RU2834591C1 - Data network security monitoring system - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: invention relates to systems for monitoring and controlling automated systems and communication systems. DTN central security control station, DTN security control stations include DTN open and confidential segments control servers, as well as additionally to all DTN objects, having access to public communication network (PCN), there is a software and hardware complex (SHC) for security control, including server for control of open segment of DTN and server for control of confidential segment of DTN, wherein the SHC safety monitoring system interacts remotely with the central control station of the safety monitoring system of the DTN and the stationary control station of the DTN through the SHC channels. Based on this set of additional elements of the DTN security monitoring system, control over the flow of information, security events, network vulnerabilities and network settings of the DTN telecommunication equipment is carried out.

EFFECT: high security of a data transmission network (DTN) owing to multi-parameter analysis of DTN and faster response to information security incidents.

6 cl, 14 dwg

Description

The invention relates to means of ensuring information security, in particular, to means of monitoring and controlling automated systems and communication systems. The invention is intended to assess the compliance of the state of various samples of telecommunication equipment (TE) and the processes of interaction between them with the established requirements for ensuring the security of information exchange in a data transmission network (DTN).

A system for monitoring program execution using tracing is known, implemented in Russian Federation Patent No. 2459236 dated 20.08.2012, IPC G06F 11/00 (2006.01), G06F 21/06 (2006.01) and intended for prompt detection of unauthorized impacts on an automated system. The system contains an interconnected database for storing text trace lines and the identifiers corresponding to them, as well as a database for storing program modules and the identifiers corresponding to them; a means for replacing existing text trace lines in a program module with the corresponding identifiers stored in the said databases; a means for transmitting a program with a program module in which the trace lines are replaced with the corresponding identifiers; a means for generating a trace file, which is intended for saving information about the progress of the program in a trace file during program execution; a means for transmitting the generated trace file to the control unit. The combination of the above-described elements allows for increased reliability of the formation of trace files and increased security of the automated system by determining additional information about the execution of programs when they are used on several automated workstations (AWP) and using trace files when an attack is detected.

The disadvantage of this system is the low reliability of the control results, due to the fact that, despite the possibility of monitoring the execution of programs, control over the flow of information, security events, network vulnerabilities and network settings of the TKO is not taken into account.

A computer security event monitoring system is known, implemented in the utility model RU 148692 of 10.12.2014 IPC G06F 21/51 (2013.01) and intended for detection and identification of destructive computer security events in real time. The system includes means for collecting events, searching for solutions, registering incidents and analyzing events, a data management unit that ensures the reduction of all event attributes to a single range of values, analysis of the input event stream in the computer system with subsequent selection of a key attribute in each event, selection from the entire flow of events that have a destructive effect on the security of information resources.

The disadvantages of this analogue are: relatively low reliability of the control results, due to the fact that in order to assess information security, all event indicators are reduced to a single range of values, and the specified algorithms for the functioning of the nodes of the information system are not checked.

The closest in technical essence to the claimed system is the control and measuring monitoring system implemented in the Russian Federation patent No. 2662726 dated July 30, 2018 IPC G01S 5/04 (2006.01). The prototype system comprises a central control point (CCP), including a central radio monitoring control point (CRMP), a central technical condition control point (TCCP) of the facilities included in the system, and K≥2 spatially separated stationary monitoring posts, N≥2 auxiliary spatially separated control and measuring complexes (CMC), each of which includes a control point and M≥3 spatially separated stationary monitoring posts, mobile monitoring posts located on mobile objects: ground, ships or airborne lifting facilities (ALF), as well as a set of monitored radio emission sources, wherein the CCP and spatially separated stationary monitoring posts included in the CCP and auxiliary CMC interact remotely via the CCP communication channels, the spatially separated stationary monitoring posts included in the auxiliary CMC interact remotely via the control points of the auxiliary CMC, which include these monitoring posts are included, mobile monitoring posts and radio monitoring posts at the LPS are controlled remotely through the communication channels of the CPU or through the nearest control points of the auxiliary KIC, and in the composition of each stationary monitoring post included in the CPU, in the auxiliary KIC and in each mobile monitoring post, control points for the technical condition are additionally introduced, which interact with the CPUTS through the antenna device of the stationary monitoring post or the mobile monitoring post, depending on where they are located, using the communication channels of the CPU or the nearest control point of the auxiliary KIC.

This system has a fairly high reliability of monitoring results due to the increased efficiency of eliminating technical faults in the monitoring system.

However, a disadvantage of the prototype system is the relatively low reliability of the monitoring results, since control over information security parameters is not organized, in particular over the flow of information, security events, system vulnerabilities and network settings of the TKO.

The technical result of using the declared technical solution is an increase in the reliability of the results of data security control by conducting a multiparameter analysis of data security and increasing the efficiency of response to information security incidents.

