RU2279124C1 - Method for protecting computer networks from unsanctioned actions - Google Patents

Abstract

FIELD: electric communications engineering, possible use for engineering systems for protection from unsanctioned actions aiming to detect and block these in computer networks, in particular, data transfer networks of type "Internet", based on family of communication protocols TCP/IP.

SUBSTANCE: method for protecting computer networks from unsanctioned actions provides increased stability of functioning of computer networks under conditions of unsanctioned actions due to increased trustworthiness of detection(recognition) of unsanctioned actions by expanding characteristic space of protective system and due to controlling computing resources of computing networks, which is performed by correcting parameters of protection system and structure of computing networks.

EFFECT: increased efficiency.

12 cl, 8 dwg, 1 ex

Description

The invention relates to telecommunications and can be used in systems of protection against unauthorized influences in order to quickly detect and block them in computer networks, in particular in data transmission networks (SPD) of the Internet type, based on the TCP / IP (Transmission Control) family of communication protocols Protocol / Internet Protocol) and described in the book: Kulgin M. Technology corporate networks. Encyclopedia. - St. Petersburg: Publishing House "Peter", 1999. - 704 p.: Ill.

The claimed technical solution expands the arsenal of funds for this purpose.

A known method of protection against unauthorized influences, implemented in the patent of the Russian Federation No. 2179738, "Method of detecting remote attacks ¹ (Interpretation of the terms used is given in the Appendix) in a computer network", cl. G 06 F 12/14 stated 04.24.2000. The known method includes the following sequence of actions. Monitoring the information flow of data packets addressed to the subscriber, including continuously renewed counting of the number of packets, performed within a series of packets arriving successively one after another at intervals of no more than a given time. At the same time, the incoming data packets are checked for compliance with the given rules each time the size of the next observed series reaches a critical number of packets.

The disadvantages of this method are the narrow scope, due to its purpose mainly to protect against substitution of one of the participants in the connection, and insufficient reliability ² when other types of intentional destructive influences are detected. In the analogue, a limited set of indicative descriptions of unauthorized influences is used. At the same time, they do not take into account the presence of a large number of types of unauthorized influences, which creates the conditions for missing the latter and, as a result, for destructive influences on computer networks (AC), which, in turn, leads to a decrease in their stability ³ .

There is also a method that allows for changing the state of the object of protection to detect unauthorized influences, according to the patent of the Russian Federation No. 2134897, class. G 06 F 17/40, “Method for operational dynamic analysis of the states of a multi-parameter object”, decl. 08/20/1999. In the known method, the results of the tolerance assessment of heterogeneous dynamic parameters are converted into corresponding information signals with a generalization over the entire set of parameters in a given time interval and the relative magnitude and nature of the change in the integral state of the multiparameter object is determined.

The disadvantage of this method is the narrow scope, due to the fact that despite the possibility of operational diagnostics of the technical and functional states of a multi-parameter object, it uses a limited set of attribute space, which creates the conditions for skipping unauthorized influences and the destructive effect of remote attacks (see Medvedovsky I. D. et al. Attack on the Internet. - M .: DMK, 1999. - 336 pp., Ill.) And, as a result, reduces the stability of the aircraft.

Closest in its technical essence to the claimed is a method of protection against unauthorized influences, implemented in the device according to the patent of the Russian Federation No. 22199577, "Information Search Device", cl. G 06 F 17/40, claimed 04.24.2002. The prototype method consists in taking the i-th packet from the communication channel, where i = 1, 2, 3, ..., and remember it. Receive the (i + 1) th packet, remember it. Identification signs are extracted from the header of the i-th and (i + 1) -th packets, they are analyzed for consistency and, based on the results of the analysis, they decide on the presence of unauthorized exposure.

Compared with analogs, the prototype method can be used in a wider area, when not only the type of protocol is determined, the state of the controlled object is analyzed, but the rules for establishing and maintaining a communication session are taken into account, which is necessary to increase the reliability of determining the fact of remote unauthorized actions on aircraft, manifested in the appearance of unauthorized connections.

The disadvantage of the prototype is the relatively low stability of the aircraft in conditions of unauthorized influences, due to the fact that by comparing two message packets - the next and the previous one, only one type of unauthorized influences (attacks) is recognized - “storm ⁴ ” of false requests for establishing a connection, while unauthorized influences other types with high destructive capabilities are not recognized.

