variety of security problems and the dynamic characteristics of the protected object (CPS). The use of the system approach methodology and system theory allows for the formulation of the monitoring principles: Integrity, convergence, and hierarchical connectivity, which generalize the systemological approach to AISMS.

Within the framework of the approach, in accordance with the principle of integrity, the object of protection (the cyber-physical system) is considered from various sides, from individual components to the object as a whole, as well as the characteristics of the external environment. When the adaptive characteristics of monitoring are managed, in order to ensure the compliance of the monitoring system with the protected object and to implement the principles of integrity and convergence, the construction of a mutual mapping process between the security tasks, methods of their solution, and available data is used. Based on this process, an optimal monitoring scheme may be determined, including sets of tasks, methods, data, and mapping between them, that correspond to the boundary conditions, including time and other restrictions (if this scheme can be specified under the current conditions).

The optimality of generating a monitoring scheme in the proposed methodology is based on solving the problem of multicriteria optimization in the choice of data processing methods. The overall efficiency of monitoring depends on the efficiency of individual methods. The proposed methodology allows one to choose the most effective method or a combination of methods from a predetermined set, which can be supplemented with more advanced methods. Based on the generation of the monitoring scheme, when the input requirements or initial datasets, methods, and tasks for the adaptive management of information security monitoring of the CPS are changed, the proposed method makes it possible to determine the optimal monitoring scheme and ensure compliance with the boundary conditions, including the requirement of promptness.