RU213782U1 - ROUTER WITH PROACTIVE PROTECTION OF THE COMPUTATION NETWORK FROM NETWORK INVESTIGATION - Google Patents

Abstract

The utility model relates to the field of data networks. The technical result is to increase the effectiveness of protection by reducing the likelihood of an attacker detecting the fact of using protection means and identifying their characteristics. The router with proactive protection of the computer network from network reconnaissance is additionally equipped with a module for generating false traffic, a block for calculating the self-similarity index, a block for generating network level parameters, and a block for generating transport level parameters. 3 w.p. f-ly, 5 ill.

Description

The proposed utility model relates to the field of data networks and routed networks with packet switching of messages, in particular, to modular scalable structures for building fast Ethernet routers, and can be used to implement secure (protected) information exchange over public communication networks, such as Internet, masking LAN settings from network reconnaissance and managing network connections with an attacker, as well as generating false network traffic.

Known analogue "Protection system for connected computer networks" according to the patent of the Russian Federation No. 2152691 IPC G06F12/14, publ. 07/10/2000, which consists in the fact that the device contains the first network motherboard and the second network motherboard, each of the specified first and second network motherboards has a network interface adapter for exchanging with the specified first and second computer networks, respectively, each of the specified network motherboards additionally has a transmission adapter to exchange with the transmission adapter of another network motherboard, these transmission adapters are paired and identical, each of the network motherboards has network software tools to prevent the transmission of routing service information between the network interface adapters and the transmission adapter of each network motherboards, each network motherboard additionally contains protocol conversion software that prevents upper layer protocol information and source and destination address information from passing between the specified network interface address. an adapter and said transmission adapter of each network motherboard, wherein at least one of the network motherboards has an application program interface middleware for providing application-level exchange services to computers connected to said at least one network motherboard.

The disadvantage of this device is the low secrecy of information directions when organizing communication between computer networks via public communication networks, such as the Internet.

A device for protecting the communication channel of a computer network according to the patent of the Russian Federation No. 2306599, IPC G06F 21/00, publ. 09/10/2007, which consists in the fact that the device contains a local security segment (LSS), the first and second input / outputs of which are connected respectively to the LAN and the router connected to the Internet, and containing the address base storage unit (BHBA), the processor , an encoding / decoding unit (CD), information input and output, the inputs "password" and "transformation type" of which are connected to the corresponding ports of the processor, an address selection unit (BVA), a current address storage unit (BOKhTA) are additionally introduced into the LSZ, the first and second network adapter (NA). The control input of the BVA is connected to the "address" port of the processor, and the x-bit output of the address selection block is connected to the jc-bit input of the BHBA. At BKhBA, the m-bit output is connected to the bit-by-bit input of BOKhTA. The control input and the m-bit output BOCHTA are connected respectively to the "current address request" port and the m-bit "current address" port of the processor. For the first SA, the n-bit output and input are connected, respectively, to the n-bit input "source package" and the output "source package" of the processor. Moreover, the "local network" output of the first SA is the first input/output of the LSZ. At the second SA, the p-bit input and output are connected, respectively, to the p-bit output and the "information/notification" input of the processor, and the t-bit "control" port of the processor is connected to the t-bit control input of the second SA. The "Internet" output of the second SA is the second input/output of the LSZ.

The disadvantages of this device are the narrow scope and relatively low noise immunity. The narrowness of the scope is due to the lack of support for routing protocols and, as a result, the inability to use the device for information exchange over public communication networks, such as the Internet, without an additional router. The relatively low noise immunity is due to the fact that the presence of intentional and unintentional interference in data transmission networks leads to packet losses during their transmission, which leads to failures in the process of receiving and transmitting message packets in the process of changing address information.

Known multi-service router, according to the patent of the Russian Federation No. 186859, IPC H06L 12/701 (2013.01), publ. 02/06/2019 Bull. No. 4. The analog refers to data transmission networks, in particular, to a modular, scalable structure for building routers for fast Ethernet networks. The multiservice router contains a switching unit and a route processor interconnected by the first inputs/outputs, a ternary associative memory, the output of which is connected to the third input of the route processor; the first processor module, the first input/output of which is connected to the third input/output of the switching unit; a second processor module, the first input/output of which is connected to the second input/output of the switching unit; a high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the first output of which is connected to the second input of the first processor module, the second output is connected to the second input of the second processor module, and the third output is connected to the second input of the route processor; the first COM port, the input/output of which is connected to the third input/output of the first processor module; the second COM port, the input/output of which is connected to the third input/output of the second processor module; the first Ethernet port, the input/output of which is connected to the fourth input/output of the first processor module; a second Ethernet port, the input/output of which is connected to the fourth input/output of the second processor module; N SFP modules, the inputs/outputs of which are connected, respectively, with the N inputs/outputs of the route processor; a synchronization module, the first output of which is connected to the fifth input of the high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), and the second output is connected to the fourth input of the high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA).

