RU2265242C1 - Method for monitoring safety of automated systems - Google Patents

Abstract

FIELD: digital communication systems.

SUBSTANCE: method includes considering rules of setting up and maintaining of communication session by increasing number of cached message packets and maximal allowed number of coincidences, to provide higher stability and reliability to authorized clients.

EFFECT: higher reliability, higher durability, higher efficiency.

2 cl, 4 dwg, 1 tbl

Description

The invention relates to telecommunications and can be used in automated technical means of information retrieval for monitoring ¹ ( ¹ Monitoring - regular monitoring of events occurring in the process of exchanging information, with registration and analysis of predefined significant or suspicious events. The concepts of "audit" and "monitoring" at the same time, they differ somewhat, since the first involves the analysis of events after the fact, and the second is close to the real-time mode [Koneev IR, Belyaev AV Information Security enterprises. - SPb .: BHV-Petersburg, 2003. - 752 pp., ill. on p. 30].) security of automated systems (AS) and operational identification used in digital communication systems and, in particular, in a data transmission network ( SPD) type "Internet" family of communication protocols TCP / IP (Transmission Control Protocol / Internet Protocol), described in the book Kulgin M. Technology corporate networks. Encyclopedia. - St. Petersburg: Publishing House "Peter", 1999. - 704 p.: Ill.

The claimed technical solution expands the arsenal of funds for this purpose.

There is a known method of monitoring the safety of nuclear power plants according to RF patent No. 2179738, “A method for detecting remote attacks ² ( ² Attack - the practical implementation of a threat or an attempt to implement it using one or another vulnerability [Koneev IR, Belyaev AV Information security of the enterprise. - SPb .: BHV-Petersburg, 2003. - 752 pp., Ill. On p. 30].) In the computer network ”, class G 06 F 12/14, declared. 04.24.2000. The known method includes the following sequence of actions. Monitoring the traffic of data packets addressed to the subscriber, including constantly renewed counting of the number of packets, performed within a series of packets arriving successively one after another at intervals of no more than a predetermined time, while checking the incoming data packets for compliance with the given rules is performed every time the size of the next the observed series reaches a critical number of packets.

The disadvantage of this method is the narrow scope, due to its purpose mainly to protect against substitution of one of the participants in the connection. In the analogue, a limited set of attribute space is used - they do not take into account the presence of a large number of types of possible packets and not all of their acceptable sequences, which leads to a decrease in the availability of SPD due to skipping the attack - “storm ³ ” ( ³ Storm - transmitting as many as possible to the attacked object false TCP requests to create a connection on behalf of any host, while the attacked network operating system, depending on the computing power of the computer, either stops responding to legal connection requests (denial of service), or, in the worst case, practically freezes [Medvedovsky ID et al. Attack on the Internet. - M.: DMK, 1999. - 336 pp., ill. on p. 121].) false requests for establishing a connection (see ID Medvedovsky and others. Attack on the Internet. - M .: DMK, 1999. - 336 pp .: ill. on pages 120-128) and limits the scope of its application.

There is also a known method of monitoring the safety of nuclear power plants according to the patent of the Russian Federation No. 2134897, class G 06 F 17/40, "Method for the operational dynamic analysis of the states of a multi-parameter object", decl. 08/20/1999. The known method includes the following sequence of actions. The results of the tolerance assessment of heterogeneous dynamic parameters are converted into the corresponding information signals with a generalization over the entire set of parameters in a given time interval and the relative magnitude and nature of the change in the integral state of the multiparameter object is determined.

The disadvantage of this method is the narrow scope, due to its purpose for the operational diagnosis of the technical and functional states of a multiparameter object according to the measurement information and to improve performance when presenting and dynamically analyzing the integral state of a multiparameter object in real time. To monitor the safety of speakers, this method is not effective enough, because it uses a limited set of attribute space and does not provide for the detection of a “storm” of false requests to establish a connection (see ID Medvedovsky and others. Attack on the Internet. - M.: DMK, 1999. - 336 pp., ill. on p. 120-128), which limits the scope of its application.