The purpose of the claimed technical solution is to develop a method for protecting computer networks from unauthorized influences, providing increased stability of the aircraft functioning under unauthorized influences by increasing the reliability of detection (recognition) of unauthorized influences by expanding the attribute space of the protection system and by managing the computing resources of the aircraft, which is carried out by correction of the protection system parameters and aircraft structure. Achieving the stated goal is necessary for the timely provision of service capabilities to authorized subscribers, as well as to ensure integrity ⁵ , accessibility ⁶ and confidentiality ^{7 of the} processed information.

This goal is achieved by the fact that in the known method of protecting aircraft from unauthorized influences, which consists in receiving message packets with numbers k = 1, 2, 3 ... sequentially from the communication channel, identifying it from the header of each received message packet , analyze them and, based on the results of the analysis, make a decision on the presence or absence of unauthorized exposure, pre-set an array of N≥1 reference identifiers of authorized compounds and remember them. Arrays for storing Q≥1 irrelevant identifiers of authorized connections, P≥1 identifiers of unauthorized connections and X≥1 temporarily blocked identifiers, as well as M≥1 names of authorized processes are defined. In addition, the maximum permissible number K _{max of} occurrences of any of the received unauthorized connections is set, the initial level Z _{OP of} the relevance coefficient for all reference identifiers is set, the initial number K _{i of} occurrences of the i-th unauthorized connection is set to zero, where i = 1, 2, 3 ... P. In addition, the initial values of the number of identifiers Q, P, and X are set to zero. After receiving the next k-th message packet and extracting identification signs from its header, which are taken as the connection identifier, it is analyzed, for which the highlighted identifier of the received message packet is compared with reference identifiers of authorized connections. If the j-th coincides, where j = 1, 2, 3 ..., the number of the reference identifier, which coincides with the identifier selected from the received message packet, corrects the relevance coefficients of the reference identifiers, and also adjusts the arrays of the reference and irrelevant identifiers in accordance with the coefficients relevance of reference identifiers. They accept the next packet of messages and repeat the actions in comparison with its identifier with the reference ones. If there is no coincidence of the identifier of the received message packet with the reference ones, the relevance coefficients of the reference identifiers are adjusted, and the arrays of reference and irrelevant identifiers are adjusted in accordance with the relevance coefficients of the reference identifiers. Additionally, the identifier of the received message packet is compared with the identifiers recorded in the array of irrelevant identifiers. Then, in case of coincidence, they supplement the array of reference identifiers, receive the next packet of messages and repeat the steps in comparison with its identifier with reference and irrelevant identifiers. If there is no match, the identifier of the received message packet is additionally compared with the previously stored identifier of the i-th unauthorized connection, and if they coincide, K _{i is} increased by one. If there is no match, the arrays of reference and temporarily blocked identifiers are corrected, after which the array of unauthorized identifiers is adjusted. Receive the next batch of messages and repeat the above steps until the condition K _i = K _max . When it is executed, the address of the initiator of the i-th unauthorized connection is compared with the addresses of the initiators of the connections contained in the reference and irrelevant identifiers. If they coincide, they identify the process M _i that initiated the unauthorized connection, and if the name of the process M _i coincides with the previously stored names of the authorized processes M, they supplement the array of reference identifiers. If there is no coincidence of the name of the process and if there is no coincidence of the initiator's address with the addresses of the initiators contained in the reference and irrelevant identifiers, they decide on the presence of unauthorized influence. After that, the source of the unauthorized connection is blocked and its identifier is deleted, arrays of reference and temporarily blocked identifiers are corrected. Then they take the next packet of messages and repeat the cycle of comparisons and decision making.

As the connection identifier, identification signs of the connection are taken, which contain the addresses and port numbers of the sender and receiver of the packets.

To correct the relevance coefficients of the reference identifiers, if the identifier of the received message packet matches one of the reference coefficients, the relevance coefficients of all the reference identifiers, except for the coincident Z _j , are reduced by one.

For correction of arrays of reference and irrelevant identifiers, additional reference identifiers, the relevance coefficient of which Z _j = 0, are stored in an array of irrelevant identifiers. The reference identifiers are deleted, the relevance coefficient of which is zero from the array of reference identifiers, and the number of non-relevant identifiers Q is increased by the number of reference identifiers moved to the array of non-relevant identifiers.

To correct the relevance coefficients of the reference identifiers in the absence of a match of the identifier of the received message packet with the reference ones, the relevance coefficients of all the reference identifiers are reduced by one.

To supplement the array of reference identifiers, the identifier that matches the identifier of the received message package is removed from the array of irrelevant identifiers, stored in an array of reference identifiers, the relevance coefficient Z _j = Z _{OP is} set for it, and the number of irrelevant identifiers Q is reduced by one.

