<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">inform</journal-id><journal-title-group><journal-title xml:lang="ru">Информатика</journal-title><trans-title-group xml:lang="en"><trans-title>Informatics</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1816-0301</issn><issn pub-type="epub">2617-6963</issn><publisher><publisher-name>UIIP NASB</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.37661/1816-0301-2020-17-3-72-77</article-id><article-id custom-type="elpub" pub-id-type="custom">inform-1063</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>ЗАЩИТА ИНФОРМАЦИИ И НАДЕЖНОСТЬ СИСТЕМ</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>INFORMATION PROTECTION AND SYSTEM RELIABILITY</subject></subj-group></article-categories><title-group><article-title>Анализ защищенности веб-ресурсов на основе метрики CVSS</article-title><trans-title-group xml:lang="en"><trans-title>Web resource security analysis based on CVSS metrics</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0003-3668-7759</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Давлатов</surname><given-names>Ш. Р.</given-names></name><name name-style="western" xml:lang="en"><surname>Davlatov</surname><given-names>Sh. R.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Давлатов Шохрух Рустамович, аспирант кафедры защиты информации </p><p>Минск</p></bio><bio xml:lang="en"><p>Shohrukh R. 
Davlatov, Postgraduate Student of the Department of Information Security</p><p>Minsk</p></bio><email xlink:type="simple">shohrukh.92@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Кучинский</surname><given-names>П. В.</given-names></name><name name-style="western" xml:lang="en"><surname>Kuchinsky</surname><given-names>P. V.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Кучинский Петр Васильевич, доктор физико-математических наук, директор</p><p>Минск</p></bio><bio xml:lang="en"><p>Pyotr V. Kuchinsky, Dr. Sci. (Phys.-Math.), Director</p><p>Minsk</p></bio><xref ref-type="aff" rid="aff-2"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Белорусский государственный университет информатики и радиоэлектроники</institution></aff><aff xml:lang="en"><institution>Belarusian State University of Informatics and Radioelectronics</institution></aff></aff-alternatives><aff-alternatives id="aff-2"><aff xml:lang="ru"><institution>Научно-исследовательское учреждение «Институт прикладных физических проблем имени А. Н. Севченко» Белорусского государственного университета</institution></aff><aff xml:lang="en"><institution>A. N. 
Sevchenko Institute of Applied Physical Problems of Belarusian State University</institution></aff></aff-alternatives><pub-date pub-type="collection"><year>2020</year></pub-date><pub-date pub-type="epub"><day>11</day><month>06</month><year>2020</year></pub-date><volume>17</volume><issue>3</issue><fpage>72</fpage><lpage>77</lpage><permissions><copyright-statement>Copyright © Давлатов Ш.Р., Кучинский П.В., 2020</copyright-statement><copyright-year>2020</copyright-year><copyright-holder xml:lang="ru">Давлатов Ш.Р., Кучинский П.В.</copyright-holder><copyright-holder xml:lang="en">Davlatov S.R., Kuchinsky P.V.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://inf.grid.by/jour/article/view/1063">https://inf.grid.by/jour/article/view/1063</self-uri><abstract><p>На основе анализа данных об уязвимостях веб-ресурсов и метрики CVSS (Common Vulnerability Scoring System) изучено распределение усредненной величины оценки по стандарту CVSS для расчета числового показателя уязвимости по десятибалльной шкале для сайтов Республики Беларусь. Проведена проверка гипотезы о распределении оценки уязвимостей CVSS по закону Пуассона методом критерия хи-квадрат. Установлено, что около 10 % веб-ресурсов из исходной генеральной выборки размером 19 000 имеют критическую усредненную оценку уязвимости. В рамках проведенного исследования создана универсальная система для сбора технической информации об активных веб-ресурсах в сети Интернет из общедоступных каталогов и реестров. 
