RU2331158C1 - Method of evasive routing in communication networks (variants) - Google Patents

Abstract

FIELD: physics; communication.

SUBSTANCE: invention relates to the field of info-communication and can be used in the creation of new, and also perfecting the existing communication. The technical result is increase in communication security due to the selection of the safest route. The specified technical result is achieved by the following sequence of actions: information is preliminarily assigned about the structure of the communication network, initial data about the nodes and subscribers of the network, and calculates complex indexes of security in the network nodes. A vertex matrix of the network graph and the total possible link paths between the network subscribers in a tree-type graph are formed. Using the obtained results, a selection of the safest routes in the communication network from the total of all possible link paths between subscribers and bringing secure routes to the subscribers of the network are made.

EFFECT: increasing communication security.

15 cl, 11 dwg

Description

The invention relates to the field of infocommunications and can be used to create new ones, as well as improve existing communication networks (SS).

There is a method of selecting a route in accordance with the conditions of employment of network resources, implemented in the "Method and system for promoting traffic flows with guaranteed quality of service (QoS) in a network operating with IP protocol" according to RF patent No. 2271614, IPC H06L 12/38, publ. 03/10/2006

The method consists in the fact that the choice of the route for delivering packets in communication networks is performed by the resource managers of the delivery network at the control level of the transmission channel, similarly to the functions for services that require guaranteed quality of QoS service. To pass traffic flows according to the path designated by the resource manager in the delivery network, the border routers are monitored in accordance with the busy conditions of network resources. At the same time, the paths of the flows are assigned using the technology of a multi-level label stack.

The disadvantage of this method is the lack of adaptation to changes in the structure of the communication network, as well as the incomplete use of the qualities and conditions of network resources to choose the path of flows.

There is also a method of providing adjustment of routes to network subscribers, implemented in the "Method of adjusting routes in the data network" according to the patent of the Russian Federation No. 2120190, IPC H04L 12/28, publ. 10/10/1998

The method consists in the fact that the search for routes for delivering messages to the subscriber is carried out at the network address of the switching node of its current binding. The choice of routes to the subscriber is carried out on the switching nodes by the service corrective message containing the network addresses of the subscriber, the switching node and the code of the sign of adjustment "record", "erase".

The disadvantage of this method is the lack of adaptation to changes in the structure of the communication network. This is because the adjustment is decentralized and does not cover the entire communication network, but its individual local sections. Lack of parameters for choosing routes to the subscriber, which leads to poor quality selection.

Closest in its technical essence to the claimed one is “The way to select the appropriate route used in the router for uniform distribution in the switching network” according to the application for the invention of the Russian Federation No. 2004111798, IPC H04L 1/00, publ. 05/10/2005

The prototype method consists in pre-setting the initial data containing the quality criteria of the routes. The information about the structure of the communication network, including the addresses of the network nodes and the presence of communication between them, is stored in the router. Form a set of possible communication routes. After receiving the message for the target network address, one route is selected in accordance with the predefined criteria for the quality of routes and messages are sent along the selected route.

The known prototype method eliminates the disadvantages of analogues related to reducing the quality of route selection, due to the introduction of criteria for the quality of routes.

However, the disadvantage of this prototype method is the relatively low stealth of communication when using the selected route of information exchange of subscribers in the communication network. The presence of transit network nodes with a low level of security creates the prerequisites for interception by cybercriminals of the information exchange of network subscribers.

The purpose of the claimed technical solutions is to develop a method (options) for choosing a safe route in the communication network, which provides increased communication secrecy by managing the routes of information exchange of subscribers in the communication network and choosing the most secure route. * Safe route - a sequence of transit network nodes, during transmission through which, the message is not subject to information security threats.

как среднее арифметическое комплексных показателей безопасности

узлов сети, входящих в n-й маршрут связи. В качестве безопасного маршрута связи

выбирают маршрут с наибольшим значением его среднего показателя безопасности

. При этом в случае нахождения нескольких маршрутов с равными средними показателями безопасности выбирают из них маршрут с наименьшим количеством входящих в него узлов z_n. После этого выбранный безопасный маршрут запоминают и формируют сообщения, включающие запомненные маршруты

между i-м и всеми j-ми абонентами, идентификаторы ID_aj и адреса IP_aj всех j-х абонентов. Отправляют сформированные сообщения всем i-м абонентам сети. А для передачи сообщений между абонентами по идентификатору абонента-получателя сообщения ID_a выбирают его адрес IP_a и безопасный маршрут