To correct arrays of reference and temporarily blocked identifiers, the number of identifiers of unauthorized connections P is increased by one and compared with the total number of temporarily blocked and irrelevant identifiers Q and X. When the condition P> (Q + X) is fulfilled, one reference identifier with the lowest coefficient of relevance, remember it in an array of temporarily blocked identifiers and the number of temporarily blocked identifiers X increase by e dynice.

To correct an array of unauthorized identifiers, the identifier of the received message packet is stored in an array of unauthorized identifiers, assigned to it the next (i + 1) th identification number and the number of its occurrences K _{i + 1 is} increased by one.

To identify the process M _i form a package with a request to the initiator of the i-th unauthorized connection to provide the name of the process M _i initiating an unauthorized connection. The packet with the request is transmitted, the initiator of the i-th unauthorized connection receives the packet with the request to provide the name of the process M _i and form a packet with a response containing the name of the process M _i . Transfer it and compare the name of the process M _i with previously stored names of authorized processes M.

To complement the array of reference identifiers in the case of coincidence here M _i process names authorized processes additionally stored in the array reference identifiers new reference identifier, and its relevance coefficient is assigned the initial value Z _OP.

To correct arrays of reference and temporarily blocked identifiers after blocking the initiator of an unauthorized connection, the number of unauthorized connections P is reduced by one, after which, when condition X> 0 is fulfilled, one blocked identifier with the highest relevance coefficient is deleted from the array of temporarily blocked identifiers, and it is stored in the array of reference identifiers and the number of temporarily blocked identifiers X is reduced by one.

Improving the stability of the functioning of the aircraft in the conditions of unauthorized influences in the claimed method is ensured by a new set of essential features by increasing the reliability of detection (recognition) of unauthorized influences by expanding the attribute space of the protection system and by managing the computing resources of the aircraft, which is carried out by adjusting the parameters of the protection system and structure Sun, which is necessary for the timely provision of service capabilities with nktsionirovannym subscribers as well as to ensure the integrity, availability and confidentiality of information being processed, as sun nodes have vulnerabilities ⁸ software undergo intentional destructive effects remote computer attacks, features whose presence is unauthorized connections and high bandwidth modern SAP significantly expands destructive capabilities remote attacks. In addition, unauthorized connections may indicate malicious software and a violation of security policy by ⁹ authorized users. In the worst case, not only will the work of authorized subscribers be disrupted, but the capabilities of the protection system to correct the parameters of the system and aircraft structure will be limited due to a sharp increase in the consumption of computing resources due to unauthorized influences and due to the response of the protection system to unauthorized influences. In this regard, it is necessary to timely release the computing resource by temporarily suspending some non-critical authorized applications.

The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features identical to all the features of the claimed technical solution are absent, which indicates the compliance of the claimed device with the patentability condition of "novelty". Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed object from the prototype showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention, the transformations on the achievement of the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method is illustrated by drawings, which show:

figure 1 - the hierarchy of protocols of the TCP / IP family;

figure 2 - the relationship of the security indicators of the aircraft from unauthorized influences;

figure 3 - the structure of the headers of the IP and TCP message packets;

figure 4 - block diagram of an algorithm that implements the claimed method of protecting computer networks from unauthorized influences;

5 is a user interface of a software layout of the aircraft protection system against unauthorized influences;

6 is a histogram explaining the change in the relevance coefficients of authorized compounds.

It is known that in order to ensure the information security of the aircraft, it is necessary to determine with high reliability the facts of unauthorized influences and to respond in a timely manner to their occurrence. The destructive capabilities of remote attacks and malware are related to the fact that most of them are directly aimed at the weaknesses of security tools, vulnerabilities in operating systems and system applications (see, for example, Koneev I.R., Belyaev A.V. Information security of an enterprise. - SPb .: BHV-Petersburg, 2003. - 752 p.: Ill. P. 115-123), which constitute the material basis of the aircraft nodes. Computing resources are spent to perform the aircraft’s target functions and the protection system, and the appearance of unauthorized influences may, in the worst case, cause, along with a decrease in the data throughput, a lack of computing resources. This is due to the need to respond to the emergence of unauthorized connections, with limited processing power of the security system and a limited queue of service requests. This leads to the conclusion about the low stability of the aircraft in the event of unauthorized influences, a sign of which is the appearance of unauthorized connections. It is guaranteed to solve the problem of timely provision of computing resources by temporarily blocking some target functions of the aircraft. The target functions of the aircraft are processing service requests from authorized subscribers and performing settlement tasks. Existing technical solutions do not allow to achieve these goals in automatic mode and require the intervention of staff.