The technical result is achieved in that the known security control system (SCS) of the SPD, containing a central control point (CCP), including a central control point for security control (CCSP) of the SPD and a central security control point (CSCP) of the SPD, K≥2 spatially distributed stationary security control points (SPCP) of the SPD (2 ₁ , 2 ₂ ,…, 2 _K ), mobile security control points (MSCP) of the SPD, located on ground mobile objects, as well as a set of controlled SPD objects having access to the public communication network (PCN) and SPD objects that do not have access to the PCN, wherein the spatially distributed SPCP SPD interact remotely with the CCP via the PCN channels, the MPCB SPD interact remotely via the communication channels of the SPCB SPD, characterized in that a hardware and software complex (HSC) of security control, including a control server, is additionally introduced into the composition of all SPD objects having access to the PCN. open segment (OS) of the SPD and the control server of the confidential segment (CS) of the SPD, whereby the security control PAC interacts remotely with the CPU and the SPKB of the SPD through the channels of the SSOP.

The central control point for security control consists of a cascade-connected communication antenna, a radio station, a radio modem and an external router, the second input/output of which is connected to the router of the central control point for security control, and the third input/output of which is connected to the first input/output of the network switch, the second input/output of which is connected to the first input/output of the network switch of the central control point for security control, and the third input/output is connected to the first input/output of the crypto router, the second input/output of which is connected to the first input/output of the firewall, the second input/output of which is connected to the first input/output of the network switch, the second, third, fourth and fifth inputs/outputs of which are connected to the inputs/outputs of the first, second PC, the central control server for security control of the central control point for security control and the video wall, respectively, and the sixth input/output is connected to the first input/output of the network switch of the central control point for security control.

The central control point for the security of the SPD consists of a network switch, the second and third inputs/outputs of which are connected to the inputs/outputs of the PC and the central control server of the SPD OS, respectively, and a network switch, the second and third inputs/outputs of which are connected to the inputs/outputs of the PC and the central control server of the SPD CS, respectively.

The fixed point of control of the security of the SPD consists of a cascade-connected communication antenna, a radio station, a radio modem and an external router, the second input/output of which is connected to the router of the SPD, and the third input/output is connected to the first input/output of the network switch, the second input/output of which is connected to the first input/output of the network switch, the second and third inputs/outputs of which are connected to the inputs/outputs of the first PC and the SPD OS control server, respectively, and the third input/output of the network switch is connected to the first input/output of the crypto router, the second input/output of which is connected to the first input/output of the firewall, the second input/output of which is connected to the first input/output of the network switch, the second, third, fourth and fifth inputs/outputs of which are connected to the inputs/outputs of the second, third PC, the SPD CS control server and the SPD security control management server, respectively.

The mobile SPD security control point consists of a cascade-connected communication antenna, a radio station, a radio modem and an external router, the second input/output of which is connected to the router of the SPD object that does not have access to the SSOP, the third input/output is connected to the first input/output of the network switch, the second and third input/output of which are connected to the inputs/outputs of the first PC and the SPD OS control server, respectively, and the fourth input/output of the network switch is connected to the first input/output of the crypto router, the second input/output of which is connected to the first input/output of the firewall, the second input/output of which is connected to the first input/output of the network switch, the second and third inputs/outputs of which are connected to the inputs/outputs of the second PC and the SPD CS control server, respectively.

The SPD object having access to the DMZ consists of a SPD segment containing public services and separating them from private services (a demilitarized zone), including an external router, the first input/output of which is connected to the DMZ router, wherein the second input/output of the external router is connected to the first input/output of the network switch, the second input/output of which is connected to the first input/output of the crypto router, wherein the third input/output of the network switch is connected to the input/output of the OS SPD control server of the PAK security control system, and the fourth up to N inputs/outputs of the network switch are connected to the OS SPD equipment, wherein the second input/output of the crypto router is connected to the first input/output of the firewall, the second input/output of which is connected to the input/output of the CS SPD control server of the PAK security control system, and a network switch, the first input/output of which is connected to the third input/output of the firewall, and the second up to N inputs/outputs are connected to the equipment of the SPD CS.

Thanks to the new set of essential features in the declared system, control over information security parameters is ensured, in particular over the flow of information, security events, vulnerabilities of the data protection system and network settings of the TKO, as a result of which the reliability of the control results is increased.