и передают сообщение, включающее информацию об используемом маршруте. При подключении нового абонента к сети связи формируют сообщение, содержащее адрес узла сети IP_УС подключения нового абонента, его идентификатор ID_ан и адрес IP_ан. После этого отправляют сформированное сообщение на сервер безопасности, где его запоминают в структурном и идентификационном массивах. Затем в сервере безопасности выбирают безопасные маршруты связи между новым абонентом и всеми j-ми абонентами и запоминают их, после чего формируют сообщения, включающие информацию о запомненных безопасных маршрутах связи, и отправляют их всем абонентам сети.In the first variant of the method, the goal is achieved by the fact that in the known method of selecting a safe route in the communication network, which consists in the fact that for a communication network containing X≥2 network nodes pre-set the initial data, remember information about the structure of the communication network, including the addresses of the nodes _CSS IP network and a link therebetween, forming a plurality N of possible communication routes, one of which is selected route and transmitting messages on it. In the predetermined initial data set further structural identification and arrays, IP address of the security server _Sa, ID _a IDs and addresses of IP _a subscribers connected to the communication network. Set for each x-th node of the network, where x = 1, 2, ..., X, Y≥2 security parameters and their values b _xy , where y = 1, 2, ..., Y. A complex safety indicator is calculated k _xΣ for each _xth network node. Form adjacency matrix vertices network graph, which is stored in the structural array network node addresses IP _CSS and addresses of subscribers IP _a network, and information of a link between the nodes and network subscribers, and in the ID array stored identifiers ID _a, ID _Sa and the corresponding They are IP _a , IP _SB addresses of network subscribers and security server. After that, a set of possible communication routes is formed between the ith and jth subscribers of the network, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j, in the form of N _ij graph trees communication networks, and each nth, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it. Then, for each of the N _ij possible communication routes, average safety indicators are calculated

as the arithmetic mean of complex safety indicators

network nodes included in the nth communication route. As a secure communication route

choose the route with the highest value of its average safety indicator

. In this case, if several routes are found with equal average safety indicators, a route with the least number of nodes z _n included in it is selected. After that, the selected safe route is remembered and messages are generated that include the stored routes

between the i-th and all j-th subscribers, identifiers ID _aj and IP _aj addresses of all j-th subscribers. Send generated messages to all i-th network subscribers. And for the transmission of messages between subscribers on the identifier of the recipient user ID _a message choose its address and the IP _a safe route

and transmitting a message including information about the route used. When connecting a new subscriber to the communication network is formed message containing IP address of the network node _CSS connecting a new subscriber, his identifier ID and _an IP address of _an. After that, the generated message is sent to the security server, where it is stored in the structural and identification arrays. Then, in the security server, secure communication routes between the new subscriber and all j-th subscribers are selected and stored, after which messages are generated that include information about the stored safe communication routes and sent to all network subscribers.

The complex security indicator k _xΣ for each x-th network node is calculated by summing or multiplying, or as the arithmetic average of its security parameters b _xy .

The number N _ij trees of the graph of the communication network between the i-th and j-th network subscribers is calculated by the formula

- транспонированная матрица к B_o.where B _o = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix equal to the total number of nodes of the communication network;

is the transposed matrix to B _o .

как среднее арифметическое комплексных показателей безопасности

узлов сети, входящих в n-й маршрут связи. В качестве безопасного маршрута связи

выбирают маршрут с наибольшим значением его среднего показателя безопасности

. В случае нахождения нескольких маршрутов с равными средними показателями безопасности выбирают из них маршрут с наименьшим количеством входящих в него узлов z_n. После этого выбранный безопасный маршрут запоминают, формируют сообщение, включающее запомненный маршрут

и адрес IP_aj j-го абонента. Отправляют сформированное сообщение i-му абоненту сети. А для передачи сообщений между абонентами по идентификатору абонента-получателя сообщения ID_a, выбирают его адрес IP_a и безопасный маршрут

и передают сообщение, включающее информацию об используемом маршруте.In the second variant of the method, the goal is achieved by the fact that in the known method of choosing a safe route in the communication network, which consists in the fact that for a communication network containing X≥2 network nodes pre-set initial data is stored information about the structure of the communication network, including the addresses of the nodes _CSS IP network and a link therebetween, forming a plurality N of possible communication routes, one of which is selected route and transmitting messages on it. The structural and identification arrays, an array of access control rules, an IP _SB security server address, ID _a and IP _a addresses of subscribers connected to the communication network, data on access control between the ith and jth subscribers are additionally specified in the predefined initial data, networks, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j. Set for each x-th node of the network, where x = 1, 2, ..., X, Y≥2 security parameters and their values b _xy , where y = 1, 2, ..., Y. A complex safety indicator is calculated k _xΣ for each _xth network node. An access matrix is formed, for which purpose the subscriber identifiers ID _a and the corresponding access control data corresponding to them are stored in an array of access control rules. Then formed adjacency matrix vertices network graph, which is stored in the structural array network node addresses IP _CSS and addresses of subscribers IP _a network, and information of a link between the nodes and network subscribers, and in the ID array stored identifiers ID _a, ID _Sa and their corresponding IP _a , IP _SB addresses of network subscribers and security server. When connecting a new subscriber to the communication network is formed message containing IP address of the network node _CSS connecting a new subscriber, his identifier ID and _an IP address of _an. After that, the generated message is sent to the security server, where it is stored in the structural and identification arrays. A request is made from the i-th subscriber about the possibility of access to the j-th subscriber of the network, including the identifiers of the i-th ID _ai and j-th ID _{aj of the} subscribers. Send a request to the security server, where it is remembered. Check the availability of the requested access using the access matrix, and if it is absent, form and send to the i-th network subscriber a response about the lack of access to the j-th network subscriber. If there is access, a set of possible communication routes is formed between the i-th and j-th subscribers of the network in the form of N _ij trees of the graph of the communication network, and each n-th, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it. Then, for each of the N _ij possible communication routes between the i-th and j-th network subscribers, the average security indicators are calculated