The mechanism used to create connections for organizing the exchange of messages between aircraft nodes due to its flexibility and versatility allows distributed computing and client-server applications. The process of protection against unauthorized influences of the armed forces solving such problems is difficult to formalize and requires the development of new technical solutions. One of the most important reasons for formalization difficulties is the large number of protocols implemented in the TCP / IP family. The hierarchy of the TCP / IP protocol family is shown in FIG.

The search for effective technical solutions to increase the stability of the functioning of the aircraft in conditions of unauthorized influences can be carried out, as shown in figure 2, by increasing the efficiency of the protection system, which can be achieved by increasing the reliability of detection (recognition) of unauthorized influences by expanding the attribute space of the protection system and due to the control of computing resources of the aircraft, which is carried out by adjusting the parameters of the protection system and structure Sun's. The value of the effectiveness indicators of the protection system is selected depending on the required reliability and timeliness of detection of unauthorized connections and taking into account the throughput of the SPD, as well as depending on the susceptibility to changes in the relations of objects and access subjects of the protected aircraft. The criterion for the need for a decision to manage computing resources is the value of the ratio of the number of registered unauthorized connections to the total number of temporarily blocked and irrelevant connections.

The claimed method is implemented as follows. The structure of message packets is known (see, for example, Kulgin M. Technologies for corporate networks. Encyclopedia. - St. Petersburg: Piter Publishing House, 1999. - 704 pp., Ill.), As well as the principle of transferring packets to the sun, which gives the ability to analyze the identification of participants in the connection and the formation of reference identifiers. For example, FIG. 3 shows the header structures of IP and TCP message packets. Fields of connection identifiers are identified in bold for identifying the network addresses of the sender and receiver of message packets, as well as their ports.

Figure 4 presents a block diagram of an algorithm that implements the claimed method of protecting computer networks from unauthorized influences, in which the following notation:

Z _op - the initial level of the coefficient of relevance of all reference identifiers

ID _pr - identifier of the received message packet

ID _op - reference identifier of the authorized connection

{ID _op } - set of reference identifiers of authorized connections

Z _j - the relevance coefficient of the j-th reference identifier of the authorized connection

Id _id - outdated authorized connection identifier

{Id _id } - a collection of irrelevant identifiers of authorized connections

_Ns id - unauthorized connection identifier

ID _bl - identifier of a temporarily blocked authorized connection

{ID _bl } - set of identifiers of temporarily blocked authorized connections

{ _Ns id} - collection of stored identifiers of unauthorized connections

IP _pr - unauthorized connection initiator address (address of the received message packet)

{IP _op } - the set of addresses of the initiators of the connections in the list of reference identifiers

{IP _inact } - the set of addresses of the initiators of the connections in the list of reference identifiers

M _pr - the name of the process that initiated the unauthorized connection

{M _op } - many names of authorized processes

Pre-set (see block 1 in figure 4) an array of N≥1 reference identifiers of authorized connections, which are taken as identification signs of connections containing addresses and port numbers of the sender and receiver of packets, and remember them. Arrays for storing Q≥1 irrelevant identifiers of authorized connections, P≥1 identifiers of unauthorized connections and X≥1 temporarily blocked identifiers are defined, and M≥1 names of authorized processes are specified. In addition, set the maximum allowable number K _max occurrences of any of the received unauthorized connections and establish the initial level Z _OP relevance coefficient for all reference identifiers. The initial number K _{i of} occurrences of the i-th unauthorized connection is set to zero, where i = 1, 2, 3 ... P. In addition, initial values of the number of identifiers Q, P and X are set to zero.