The claimed data transmission network security control system is illustrated by drawings that depict the following:

Fig. 1 - spatial arrangement of elements of the SPD safety control system;

Fig. 2 - structural diagram of the Central Control and Information System of the SPD;

Fig. 3 - structural diagram of the Central Design Bureau of the SPD;

Fig. 4 - structural diagram of the SPKB SPD;

Fig. 5 - structural diagram of the MPCB SPD;

Fig. 6 is a structural diagram of a data processing facility that has access to the SOP;

Fig. 7 is a structural diagram of the automated control system (ACS) of the SPD safety monitoring system;

Fig. 8 - an algorithm for the functioning of the automated control system of the data processing safety control system when performing tasks to control information flows;

Fig. 9 - an algorithm for the functioning of the automated control system of the SPD safety control system when performing tasks for registering safety events;

Fig. 10 - an algorithm for the functioning of the automated control system for the security control of the data processing system when performing tasks to identify vulnerabilities;

Fig. 11 - an algorithm for the functioning of the automated control system of the data processing system security control when performing tasks to control network settings and security policy;

Fig. 12 - the algorithm for the functioning of the automated control system of the SPD safety control system when performing tasks on inventory and control of equipment;

Fig. 13 - graphs of the dependence of the probability of an intruder's impact on the response time of the SPD security control system;

Fig. 14 shows graphs of the dependence of the probability of protection of the SPD on the time of detection of the impact of an intruder by the SPD security control system.

The claimed SPD safety control system (see Fig. 1) consists of a CPU (1), K≥2 spatially separated SPD SPKB (2 ₁ ,2 ₂ ,…,2 _K ), SPD MPKB (3) located on ground mobile objects, as well as a set of controlled SPD objects (5) having access to the SSOP (7) with the safety control PAC (4) introduced into them, and SPD objects (6) that do not have access to the SSOP (7). The CPU (1) consists of the SPD CPUKB (1.1) and the SPD CPKB (1.2), the CPU (1) also has a control zone (8), in which the controlled SPD objects (5) are also located, having access to the SSOP (7) with the safety control PAC (4) introduced into them, which interact remotely with the CPU (1) via the SSOP (7) channels. Moreover, the TsPUKB SPD (1.1) and TsPKB SPD (1.2) interact via the communication channels of the CPU (1), and the spatially separated SPKB SPD (2) located in the control zone (8) interact remotely with the CPU (1) via the channels of the SSOP (7). The spatially separated SPKB SPD (2 ₁ ,2 ₂ ,…,2 _K ) have control zones (8), in which the controlled objects of the SPD (5) are also located, having access to the SSOP (7) with the safety control PAC (4) introduced into them, which interact remotely with the SPKB SPD (2) via the channels of the SSOP (7). The MPKB SPD (3) located on ground mobile objects have control zones (9), in which the controlled objects of the SPD (6) are also located, not having access to the SSOP (7), which interact remotely with the CPU (1) and SPKB SPD (2) via communication channels.

Communication between the CPU (1), SPKB SPD (2) and MPKB SPD (3) is organized via fiber optics, 400-450 MHz radio relay communication channels, 140-170 MHz radio communication, GSM channels, Internet, etc. The most common principle of organizing radio communication is the "star" type.

The TsPUKB SPD (1.1) is intended for receiving and converting received signals, processing the received information and storing the results of security monitoring, its circuit can be implemented in various ways, in particular, as shown in Fig. 2, and consists of a cascade-connected communication antenna (1.1.1), a radio station (1.1.2), a radio modem (1.1.3) and an external router (1.1.4), the second input/output of which is connected to the router of the SSOP (7), and the third input/output is connected to the first input/output of the network switch (1.1.5). The second input/output of the network switch (1.1.5) is connected to the first input/output of the network switch (1.2.1) of the TsPUKB SPD (1.2), and the third input/output is connected to the first input/output of the crypto router (1.1.6). The second input/output of the crypto router (1.1.6) is connected to the first input/output of the firewall (1.1.7), the second input/output of which is connected to the first input/output of the network switch (1.1.8). The second, third, fourth and fifth inputs/outputs of the network switch (1.1.8) are connected to the inputs/outputs of the first (1.1.9), second (1.1.10) PC, the central server for managing the security control of the SPD (1.1.11) and the video wall (1.1.12), respectively, and the sixth input/output is connected to the first input/output of the network switch (1.2.4) of the SPD Central Design Bureau (1.2). Any VHF antenna can be used as a communication antenna (1.1.1).

The central control server of the SPD (1.2) is designed to detect, warn and issue control commands to eliminate violations of the SPD security policy. Its circuit can be implemented in various ways, in particular, as shown in Fig. 3, and consists of a network switch (1.2.1), the second and third inputs/outputs of which are connected to the inputs/outputs of the PC (1.2.2) and the central control server of the SPD OS (1.2.3) and the network switch (1.2.4), respectively. The second and third inputs/outputs of the network switch (1.2.4) are connected to the inputs/outputs of the PC (1.2.5) and the central control server of the SPD CS (1.2.6), respectively.