Closest in its technical essence to the claimed one is a method for monitoring the safety of nuclear power plants, implemented in the device according to the patent of the Russian Federation N 2219577, "Information Search Device", class G 06 F 17/40, declared. 04.24.2002. The prototype method is that they take the i-th packet, where i = 1, 2, 3, .... and remember it. Receive the (i + 1) th packet, remember it. The signs of the presence of IP, TCP, the source and destination addresses of the IP packet, port numbers of the sender and receiver of the packet, and the SYN synchronization control bit are selected from the header of the i-th and (i + 1) -th packets. Then the packets are compared for the unambiguous coincidence of the selected signs of the (i + 1) -th packet with the selected signs of the i-packet and, based on the results of the comparison, they decide on the fact of a computer attack consisting in a directed “storm” of false TCP-requests to create a connection.

Compared with analogs, the prototype method can be used in a wider field, when not only the type of protocol is determined, the state of the controlled object is analyzed, but also the rules for establishing and maintaining a communication session are taken into account, which is necessary to increase the stability of the functioning of automated systems under unauthorized exposure (attacks).

The disadvantage of the prototype is the relatively low reliability of ⁴ ( ⁴ Reliability is the degree of objective compliance of the results of diagnosis (control) with the actual technical condition of the object [Kuznetsov V.E., Likhachev AM, Parashchuk IB, Prisyazhnyuk SP Telecommunications. Intelligent glossary of basic terms and abbreviations. Edited by A. M. Likhachev, S. P. Prisyazhnyuk. - St. Petersburg: Publishing House of the Ministry of Defense of the Russian Federation, 2001].) determining the fact of an attack on the speakers, namely, the attack is not recognized when requesting to establish connection with multiple ports or when swapping e message packets sender. This is determined by the fact that only two message packages are compared - the next and the previous, and the fact of the presence of a “storm” of false requests to create a connection is determined by the unambiguous coincidence of the selected signs of message packages, which is insufficient to reliably determine the fact of an attack on the speakers.

The purpose of the claimed technical solution is to develop a method for monitoring the safety of nuclear power plants, providing increased reliability of determining the fact of an attack on the nuclear power systems by monitoring the security of nuclear power plants when recognizing a "storm" of false requests to create a connection by taking into account the rules for establishing and maintaining a communication session by increasing the number of memorable message packets similarity indicators of the selected features of message packages and the maximum allowable number of matches, which is necessary to ensure Nia stable functioning of the AU, is to provide service capabilities to authorized subscribers.

This goal is achieved by the fact that in the known method of monitoring the security of the AU, which consists in receiving message packets, storing them, extracting connection request signs from the headers of the received message packets, comparing the selected signs of the received message packet headers and comparing the decision about the presence of an attack, pre-set the minimum acceptable value of the similarity indicator To _{cx.min of} selected characteristics of message packets, the maximum allowed number matches K _mat.add. and the number N≥1 of memorized message packets. Then, a sequence of N message packets is received sequentially, and after their storage, the (N + 1) th message packet is received. After extracting from the headers of all the received message message signs of the connection establishment request, the signs of the ith, where i = 1,2, ... N, received message packet with the selected signs of the (N + 1) th message packet are sequentially compared. According to the comparison results, similarity coefficients K _{cx.i are calculated} and compared with a predetermined value K _cx.min . If the condition K _{cx is} fulfilled, _i ≥K _{cx. min} remember K _cx.i and the (N + 1) -th message packet and assign the value of the number of matches K _coinc = 1. When the condition K _cx.i <K _{cx. min} stores the (N + 1) th message packet and excludes the first message packet from the previously received set of N message packets. After that, the (N + 2) th, (N + 3) th, and so on message packets are sequentially received, and after receiving the next message packet, the attributes of the connection request are extracted from the headers of each of them, and they are compared with the signs of previously remembered N packets messages, the results of comparison calculate the coefficients of similarity and compare them with a predefined minimum value. When fulfilling the conditions Kskh.≥K _{cx. min} again remember K _si , the next message packet corresponding to it, and increase the value of K _coincide by one, while the above steps are repeated until condition K _coincides. ≥K _{match add.} when executed, they conclude that there is an attack. The similarity coefficient K _{cx.i is} calculated by the formula:

where N ₁₁ is the number of characteristics common to the compared message packets;

N ₀₀ - the number of characteristics that are not in the compared message packets;

N ₁₀ - the number of characteristics of the i-th message packet that are not in the compared message packet;

N ₀₁ - the number of characteristics that are not in the i-th message packet, but available in the compared message packet.