This analog supports routing protocols, provides reliable and continuous determination of the current time and the issuance of signals synchronized with the assigned system time scale, which is achieved by providing the ability to synchronize devices. By filtering network packets and converting (translating) network addresses, the device allows you to hide the IP addresses of subnet subscribers from each other.

The disadvantage of the analogue is the relatively low security and secrecy of the communication channel. This drawback is due to the fact that the communication channels of remote segments of the computer network connected by such devices via the Internet are easily distinguished by analyzing traffic at a certain point on the Internet, since they are characterized by a high intensity of message packet exchange with the same addresses of the external interfaces of routers. In this case, it becomes possible to determine the addresses of remote segments of the computer network and reveal the structure of the distributed computer network. Such information is sufficient to disrupt the information exchange, or to carry out destructive influences in relation to a distributed computer network, in particular, on the device itself.

The closest technical solution adopted for the prototype is the utility model "Multiservice router with network connection parameters management and computer network masking", according to RF patent No. 205636, IPC H04L 12/701 (2013.01), publ. 07/23/2021 Bull. No. 21. The prototype relates to the field of data transmission networks and routed networks with packet switching of messages, in particular, to modular scalable structures for building fast Ethernet routers, and can be used to implement secure (secure) information exchange over public communication networks, such as the Internet, as well as for masking LAN settings from network reconnaissance and managing network connections with an attacker. A multiservice router with network connection parameters control and computer network masking, comprising a switching unit and a route processor interconnected by the first inputs/outputs, a ternary associative memory, the first output of which is connected to the third input of the route processor, a processor module, the first input/output of which is the second input/output of the switching unit, a module for high-speed packet data processing with a non-blocking high-speed switching matrix based on FPGA (FPGA), the seventh output of which is connected to the second input of the processor module, the first output - to the second input of the route processor; COM port, the first input/output of which is connected to the fourth input/output of the processor module, Ethernet port, the first input/output of which is connected to the third input/output of the processor module; N SPF-modules, the inputs/outputs of which are connected, respectively, to the N inputs/outputs of the route processor; a synchronization module, the first output of which is connected to the sixth input of the module with a non-blocking high-speed switching matrix based on FPGA (FPGA), and the second output is connected to the fifth input with a non-blocking high-speed switching matrix based on FPGA (FPGA), the information direction masking module, the first input of which connected to the seventh output of the processor module, the fourth output is connected to the second input of the channel layer parameter changer, the first output of which is connected to the second input of the ternary associative memory, the third output of the information direction masking module is connected to the second input of the network layer parameter changer, the first output of which is connected with the third input of the ternary associative memory, the second input of the data direction masking module is connected to the second output of the high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the LAN parameter control module , a block for changing the parameters of the network level of the LAN, a network connection management module; block for changing network connection parameters, the first input of the LAN parameter control module is connected to the fifth output of the processor module, the second input is connected to the fourth output of the high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the third output of the LAN parameter control module is connected to the second input of the block for changing the parameters of the LAN network layer, the first output of which is connected to the fifth input of the ternary associative memory, the first input of the network connection control module is connected to the sixth output of the processor module, the second input is connected to the third output of the high-speed packet data processing module with a non-blocking high-speed switching matrix on based on the FPGA (FPGA), the third output of the network connection control module is connected to the second input of the block for changing network connection parameters, the first output of which is connected to the fourth input of the ternary associative memory.

In this prototype, the security and secrecy of the operation of the communication channel on the Internet are ensured by synchronously changing the IP addresses of LAN nodes and the IP addresses of the external interfaces of routers within several subnets, at intervals that are adaptively changeable, depending on the characteristics of the functioning of the data transmission system and actions of an attacker, the impossibility for him to identify both the information directions of the computer network and the parameters of its local segments. Also, the introduction of these new elements ensures that the attacker is kept in a long connection, which provides additional time to complete critical connections and subsequently change the IP addresses of LAN nodes and external interfaces of routers, without reducing the availability of information for clients of the computer network, as well as time for the security system to take additional measures. protection.

The disadvantage of the prototype device is the relatively low effectiveness of protection, due to the high probability of detecting by an attacker the fact of using computer network protection tools and identifying their characteristics. This is due to the fact that after a synchronous change in the IP addresses of LAN nodes and IP addresses of external interfaces of routers within several subnets, after detecting the fact of a malicious attack by an intruder, and completing critical connections that cannot be broken, in the subnet where network exchange was previously organized , there will be no active nodes left. This can lead to the detection by an attacker of the fact of using protection tools and identification of their characteristics.

The objective of this utility model is to eliminate the above disadvantages.

The technical result of the proposed utility model is to increase the effectiveness of protection by reducing the likelihood of an attacker detecting the fact of using protection tools and identifying their characteristics.