The radio station (1.1.2) included in the TsPUKB (1.1) intended for receiving/transmitting signals, the radio modem (1.1.3) intended for transmitting digital data over a radio channel, are known, developed and manufactured by OOO NTI Research Institute, St. Petersburg. The firewall (1.1.7) is intended to protect network segments or individual SKB SPD hosts from unauthorized access using vulnerabilities in the OSI network model protocols or in the software installed on the SKB SPD PC and are software or software and hardware elements of SKB SPD. The Dionis DPS device can be used (http://www.dps.factor-ts.ru/produckciya/utm-dionis-dps/). Network switches (1.1.5, 1.1.8, 1.2.1, 1.2.4) from the TsPUKB SPD (1.1) and TsPKB SPD (1.2) are designed to connect several nodes of the SKB SPD network. The Tavolga Telecom 31 BT device based on Baikal-T1 can be used (http://www.itint.ru/market/goods/tavolga_telekom_31bt_rossiyskie_kommutatory_dostupa_na_baze_protsessora_baikal_t1). The central server for managing the security control of SPD (1.1.11) of the TsPUKB SPD (1.1) and the central servers for monitoring the OS SPD and KS SPD (1.2.3, 1.2.6) of the TsPKB SPD (1.2) are designed to accumulate and store information on the results of security control and the technical condition of SKB SPD, respectively. A dedicated PC with functional software can be used as a server.

The SPKB SPD (2) is designed to detect, warn and issue control commands to eliminate violations of the SPD security policy, transmit the results of security monitoring of the SPD SKB elements via communication channels to the CPU (1) directly, its circuit can be implemented in various ways, in particular, as shown in Fig. 4. The SPKB SPD (2) consists of a cascade-connected communication antenna (2.1), a radio station (2.2), a radio modem (2.3) and an external router (2.4), the second input/output of which is connected to the SSOP router (7), and the third input/output is connected to the first input/output of the network switch (2.5). The second input/output of the network switch (2.5) is connected to the first input/output of the network switch (2.6). The second and third inputs/outputs of the network switch (2.6) are connected to the inputs/outputs of the first PC (2.7) and the SPD OS control server (2.8), respectively. The third input/output of the network switch (2.5) is connected to the first input/output of the crypto router (2.9). The second input/output of the crypto router (2.9) is connected to the first input/output of the firewall (2.10). The second input/output of the firewall (2.10) is connected to the first input/output of the network switch (2.11). The second, third, fourth and fifth inputs/outputs of the network switch (2.11) are connected to the inputs/outputs of the second (2.12), third (2.13) PC, the SPD security control server (2.14) and the SPD security control management server (2.15), respectively.

The MPKB SPD (3) is intended for detection, warning and sending control commands to eliminate violations of the SPD security policy, transmission of the results of security control of the SPD SKB elements via communication channels to the CPU (1) directly or via the SPKB SPD (2), depending on what it pertains to, and elimination of violations in the technical condition of the SPD SKB, its circuit can be implemented in various ways, in particular, as shown in Fig. 5. The MPKB SPD (3) consists of a cascade-connected communication antenna (3.1), a radio station (3.2), a radio modem (3.3) and an external router (3.4), the second input/output of which is connected to the router of the SPD object (6), which does not have access to the SSOP (7). The third input/output of the external router (3.4) is connected to the first input/output of the network switch (3.5). The second and third input/output of the network switch (3.5) are connected to the inputs/outputs of the first PC (3.6) and the SPD OS control server (3.7), respectively, and the fourth input/output of the network switch (3.5) is connected to the first input/output of the crypto router (3.8). The second input/output of the crypto router (3.8) is connected to the first input/output of the firewall (3.9). The second input/output of the firewall (3.9) is connected to the first input/output of the network switch (3.10). The second and third inputs/outputs of the network switch (3.10) are connected to the inputs/outputs of the second (3.11) PC and the SPD OS control server (3.12), respectively.

The SPD facility (5) having access to the NSS with the introduced security control system (4) intended for continuous monitoring and analysis of the results of registration of security events and other data in order to identify violations of the security policy, threats to information security and NSS vulnerabilities, processing of the received information, transmission of the results of security control via communication channels to the CPU (1) directly or via the SPD SPKB (2), depending on what it pertains to, its scheme can be implemented in various ways, in particular, as shown in Fig. 6. The SPD facility (5) having access to the NSS with the introduced security control system (4) consists of a demilitarized zone (5.1) including an external router (5.2), the first input/output of which is connected to the NSS router, and the second input/output of which is connected to the first input/output of the network switch (5.3). The second input/output of the network switch (5.3) is connected to the first input/output of the crypto router (5.4), where the third input/output of the network switch (5.3) is connected to the input/output of the SPD OS control server (4.1) of the security control PAC, and the fourth to N inputs/outputs of the network switch are connected to the SPD OS equipment (5.7). The second input/output of the crypto router (5.4) is connected to the first input/output of the firewall (5.5). The second input/output of the firewall (5.5) is connected to the input/output of the SPD CS control server (4.2) of the security control PAC, and the network switch. The first input/output of the network switch (5.6) is connected to the third input/output of the firewall (5.5), and the second to N inputs/outputs are connected to the SPD CS equipment (5.8).