as the arithmetic mean of complex safety indicators

network nodes included in the nth communication route. As a secure communication route

choose the route with the highest value of its average safety indicator

. If several routes with equal average safety indicators are found, a route with the smallest number of nodes z _n included in it is selected. After that, the selected safe route is remembered, a message is generated that includes the stored route

and the IP address _{aj of the} jth subscriber. Send the generated message to the i-th subscriber of the network. And for sending messages between subscribers by the ID of the recipient of the message ID _a , select his IP address _a and a safe route

and transmitting a message including information about the route used.

The complex security indicator k _xΣ for each x-th network node is calculated by summing or multiplying, or as the arithmetic average of its security parameters b _xy .

The number N _{ij of} trees of the graph of the communication network between the i-th and j-th subscribers of the network is calculated by the formula

- транспонированная матрица к B_o.where B _o = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix, equal to the total number of nodes of the communication network;

is the transposed matrix to B _o .

как среднее арифметическое комплексных показателей безопасности

узлов сети, входящих в n-й маршрут связи. В качестве безопасного маршрута связи

выбирают маршрут с наибольшим значением его среднего показателя безопасности

. При этом в случае нахождения нескольких маршрутов с равными средними показателями безопасности выбирают из них маршрут с наименьшим количеством входящих в него узлов z_n. Сравнивают средний показатель безопасности

выбранного маршрута с предварительно заданным допустимым показателем безопасности маршрута k^доп. При выполнении условия

формируют и отправляют i-му абоненту сети ответ об отсутствии безопасного маршрута между i-м и j-м абонентами сети. А при выполнении условия

, выбранный безопасный маршрут запоминают. Формируют сообщение, включающее запомненный маршрут

и адрес IP_aj j-го абонента. Отправляют сформированное сообщение i-му абоненту сети. Для передачи сообщений между абонентами по идентификатору абонента-получателя сообщения ID_aj выбирают его адрес IP_a и безопасный маршрут

и передают сообщение, включающее информацию об используемом маршруте.In the third variant of the method, the goal is achieved by the fact that in the known method of choosing a safe route in the communication network, which consists in the fact that for a communication network containing X≥2 network nodes pre-set the initial data, remember information about the structure of the communication network, including the addresses of the nodes _CSS IP network and a link therebetween, forming a plurality N of possible communication routes, one of which is selected route and transmitting messages on it. The structural and identification arrays, acceptable route security indicator k ^additional , address of the security server IP _SB , identifiers ID _a and IP addresses IP _{a of} subscribers connected to the communication network are additionally specified in the predefined initial data. Set for each x-th node of the network, where x = 1, 2, ..., X, Y≥2 security parameters and their values b _xy , where y = 1, 2, ..., Y. A complex safety indicator is calculated k _xΣ for each _xth network node. Then, a network connectivity matrix of vertices of the graph, which is stored in the structural array network node addresses and IP addresses of subscribers _CSS IP _a network, and information of a link between the nodes and the subscribers of the network. The identifiers ID _a , ID _cp and the corresponding IP _a , IP _SB addresses of the network subscribers and the security server are stored in the identification array. When connecting a new subscriber to the communication network is formed message containing IP address of the network node _CSS connecting a new subscriber, his identifier ID and _an IP address of _an. After that, the generated message is sent to the security server, where it is stored in the structural and identification arrays. A request is made for the i-th subscriber for a safe route to the j-th subscriber of the network, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j, including the identifiers of the i-th ID _ai and j-th ID _aj subscribers. Send a request to the security server, where it is remembered. After that, a set of possible communication routes is formed between the ith and jth subscribers of the network in the form of N _ij trees of the graph of the communication network, each n-th, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it. Then, for each of the N _ij possible communication routes, average safety indicators are calculated

as the arithmetic mean of complex safety indicators

network nodes included in the nth communication route. As a secure communication route

choose the route with the highest value of its average safety indicator

. In this case, if several routes are found with equal average safety indicators, a route with the least number of nodes z _n included in it is selected. Compare Average Security

the selected route with a predefined acceptable safety indicator route k ^extra . When the condition is met

form and send to the i-th network subscriber a response about the absence of a safe route between the i-th and j-th network subscribers. And when the condition is met

, the selected safe route is remembered. Form a message including a stored route

and the IP address _{aj of the} jth subscriber. Send the generated message to the i-th subscriber of the network. To transfer messages between subscribers using the ID of the recipient of the message ID _aj, select his IP address _a and a safe route

and transmitting a message including information about the route used.

The complex security indicator k _xΣ for each x-th network node is calculated by summing or multiplying, or as the arithmetic average of its security parameters b _xy .