The technical result is ensured by the fact that in a multiservice router with control of network connection parameters and computer network masking, containing a switching unit and a route processor interconnected by the first inputs/outputs, a ternary associative memory, the first output of which is connected to the third input of the route processor, the processor module , the first input/output of which is with the second input/output of the switching unit, a high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the seventh output of which is connected to the second input of the processor module, the first output is connected to the second input of the route processor; COM port, the first input/output of which is connected to the fourth input/output of the processor module; Ethernet port, the first input/output of which is connected to the third input/output of the processor module; N SPF-modules, the inputs/outputs of which are connected, respectively, with the N inputs/outputs of the route processor; a synchronization module, the first output of which is connected to the sixth input of the module with a non-blocking high-speed switching matrix based on FPGA (FPGA), and the second output is connected to the fifth input with a non-blocking high-speed switching matrix based on FPGA (FPGA), the information direction masking module, the first input of which connected to the seventh output of the processor module, the fourth output - to the second input of the channel layer parameter changer, the first output of which is connected to the second input of the ternary associative memory, the third output of the information direction masking module is connected to the second input of the network layer parameter changer, the first output of which is connected with the third input of the ternary associative memory, the second input of the information direction masking module is connected to the second output of the high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the LAN structure parameter control module; block for changing the parameters of the network level of the LAN; network connection management module; block for changing network connection parameters, the first input of the LAN parameter control module is connected to the fifth output of the processor module, the second input is connected to the fourth output of the high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the third output of the LAN parameter control module is connected to the second input of the block for changing the parameters of the LAN network layer, the first output of which is connected to the fifth input of the ternary associative memory, the first input of the network connection control module is connected to the sixth output of the processor module, the second input is connected to the third output of the high-speed packet data processing module with a non-blocking high-speed switching matrix on based on the FPGA (FPGA), the third output of the network connection control module is connected to the second input of the block for changing network connection parameters, the first output of which is connected to the fourth input of the ternary associative memory;

additionally, a module for generating false traffic, a block for calculating the self-similarity index, a block for generating network layer parameters, a block for generating parameters of the transport layer are additionally introduced, the first output of the module for generating false traffic is connected to the eighth input of the processor module, the second output of the module for generating false traffic is connected to the eighth input of the high-speed processing module packet data with a non-blocking high-speed FPGA switching matrix (FPGA), the third output of the false traffic generation module is connected to the first output of the self-similarity index calculation unit, the second output of the self-similarity index calculation unit is connected to the first input of the network layer parameter generation unit, and the third output is connected to the first input of the block for generating parameters of the transport layer, the second output of the block for generating parameters of the network layer is connected to the sixth input of the ternary associative memory, the second output of the block for generating parameters of the transport layer is connected to the seventh input ternary associative memory.

The Hurst exponent is chosen as the variable parameters for calculating the self-similarity index of the block for calculating the self-similarity index.

IP addresses, the time of sending message packets, and the subnet number are selected as the changeable parameters of the network layer of the block for generating network layer parameters.

As changeable parameters of the transport layer of the block for generating parameters of the transport layer, the numbers of network ports, the size of message packets, data transfer protocols are selected.

All elements of the router with proactive protection of the computer network from network intelligence are made using digital technologies.

Comparison with the prototype shows that the proposed device is characterized by the presence of new blocks and their connections between them. Thus, the claimed device meets the criterion of "novelty".

Comparison of the proposed solution with other technical solutions shows that the listed elements are known, however, their introduction in the specified connection with the rest of the elements leads to the expansion of the functionality of the device. This confirms the compliance of the technical solution with the criterion of "significant differences".

The introduction of the listed new elements in the specified connection with other elements leads to the preservation of the advantages of the prototype and the elimination of its shortcomings, forms a single, centrally controlled, protective mechanism, which, due to the generation of false traffic, makes it impossible for an attacker to detect the fact of using protection tools and identify their characteristics. The claimed utility model is illustrated by drawings:

Fig.1 is a block diagram of a router with proactive protection of a computer network from network reconnaissance;

fig. 2 illustrates the distribution of source traffic network port numbers between IP addresses;

fig. 3 is an illustration of the duration of sessions, the number of message packets and the amount of data that is transmitted within each session;

Fig 4 is an illustration of the results of calculating the self-similarity index for the selected parameters of the original network traffic;

fig. 5 is an illustration of the phase portraits of the network and transport layer generators for the selected parameters of the original network traffic.

A known method for protecting computer networks Maksimov R.V., Sokolovsky S.P., Voronchikhin I.S., Gritchin A.D., Bodyakin M.S., Ignatenko A.V. according to the patent for invention RU 2726900, publ. 07/16/2020, Bull. No. 20, which implements the cyber maneuver technique - periodic (time-synchronized) or uncontrolled (random) changes in the network settings of information systems (used address space and subscriber port numbers), in which, upon detection of an intruder, the DHCP server forcibly terminates the lease of current IP addresses by legitimate subscribers information system and sends them new network settings containing IP addresses from another subnet not previously known to the attacker. However, after reassigning new network parameters to the network devices of subscribers, there will be no active devices left in the subnet where they previously functioned, which will be an irrefutable fact of the use of protection tools, and as a result of the next cycle of network reconnaissance, this fact will be revealed by an attacker, and the protection tools will be compromised . To eliminate such a threat, it is necessary not only to change the parameters of network devices of subscribers within several subnets, but also to “load” network information objects of a compromised configuration with the functions of false network information objects. Support in this way between them false information traffic, which has the statistical characteristics of a compromised computer network, so that the cyber maneuver is not detected by an attacker.