The SKB SPD is designed to perform the following tasks: tasks of monitoring information flows (the algorithm for the functioning of the SKB SPD when performing this task is shown in Fig. 8);

tasks for registering security events (the algorithm for the functioning of the SKB SPD when performing this task is presented in Fig. 9);

tasks for identifying vulnerabilities (the algorithm for the functioning of the SKB SPD when performing this task is presented in Fig. 10);

tasks for monitoring network settings and security policies (the algorithm for the functioning of the SKB SPD when performing this task is presented in Fig. 11);

tasks for inventory and control of equipment (the algorithm for the functioning of the SKB SPD when performing this task is presented in Fig. 12).

To solve the above-mentioned problems, an automated control system (ACS) was created, the structural elements of which are located on the corresponding blocks. The structural diagram of the ACS SKB SPD is shown in Fig. 7. The ACS SKB SPD is a modular system and consists of a module for managing the security control of the ACS, a module for ensuring the protection of control data, a module for presenting data on the results of control, a module for monitoring information flows, a module for registering security events, a module for analyzing security events, a module for identifying vulnerabilities, a module for monitoring network settings and security policies, a module for inventory and monitoring of equipment, and a module for remote control of the ACS equipment. Each module of the ACS SKB SPD performs specific tasks and functions in accordance with the connections shown in Fig. 7 according to the algorithms shown in Figs. 8-12.

The ACS SKB SPD includes three types of databases.

The security incident database is installed on the central server for managing the security control of the SPD (1.1.11) of the TsPUKB SPD (1.1) and the server for managing the security control of the SPD (2.15) of the SPKB SPD (2). It contains structured information on the results of monitoring information flows and detected violations of the security policy in the content of network traffic, data on the actions of users and processes necessary to identify intentional or unintentional violations of established security policies, work regulations, facts of prohibited activities, attempts to perform unauthorized access and information leakage.

The SPD vulnerability database is installed on the central server for managing the SPD security control (1.1.11) of the TsPUKB SPD (1.1) and the server for managing the SPD security control (2.15) of the SPKB SPD (2). It contains data on security events from the means that register security events (security event sources); data on the results of identifying (searching for) vulnerabilities; data on new threats to information security; information on known vulnerabilities of the software (SW) used.

The database of the composition and condition of the equipment of the SPD is installed on the central server for managing the security control of the SPD (1.1.11) of the TsPUKB SPD (1.1) and the server for managing the security control of the SPD (2.15) of the SPKB SPD (2). It contains data on the results of monitoring the composition of software and hardware, software and information protection tools (IPS) (inventory data), including information on the location and geographic affiliation of network addresses; data on the results of monitoring software updates; data on the results of monitoring the compliance of software and IPS settings with the established requirements for information protection (security policies); data on the operability (non-disabling) of the software and IPS.

The control module of the KB SPD is installed on the central server for control of the security control of the SPD (1.1.11) TsPUKB SPD (1.1) and the server for control of the security control of the SPD (2.15) SPKB SPD (2). It is responsible for:

- normalization of the received data to the format required for their further processing and storage;

- data aggregation (combining normalized data into groups based on common characteristics);

- storage of aggregated data for the storage period specified by security requirements;

- analysis of security events and other monitoring data in order to identify vulnerabilities, threats and security incidents;

- matching security events with threat data streams containing indicators of compromise;

- comparison of the results of security event registration with the results of vulnerability analysis;

- identification of security incidents;

- warning (signaling, indication) to the administrator when the set portion (percentage or actual value) of the memory volume for storing control data is filled;

- recording new data on the security control of the SPD over obsolete data;

- archiving (backup copying) of data on data security control of the personal data on removable machine storage media, in a data storage network, on specialized devices or on dedicated servers;

- generation of reports on control results:

• statistical, based on collected data on information security events;

• about security incidents identified during the analysis of information security events and other control data;

• with a description of the identified vulnerabilities:

• with collected inventory data;

• on the results of monitoring the compliance of software and information security system settings with established security requirements (security policies);

• about the state of security event and data sources;

- obtaining new data on indicators of compromise, vulnerabilities and threats to information security from available sources;

- identification of new threats to information security based on the results of the analysis of security events and security incidents (for example, indicating atypical user activity) identified during the monitoring process;

- development of requirements for the collection, processing, storage and presentation of data on security events and other control data from various sources, taking into account changes in information security threats and new data on indicators of compromise and vulnerabilities;

- development of new and clarification of existing rules for the analysis of security events and other control data used to identify security incidents;

- development of recommendations for the implementation of additional measures and activities aimed at minimizing existing and identified new security threats;

- development of measures to promptly prevent security incidents.