The number N _ij trees of the graph of the communication network between the i-th and j-th network subscribers is calculated by the formula

- транспонированная матрица к B_o.where B _o = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix equal to the total number of nodes of the communication network;

is the transposed matrix to B _o .

, для которого комплексные показатели безопасности

входящих в него узлов соответствуют равному или более высокому рангу R_ai i-го абонента сети. Запоминают безопасный маршрут

. Формируют сообщение, включающее запомненный маршрут

и адрес IP_aj j-ого абонента, и отправляют сформированное сообщение i-му абоненту сети. При отсутствии безопасного маршрута между i-м и j-м абонентами сети формируют и отправляют i-му абоненту сети ответ об отсутствии безопасного маршрута к j-му абоненту сети. Для передачи сообщений между абонентами по идентификатору абонента-получателя сообщения ID_а выбирают его адрес IP_а и безопасный маршрут

и передают сообщение, включающее информацию об используемом маршруте.In the fourth embodiment of the method, the goal is achieved by the fact that in the known method of choosing a safe route in the communication network, which consists in the fact that for a communication network containing X≥2 network nodes pre-set the initial data, remember information about the structure of the communication network, including the addresses of the nodes _CSS IP network and a link therebetween, forming a plurality N of possible communication routes, one of which is selected route and transmitting messages on it. The structural and identification arrays, an array of correspondence of ranks R _{a of} subscribers and complex security indicators k _xΣ of network nodes, address of a security server IP _SB , identifiers ID _a , IP _a addresses and corresponding ranks R _a ≥2 of subscribers are additionally specified in the predefined initial data, connected to the communication network. Set for each x-th node of the network, where x = 1, 2, ..., X, Y≥2 security parameters and their values b _xy , where y = 1, 2, ..., Y. A complex safety indicator is calculated k _xΣ for each _xth network node. Then, a network connectivity matrix of vertices of the graph, which is stored in the structural array network node addresses and IP addresses of subscribers _CSS IP _a network, and information of a link between the nodes and the subscribers of the network. The identifiers ID _a , _SB ID and the corresponding IP _a , IP _SB addresses of the network subscribers and the security server are stored in the identification array. When connecting a new subscriber to the communication network is formed message containing IP address of the network node _CSS connecting a new subscriber, his identifier ID and _an IP address of _an. After that, the generated message is sent to the security server, where it is stored in the structural and identification arrays. A request is made from the ith subscriber for a safe route to the jth subscriber of the network, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j, including identifiers of the i-th ID _ai and j-th ID _aj subscribers. Send a request to the security server, where it is remembered. After that, a set of possible communication routes is formed between the ith and jth subscribers of the network in the form of N _ij trees of the graph of the communication network, each n-th, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it. Then from N _ij possible communication routes choose a safe route

for which comprehensive safety indicators

its nodes correspond to an equal or higher rank R _{ai of the} i-th subscriber of the network. Remember a safe route

. Form a message including a stored route

and the IP address _{aj of the} jth subscriber, and send the generated message to the i-th subscriber of the network. If there is no safe route between the i-th and j-th network subscribers, they form and send to the i-th network subscriber a response about the absence of a safe route to the j-th network subscriber. To transfer messages between subscribers by the identifier of the subscriber-recipient of the message ID _a, select his IP address _a and a safe route

and transmitting a message including information about the route used.

The complex security indicator k _xΣ for each x-th network node is calculated by summing or multiplying, or as the arithmetic average of its security parameters b _xy .

The number N _ij trees of the graph of the communication network between the i-th and j-th network subscribers is calculated by the formula

- транспонированная матрица к B_o.where B _o = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix, equal to the total number of nodes of the communication network;

is the transposed matrix to B _o .

, для которого комплексные показатели безопасности

входящих в него узлов соответствуют равному или более высокому рангу R_{инф i} передаваемой информации. Запоминают безопасный маршрут

. Формируют сообщение, включающее запомненный маршрут

и адрес IP_aj j-го абонента. Отправляют сформированное сообщение i-му абоненту сети. При отсутствии безопасного маршрута между i-м и j-м абонентами сети формируют и отправляют i-му абоненту сети ответ об отсутствии безопасного маршрута к j-му абоненту сети. Для передачи сообщений между абонентами по идентификатору абонента-получателя сообщения ID_a выбирают его адрес IP_a и безопасный маршрут