In this case, the following options for solving the problem of implementing false information traffic are possible.

Preliminary recording of information system network traffic and subsequent sending of the stored packets to the network. In this case, the time interval between packets is taken from the network traffic record. The disadvantages of this approach, associated with the need to store large amounts of data, are obvious. In addition, with a relatively small number of subscribers in the information system, it is possible to detect the fact of traffic reuse.

Another and more preferred method is to generate spurious information traffic based on real traffic characteristics, which is performed by spurious network information objects. To ensure the maximum likelihood of false network traffic, its statistical properties must correspond to the statistical properties of the information traffic of the protection object. Otherwise, the application of such protection measures will be compromised, and the objectives of the simulation will not be achieved.

Thus, there is a contradiction between the need to implement an effective masking exchange and the lack of a unified method for generating false information exchange in a LAN. The proposed utility model is aimed at eliminating this contradiction.

The device works as follows. The function of routing message packets - determining the route of message packets in computer networks, in the device is performed by a specialized route processor (1), in which software operates to analyze the contents of a message packet, translate network addresses, direct to the desired interface (9) in accordance with the table routing, which is formed by the processor module (5). Local configuration of the device is carried out via the COM port (8) and Ethernet port (7) connected directly to the processor module (5). To switch N SFP modules (9) to the route processor, a switching unit (PCI switch) is used, see block 2 in FIG. 1. SFP (from the English Small Form-factor Pluggable) is an industrial standard for modular compact transceivers (transceivers) used to connect a network device board (in particular, a router) to a cable communication line (optical fiber or unshielded twisted pair) and to match electrical junction (interface) parameters.

The routing table is formed when the device is initialized, using the processor module (5) static or dynamic routing. The generated table is stored in the ternary associative memory (4) used in the device to improve its performance when searching the routing table. When a message packet arrives through the SFP module (9), the route processor (1) analyzes the header of the message packet, and, based on the results of the analysis, if a service message packet is found, sends it to the processor module (5) through the module (3) of high-speed packet data processing with non-blocking high-speed switching matrix based on programmable logic integrated circuits, FPGA, or FPGA (from the English. Field-Programmable Gate Array), user-programmable gate arrays.

Otherwise, that is, if a transit (non-service) message packet is detected, the route processor (1) searches for routing information in the routing table stored in the ternary associative memory (4) and, based on the results of the search, translates the message packet through the corresponding SFP module ( 9) to the network.

The synchronization module (6) is designed to ensure the device noise immunity under conditions of intentional and unintentional interference, by providing continuous determination of the current time and output of 10 MHz and 1 Hz signals to the module (3) of high-speed packet data processing with a non-blocking high-speed switching matrix based on FPGA (FPGA ).

To improve the security and secrecy of the communication channel operation, the information direction masking function is activated in the device, for which the information direction masking module (12) is initialized. In this case, initialization can be carried out locally by transmitting control information through the COM port (8) and the Ethernet port (7) by means of a processor module (5), the seventh output (5.7) of which is connected to the first input (12.1) of the information direction masking module (12), or remotely, by transmitting service message packets received by the SFP module (9) through the route processor (1) and the high-speed packet data processing module (3) with a non-blocking high-speed FPGA-based switching matrix (FPGA), the output (3.2) of which is connected to the input (12.2 ) information direction masking module (12). Initialization of the masking information directions module (12) consists in receiving, decoding and applying by the device configuration information containing the connectivity matrices of masked information directions by MAC addresses and IP addresses, in order to increase the effectiveness of protection in comparison with the prototype device that changes within several subnets, and the value of the time parameter of their change (in practice, the value of this parameter is chosen in the range from 1 to 10 seconds). To reduce the resource intensity of protection caused by unreasonable constant changes in MAC addresses and IP addresses, the initialization of the information direction masking module (12) is carried out after each case of detecting an attempt of unauthorized scanning of protected network resources, upon a command received from the network protection means of the data transmission system or the same command from the security administrator.

Decoded by the information direction masking module (12), the connectivity matrices of the masked information directions by MAC addresses and IP addresses changed within several subnets, are stored respectively in the block (13) for changing the parameters of the link layer (MAC addresses), the input (13.2) of which connected to the output (12.4) of the information directions masking module (12), and in the block (14) for changing network layer parameters (IP addresses), the input (14.2) of which is connected to the output (12.3) of the information directions masking module (12). These matrices are pointers to the variation of the addresses of the external (external) interface (interfaces) of the router, selected (selected) for organizing masking information directions, and their connectivity, that is, the logic of masking information directions, is available for reading from the ternary associative memory (4), input (4.2) which is connected to the output (13.1) of the block (13) for changing the parameters of the link layer (MAC addresses), and the input (4.3) is connected to the output (14.1) of the block (14) for changing the parameters of the network layer (IP addresses). The module for masking information directions (12), block (13) for changing the parameters of the link layer (MAC addresses) and block (14) for changing the parameters of the network layer (IP addresses) can be implemented using Soft microprocessors and (or) memory chips, for example , such as FeRAM (Ferroelectric Random Access Memory) - ferroelectric non-volatile memory using a special ferroelectric film. The memory operates with ultra-low power consumption, high speed and virtually unlimited write cycles.