From the communication channel, the k-th message packet is received (see block 2 in FIG. 4), where k = 1, 2, 3 ..., and identification signs (see block 3 in FIG. 4) are identified from the header of the received packet which are considered the connection identifier. Then compare (see block 4 in figure 4) the selected identifier with the reference for the subject of coincidence. A match in this check means that the received message packet refers to an authorized connection. Next, the relevance coefficients of the reference identifiers are adjusted, for which they reduce (see block 5 in FIG. 4) the relevance coefficients belonging to all the reference identifiers except those that coincide with the one selected from the received message packet. Under the relevance coefficients of reference identifiers, we understand an indicator characterizing the relative frequency of occurrence of a message packet with identification signs that coincide with the reference identifier in the communication channel. The use of this indicator is due to the need to reduce the time spent on the analysis of each message package. Then, the arrays of reference and irrelevant identifiers are adjusted (see block 7 in Fig. 4) in accordance with the relevance coefficients of the reference identifiers, for which additional reference identifiers, the relevance coefficient of which Z _j is equal to zero, are stored in an array of irrelevant identifiers. The reference identifiers, the relevance coefficient of which Z _j is equal to zero, are deleted from the array of reference identifiers. The number of irrelevant identifiers Q is increased by the number of reference identifiers moved to the array of irrelevant identifiers. After that, they take (see block 8 in figure 4) another message packet and repeat the action in comparison with its identifier with the reference ones.

In the absence of coincidence of the identifier of the received message packet with previously stored reference identifiers, the relevance coefficients of the reference identifiers are adjusted, for which the relevance coefficients of all the reference identifiers are reduced by one (see block 9 in FIG. 4). The arrays of reference and irrelevant identifiers are adjusted (see block 11 in Fig. 4) in accordance with the relevance coefficients of the reference identifiers, for which additional reference identifiers, the relevance coefficient of which Z _j is zero, are stored in an array of irrelevant identifiers. Delete reference identifiers whose relevance coefficient Z _j is zero from the array of reference identifiers. The number of irrelevant identifiers Q is increased by the number of reference identifiers moved to the array of irrelevant identifiers.

Then, the identifier of the received message packet with the identifiers recorded in the array of irrelevant identifiers is further compared (see block 12 in FIG. 4).

In case of coincidence, the array of reference identifiers is supplemented (see block 13 in FIG. 4), for which the identifier coinciding with the identifier of the received message packet is removed from the array of irrelevant identifiers, stored in an array of reference identifiers, and set (see block 14 in FIG. .4) for it, the relevance coefficient Z _j equal to Z _OP . The number of irrelevant identifiers Q is reduced by one. After that, they receive (see block 8 in Fig. 4) another message packet and repeat the steps in comparison with its identifier with reference and irrelevant identifiers.

If there is no match (see block 16 in FIG. 4), the identifier of the received message packet is further compared with the previously stored identifier of the i-th unauthorized connection. When they coincide (see block 23 in figure 4), the number of its occurrences K _{i is} increased by one. If there is no match (see block 17 in Fig. 4), the arrays of reference and temporarily blocked identifiers are adjusted, for which the number of identifiers of unauthorized connections P is increased by one and compared (see block 18 in Fig. 4) with the total number of temporarily blocked and irrelevant identifiers Q and X. The result of this comparison is the criterion for the need for a decision on the management of computing resources, which is the value of the ratio of the number of registered unauthorized connections tendency to the total number of temporarily blocked and irrelevant connections. When the condition P> (Q + X) is fulfilled, one reference identifier with the lowest coefficient of relevance is removed from the array of reference identifiers and stored in an array of temporarily blocked identifiers (see block 19 in figure 4). The number of temporarily blocked identifiers X is increased by one. Then, the array of unauthorized identifiers is corrected (see block 21 in Fig. 4), for which the identifier of the received message packet is stored in an array of unauthorized identifiers, assigned to it the next (i + 1) th identification number and the number of its occurrences K _{i + 1 is} increased by unit.

Next, they take the next message packet and repeat the above steps until the condition K _i = K _max (see block 24 in Fig. 4) is fulfilled and, when it is executed, the initiator address is compared (see block 25 in Fig. 4) ith unauthorized connection with the addresses of the initiators of the connections contained in the reference and irrelevant identifiers.

If there is a match, the process M _i that initiated the unauthorized connection is identified. This is due to the fact that in case of detection of an unauthorized IP, an additional check is required, because when an active connection is established in the TCP / IP protocol family, any port from the range 0 ... 65535 can be selected (see, for example, Zolotov S. Internet Protocols. - SPb .: BHV - St. Petersburg, 1998. - 304 p. , ill.), therefore, it is necessary to determine whether the process that initiated the connection is authorized. To do this, form a packet with a request to the subscriber with the address indicated in the identifier of the i-th unauthorized connection, to provide the name of the process M _i that initiated the unauthorized connection, transmit (see block 26 in figure 4) a request packet, receive the i-th initiator an unauthorized connection, a packet with a request to provide the name of the process M _i and form a packet with a response containing the name of the process M _i , transmit (see block 27 in figure 4) it and compare (see block 28 in figure 4) the name of the process M _i with pre preliminarily stored names authorized processes M. In the presence of said M _i here composed of predetermined authorized processes M complement (see. the block 29 in Figure 4) supporting an array of identifiers, for which further reference is stored in the array of identifiers new reference identifier, and its coefficient relevance assign the initial value of Z _OP .