и передают сообщение, включающее информацию об используемом маршруте.In the fifth embodiment of the method, the goal is achieved by the fact that in the known method of choosing a safe route in the communication network, which consists in the fact that for a communication network containing X≥2 network nodes, initial data is pre-set, information about the structure of the communication network, including the addresses of nodes, is stored _CSS IP network and a link therebetween, forming a plurality N of possible communication routes, one of which is selected route and transmitting messages on it. In the predetermined initial data further define structural and tracking arrays, an array of corresponding rank R _inf, information transferred and integrated security parameters k _xΣ network nodes, the security server address IP _Security IDs ID _a, address IP _a subscribers connected to the communication network, and R _inf ≥2 ranks of the transmitted information. Set for each x-th node of the network, where x = 1, 2, ..., X, Y≥2 security parameters and their values b _xy , where y = 1, 2, ..., Y. A complex safety indicator is calculated k _xΣ for each _xth network node. Then, a network connectivity matrix of vertices of the graph, which is stored in the structural array network node addresses and IP addresses of subscribers _CSS IP _a network, and information of a link between the nodes and the subscribers of the network. And in the identification array the identifiers ID _a , _SB ID and the corresponding IP _a , IP _SB addresses of the network subscribers and the security server are stored. When connecting a new subscriber to the communication network is formed message containing IP address of the network node _CSS connecting a new subscriber, his identifier ID and _an IP address of _an. After that, the generated message is sent to the security server, where it is stored in the structural and identification arrays. A request is made from the ith subscriber for a safe route to the jth subscriber of the network, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j, including identifiers of the i-th ID _ai and the j-th ID _{aj of the} subscribers, and the rank R _{inf i of the} transmitted information. Send a request to the security server, where it is remembered. Next, they form the set of possible communication routes between the ith and jth subscribers of the network in the form of N _ij trees of the graph of the communication network, each n th, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it. Then, from the N _ij possible communication routes between the i-th and j-th network subscribers, a safe route is selected

for which comprehensive safety indicators

its nodes correspond to an equal or higher rank R _{inf i the} transmitted information. Remember a safe route

. Form a message including a stored route

and the IP address _{aj of the} jth subscriber. Send the generated message to the i-th subscriber of the network. If there is no safe route between the i-th and j-th network subscribers, they form and send to the i-th network subscriber a response about the absence of a safe route to the j-th network subscriber. To send messages between subscribers on the identifier of the recipient user ID _a message choose its address and the IP _a safe route

and transmitting a message including information about the route used.

The complex security indicator k _xΣ for each x-th network node is calculated by summing or multiplying, or as the arithmetic average of its security parameters b _xy .

The number N _ij trees of the graph of the communication network between the i-th and j-th network subscribers is calculated by the formula

- транспонированная матрица к B_o.where B _o = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix equal to the total number of nodes of the communication network;

is the transposed matrix to B _o .

Thanks to a new set of essential features in each of the variants of the claimed method (s), by setting information about the structure of the communication network, initial data on the nodes and subscribers of the network, and calculating complex indicators of the safety of the network nodes, safe routes in the communication network are selected from the set of all possible routes communication between subscribers and bringing a safe route to network subscribers, which ensures the achievement of the formulated technical result - increasing the secrecy of communication due to management making routes of information exchange of subscribers in a communication network.

The analysis of the prior art made it possible to establish that analogues, characterized by a combination of features that are identical to all the features of the claimed method (options), are not available in known sources of information, which indicates the compliance of the claimed method (options) with the condition of patentability “novelty”.

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed object from the prototype showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention, the transformations on the achievement of the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method (options) is illustrated by drawings, which show:

figure 1 is an example of a structure of a communication network;

figure 2 is a block diagram of a sequence of actions that implement the first variant of the claimed method of selecting a safe route in the communication network;

figure 3 - source data;

figure 4 - selection of a secure communication route;

5 is a table for calculating average route safety indicators;

6 - access matrix and matching arrays;

Fig. 7 is a flowchart illustrating a second embodiment of the claimed method for selecting a safe route in a communication network;

Fig. 8 is a flowchart illustrating a third embodiment of the claimed method for selecting a safe route in a communication network;

Fig.9 is a block diagram of a sequence of actions that implement the fourth variant of the claimed method of selecting a safe route in the communication network;

figure 10 is a block diagram of a sequence of actions that implement the fifth variant of the claimed method of choosing a safe route in the communication network;

11 is a drawing representing an example of selecting a safe route in a communication network.

The implementation of the claimed method is explained as follows. It is known that to ensure the information exchange of subscribers in a communication network, a communication route is selected from the set of possible routes between network subscribers. To choose a route for transmitting messages means to determine the sequence of transit network nodes through which messages must be transmitted in order to deliver them to the addressee. Determining a route is a difficult task, especially when there are many routes between a pair of subscribers. The task of determining routes is to select one or more routes from this whole set according to some criterion. However, in existing route selection methods, as a rule, the selection criteria are, for example, nominal throughput; congestion of communication channels; delays introduced by channels; number of intermediate transit network nodes; reliability of channels and transit network nodes. In this case, the route selection is carried out in network nodes (routers) of telecom operators. At each of the network nodes, the route is determined independently, and the initial route does not always coincide with the final one. The presence of transit network nodes with a low level of security creates the prerequisites for cybercriminals to intercept the information exchange of network subscribers, which leads to a decrease in communication secrecy. Thus, a contradiction arises between the requirement to ensure the secrecy of communication and the existing methods of selecting information exchange routes in the communication network. To eliminate this contradiction, the claimed method (options) is directed.