For routers where the information direction masking module (12) is missing or not initialized, as well as for software that analyzes the availability of network interfaces, or analyzes the traffic of packets of messages at some point in the public communication network, the masked information direction will be presented ("look" ) as a set of changing information directions (MAC and/or IP addresses) in accordance with the set value of their change parameter. To activate the LAN settings masking function in the device, which provides increased security and secrecy of LAN settings, which is especially important for protection against threats from an internal intruder, by replacing static LAN settings with dynamic ones, the LAN settings control module (10) is initialized. To reduce the resource intensity of protection, the initialization of the LAN parameter control module (10) is carried out synchronously with the module for masking information directions (12) after fixing an attempt of destructive influences. The moment when the settings start to be changed is the moment when a command is received from the network protection means of the data transmission system or a command from the security administrator. To increase the secrecy of LAN parameters, changing the IP addresses of its nodes is carried out within several subnets, as well as changing the IP addresses of router interfaces by the information direction masking module (12).

In this case, the initialization of the LAN parameter control module (13) can be carried out locally, transmitting control information through the COM port (8) and the Ethernet port (7) by means of the processor module (5), the fifth output (5.5) of which is connected to the first input (10.1) LAN parameters control (10), or remotely, by transmitting the service packets of messages received by the SFP module (9) through the route processor (1) and the high-speed packet data processing module (3) with a non-blocking high-speed switching matrix based on FPGA (FPGA), output (3.4 ) of which is connected to the input (10.2) of the LAN parameters control module (13). Initialization of the LAN parameters control module (13) consists in receiving, decoding and applying by the device the configuration information containing the IP addresses of the LAN nodes and the value of the change time parameter.

After the security system fixes an attempt of the next destructive impact, the LAN parameters control module (13) generates new IP address values, but with a different subnet number different from the previous one and a new value of the change time parameter, identical to the value of the IP address change time parameter , formed by the information direction masking module (12). The IP addresses decoded by the LAN parameter control module (13), the time of their change and the subnet number are stored respectively in the block (16) for changing the LAN network level parameters, the input (16.2) of which is connected to the output (10.3) of the LAN parameter control module (10). What is a pointer to the variation of the IP addresses of the LAN nodes, and the logic of masking the LAN structure, is available for reading from the ternary associative memory (4), the input (4.5) of which is connected to the output (16.1) of the block (16) for changing the parameters of the network layer (IP- host addresses, lease time, subnet number). The LAN parameters control module (10) and the block for changing the LAN network level parameters (IP addresses of LAN nodes, the time of their change, subnet number) (16) can be implemented using Soft microprocessors and (or) memory chips, for example, such as FeRAM (Ferroelectric Random Access Memory) - ferroelectric non-volatile memory using a special ferroelectric film. The memory operates with ultra-low power consumption, high speed and virtually unlimited write cycles.

When fixing an attempt to implement destructive impacts on the components of the data transmission network, the device activates the function of keeping an attacker in a forced network connection. Activation of this function is implemented by introducing a network connection management module (11), a block for changing network connection parameters (15) into the composition of a multiservice router with network connection parameters management and masking the computer network, and their initialization.

To do this, initialize the network connection management module (11). Initialization of the network connection management module (11) can be carried out locally by transmitting control information through the COM port (8) and Ethernet port (7) by means of the processor module (5), the sixth output (5.6) of which is connected to the first input (11.1) of the network management module. connections (11), or remotely, by transmitting the service packets of messages received by the SFP module (9) through the route processor (1) and the module (3) of high-speed packet data processing with a non-blocking high-speed switching matrix based on FPGA (FPGA), the output (3.3) of which connected to the input (11.2) of the network connection control module (11). Initialization of the network connection management module (11) consists in receiving, decoding and applying by the device information containing the initial value of the "window size" field of the service header of the response TCP message packet intended for an identified intruder (in practice, the value of this parameter is chosen in the range from 1 to 30 bytes) and the value of the "window size" field equal to zero to keep the network connection with the attacker at the final stage of establishing the network connection.

The values of the “window size” field of the service header of the response TCP message packet for the identified intruder decoded by the network connection management module (11) are stored in the block (15) for changing network connection parameters (the value of the “window size” field), the input (15.2) of which is connected to output (11.3) of the network connection control module (11). These values are pointers for varying the values of the "window size" field of the service header of the response TCP message packet at the initial and final stages of establishing a network connection, to exclude the possibility of an attacker to compromise the network protection tool by the value of the "window size" field using specialized software and hold an attacker in a forced connection before the connection timeout expires. Their application logic is available for reading from the ternary associative memory (4), the input (4.4) of which is connected to the output (15.2) of the block (15) for changing network connection parameters (the value of the “window size” field).

