#### 3.1. Computer Network Model

A computer network model based on attributive metagraphs allows to describe the software components of computer networks and all possible connections between them. The study considers only the software elements of computer networks (computer network software components and applications) and the links between them. The software in this case includes the application, system, and network software. A similar approach to the classification of system elements was applied in [

36]. Links are implied not only between elements located at the same level, but also by indicating the nesting of one element in another. That is, application software operates in operating systems, which are system software. In turn, operating systems operate within the framework of local area networks (or subnets) implemented through network software. Thus, three levels of computer network software are distinguished. For convenience, the levels are designated as the application level, the operating system level, and the network level.

As a mathematical apparatus for the implementation of the model, attributive metagraphs were chosen [

37]. The metagraph contains and coordinates among itself two main properties of the system: unity (a set of interlinked elements) and divisibility (each element of the system is also a system). In this regard, subsystems can be distinguished from the system. This allows to focus on the system or its subsystem if necessary.

The attributive metagraph nested at n levels of depth is represented as an ordered pair:

where

G is the attributive metagraph nested at n levels of depth;

$X=\left\{{x}_{i}\right\},i=\overline{1,n}$ is nonempty finite set of vertices;

$E=\left\{{e}_{k}\right\},k=\overline{1,m}$ is nonempty finite set of edges.

Each edge of an n-dimensional graph connects two subsets of the set of vertices:

where

${V}_{i},{W}_{i}\subseteq X;\text{}{V}_{i}{\displaystyle \cup}{W}_{i}\ne \varnothing $;

$i$ is nesting level.

There are also functions that indicate the nesting of vertices and edges of a metagraph:

where

$l,p,r,\dots ,t$ is number of vertices and edges at the appropriate level.

The vertices and edges of the attribute metagraph are characterized by many attributes:

where

${x}_{i}$ is a vertex of the metagraph,

${x}_{i}\in X$;

${e}_{i}$ is an edge of the metagraph,

${e}_{i}\in E$;

$at{r}_{j}$ and

$at{r}_{h}$ are attributes of vertices and edges, respectively.

Thus, the elements of the computer network applications and the connections between the elements are represented by the following symmetric sets:

${X}_{1}=\left\{{x}_{1}^{k}\right\}$, $k=\overline{1,q}$ is a set of applications;

${X}_{2}=\left\{{x}_{2}^{l}\right\}$, $l=\overline{1,r}$ is a set of operating systems;

${X}_{3}=\left\{{x}_{3}^{m}\right\}$, $m=\overline{1,s}$ is a set of networks;

${E}_{1}=\left\{{e}_{1}^{n}\right\}$, $n=\overline{1,t}$ is a set of links between applications, defined over a set ${X}_{1}$;

${E}_{2}=\left\{{e}_{2}^{o}\right\}$, $o=\overline{1,u}$ is a set of links between operating systems, defined over a set ${X}_{2}$;

${E}_{3}=\left\{{e}_{3}^{p}\right\}$, $p=\overline{1,v}$ is a set of links between networks, defined over a set ${X}_{3}$.

The entire computer network can be represented as the following attributive metagraph, or the ordered sequence of six values:

Moreover, there are functions that indicate the occurrence of applications in operating systems and operating systems in networks:

where

${x}_{1}^{k}$ is an element of the set of applications;

${e}_{1}^{n}$ is an element of the set of links between applications;

${x}_{2}^{l}$ is an element of the set of operating systems.

where

${x}_{2}^{l}$ is an element of the set of operating systems;

${e}_{2}^{o}$ is an element of the set of links between operating systems;

${x}_{3}^{m}$ is an element of the set of networks.

The vertex is characterized by a set of attributes:

where

$i=\overline{1,3}$ is the level of nesting of the vertex;

$b$ is the vertex number at a corresponding level

$i$;

$at{r}_{a}$ are the attributes of the vertex (number, line, etc.).

The edge is characterized by a set of attributes:

where

${x}_{i}^{s}$,

${x}_{i}^{e}$ are vertices connected by the edge;

$i=\overline{1,3}$ is the level of nesting of the edge;

$at{r}_{z}$ are the attributes of the edge (number, line, etc.).

Table 1 shows the potential attributes of the elements of the sets in question.

In addition, a rule is introduced that a link between two elements at the i-th level exists if and only if a link exists between all elements located at higher levels to which objects of the i-th level belong. This means that applications installed on different operating systems are interlinked only if the corresponding operating systems are also interlinked. Similarly, operating systems in different networks can be interlinked only if such networks are interlinked as well.

With using the developed model, it is possible at the design stage of the system structure to take the characteristics of the elements and the relationships between them into account for requirements for the functions of information security tools.

