RU2663473C1 - Method of protection from simultaneously computer attacks - Google Patents

Abstract

FIELD: computer equipment.SUBSTANCE: invention relates to computer equipment. Way to protect against co-operative computer attacks is to process all the requests to the service on the sensors with further aggregation of the information received, update the filtering rules on the collectors, using the information received from the sensors, filter traffic on the cleaning centers according to the specified filtering rules, while forming the structure of the communication center, forming the direction of communication and the fragment of the external network that generates information and technical effects, then form a set of information and technical impacts, after entering the specified filtering rules, imitate the arrival of information and technical impacts on the network node, while gradually increasing their intensity from the minimum amount to the maximum, measure and store the values of the intensity of the impact, at which the information protection system begins to respond to information and technology impacts, and further in the process of imitation of the inflow of information and technical influences form a set of filtration rules that correspond to certain information and technical influences, enter the resulting set of filtering rules into the real system, then filter traffic on the cleaning centers, using rules, corrected according to the set of filtering rules.EFFECT: technical result is increased reliability of the identification of information and technical impacts due to the analysis of the parameters of various types of information and technical impacts, which come both singly and somewhat together, which allows us to determine their totality.1 cl, 2 dwg

Description

The invention relates to the field of computer technology and can be used to detect information technology impacts, both single and conducted together.

Interpretation of terms used:

information and telecommunication communication network - a set of information and computing systems combined by a data transmission system [Center for Strategic Assessments and Forecasts. Information war and information protection. Dictionary of basic terms and definitions, www.csef.ru, Moscow, 2011, p. 25].

As elements of a communication network, nodes and channels (lines) of communication are considered [AG Yermishyan, Theoretical Foundations of the Construction of Military Communication Systems in Associations and Unions: A Textbook. Part 1. Methodological foundations for the construction of organizational and technical systems of military communications. SPb .: YOU, 2005.740 s.].

Information and technical influences are understood as the application of methods and means of information impact on information and technical objects, equipment and weapons in order to achieve their goals [Center for Strategic Assessments and Forecasts. Information war and information protection. Glossary of basic terms and definitions www.csef.ru Moscow, 2011, p. 25].

The well-known "Method of ensuring the stable functioning of the communication system" (patent RU No. 2405184, G05B 23/00, G06F 17/50, published on November 27, 2010, Bulletin No. 33), namely, that the communication system is deployed in working condition, fix destabilizing effects on its structural elements, form a simulation model of a communication network, model the process of functioning of a communication system under impacts, conduct proactive reconfiguration of a functioning communication system.

The disadvantage of this method is the low reliability of identification of information and technical influences due to the lack of fixation and determination of two or more jointly occurring information and technical influences on the communication node.

The well-known "Method for monitoring the security of automated systems" (RF patent No. 2355024, G06F 15/00, G06F 17/00, published. 05/10/2009 Bulletin No. 13). The method consists in the fact that for monitoring the security of automated systems pre-set a lot of controlled parameters characterizing the security of the automated system, and their reference values. Then, a cycle of measuring the values of the monitored parameters and comparing them with the reference values is performed, when they do not match, an alarm is generated about the controlled parameters in the group exceeding the permissible values, after which the operation of the elements of the automated system is blocked and a report on the state of the automated system is generated.

The disadvantage of this method is the low reliability of identification of information and technical influences due to the lack of fixation and determination of two or more jointly occurring information and technical influences on the communication node.

The closest in technical essence and functions performed analogue (prototype) to the claimed one is a system and method for reducing false positives when determining a network attack (RF patent No. 2480937, H04L 29/06, G06F 15/16, G06F 21/30, publ. 27.04. 2013, Bull. No. 12), which consists in redirecting traffic to the service to sensors and cleaning centers, processing all service requests on the sensors with further aggregation of the received information, updating the filtering rules on the collectors using the information received from the sensors, and adjusting update Based on the statistics of previous network attacks, the established filtering rules using the control module filter traffic at the cleaning centers using the specified filtering rules, while the cleaning centers are connected to the main communication channels through channels with high throughput.

The disadvantage of the prototype method is the low reliability of identification of information and technical influences due to the lack of fixation and determination of two or more jointly emerging information and technical influences on the communication site.

The objective of the invention is to provide a method of protection against jointly conducted computer attacks. The technical result of the invention is to increase the reliability of identification of information and technical influences by analyzing the parameters of various types of information and technical influences, which come both singly and severally together, which makes it possible to determine their combination.