Network connection management module (11), block (15) for changing network connection parameters (values of the “window size” field) can be implemented using Soft microprocessors and (or) memory chips, for example, such as FeRAM (Ferroelectric Random Access Memory) - ferroelectric non-volatile memory using a special ferroelectric film. The memory operates with ultra-low power consumption, high speed and virtually unlimited write cycles.

The technical result of the utility model in terms of improving the effectiveness of protection is achieved by including in the device and initializing the module for generating false network traffic (17), the block for calculating the self-similarity index (18), the block for generating network layer parameters (19) and the block for generating transport layer parameters (20). In this case, the module for generating false network traffic (17) can be initialized locally by transmitting control information through the COM port (8) and the Ethernet port (7) by means of a processor module (5), the eighth output (5.8) of which is connected to the first input (17.1) module for generating false traffic (17), or remotely, transmitting the service packets of messages received by the SFP module (9) through the route processor (1) and the module (3) of high-speed packet data processing with a non-blocking high-speed switching matrix based on FPGA (FPGA), output ( 3.8) which is connected to the input (17.2) of the module for generating false network traffic (17). Initialization of the module for generating false traffic (17) consists in reading information exchange parameters, such as IP addresses, network port numbers, data transfer protocols, message packet sizes, duration of network connections, between LAN subscribers for a specified time and decoding these parameters.

The sequences of network packets of real LAN nodes of the computer network decoded by the module for generating false traffic (17) are stored in the block for calculating the self-similarity index (18), the input (18.1) of which is connected to the output (17.3) of the module for generating false network traffic. The calculated self-similarity indicators for each parameter of the network (IP addresses, message packet sending time, subnet number) and transport (network port numbers, message packet size, data transfer protocols) levels are stored, respectively, in the network layer parameter generation block (19), the input (19.1) of which is connected to the output (18.2) of the block for calculating the self-similarity index (18), and the block for generating parameters of the transport level (20), the input (20.1) of which is connected to the output (18.3) of the block for calculating the self-similarity index (18).

Subsequent, after changing the parameters of network devices of LAN subscribers, the generation of false network traffic by the blocks for generating network layer parameters (19) and generating transport layer parameters (20) provides an increase in the effectiveness of protection compared to the prototype device. To exclude unreasonable generation of false traffic, initialization of the blocks for generating network layer parameters (19) and generating transport layer parameters (20) is carried out after each of the cases of detecting an attempt of unauthorized scanning of protected network resources, by a command received from the computer network network protection means or by a command from the security administrator and only after changing the parameters of network devices of computer network subscribers within several subnets.

The module for generating false traffic (17), the block for generating network layer parameters (18), the block for generating transport layer parameters (20) can be implemented using Soft microprocessors and (or) memory chips, for example, such as FeRAM (Ferroelectric Random Access Memory ) - ferroelectric non-volatile memory using a special ferroelectric film. The memory operates with ultra-low power consumption, high speed and virtually unlimited write cycles.

An illustration of the principle of generating false traffic is shown in FIG. 2, 3, 4, 5.

Let a certain number of message packets between LAN nodes be transmitted through the device during a given time. For the transmitted message packets, the following parameters were read, decoded and stored in the self-similarity parameters calculation block (18): IP addresses of the source and destination of message packets, time of sending message packets, subnet number, numbers of network ports of source and destination of message packets, packet size messages, data transfer protocols.

Figs 2a and 2b illustrate the distribution of source and destination IP addresses and network ports, respectively, fig. 3, a, 3, b and 3, c - the duration of sessions, the number of message packets and the amount of data that is transmitted within each session between LAN nodes.

Simulation of false information traffic to protect the structural and functional characteristics of a computer network is not an easy task due to the self-similarity of its statistical properties in IP networks, which is known and described, for example, in the work of O.I. Sheluhin, S.M. Smolskiy and A.V. Osin, Self-Similar Processes in Telecommunications, Wiley, London, 2007, not only at the current time, but also retrospectively. This means that some property of the object is preserved when scaling space and/or time. Otherwise, they say that there is a repeatability of the statistical characteristics of natural time series with a change in scale.

It is known that processes with self-similarity properties are characterized by the presence of an aftereffect due to factors that cause complex dependencies. The resulting traffic (in the general case, a process) becomes "pulsating": with a relatively low average rate of arrival of message packets in a computer network, large bursts of intensity are possible.

The generally accepted indicator of process self-similarity - the Hurst exponent, is calculated by the algorithm of the analysis of the corrected changed range, for example, proposed in the works of Anis, A.A. The expected value of the adjusted rescaled Hurst range of independent normal summands / A.A. Anis, E.H. Lloyd //Biometrics. - 1976. - No. 63. - P. 283-298. and Peters, E.E. Fractal Market Analysis: Applying Chaos Theory to Investment and Economics / E.E. Peters. - New York: Wiley, 1994. - 336 p.