The module for ensuring the protection of control data is installed on the central server for managing the security control of the SPD (1.1.11) of the TsPUKB SPD (1.1) and the server for managing the security control of the SPD (2.15) of the SPKB SPD (2). It is responsible for:

- identification and authentication of users when accessing software and hardware components used for control;

- management of user identifiers when accessing software and hardware components used for control;

- management of authentication means (authentication information) of users when accessing control data and (or) automated control means;

- management of user accounts used to access monitoring data and/or automated control tools;

- protection of authentication information during the process of its input for authentication from possible use by persons who do not have the authority to do so (when accessing control data and (or) automated control means);

- managing user access when accessing control data and/or automated control tools;

- limiting unsuccessful attempts to access software and hardware components used to access control data and/or automated control tools;

- registration of user actions when accessing control data and (or) automated control means;

- notification of the data protection security control operator about potentially dangerous actions of users accessing software and hardware components used to access control data and (or) automated control means.

The module for presenting data on control results is installed on the central server for managing the security control of the SPD (1.1.11) of the TsPUKB SPD (1.1) and the server for managing the security control of the SPD (2.15) of the SPKB SPD (2). It is responsible for:

- management of control parameters and presentation of control data, including (if necessary) with reference to control objects;

- presentation of data on objects of control, their status and connections between them;

- presentation of control data in near real time;

- presentation of control data in accordance with the sampling conditions according to established parameters (requests);

- presentation of control data in both text and graphic form;

- timely informing of responsible persons about identified security incidents;

- informing responsible persons about the results of vulnerability searches, monitoring the installation of software updates, monitoring the composition of software and hardware, software and information security tools;

- information about malfunctions, failures and failures in the functioning of software and hardware of the SPD.

The information flow control module is installed on the central control server of the SPD OS (1.2.3) of the TsPKB SPD (1.2), the control server of the SPD OS (2.8) of the SPKB SPD (2), the control server of the SPD OS (3.7) of the MPKB SPD (3) and the control server of the SPD OS (4.1) of the SPD facility (5). It is responsible for:

- control of network traffic volumes (incoming and outgoing) for various types of protocols and types of transferred files;

- control of the content of the network traffic of the SPD OS for various types of protocols and files in order to identify information containing confidential data, through the implementation of the following functions:

• selection of information messages and attached archives, documents and graphic files from outgoing and incoming network traffic of the SPD OS;

• analysis of archives, documents and graphic files by keywords;

• identification of violations of security policy related to the transfer of information containing confidential data via the SPD OS;

- control of input/output information flows when working with removable machine storage media in order to identify unauthorized activity, as well as information containing confidential data;

- control of information output to print.

The security event registration module responsible for collecting data on suspicious network activity and computer attacks or signs of preparation for them, as well as unauthorized user actions on the network (e.g., attempts at unauthorized user access to various information resources or connection of third-party devices to the network) is installed on the central server for monitoring the SPD OS (1.2.3, 1.2.6) of the TsPKB SPD (1.2), the server for monitoring the SPD OS (2.8, 2.14) of the SPKB SPD (2), the server for monitoring the SPD OS (3.7, 3.12) of the MPKB SPD (3), and the server for monitoring the SPD OS (4.1, 4.2) of the SPD facility (5).

The security event analysis module is installed on the central server for monitoring the SPD OS (1.2.3, 1.2.6) of the TsPKB SPD (1.2), the server for monitoring the SPD OS (2.8, 2.14) of the SPKB SPD (2), the server for monitoring the SPD OS (3.7, 3.12) of the MPKB SPD (3) and the server for monitoring the SPD OS (4.1, 4.2) of the SPD facility (5). It is responsible for:

- normalization, filtering and aggregation of data on security events;

- analysis of security events and other control data;

- matching security events with data streams containing indicators of compromise;

- control, accounting and analysis of actions of users and administrators;

- identifying hidden vulnerabilities by comparing the results of security event registration with the results of vulnerability analysis;

- identification of violations of established security policies and regulations for the operation of solid waste management systems and information security systems.

The vulnerability detection module is installed on the central server of the SPD OS control (1.2.3, 1.2.6) of the CPKB SPD (1.2), the server of the SPD OS control (2.8, 2.14) of the SPKB SPD (2), the server of the SPD OS control (3.7, 3.12) of the MPKB SPD (3) and the server of the SPD OS control (4.1, 4.2) of the SPD object (5). It is responsible for identifying (searching for) vulnerabilities in:

- general system (common) software;

- application software;

- special software;

- software and hardware;

- MSW;

- SZI.

The module for monitoring network settings and security policies is installed on the central server for monitoring the SPD OS (1.2.3, 1.2.6) of the CPKB SPD (1.2), the server for monitoring the SPD OS (2.8, 2.14) of the SPKB SPD (2), the server for monitoring the SPD OS (3.7, 3.12) of the MPKB SPD (3), and the server for monitoring the SPD OS (4.1, 4.2) of the SPD facility (5). It is responsible for:

- control of compliance of software and information security system settings with established information security requirements;

- control of starting/stopping various processes;

- control over the connection of removable machine storage media and work with them;

- control over installation/removal of software (software components);

- control over the exclusion of the use of factory passwords for access to solid municipal waste;

- control over quarterly changes of passwords in the personal data protection system, as well as their compliance with the password database;

- control over changes to network settings of automated workplaces and servers;

- control over the legitimacy of connecting the network equipment of the SPD;

- control of attempts to remotely access workstations and servers;

- control of facts of work with administrative rights and powers;

- control over changes to local security policies, rights and privileges;

- control over the creation and work with shared resources;

- control over the shutdown (blocking) of unused MSW ports;

- control of the correctness of the settings of the filtering and routing rules for MSW;

- control of the correctness of the tunneling settings on the TKO OS SPD;

- control of the relevance of the accounts used.