If there is no coincidence of the name of the process and if there is no coincidence of the initiator address with the addresses of the initiators contained in the reference and irrelevant identifiers, they decide on the presence of unauthorized interference, and then block the source of the unauthorized connection (see block 31 in Fig. 4), for which they block either the process M _i that initiated the unauthorized connection, or the subscriber with the address specified in the identifier of this unauthorized connection, and delete its identifier. Arrays of reference and temporarily blocked identifiers are corrected, for which the number of unauthorized connections P is reduced by one, after which, when condition X> 0 is fulfilled, one blocked identifier with the highest relevance coefficient is deleted from the array of temporarily blocked identifiers and stored (see block 35 in Fig. 4 ) it into an array of reference identifiers. The number of temporarily blocked identifiers X is reduced by one.

After that, they take the next packet of messages and repeat the cycle of comparisons and decision making.

The feasibility of implementing the formulated technical result was tested by creating a mock-up of a software package and conducting a full-scale experiment. Figure 5, a, b presents the user interface of the software layout of the aircraft protection system from unauthorized influences. Figure 5, a shows the authorized connections detected by the protection system, their identifiers and current relevance factors, the connection establishment time, and the names of the processes that initiated them (for example, row 820 shows the connection established at the time indicated in the "time" column ”, With the identifier indicated in the“ sender ”and“ recipient ”columns, the relevance coefficient indicated in the“ coefficient ... ”column, and the name of the process that initiated it, indicated in the“ process ”column). Figure 5, b shows a list of unauthorized connections blocked by the security system, their identifiers and the time of detection, as well as the names of the processes that initiated them (for example, row 4 shows the connection detected at the time indicated in the "time" column with the identifier indicated in the “sender” and “receiver” columns, the relevance coefficient indicated in the “coefficient ...” column, and the name of the process that initiated it, indicated in the “process” column).

During the experiment, the following types of compounds were identified:

- Authorized connections. Identifiers of such connections are contained in an array of reference identifiers, and can also be (can be transferred) in arrays of irrelevant and temporarily blocked identifiers.

- Connections, the sources of which are authorized subscribers, but the identifiers of these connections do not coincide with the reference ones and are stored in an array of unauthorized identifiers. Such connections can, after determining the name of the process that initiated them, be blocked, or their identifiers will be additionally added to the array of reference identifiers.

- Connections originating from unauthorized subscribers and their identifiers are stored in an array of unauthorized identifiers. Such connections are unauthorized and must be blocked.

At the beginning of the layout of the software package, all authorized connections had reference identifiers with a relevance coefficient equal to Z _OP = 500, as can be seen in Fig.6 (time t1). During the operation of the protection system, the relevance coefficients of identifiers of authorized compounds were subject to correction (time instants t2, t3, t4). Among the authorized compounds represented, compounds are displayed whose relevance coefficients for identifiers have decreased to zero (compounds 6, 11). The identifiers of such compounds have been removed from the list of reference identifiers. During the operation of the protection system, new authorized compounds were identified (connections 13, 14, 15), the identifiers of which were additionally included in the list of reference ones, and their reference coefficients were assigned a reference value Z _OP .

From the presented results, the following conclusions follow: when increasing the reliability of detection (recognition) of unauthorized influences by expanding the attribute space of the protection system and when managing the computing resources of the aircraft, which is carried out by adjusting the parameters of the protection system and structure of the aircraft, the claimed method provides increased stability of the aircraft under unauthorized actions.

Additional positive properties of the claimed method are: the possibility of combining subscribers into groups by pre-setting the reference identifiers of authorized connections and ensuring, thus, segmentation of aircraft into security zones; the ability to automatically block authorized subscribers and groups of subscribers that violate the security policy; the possibility of detecting unauthorized influences not only at the stage of the attack, but also, which is very important (see, for example, A. Lukatsky, Detection of attacks. - St. Petersburg: BHV - Petersburg, 2001. - 624 pp., ill. on page .51), at the stage of collecting information about the aircraft by the intruder, as this results in unauthorized connections; increase in the speed of the protection system in comparison with other known systems based on the signature method of detecting unauthorized influences by controlling the legitimacy of connections instead of matching each message packet with a database of signatures of known attacks; increasing the speed of the protection system by automatically removing from the list of reference identifiers of authorized connections of outdated (irrelevant) identifiers, and, therefore, reducing the analysis time of each received message packet.

application

List of Terms Used

¹ Attack - the practical implementation of a threat or an attempt to implement it using one or another vulnerability [Koneev I.R., Belyaev A.V. Information security of the enterprise. - SPb .: BHV - Petersburg, 2003 .-- 752 p.: Ill. on page 30].