Let a time series be given

in which its initial segments are sequentially distinguished

for each of which the current average is calculated

вычисляют накопленное отклонение для каждого из отрезков длины t:Further, for each fixed

calculate the accumulated deviation for each of the segments of length t:

The main characteristic of a sample of a random process is the normalized range R/S, where

maximum range of amplitudes of a random process, S - standard deviation of the process

t - discrete time with integer values; τ is the duration of the considered time interval.

где Н - показатель Херста. Логарифмируя обе части этого равенства, получают декартовы координаты (хτ, yτ) точек траектории H, ординаты и абсциссы которых соответственно равны:The normalized R/S range is described by the empirical relation

where H is the Hurst exponent. Taking the logarithm of both parts of this equality, one obtains the Cartesian coordinates (хτ, yτ) of the points of the trajectory H, the ordinates and abscissas of which are respectively equal:

а ординаты

The R/S trajectory required for the fractal analysis of the series is represented in Cartesian logarithmic coordinates by a sequence of points whose abscissas

and the ordinates

Fig. Figure 4 illustrates the results of the block for calculating the self-similarity index for: a - sequence of source network port numbers in transmitted traffic, b - sequence of destination network port numbers, c - sequence of duration of data transmission sessions, d - sequence of sizes of transmitted data within sessions, e - sequence the number of message packets transmitted within the sessions.

которые могут быть выражены в векторной форме (время τ>0). В общем виде выражение для модели (уравнение регрессии или регрессия в терминах математической статистики) записывается какThe information traffic characteristics generation model defines a set of output variables

which can be expressed in vector form (time τ>0). In general, the expression for the model (regression equation or regression in terms of mathematical statistics) is written as

where the vector aT is the coefficients of the model obtained from the results of traffic dumping up to the moment T inclusive, and the matrix F is a set of approximating functions.

In most cases, to analyze the behavior of a dynamical system, it is necessary to study only its attractor - a compact subset of the phase space, to which the evolution trajectories of all points of the system located not far from this subset are asymptotically "attracted". Its dimension determines the amount of information required to set the coordinates of a point belonging to the attractor within the specified accuracy.

The fractal dimension D can be expressed in terms of the Hurst exponent H by the relation

The attractor is related to the fractal dimension through the correlation integral C(r), which is estimated directly for a sequence of points (shows the relative number of pairs of points located at a distance not greater than r):

where

(Heaviside function), ρ is the distance between a pair of points in the n-dimensional phase space, m is the number of points xi on the attractor.

In Tokens F. Detecting Strange Attractors in Turbulence//Dynamical Systems and Turbulence. - Lecture Notes in Mathematics. - Berlin: Springer-Verlag, 1981. V. 898. P. 366-381 shows that for almost every smooth dynamical system it is possible to calculate the correlation integral and the fractal dimension from measurements of only one of the phase coordinates of this system.

The method of synthesis of the mathematical model of the process, described in Davydov A.E. Protection and safety of departmental integrated infocommunication systems / A.E. Davydov, R.V. Maksimov, O.K. Savitsky. - Moscow: Voentelecom, 2015. - 520 p., based on the use of the so-called pseudo-phase reconstruction.

r - временная задержка (в дискретах времени), и m - размерность пространства вложения. Таким образом, для исходного набора измерений фазовой координаты x(1),x(2),…,x(N), где N - количество измерений, можно реконструировать исходный аттрактор в пространстве точек с задержками [x(t),x(t+τ),…,x(t+(m-1)⋅τ)], таким образом, что он будет сохранять важнейшие топологические свойства и динамику оригинального аттрактора. Размерность m определяется по формуле m≥2[d]+1, где d - фрактальная размерность аттрактора.Pseudo-phase reconstruction is a mapping that associates the point x(t) of the time series with the point [х(t), x(t+τ),…,х(t+(m-1)⋅τ)]∈Rm, where t - discrete time

r is the time delay (in time steps) and m is the dimension of the nesting space. Thus, for the initial set of measurements of the phase coordinate x(1),x(2),…,x(N), where N is the number of measurements, it is possible to reconstruct the original attractor in the space of points with delays [x(t),x(t +τ),…,x(t+(m-1)⋅τ)], so that it retains the most important topological properties and dynamics of the original attractor. The dimension m is determined by the formula m≥2[d]+1, where d is the fractal dimension of the attractor.

Therefore, to synthesize a mathematical model of network traffic of a computer network, it is necessary to calculate the Hurst exponent H for one of the parameters of the network traffic dump and then, using the known mathematical models of attractors, select their coefficients so that the Hurst exponent Hs of the synthesized time series coincides with R to within some ε.