The following is an example of using the model to describe a computer network. A small computer network consists of three computers, one of which has a mail server, and two mail clients. Since we consider only software, computers are represented by operating systems. To provide an example, not all communications between operating systems and software are provided. A graphical representation of the metagraph describing this network is presented in

Figure 1.

In terms of the proposed model, a computer network will be described as follows:

Set

${X}_{1}$ represents a list of software, set

${X}_{2}$ represents a list of operating systems and set

${X}_{3}$ a list of computer networks. Sets

${E}_{1}$ and

${E}_{2}$ contain lists of relationships between software and operating systems. Next, is an example:

The functions indicating the nesting of software in operating systems will be as follows:

Other nesting functions looks similar.

#### 3.2. Model of Threats

The proposed approach to the classification of threats and the developed threats model are based on elementary operations on metagraphs [

37]. As shown earlier, a computer network is considered as a structure of interacting elements (vertices of the graph) and the links between them (edges of the graph). Threats are understood as an unauthorized change in the structure of a computer network (graph).

At this stage, it is necessary to indicate that the study considers only threats to the security of the system, not the information. At the same time, the classification of threats by violated properties is taken as the basis: confidentiality, integrity, and availability. The threats to the availability of the system are not considered, since when combining the lists of threats to the security of information and of the system, these threats will coincide. Thus, threats to the integrity and confidentiality of computer network software are considered.

The basic operations on attributive metagraphs include adding a vertex or an edge, removing a vertex or an edge and changing a vertex or edge attribute [

38].

Based on this, the following classes of threats to the integrity of a computer network are proposed:

Threats of an element substitution—${C}_{s1X}$

Threats of a link substitution—${C}_{s1E}$

Threats of an element removal—${C}_{s2X}$

Threats of a link removal—${C}_{s2E}$

Threats of an element addition—${C}_{s3X}$

Threats of a link addition—${C}_{s3E}$

Threats of an element settings changing—${C}_{s4X}$

Threats of a link settings changing—${C}_{s4E}$

The threat of an element or link removal is characterized by the removal of a vertex or edge from the set

${X}_{i}$ or

${E}_{j}$, respectively. Thus, for a set of applications, it is characterized as follows:

where

${X}_{1}$ is a set of applications;

${x}_{1}^{k}$ is a remote application and

${x}_{1}^{k}\in {X}_{1}$.

The threat of an element or link addition is characterized by the adding of a vertex or edge from the set

${X}_{i}$ or

${E}_{j}$, respectively. Thus, for a set of applications, it is characterized as follows:

where

${x}_{1}^{q+1}$ is an added application.

The threat of an element or link substitution is characterized by removing a vertex or an edge from the set

${X}_{i}$ or

${E}_{j}$, respectively, and adding a vertex or an edge instead of the deleted one, i.e., for a set of applications, this is described by the sequence of Equations (15) and (16):

The threat of an element or link settings changing is carried out by changing an attribute of a vertex or an edge:

The following threat classes are proposed as a classification of computer network confidentiality threats:

Threats of an element name disclosure—${K}_{s1X}$

Threats of a link name disclosure—${K}_{s1E}$

Threats of an element settings disclosure—${K}_{s2X}$

Threats of a link settings disclosure—${K}_{s2E}$

In graph theory, the confidentiality threats of a computer network are described as the intersection of sets of protected elements, information about which should be hidden, with sets of well-known elements. Hence, the threat of disclosure (leakage) of information about the name of the application is characterized by the intersection of the set

${X}_{1}$ with the set

${J}_{1}$:

where

${X}_{1}{\displaystyle \cap}{J}_{1}=\left\{{x}_{1}^{k}|{x}_{1}^{k}\in {X}_{1}\wedge {x}_{1}^{k}\in {J}_{1}\right\}$;

${x}_{1}^{k}$ is an element belonging to the set

${X}_{1}$;

${X}_{1}$ is set of applications that needs to be protected;

${J}_{1}$ is set of applications whose elements are well-known.

The result of the study is a computer network threat model that integrates classes of threats

${K}_{S}$ and

${C}_{S}$:

where

${K}_{S}$ is threats to the confidentiality of computer network elements;

${C}_{S}$ is threats to the integrity of computer network elements.

At the same time, each of the 12 presented threat classes contains three types of threats: threats at the application layer, threats at the operating system layer, and threats at the network layer. In total, 36 types of threats to the information security of computer network software are obtained. The final threat classification is presented in

Figure 2.

On the basis of the use of basic operations on attribute metagraphs to determine the threat classes, it becomes possible to make an assumption about the completeness of the proposed classification of security threats to computer network software.