² Reliability - the degree of objective correspondence of the results of diagnosis (control) to the actual technical condition of the object [Kuznetsov V.E., Likhachev AM, Parashchuk IB, Prisyazhnyuk S.P. Telecommunications. Explanatory dictionary of basic terms and abbreviations. Edited by A.M. Likhachev, S.P. Prisyazhnyuk. St. Petersburg: Publishing House of the Ministry of Defense of the Russian Federation, 2001.].

³ Stability (telecommunication systems (networks)) - the ability of a telecommunication system (network) to perform the required functions both under normal operating conditions and under conditions created by external destabilizing factors. [The main provisions of the development of the Interconnected communication network of the Russian Federation for the future until 2005. Guidance document. Help application 2. Dictionary of basic terms and definitions. - M.: NTUOT Ministry of Communications of Russia, 1996].

⁴ Storm - transfer to the object of attack as many false TCP-requests as possible to create a connection on behalf of any host [Medvedovsky I.D. and others. Attack on the Internet. - M.: DMK, 1999 .-- 336 p .: ill. on p. 121].

⁵ Integrity - a property of information during its processing by technical means, ensuring the prevention of its unauthorized modification or unauthorized destruction [Terminology in the field of information protection. Directory. Moscow, 1993. VNIIstandard].

⁶ Accessibility - a property of information when it is processed by technical means, providing unhindered access to it for authorized operations on familiarization, documentation, modification and destruction [Terminology in the field of information protection. Directory. Moscow, 1993. VNIIstandard].

⁷ Confidentiality - a property of information when it is processed by technical means, ensuring the prevention of unauthorized acquaintance with it or unauthorized documentation (making copies) [Terminology in the field of information protection. Directory. Moscow, 1993. VNIIstandard].

⁸ Vulnerability - a kind of weakness that can be used to violate the system or the information contained in it [Information security and information protection. Collection of terms and definitions. State Technical Commission of Russia, 2001].

⁹ Security policy - a set of formal (officially approved or traditionally established) rules that govern the functioning of the information security mechanism [Koneev I.R., Belyaev A.V. Information security of the enterprise. - SPb .: BHV - Petersburg, 2003 .-- 752 p.: Ill. on page 30].

Claims (12)