The objective of the invention is solved in that in the method of protection against jointly conducted computer attacks, the following sequence of actions is performed.

They process all service requests on the sensors with further aggregation of the received information, update the filtering rules on the collectors, using the information received from the sensors, filter traffic at the cleaning centers according to the specified filtering rules.

According to the invention, a communication node structure is additionally formed, a communication direction and a fragment of an external network generating information and technical actions are formed, then a plurality of information and technical actions are generated. After entering the specified filtering rules, they imitate the receipt of information and technical influences on the node of the communication network, while gradually increasing their intensity from the minimum to the maximum. Measures and stores the values of the intensity of the impact at which the information protection system begins to respond to information and technical influences, and then in the process of simulating the receipt of information and technical influences, a lot of filtering rules are formed that correspond to certain information and technical influences. The resulting set of filtering rules is introduced into the real system. Then filter the traffic at the cleaning centers, using the rules adjusted according to the set of filtering rules.

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed invention from the prototypes showed that they do not follow explicitly from the prior art. From the prior art determined by the applicant, the influence of the provided by the essential features of the claimed invention on the achievement of the specified technical result is not known. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method is illustrated by drawings, which show:

FIG. 1 is a flowchart of a method of protection against jointly conducted computer attacks;

FIG. 2 is a diagram of an implementation of a method of protection against jointly conducted computer attacks.

The claimed method is illustrated in the flowchart of the method of protection against jointly conducted computer attacks (Fig. 1), where in block 1 the initial data is set. The source data are:

- counter k = 1 - the number of jointly simulated ITV;

- n - the number of specified ITV.

In block 2, a communication node is formed comprising network equipment and an information security system (SZI) (Fig. 2) [Klimov SM, Sychev MP et al. Experimental evaluation of counteraction against computer attacks at a test site. Electronic educational publication / Moscow .: FSBEI of HE "Moscow State Technical University named after N.E. Bauman ”, 2013. - 114 p.].

As communication node No. 2, we understand the personal computer of the end user (PC 3, Fig. 2) and the switching equipment connected to it (router 4, Fig. 2) [router setup process: basic router configuration Using Cisco Configuration Professional. Electronic resource: http://www.cisco.com/cisco/web/support/RU/108/1089/1089854_basic-router-config-ccp-00.pdf]. The firewall is used as the firewall (ME, Fig. 2) [firewall setup process: Cybersafe firewall for Windows. User Guide http://cybersafesoft.com/cs-firewall.pdf].

In block 3 create the direction of communication and a fragment of the external network simulating ITV.

As the direction of communication is understood the communication node and a fragment of the Unified Telecommunication Network (ESE) (Fig. 2).

As a fragment of the ESE we will understand the switching equipment (router 2, Fig. 2) simulating the ESE [process of configuring the router: Basic configuration of the router Using Cisco Configuration Professional. Electronic resource: http://www.cisco.com/cisco/web/support/RU/108/1089/1089854_basic-router-config-ccp-00.pdf] and managed by a personal computer (PC 2, Fig. 2).

A fragment of an external network is understood as a botnet network simulating ITV and consisting of switching equipment (router 3, Fig. 2) [router setup process: basic router configuration Using Cisco Configuration Professional. Electronic resource: http://www.cisco.com/cisco/web/support/RU/108/1089/1089854_basic-router-config-ccp-00.pdf] and a group of PC connected to it (Fig. 2) imitating ITV at communication center No. 2.

In block 4 form a lot of ITV.

When forming this set, many modern ITVs are taken into account, for example, such effects as:

1) denial of service [Kotenko I.V., Ulanov A.V. Multi-agent modeling of distributed denial of service attacks and defense mechanisms against them / Proceedings of SPIIRAS vol. 1, No. 3 of 2006];

2) the attack of the intermediary or the attack "man in the middle" (Eng. Man in the middle (MITM)) [Varlamov O.O. "On a systematic approach to creating a computer threat model and its role in ensuring information security in key systems of information infrastructure" Izvestiya TRTU / Thematic issue // No. 7 / volume 62/2006 P. 218];

3) port scanning [Various methods of port scanning https://nmap.org/man/ru/man-port-scanning-techniques.html; 7 online scanners for finding open ports on the server https://habrahabr.ru/company/hosting-cafe/blog/281943/1;

4) SQL - injection [SQL injection http://www.cyberguru.ru/database/sql/sql-injections.html?showall=1; SQL injection for beginners. Part 1 https://habrahabr.ru/post/148151/1.