Thanks to the new set of essential features in the claimed method, it is possible to increase the reliability of the detection by the AS safety monitoring systems of an attack on the AS when recognizing a “storm” of false requests to create a connection by taking into account the rules for establishing and maintaining a communication session by increasing the number of remembered message packets and introducing similarity indicators highlighted signs of message packets and the maximum allowable number of matches, which is necessary to ensure a stable function nation of automated systems in the conditions of unauthorized influence (attacks).

The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features that are identical to all the features of the claimed technical solution are absent, which indicates compliance of the claimed device with the patentability condition “novelty”. Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed object from the prototype showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention transformations to achieve the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method is illustrated by drawings, which show:

figure 1 - block diagram of an algorithm that implements a method for monitoring the security of automated systems;

_figure 2 - scheme for storing packets and values of K _s.i when K _s.i ≥K _{cx. min} ;

figure 3 - scheme for storing packets when K _s.i <K _{s. min} ;

4 is an illustration of the calculation of similarity coefficients.

The claimed method is implemented as follows. It is known that for the tasks of monitoring the safety of nuclear power plants it is necessary to determine with high reliability the facts of attacks on nuclear power plants, such as departmental networks and public communication networks. Existing technical solutions do not allow achieving the necessary level of protection against attacks of the "storm" type of false requests for connection creation, which belong to the denial-of-service attacks and have as their goal the disruption of the communication networks and AS, since automated systems that process requests for service, have limited computing power for processing requests and a limited length of the queue of requests, and modern SPDs are characterized by high bandwidth.

The search for effective technical solutions can be carried out by determining the response thresholds (sensitivity) of the NPP safety monitoring system, which are determined by the similarity indicators of the characteristics being compared, the maximum allowable number of matches and the number of standards, and the values of the indicators can be selected depending on the required reliability of the attack detection, which is implemented in the proposed method. A block diagram of an algorithm that implements the proposed method for monitoring the security of automated systems is presented in figure 1.

Known technical solutions do not allow detecting an attack when requesting to establish a connection with several ports or when changing the address of the sender of message packets. Thus, in the known technical solutions, the reliability of determining the facts of attacks on the information resources of nuclear power plants, which is required in modern conditions, is not ensured, and, therefore, the service capabilities of nuclear power plants for servicing authorized subscribers are reduced. The claimed method provides an increase in the reliability of determining the facts of attacks on information resources of the AU and, therefore, increasing the service capabilities of the AU to service authorized subscribers by performing the following sequence of actions.

The threshold values of the indicators are preliminarily set: the minimum value of the similarity coefficient K _{cx.min of the} compared characteristics of message packets, the maximum allowable number of matches K _spp. and the number of stored packets N. Changing the values of these indicators will allow you to adjust the sensitivity of the serving device. At the beginning of the work, a collection of N packets is received and stored. Then take the (N + 1) th packet. After highlighting the attributes of the connection establishment request from the headers of the received and each remembered packet of signs, these signs are compared, and depending on the reliability requirements for detecting the fact of an attack, they can be compared both by the known signs of the connection establishment request as a whole and bit by bit.

An attempt to carry out an unauthorized impact (attack), consisting of a directed “storm” of false requests to create a connection, is characterized by the presence in the message packet of signs of the presence of IP and TCP protocols in the packet, sender and receiver addresses of the IP packet, port numbers of the sender and receiver of the packet, control bit SYN synchronization such that the values of these fields of the newly arrived (received) message packet coincide with the values of the fields in the queue for processing the message packet. As a result of the comparison, similarity coefficients K _{cx.i of the} selected features of the (N + 1) th packet with the selected features of each of the N stored packets are calculated. Each calculated similarity coefficient K _{cx.i is} compared with a predetermined value T _cx.min and its and its corresponding packet are _stored at K _cx.i ≥K _{cx. min} (figure 2), thereby training the monitoring system for the safety of speakers. For K _cx.i <K _{cx. min} stores the (N + 1) th packet and excludes the first packet from the set of previously received N packets, thereby shifting the stack of stored N packets (Fig. 3). Next, take sequentially (N + 2) -th, (N + 3) -th, etc. packets, extract the attributes of the connection establishment request from the header of each of them, compare them with the selected features of previously stored N packets, calculate the similarity coefficients of the compared features, compare each calculated similarity coefficient with a predetermined value K _{cx. min} , remember K _cx.i and the corresponding packet for K _cx.i ≥K _{cx. min} . Moreover, the above actions are repeated until the total number of matches reaches K _coinc. ≥K _{match add.} and when this condition is met, they decide on the presence of an attack consisting in a directed “storm” of requests for creating a connection. The similarity coefficient K _{cx.i is} calculated by the formula:

where N ₁₁ is the number of characteristics common to the compared message packets;