The equipment inventory and control module is installed on the central server for monitoring the equipment inventory control system (1.2.3, 1.2.6) of the Central Design Bureau of Equipment (1.2), the server for monitoring the equipment inventory control system (2.8, 2.14) of the Central Design Bureau of Equipment (2), the server for monitoring the equipment inventory control system (3.7, 3.12) of the Central Design Bureau of Equipment (3), and the server for monitoring the equipment inventory control system (4.1, 4.2) of the equipment inventory control system (5). It is responsible for:

- control of the composition and operability of software and hardware, software and information security tools;

- control of software updates.

Remote control module for SPD equipment, responsible for changing the operating parameters of the SPD MOD RF SPI and TKO in near-real-time mode, in accordance with recommendations for the implementation of additional measures and activities aimed at minimizing existing and newly identified security threats. It is installed on the central SPD OS control server (1.2.3, 1.2.6) of the SPD CPKB (1.2), the SPD OS control server (2.8, 2.14) of the SPD SPKB (2), the SPD OS control server (3.7, 3.12) of the SPD MPKB (3), and the SPD OS control server (4.1, 4.2) of the SPD facility (5).

The possibility of implementing the formulated technical result was tested by means of mathematical modeling reflecting the most characteristic features of the control system. As one of the possible models, the representation of the DPT security control system was used as a system with a variable structure, the behavior of which at random time intervals is characterized by various structures and is described by probability laws, for example, an exponential distribution that corresponds to the simplest flow of events and a description of transitions between the states of the DPT security control system by Markov random processes. In this case, the transition of one structure to another occurs at a random moment in time, depending on the value of the phase coordinates of the system. This mathematical apparatus is used in the work [Lipatnikov, V.A. Methodology of proactive management of information security of a distributed information system based on intelligent technologies / V.A. Lipatnikov, A.A. Shevchenko // Information systems and technologies. - 2022. - No. 2 (130). - P.107-115]. As a result of the modeling, the relationship between the probability of the impact of an intruder K _B and the response time of the SPD security control system t _SZI (see Fig. 13) and the relationship between the probability of the SPD security K _З and the time of detection of the impact of an intruder t _OV by the SPD security control system (see Fig. 14) were obtained.

The achievement of the technical result is explained as follows. When using the declared system at t _ISZ = 0.4 min, the probability of an intruder's impact is K _B ≈ 0.7 (see Fig. 13, curve "b"), while when using the prototype system, the probability of an intruder's impact is K _B ≈ 0.8 (see Fig. 13, curve "a"). This indicates that obtaining the most complete and reliable information about the state of the SPD security allows for a prompt response to information security incidents.

At the same time, the use of the claimed system ensures the probability of protection of the SPD K _З ≈0.9 at the time of detection of the intruder's impact t _ОВ = 10 min (see Fig. 14, curve "b"), while at the same time of detection of the intruder's impact t _ОВ = 10 min, the prototype system ensures the probability of protection of the SPD K _З ≈0.75 (see Fig. 14, curve "a"). The above-described facts demonstrate the achievement of the formulated technical result when implementing the claimed system, i.e., an increase in the reliability of the control results, which entails an increase in the protection of the SPD.

Claims (6)