In block 5, the specified filtering rules are entered. Form the initial rules used in real SZI (ME), formed and set, as in the prototype method.

In block 6 imitate the receipt of ITV at the communication center.

At the initial stage, a sequential simulation of a single ITV per communication node is carried out. Then, a joint imitation of ITV in the amount of k (in all possible combinations) is carried out until the counter k reaches the value k> n.

In block 7, all ITVs begin with a minimum value of the intensity of exposure, then the intensity of ITV gradually increases from the minimum to the maximum. Upon reaching the intensity of exposure, at which the SZI begins to respond to ITV, in block 8, the obtained values of the ITV intensity are recorded and stored.

In block 9, the number of jointly simulated ITVs is checked. In the case of joint simulation of several ITVs go to block 11, otherwise they go to block 10 and create filtering rules for the ITV currently being simulated. Then they proceed to block 6 and simulate the receipt of the next ITV at the communication center.

In block 11 calculate the number of all possible combinations of ITV jointly acting on the communication node. In this case, the number of combinations will vary depending on the number of ITVs acting jointly on the communication node. The calculation of all possible combinations for a given amount of ITV is a well-known task and is presented in [N.Ya. Vilenkin “Combinatorics”, M.: Science. Ch. ed. physical - mat. lit., 1969. - 323 p.]

in other words, there is a combination of n elements in m.

In block 12, filtering rules for the currently simulated ITV are generated.

In block 13, the counter k is increased by one and goes to block 14, where the condition k> n is satisfied. If the conditions are met, go to block 15, otherwise go to block 6 and simulate the joint receipt of ITV on the communication node in an amount equal to the value of the counter k.

In block 15, on the basis of the generated filtering rules when simulating single and several ITVs carried out jointly, a lot of filtering rules are generated, which in block 16 are additionally entered into a really functioning system.

In block 17, the sensors process all requests for the service with further aggregation of the received information.

In block 18, traffic is filtered using specified rules.

The calculation of the effectiveness of the claimed method was carried out according to the coefficient of mismatch Theil assessed the accuracy of the forecast made according to the constructed model [E.Yu. Piskunov “Modification of the Tail coefficient”. Electronic journal "Bulletin of the Irkutsk State Economic Academy" No. 5, 2012].

where P _t and A _t are respectively the predicted and actual (realized) change of the variable. Coefficient υ = 0, when all P _t = A _t (case of perfect forecasting); υ = 1, when the forecasting process leads to the same standard error as the “naive” extrapolation of the constancy of growth; υ> 1, when the forecast gives worse results than the assumption of the invariability of the investigated phenomenon.

The advantage of the Tail coefficient is the ability to use when comparing the quality of forecasts obtained on the basis of various methods and models.

The prototype method involves the simultaneous impact of one type of ITV, so the predicted values will correspond to the actual only in this case and the value of the coefficient υ will be less than unity and tend to zero. However, under the combined influence of several ITVs, the predicted values will not correspond to the actual values and the value of the coefficient υ will exceed unity, which indicates a high degree of inaccuracy of the forecast made.

In the proposed method, a joint simulation of several types of ITV is carried out, which allows to increase the degree of compliance of the predicted values with the actual ones. Thus, in contrast to the prototype method in the proposed method, the value of the coefficient υ will be less than unity and tend to zero in the case of both single and joint multiple exposure to ITV.

Based on this, it follows that the claimed method of protection against jointly conducted computer attacks increases the reliability of identification of information and technical influences by analyzing the parameters of various types of information and technical influences that come both singly and severally together, which makes it possible to determine their combination.

Claims (1)

A way to protect against joint computer attacks is that they process all service requests on the sensors with further aggregation of the received information, update the filtering rules on the collectors using the information received from the sensors, filter traffic at the cleaning centers according to the specified filtering rules, characterized in that form the structure of the communication node, form the direction of communication and a fragment of the external network that generates information and technical impacts, then form a lot of information After the introduction of the specified filtering rules, they simulate the receipt of information and technical influences on the node of the communication network, while gradually increasing their intensity from the minimum to maximum, measure and store the values of the intensity of the impact at which the information protection system begins to respond to information and technical influences , and then in the process of simulating the receipt of information and technical influences form a lot of filtering rules that correspond specific information and technical effects, introduced the resulting set filtering rules in a real system, then filtered traffic for purification centers using rules, corrected by the set of filtering rules.

Images