N ₀₀ - the number of characteristics that are not in the compared message packets;

N ₁₀ - the number of characteristics of the i-th message packet that are not in the compared message packet;

N ₀₁ - the number of characteristics that are not in the i-th message packet, but available in the compared message packet.

The values of N ₁₁ , N ₀₀ , N ₀₁ , N ₁₀ included in the above formula are determined by known methods based on the following. Since the initial table for automatic classification methods is a table of distances or differences, and the logical data table contains only zeros and ones expressing the presence or absence of the corresponding characteristic, it is necessary to take into account that there are also doubled logical tables, where a new column is defined for each column j∈J j showing the absence of characteristic j. This "equalizes" the presence and absence of property j. Among other things, often there is no reason to ascribe a unit to the presence of a property, rather than its absence. However, there are situations where duplication of the table is not necessary. In these situations, the observation system does not provide symmetry, so the absence of any two properties does not at all indicate a similarity. The choice of the calculation formula (1) is justified by the fact that it does not change when the logical table is doubled [see Zhambyu M. Hierarchical cluster analysis and correspondence: Per. with fr. - M.: Finance and Statistics, 1988. - 342 p. on pages 93-100].

The feasibility of implementing the formulated technical result was tested by machine simulation, calculation and comparative assessment of the reliability of attack detection by the claimed method and the prototype method. For this purpose, the number of remembered N packets was limited to nine (N = 9). The alphabet of classes takes into account the differences between message packages that are essential for the considered task of detecting a “storm” of false requests to create a connection.

Many standards consist of nine standards, one of which will also include objects that go beyond the scope of this classification (unknown types of attacks, unknown protocols, packets distorted by interference, etc.). It is necessary to calculate the coefficient of similarity of the standard (packages No. 1-9) with the implementation. The decision to classify the implementation as one or another class will be made by the value of the similarity coefficient (K _cx.min = 0.9).

Table 1 shows the signs of implementation, which is a package containing signs of an attack "storm" of false requests to create a connection, standards and examples of calculation of K _c.i implementation with each standard.

Table 1 Standards Signs Calculation results K _s.i Package No. 1: match by attribute 1, i.e. N ₁₁ = 1, N ₀₀ = 0, N ₁₀ = 4, N ₀₁ = 4. 1. A sign of the coincidence of the protocols of the network layer of the reference model for the interaction of open systems (EMVOS). For IP, the numeric value is six (06) in an Ethernet 802.3 / LLC frame.

Package No. 2: coincidence by attributes 1 and 2, i.e. N ₁₁ = 2, N ₀₀ = 0, N ₁₀ = 4, N ₀₁ = 3.

Package No. 3: coincidence on the grounds of 1, 2 and 5, i.e. N ₁₁ = 3, N ₀₀ = 0, N ₁₀ = 2, N ₀₁ = 2. 2. The sign of the coincidence of the protocols of the transport layer EMVOS. For TCP, the numeric value is six (06) in the 24th byte of the message packet.

Package No. 4: matching characteristics 1, 2 and 3,
those. N ₁₁ = 3, N ₀₀ = 0, N ₁₀ = 2, N ₀₁ = 2.

Package No. 5: matching characteristics 1, 2 and 4,
those. N ₁₁ = 3, N ₀₀ = 0, N ₁₀ = 2, N ₀₁ = 2. 3. Sign of coincidence of addresses of senders and recipients of message packets in the IP packet header: 27th - 34th bytes of message packets.

Package No. 6: coincidence by attributes 1 and 3, i.e. N ₁₁ = 2, N ₀₀ = 0, N ₁₀ = 3, N ₀₁ = 3.

Package No. 7: coincidence on the grounds of 1, 2, 3 and 4, i.e. N ₁₁ = 4, N ₀₀ = 0, N ₁₀ = 1, N ₀₁ = 1. 4. A sign of the coincidence of the port numbers of the sender and receiver of message packets: 35th - 38th bytes of message packets.