Разработаны специальные шаблоны поиска с помощью RegExp-выражений языка программирования JavaScript для точного определения версий технологий, которые были использованы для создания веб-сайтов. На базе полученных данных установлены процентные соотношения используемых технологий, доменов верхнего уровня и географическое расположение серверов, которые обслуживают веб-ресурсы. Предлагаемая система может быть адаптирована под любые уникальные требования, необходимые специалистам по защите информации для проведения аудита безопасности веб-ресурсов.</p></abstract><trans-abstract xml:lang="en"><p>Based on the analysis of vulnerability data for web resources and the CVSS metric, the distribution of the average CVSS score (Common Vulnerability Scoring System, a standard for calculating a numerical vulnerability score on a ten-point scale) for the websites of the Republic of Belarus was studied. The hypothesis that the CVSS vulnerability scores follow a Poisson distribution was tested using the chi-square criterion. It was found that about 10% of web resources from the original general sample of size 19000 have a critical average vulnerability score. As part of this work, a universal system for collecting technical information about active web resources on the Internet from public directories and registries has been developed. Specific search patterns have been developed using JavaScript RegExp expressions to detect the versions of technologies that were used to create websites. Based on these data, the percentage distribution of the technologies used, top-level domains and the geographical location of the servers were calculated. 
The proposed system can be adapted to any specific requirements that information security specialists have when conducting a security audit of web resources.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>информационная безопасность</kwd><kwd>оценка защищенности</kwd><kwd>веб-сайт</kwd><kwd>веб-сервер</kwd><kwd>метрика CVSS</kwd><kwd>язык программирования JavaScript</kwd></kwd-group><kwd-group xml:lang="en"><kwd>information security</kwd><kwd>security assessment</kwd><kwd>website</kwd><kwd>web server</kwd><kwd>CVSS metric</kwd><kwd>programming language JavaScript</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Дойникова, Е. В., Чечулин, А. А., Котенко, И. В. Оценка защищенности компьютерных сетей на основе метрик CVSS // Информационно-управляющие системы, 76-87. DOI: 10.15217/issn1684-8853.2017.6.76</mixed-citation><mixed-citation xml:lang="en">Doinikova, E.V., Chechulin, A.A., &amp; Kotenko, I.V. (2019). Otsenka zaschischennosti kompyuternyh setey na osnove metrik CVSS. // Informatsionno-upravlyayuschie sistemyi, (6), 76-87. DOI: 10.15217/issn1684-8853.2017.6.76 (in Russ.)</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Li, Н., Zhao, L. Study on the distribution of CVSS environmental score // 5th International Conference on Electronics Information and Emergency Communication. May 2015. DOI: 10.1109/ICEIEC.2015.7284502</mixed-citation><mixed-citation xml:lang="en">Li, Н., Zhao, L. Study on the distribution of CVSS environmental score. // 5th International Conference on Electronics Information and Emergency Communication. May 2015. DOI: 10.1109/ICEIEC.2015.7284502.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Bostic, T., Stanley J., Higgins, J., Chudnov, D., Montgomery, B., Brunell, J. 
Exploring the Intersections of Web Science and Accessibility // The MITRE Corporation Scientific journal. Aug 2019.</mixed-citation><mixed-citation xml:lang="en">Bostic, T., Stanley J., Higgins, J., Chudnov, D., Montgomery, B., Brunell, J. Exploring the Intersections of Web Science and Accessibility. // The MITRE Corporation Scientific journal. Aug 2019.</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Likarish, P., Jung, E. A targeted web crawling for building malicious javascript collection // Proceeding of the ACM First International Workshop on Data-Intensive Software Management and Mining, Hong Kong, China, November 2009. DOI:10.1145/1651309.1651317</mixed-citation><mixed-citation xml:lang="en">Likarish, P., Jung, E. A targeted web crawling for building malicious javascript collection. // Proceeding of the ACM First International Workshop on Data-Intensive Software Management and Mining, Hong Kong, China, November 2009. DOI:10.1145/1651309.1651317.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Man, D., Yang, W., Yang, Y., Wang, W., Zhang, L., A Quantitative Evaluation Model for Network Security // Proc.of the 2007 Intern.Conf. on Computational Intelligence and Security. Dec 2007. P.773-777.</mixed-citation><mixed-citation xml:lang="en">Man, D., Yang, W., Yang, Y., Wang, W., Zhang, L., A Quantitative Evaluation Model for Network Security // Proc.of the 2007 Intern.Conf. on Computational Intelligence and Security. Dec 2007. P.773-777.</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