1. A data transmission network (DTN) security monitoring system comprising a central control point (CCP) (1) including a central control point for security monitoring (CCP) of the DTN (1.1) and a central security control point (CSCP) of the DTN (1.2), K≥2 spatially separated fixed security control points (SSCP) of the DTN (2 ₁ , 2 ₂ ,…, 2 _k ), mobile security control points (MSCP) of the DTN (3) located on ground mobile objects, as well as a set of controlled DTN objects (5) having access to the public communication network (PCN) (7) and PCN objects (6) not having access to the PCN (7), wherein the spatially separated SPCB of the DTN (2) interact remotely with the CCP (1) via the PCN (7) channels, the MPCB of the DTN (3) interact remotely via the communication channels of the SPCB of the DTN (2), characterized in that the DTN security monitoring system additionally includes an automated control system has been introduced, consisting of a module for managing the security control of the data processing system, a module for ensuring the protection of control data, a module for presenting data on the results of control, a module for monitoring information flows, a module for registering security events, a module for analyzing security events, a module for identifying vulnerabilities, a module for monitoring network settings and security policies, a module for inventory and monitoring of equipment, and a module for remote control of the data processing system equipment; a hardware and software complex (HSC) for monitoring security (4) has been introduced into all objects of the data processing system (5) that have access to the data processing system (7), including a server for monitoring the open segment of the data processing system (4.1) and a server for monitoring the confidential segment of the data processing system (4.2), wherein the HSC for monitoring security (4) interacts remotely with the CPU (1) and the SPKB of the data processing system (2) via the data processing system (7) channels. 2. The data transmission network security control system according to paragraph 1, characterized in that the TsPUKB (1.1) consists of a cascaded communication antenna (1.1.1), a radio station (1.1.2), a radio modem (1.1.3) and an external router (1.1.4), the second input/output of which is connected to the SSOP router (7), and the third input/output is connected to the first input/output of the network switch (1.1.5), the second input/output of which is connected to the first input/output of the network switch (1.2.1) of the TsPUKB SPD (1.2), and the third input/output is connected to the first input/output of the crypto router (1.1.6), the second input/output of which is connected to the first input/output of the firewall (1.1.7), the second input/output of which is connected to the first input/output of the network switch (1.1.8), the second, third, fourth and the fifth inputs/outputs of which are connected to the inputs/outputs of the first (1.1.9), second (1.1.10) PC, the central server for managing the security control of the SPD (1.1.11) and the video wall (1.1.12), respectively, and the sixth input/output is connected to the first input/output of the network switch (1.2.4) of the SPD Central Control Center (1.2). 3. The data transmission network security control system according to paragraph 1, characterized in that the central control center of the data transmission network (1.2) consists of a network switch (1.2.1), the second and third inputs/outputs of which are connected to the inputs/outputs of the personal computer (1.2.2), respectively, and the central server for monitoring the open segment of the data transmission network (1.2.3), and a network switch (1.2.4), the second and third inputs/outputs of which are connected to the inputs/outputs of the personal computer (1.2.5), respectively, and the central server for monitoring the confidential segment of the data transmission network (1.2.6). 4. The data transmission network security control system according to paragraph 1, characterized in that the data transmission network security control system (2) consists of a cascaded communication antenna (2.1), a radio station (2.2), a radio modem (2.3), and an external router (2.4), the second input/output of which is connected to the SSOP router (7), and the third input/output is connected to the first input/output of the network switch (2.5), the second input/output of which is connected to the first input/output of the network switch (2.6), the second and third inputs/outputs of which are connected to the inputs/outputs of the first PC (2.7) and the open segment data transmission control server (2.8), respectively, and the third input/output of the network switch (2.5) is connected to the first input/output of the crypto router (2.9), the second input/output of which is connected to the first input/output of the firewall (2.10), the second input/output which is connected to the first input/output of the network switch (2.11), the second, third, fourth and fifth inputs/outputs of which are connected to the inputs/outputs of the second (2.12), third (2.13) PC, the confidential segment control server of the SPD (2.14) and the security control management server of the SPD (2.15), respectively. 5. The data transmission network security control system according to paragraph 1, characterized in that the SPD MPCB (3) consists of a cascade-connected communication antenna (3.1), a radio station (3.2), a radio modem (3.3) and an external router (3.4), the second input/output of which is connected to the router of the SPD object (6), which does not have access to the SSOP (7), the third input/output is connected to the first input/output of the network switch (3.5), the second and third input/output of which are connected to the inputs/outputs of the first PC (3.6) and the SPD open segment control server (3.7), respectively, and the fourth input/output of the network switch (3.5) is connected to the first input/output of the crypto router (3.8), the second input/output of which is connected to the first input/output of the firewall (3.9), the second input/output of which is connected to the first input/output of the network switch (3.10), the second and third inputs/outputs of which are connected to the inputs/outputs of the second (3.11) PC and the server for monitoring the confidential segment of the data transmission system (3.12), respectively. 6. The data transmission network security control system according to paragraph 1, characterized in that the DTN object (5) having access to the DMZ (7) consists of a DTN segment containing public services and separating them from private services (demilitarized zone) (5.1), including an external router (5.2), the first input/output of which is connected to the DMZ router (7), wherein the second input/output of the external router (5.2) is connected to the first input/output of the network switch (5.3), the second input/output of which is connected to the first input/output of the crypto router (5.4), wherein the third input/output of the network switch (5.3) is connected to the input/output of the open DTN segment control server (4.1) of the security control PAC (4), and from the fourth to N inputs/outputs of the network switch (5.3) are connected to the equipment of the open DTN segment (5.7), wherein the second input/output the crypto router (5.4) is connected to the first input/output of the firewall (5.5), the second input/output of which is connected to the input/output of the server for monitoring the confidential segment of the SPD (4.2) of the security control system (4), and the network switch (5.6), the first input/output of which is connected to the third input/output of the firewall (5.5), and from the second to N inputs/outputs are connected to the equipment of the confidential segment of the SPD (5.8).

Images