1. A method of protecting computer networks from unauthorized influences, which consists in receiving message packets with numbers k = 1, 2, 3 ... sequentially from the communication channel, identifying its identifying signs from the header of each received message packet, and analyzing them according to the analysis results make a decision on the presence or absence of unauthorized exposure, characterized in that they pre-set an array of N≥1 reference identifiers of authorized compounds and store them, set arrays for storage I Q≥1 of irrelevant identifiers of authorized connections, P≥1 identifiers of unauthorized connections and X≥1 temporarily blocked identifiers, as well as M≥1 names of authorized processes, in addition, set the maximum number K _{max of} occurrences of any of the accepted unauthorized connections, establish the initial level of relevance coefficient Z _OD for all reference identifiers set initial amount of K _i of occurrences 1st unauthorized equal compound zero, where i = 1, 2, 3 ... P and, in addition, set the initial values of the number of identifiers Q, P and X to zero, and after receiving the next k-th message packet and identifying identification signs from its header, the quality of which is taken by the connection identifier, it is analyzed, for which the highlighted identifier of the received message packet is compared with the reference identifiers of authorized connections and in case of coincidence of the jth, where j = 1, 2, 3 ..., the number of the reference identifier that matches the one selected from accepted soo package identifiers, adjust the relevance coefficients of the reference identifiers, adjust the arrays of reference and irrelevant identifiers in accordance with the relevance coefficients of the reference identifiers, take the next message packet and repeat the steps in comparison with its identifier and the reference ones, and if there is no coincidence of the identifier of the received message packet with the reference ones, correct the coefficients relevance of reference identifiers, adjust arrays of reference and irrelevant identifiers in in accordance with the relevance coefficients of the reference identifiers, they additionally compare the identifier of the received message packet with the identifiers recorded in the array of irrelevant identifiers, after which, in case of coincidence, supplement the array of reference identifiers, take the next message packet and repeat the steps in comparison with its identifier with the reference and irrelevant identifiers, and if there is no match, they additionally compare the identifier of the received message packet with the previously stored identifier of the i-th unauthorized connection, and if they coincide, K _{i is} increased by one, and if there is no match, the arrays of reference and temporarily blocked identifiers are corrected, after which the array of unauthorized identifiers is adjusted, the next message packet is received and the above actions are repeated until the condition K _i = K _max will not be fulfilled, and when it is fulfilled, the address of the initiator of the i-th unauthorized connection is compared with the addresses of the initiators of the connections contained in the set of reference and irrelevant identifiers, and if they coincide, they identify the process M _i that initiated an unauthorized connection, and if the name of the process M _i coincides with the previously stored names of authorized processes M, they supplement the array of reference identifiers, and if there is no coincidence of the name of the process and if there is no address initiator with the addresses of the initiators contained in the reference and irrelevant identifiers, decide on the presence of unauthorized Actions, after which they block the source of the unauthorized connection and delete its identifier, correct the arrays of reference and temporarily blocked identifiers, after which they receive the next message package and repeat the cycle of comparisons and decision making. 2. The method according to claim 1, characterized in that as the connection identifier take the identification signs of the connection, which contain the addresses and port numbers of the sender and receiver of the packets. 3. The method according to claim 1, characterized in that for the correction of the relevance coefficients of the reference identifiers in the presence of a match of the identifier of the received message packet with one of the reference relevance coefficients of all the reference identifiers, except for the coincident Z _j , is reduced by one. 4. The method according to claim 1, characterized in that for the correction of arrays of reference and irrelevant identifiers, additional reference identifiers, the relevance coefficient of which Z _j = 0, are stored in the array of irrelevant identifiers, the reference identifiers, the relevance coefficient of which is zero, are removed from the array of reference identifiers and the number of irrelevant identifiers Q are increased by the number of reference identifiers moved to the array of irrelevant identifiers. 5. The method according to claim 1, characterized in that for the correction of the relevance coefficients of the reference identifiers in the absence of a match of the identifier of the received message packet with the reference factors, the relevance coefficients of all the reference identifiers are reduced by one. 6. The method according to claim 1, characterized in that to supplement the array of reference identifiers, the identifier that matches the identifier of the received message package is removed from the array of irrelevant identifiers, stored in an array of reference identifiers, the relevance coefficient Z _j = Z _{OP is} set for it, and the number of irrelevant identifiers Q is reduced by one. 7. The method according to claim 1, characterized in that for the correction of arrays of reference and temporarily blocked identifiers, the number of identifiers of unauthorized connections P is increased by one and compared with the total number of temporarily blocked and irrelevant identifiers Q and X, and when the condition P> ( Q + X) remove one reference identifier with the lowest coefficient of relevance from the array of reference identifiers, store it in an array of temporarily blocked identifiers, and the number is temporarily blocked x identifiers increase by one. 8. The method according to claim 1, characterized in that for correcting the array of unauthorized identifiers, the identifier of the received message packet is stored in the array of unauthorized identifiers, it is assigned another (i + 1) th identification number and the number of its occurrences K _{i + 1 is} increased by one . 9. The method according to claim 1, characterized in that to identify the process M _i form a packet with a request to the initiator of the i-th unauthorized connection to provide the name of the process M _i initiating an unauthorized connection, transmit a packet with the request, receive the initiator of the i-th unauthorized connection package, requesting process here M _i and generating a response packet containing name M _i process it and transmit the process name is compared with the pre-M _i stored here and authorized processes M. 10. The method according to claim 1, characterized in that to supplement the array of reference identifiers in case of coincidence of the name of the process M with the names of authorized processes, a new reference identifier is additionally stored in the array of reference identifiers, and its initial coefficient Z is assigned the initial value Z _OP . 11. The method according to claim 1, characterized in that to block the source of an unauthorized connection, either the process M that initiated the unauthorized connection is blocked, or the subscriber with the source address specified in the identifier of this unauthorized connection. 12. The method according to claim 1, characterized in that for correcting arrays of reference and temporarily blocked identifiers after blocking the initiator of an unauthorized connection, the number of unauthorized connections P is reduced by one, after which, when condition X> 0 is fulfilled, one blocked identifier with the highest relevance coefficient is removed from an array of temporarily blocked identifiers, store it in an array of reference identifiers, and the number of temporarily blocked identifiers X is reduced by e dynice.

Images