таким образом, что показатель самоподобия сгенерированной последовательности параметров сетевого трафика будет совпадать с вычисленными в блоке (18) показателями самоподобия с точностью до ε=0.0001.The self-similarity indicators calculated in block (18) are transferred to the blocks for generating parameters of the network (19) and transport (20) levels, in which the coefficients of the non-linear van der Pol oscillator are selected, given by the equation -

in such a way that the self-similarity index of the generated sequence of network traffic parameters will coincide with the self-similarity indices calculated in block (18) with an accuracy of ε=0.0001.

Fig. 5 illustrates the results of the operation of the network layer parameter generation block (19) and the transport layer parameter generation block (20) in the form of phase portraits of nonlinear Van der Pol oscillators for a - a sequence of source ports in transmitted traffic, b - a sequence of destination ports, c - a sequence of duration of data transmission sessions, r - sequences of the volumes of transmitted data within the sessions, q - sequences of the number of packets transmitted within the sessions.

A router with proactive protection of a computer network from network intelligence is industrially applicable, since it can be implemented on the basis of an industrial computer with a simplified set of instructions or industrial microprocessor equipment that allows the use of freely distributed open source Unix software under the GNU GPL license (for example, , single-board computers Olimex, Intel, Raspberry Pi, Orange Pi, Nano Pi) for building routers and allowing the installation of a wide range of additional expansion cards.

Thus, thanks to a new set of essential features in the claimed utility model, a technical result is achieved, which consists in increasing the effectiveness of protection by reducing the likelihood of an attacker detecting the fact of using protection tools and identifying their characteristics.

Claims (4)

1. A router with proactive protection of a computer network from network reconnaissance, containing a switching unit and a route processor connected to each other by the first inputs/outputs, a ternary associative memory, the first output of which is connected to the third input of the route processor, a processor module, the first input/output of which is connected with the second input/output of the switching unit, a high-speed packet data processing module with a non-blocking high-speed FPGA-based switching matrix (FPGA), the seventh output of which is connected to the second input of the processor module, the first output - to the second input of the route processor; COM port, the first input/output of which is connected to the fourth input/output of the processor module; Ethernet port, the first input/output of which is connected to the third input/output of the processor module; N SPF-modules, the inputs/outputs of which are connected, respectively, with the N inputs/outputs of the route processor; a synchronization module, the first output of which is connected to the sixth input of the module with a non-blocking high-speed switching matrix based on FPGA (FPGA), and the second output is connected to the fifth input with a non-blocking high-speed switching matrix based on FPGA (FPGA), the information direction masking module, the first input of which connected to the seventh output of the processor module, the fourth output - to the second input of the channel layer parameter changer, the first output of which is connected to the second input of the ternary associative memory, the third output of the information direction masking module is connected to the second input of the network layer parameter changer, the first output of which is connected with the third input of the ternary associative memory, the second input of the information direction masking module is connected to the second output of the high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the LAN structure parameter control module; block for changing the parameters of the network level of the LAN; network connection management module; block for changing network connection parameters, the first input of the LAN parameter control module is connected to the fifth output of the processor module, the second input is connected to the fourth output of the high-speed packet data processing module with a non-blocking high-speed switching matrix based on FPGA (FPGA), the third output of the LAN parameter control module is connected to the second input of the block for changing the parameters of the LAN network layer, the first output of which is connected to the fifth input of the ternary associative memory, the first input of the network connection control module is connected to the sixth output of the processor module, the second input is connected to the third output of the high-speed packet data processing module with a non-blocking high-speed switching matrix on based on the FPGA (FPGA), the third output of the network connection control module is connected to the second input of the block for changing network connection parameters, the first output of which is connected to the fourth input of the ternary associative memory, characterized in that it additionally introduced are a module for generating false traffic, a block for calculating the self-similarity index, a block for generating network layer parameters, a block for generating parameters of a transport layer, the first output of the module for generating false traffic is connected to the eighth input of the processor module, the second output of the module for generating false traffic is connected to the eighth input of the high-speed processing module packet data with a non-blocking high-speed FPGA switching matrix (FPGA), the third output of the false traffic generation module is connected to the first output of the self-similarity index calculation unit, the second output of the self-similarity index calculation unit is connected to the first input of the network layer parameter generation unit, and the third output is connected to the first input of the block for generating parameters of the transport layer, the second output of the block for generating parameters of the network layer is connected to the sixth input of the ternary associative memory, the second output of the block for generating parameters of the transport layer is connected to the seventh input ternary associative memory. 2. Router with proactive protection of the computer network from network reconnaissance, characterized in that the Hurst exponent is chosen as the variable parameters for calculating the self-similarity index of the self-similarity index calculation unit. 3. A router with proactive protection of a computer network from network reconnaissance, characterized in that IP addresses, time of sending a network packet, subnet number are selected as the network level parameters to be changed by the network level parameter generation unit. 4. A router with proactive protection of a computer network from network reconnaissance, characterized in that the network port numbers, the size of message packets, data transfer protocols are selected as the changeable parameters of the transport level of the block for generating parameters of the transport level.

Images