The first variant of the claimed method is implemented as follows. In the General case, the communication network (figure 1) is a combination of X nodes of the network 1, security server 2 and subscribers of the network 3, united by physical communication lines 4. The number of nodes in the network X is greater than or equal to two. All these elements are identified by identifiers, which are used in the most common TCP / IP protocol family by network addresses (IP addresses). If necessary, distributed processing of information and (or) its transmission, subscribers connect to the communication network. Many addresses of subscribers and network nodes connected to the communication network do not intersect.

Messages are transmitted between network subscribers through network nodes if there is communication between them, for which, from the totality of all possible communication routes (a communication route is a sequence of transit network nodes on the way from the sender to the recipient (see, for example, Olifer V.G. and Olifer N.A. "Computer networks. Principles, technologies, protocols", academic for universities, 2-ed .; - St. Petersburg: Peter, 2003, p.497)) choose one. Connections between network elements are characterized by only two values, the presence of communication and its absence. The remaining parameters of the communication lines are considered constant and are not taken into account, since the most likely and more easily implemented way of unauthorized interception of information exchange in the communication network is to connect to its nodes.

Figure 2 presents a block diagram of a sequence of actions that implement the first version of the claimed method of choosing a safe route in a communication network, in which the following notation:

{IP} - structural array;

{ID} - identification array;

IP _SB - network address of the security server;

ID _a - subscriber identifier;

IP _a - network address of the subscriber;

Y is the number of considered host security parameters;

b _xy is the value of the y-th security parameter of the x-th network node, where x = 1, 2, ..., X, y = 1, 2, ..., Y;

k _xΣ is a comprehensive security measure for each x-th network node;

N _ij is the number of communication network graph trees corresponding to the set of possible communication routes between the i-th and j-th network subscribers, where x = 1, 2, ..., j = 1, 2, ..., and i ≠ j ;

- средний показатель безопасности маршрута связи между i-м и j-м абонентами сети;

- the average indicator of the security of the communication route between the i-th and j-th network subscribers;

- безопасный маршрут связи между i-м и j-м абонентами сети;

- a secure communication route between the i-th and j-th network subscribers;

z _n is the number of vertices of the nth tree of the graph, where n = 1, 2, ..., N _ij , corresponding to the number of network nodes belonging to it;

SB - Security Server.

At the initial stage, in the security server (Fig. 1 — SB) initial data is set (bl. 1 in FIG. 2), including structural {IP} and identification {ID} arrays, the address of the security server IP _SB , identifiers ID _a and addresses IP _{a of} subscribers connected to the communication network, as well as for each x-th network node, where x = 1, 2, ..., X, Y≥2 security parameters and their values b _xy , where y = 1, 2, ..., Y, which are summarized in the table (figv). Structural array {IP} - array to store the IP address of the security server _Sa, IP addresses of nodes _FF and subscriber IP _a network and information about a link between them (3a), characterized by only two values, "1" - the presence of communication and "0" - its absence. Identification array {ID} - an array for storing the identifiers of the security server ID _SB , subscribers ID _{a of} the communication network and the corresponding addresses of subscribers of the network IP _a and the security server IP _SB (Fig.3b). The security parameters of network nodes are determined, for example, in accordance with GOST RISO / IEC 15408-2002 “Methods and means of ensuring security. Information Technology Security Assessment Criteria. ”

Values b _{x1 of the} parameter y = 1 of the security of the network nodes are determined, for example, by the characteristics of the equipment manufacturers of the network nodes, information about which can be obtained from the physical addresses of the network nodes. The physical addresses of network nodes are represented in hexadecimal notation, for example 00: 10: 5a: 3F: D4: E1, where the first three values determine the manufacturer (00: 01: е3 - Siemens, 00: 10: 5a - 3Com, 00:03: ba - Sun).

For example, for US1 (x = 1 in FIG. 5a), whose physical address is 00: 01: e3: 3F: D4: E1, the first three values determine the manufacturer Siemens, which corresponds to the value of the security parameter b ₁₁ = 0.3. Similarly, the values b _{x1 of the} parameter y = 1 of the security of the network nodes US2-US5 are determined, as well as the values of b _{xy of} all the given Y≥2 security parameters (Fig. 5a).

As the other security parameters of the network node, one can consider the type of equipment, the version of the software installed on it, the ownership of the node of a state or private organization.

For each x-th node of the network, the complex safety _factor k _{xΣ is} calculated from the values of b _{xy of} its security parameters (Bl.2 in FIG. 2). The calculated indicators are presented in the table (figg).

, или перемножения

, или как среднее арифметическое значение

его параметров безопасности b_xy.The complex safety indicator k _xΣ for each _xth network node is calculated by summing

, or multiplication

, or as the arithmetic mean

its security settings b _xy .

Fundamentally, the method of calculating k _xΣ does not affect the result of choosing a safe route. For example, the values of the calculated complex security indicators k _xΣ for each x-th node of the considered variant of the communication network (Fig. 1) by the above methods for the given values of the security parameters b _{xy of the} nodes are shown in the table (Fig. 5a).

Further formed adjacency matrix network of vertices (bl.3 in Figure 2), which is stored in the structural array (3a) addresses network nodes IP address and _CSS subscribers IP _a network and information about a link between the nodes and subscribers network.