Package No. 8: coincidence on the grounds of 1, 2, 3, 4, 5, i.e. N ₁₁ = 5, N ₀₀ = 0, N ₁₀ = 0, N ₀₁ = 0.

Package No. 9: there are no matches on any of the five features, or packages that go beyond the classification, i.e.
N ₁₁ = 0, N ₀₀ = 0. 5. The sign of the presence of the control bit for synchronization of numbers in the SYN queue is one bit in the 48th byte from the beginning of the message frame.

The calculations were carried out as follows (the following are explanations for the calculation of K _s.i ; the calculation of K _{s. 2-9 is} carried out similarly). The standard "Package No. 1" coincides with the implementation only by the first sign. Therefore (figure 4), N ₁₁ = 1, because the number of characteristics common to the compared message packets is one, N ₀₀ = 0, because there are no characteristics missing in the compared message packets, N ₁₀ = 4, because the number of characteristics of package No. 1 that are absent in the implementation is four, N ₀₁ = 4, because the number of characteristics that are absent in package No. 1, but available in the implementation is four. The contents of the fields of the compared packets, which are not related to the signs of an attack, are put in the restriction in the calculation example and are not specified. The value of N ₀₀ will be nonzero if the package No. 9 is compared with an implementation that does not contain signs of attack. Figure 4 shows illustrations of the calculation of K _cx.1 and K _cx.3.

From the presented calculation results, the following conclusions follow: when preliminary setting the similarity indicators, the claimed method provides an increase in the reliability of detection of attacks by monitoring systems for NPP safety.

Thus, it can be seen from the essence of the method that the method provides the possibility of analyzing the protocols, determining the fact of using the TCP protocol, increasing the reliability of recognizing the "storm" of false requests to create a connection by taking into account the rules for establishing and maintaining a communication session by increasing the number of memorable message packets, introducing indicators of similarity of the selected features of message packages and the maximum allowable number of matches, which is necessary to ensure stable functioning I have automated systems in the face of unauthorized exposure (attacks). This achieves the stated goal - the development of a method for monitoring the safety of nuclear power plants, which provides increased reliability of determining the fact of an attack on nuclear power systems by monitoring the security of nuclear power plants when recognizing a "storm" of false requests to create a connection.

Claims (2)

1. A method for monitoring the security of automated systems, which consists in receiving message packets, storing them, extracting connection request signs from the headers of the received message packets, comparing the selected signs of the received message packet headers and deciding on the presence of an attack that differs by pre-setting the minimum acceptable value of the similarity index K _{cx.min of the} selected features of message packages, the maximum allowed number of matches _Dénia To _Sov.dop. and the number N≥1 of memorized message packets, a sequence of N message packets is received sequentially, and after remembering, they receive the (N + 1) th message packet, and after highlighting the attributes of the connection establishment request from the headers of all received message packets, the signs of the ith , where i = 1, 2, ... N, of the received message packet with highlighted features of the (N + 1) th message packet, and similarity coefficients K _cxi are calculated from the results of comparison and compared with a predetermined value K _{cx. min} and for K _cx.i ≥K _cx.min remember K _cx.i and the (N + 1) th message packet and assign the value of the number of matches K _coinc = 1, and when K _cx.i <K _cx.min remember the (N + 1) th message packet and exclude it from earlier of the received set of N message packets, the first message packet, then the (N + 2) th, (N + 3) th and so on message packets are successively received, and after receiving the next message packet, the connection establishment request attributes are extracted from the header of each of them, compare them with the features of previously memorized N message packets and compute the coefficients of similarity va and compare them with a predetermined minimum value and when K _cx.i ≥K _cx.min again remember K _cx.i , the next message packet corresponding to it and increase the value of K _coincide by one, while the above steps are repeated until condition K _coincides ≥ To _mat. , during which they conclude that there is an attack. 2. The method for monitoring the security of automated systems according to claim 1, characterized in that the similarity coefficient K _{cx.i is} calculated by the formula:

where N ₁₁ is the number of characteristics common to the compared message packets; N ₀₀ - the number of characteristics that are not in the compared message packets; N ₁₀ - the number of characteristics of the i-th message packet that are not in the compared message packet; N ₀₁ - the number of characteristics that are not in the i-th message packet, but available in the compared message packet.

Images