The methods for generating adjacency matrices of graph vertices are known (see, for example, Finite graphs and networks. Basaker R., Saati T., M., 1973, 368 pp.). For the considered graph of the communication network, the adjacency matrix of the vertices has the form:

After that, the identifiers ID _a , _SB ID and the corresponding IP _a , IP _SB addresses of the network subscribers and the security server are stored in the identification array (FIG. 3b).

A set of possible communication routes is formed between the ith and jth subscribers of the network (block 4 in FIG. 2), where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j , in the form of N _ij graph trees of the communication network (Fig. 4a). Each nth, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes. The order of formation of graph trees is known and described; see, for example, Christofides N. Graph Theory: Algorithmic Approach. Per. from English - M.: Mir, 1978, - 432 p.

The total number N _ij trees of the graph of the communication network between the i-th and j-th subscribers of the network can be determined by various methods. In the claimed method, the total number N _ij of graph trees is found using the adjacency matrix.

:Removing any row of the matrix B, for example, row 1, we obtain the matrix B _о and the matrix transposed to it

:

The procedure for obtaining the transposed matrix is known and described (see, for example, G. Korn, T. Korn. Handbook of mathematics for scientists and engineers. - M .: Nauka, 1977).

, и последующего нахождения его определителя, т.е.:The number N _ij trees of the graph of the communication network between the i-th and j-th subscribers of the network is obtained by the product of the matrices B _about and

, and the subsequent finding of its determinant, i.e.:

The construction of communication routes between subscribers based on the trees of the graph of the communication network ensures the finding of all possible communication routes and their openness, i.e. eliminates closed routes unacceptable for messaging.

(бл.5 на фиг.2) как среднее арифметическое комплексных показателей безопасности

узлов сети, входящих в n-й маршрут связи

.To justify and objectively choose a safe communication route from the set N _ij = 5 possible communication routes between the i-th and j-th network subscribers, average safety indicators are calculated

(bl.5 in figure 2) as the arithmetic mean of complex safety indicators

network nodes included in the nth communication route

.

маршрутов связи сформированных между i-м и j-м абонентами сети (фиг.4а). Результаты сведены в таблицу (фиг.5б).Using the results obtained when calculating the complex indicators of the security of network nodes in different ways (figa), calculated average security

communication routes formed between the i-th and j-th network subscribers (figa). The results are summarized in table (figb).

между i-м и j-м абонентами сети выбирают маршрут с наибольшим значением его среднего показателя безопасности

. Возможен случай, когда будут найдены несколько маршрутов с равными средними показателями безопасности. В таком случае выбирают из найденных маршрутов самый короткий маршрут, т.е. маршрут с наименьшим количеством входящих в него узлов z_n (бл.6 на фиг.2). После этого выбранный маршрут запоминают. Из полученных результатов приведенных в таблице (фиг.4б) видно, что при всех рассмотренных способах вычисления второй маршрут n=2 имеет наибольшие значения среднего показателя безопасности

, которые выделены полужирным шрифтом на фиг.4а. Можно сделать вывод, что способ вычисления k_xΣ не влияет на результат выбора безопасного маршрута. Таким образом, формируют множество маршрутов между всеми абонентами сети.As a secure communication route

between the i-th and j-th network subscribers choose a route with the highest value of its average security indicator

. It is possible that several routes with equal average safety indicators will be found. In this case, the shortest route is selected from the found routes, i.e. a route with the smallest number of nodes z _n included in it (block 6 in FIG. 2). After that, the selected route is remembered. From the results obtained are shown in the table (Fig. 4b), it can be seen that for all the calculation methods considered, the second route n = 2 has the highest values of the average safety indicator

which are shown in bold in Fig. 4a. We can conclude that the method of calculating k _xΣ does not affect the result of choosing a safe route. Thus, many routes are formed between all network subscribers.

между i-м и всеми j-ми абонентами, идентификаторы ID_aj и адреса IP_aj всех j-х абонентов (бл.7 и 8 на фиг.2). После этого отправляют сформированные сообщения всем i-м абонентам сети (бл.9 на фиг.2). Таким образом, каждого абонента сети уведомляют о безопасных маршрутах ко всем остальным абонентам.Next, messages are generated that include stored routes.

between the i-th and all j-th subscribers, identifiers ID _aj and IP _aj addresses of all j-th subscribers (Blocks 7 and 8 in FIG. 2). After that, the generated messages are sent to all i-th network subscribers (bl.9 in figure 2). Thus, each subscriber of the network is notified of safe routes to all other subscribers.

к нему, после чего передают сообщение абоненту-получателю по заданному маршруту (бл.10 на фиг.2). Известные протоколы маршрутизации (routing protocols), такие как RIP, OSPF, NLSP, BGP предназначены для передачи пользовательской информации и обеспечивают в способе маршрутизации от источника (source specified routing) обмен информацией по заданному маршруту (см., например, Олифер В.Г. и Олифер Н.А. «Компьютерные сети. Принципы, технологии, протоколы», уч. для Вузов, 2-изд.; - СПб.: Питер, 2003, с.497). Таким образом, у абонентов имеется возможность передачи сообщений именно по заданному безопасному маршруту.To send messages between subscribers on the identifier of the recipient user ID _a message choose its address and the IP _a safe route

to him, after which they transmit the message to the subscriber-recipient along the specified route (bl.10 in figure 2). Known routing protocols, such as RIP, OSPF, NLSP, BGP, are designed to transmit user information and provide a method for routing from source (source specified routing) the exchange of information along a given route (see, for example, Olifer V.G. and Olifer N.A. "Computer networks. Principles, technologies, protocols", academic for universities, 2-ed .; - St. Petersburg: Peter, 2003, p.497). Thus, subscribers have the opportunity to send messages exactly on a given safe route.

When connecting a new subscriber (Fig. 1 - Ab n) to the communication network, they form a message with the address of the network node of the network US 4 IP _y4 to which he is connected, his ID ID _en and IP _en address (Bl.11 and 12 on figure 2). The generated message is sent to the security server, where it is stored in the structural and identification arrays (blocks 13 and 14 in FIG. 2), thus supplementing (updating) information on the structure of the communication network and the network subscribers.

In the security server, similarly to the method described above, secure communication routes between the new subscriber and all j-th subscribers are selected and stored (blocks 15 and 16 in FIG. 2). A message is generated that includes information on stored secure communication routes to all jth subscribers of the network and is sent to a new subscriber. Messages are generated, including information about the stored safe communication routes from each j-th network subscriber to the new subscriber, and sent to the j-th network subscribers (blocks 17 and 9 in FIG. 2). Thus, the new network subscriber is notified of the safe routes to all subscribers of the network, and the remaining subscribers are notified of the safe routes to the new subscriber.

Thus, in the first variant of the method, by setting information on the structure of the communication network, initial data on the nodes and subscribers of the network, and calculating complex indicators of the security of the nodes of the network, safe routes in the communication network are selected from the set of all possible communication routes between subscribers and bringing a safe route to network subscribers, which ensures the achievement of the formulated technical result - increasing communication secrecy by managing the routes of information exchange of subscribers in the communication network .

The difference between the second variant of the method and the first is as follows. As well as in the first embodiment, to achieve the formulated technical result, i.e. increase the secrecy of communication, set the source data about the nodes and subscribers of the network. Additionally, rules are set for access control between network subscribers, which determine the availability of access between each pair of subscribers. The choice of a safe route between network subscribers is carried out only at the request of the subscriber, and only if it is allowed by access rules predefined on the security server. Otherwise, the subscriber is denied access.

Figure 7 presents a block diagram of a sequence of actions that implement the second variant of the claimed method of choosing a safe route in a communication network, in which the following notation:

{SP} - an array of access control rules.

The remaining notation has the same meaning as in the first version considered.

At the initial stage, in the same way as in the first embodiment of the method, the source data is set in the security server (Fig. 1 - SB) (bl.1 in Fig. 7, Fig. 3a, b, c).

In the initial data (block 1 in Fig. 7), in contrast to the first variant of the method, an array of {SP} access control rules and data on access control between the ith and jth subscribers of the network are additionally set, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j.

After setting the initial data, in the same way as in the first version of the method, for each x-th network node, the complex safety _factor k _{xΣ is} calculated from the values of b _{xy of} its security parameters (Bl.2 in Fig. 7). The calculated indicators are presented in the table (figg).

Further, unlike the first embodiment of the method, the matrix is formed access (bl.3 in Figure 7), which is stored in the array {SP} rules restricting access ID _a subscriber IDs and corresponding access data delimitation, which are characterized by only two values , "1" - the presence of access of the i-th subscriber to the j-th subscriber of the network and "0" - the lack of access (figa).

Further, similarly, as in the first embodiment of the method, form an adjacency matrix of the vertices of the network graph (block 4 in Fig.7).

When connecting a new subscriber (1 - n Ab) to the communications network, as well as in the first embodiment of the method, it is formed message containing the network address of the node US4 IP _v4, to which it is connected, its ID identifier and _an IP address _en (bl.5 and 6 in Fig.7). The generated message is sent to the security server, where it is stored in the structural and identification arrays (Blocks 7 and 8 in FIG. 7), thus supplementing (updating) the information about the structure of the communication network and the network subscribers.

In contrast to the first variant of the method, in order to transfer messages from the i-th network subscriber to the j-th one, it is necessary to obtain permission to transfer from the security server and, if there is permission, a safe route. In this regard, a request is made from the i-th subscriber about the possibility of access to the j-th subscriber of the network, including the identifiers of the i-th ID _ai and j-th ID _{aj of the} subscribers. A request is sent to the security server, where it is remembered (blocks 9 and 10 in FIG. 7). Check the availability of the requested access using the access matrix (Fig. 6a), and if it is absent, form and send the response to the i-th network subscriber about the lack of access to the j-th network subscriber (Bl.12 and 13 in FIG. 7).

(бл.15 на фиг.7). Выбирают безопасный маршрут связи

между i-м и j-м абонентами сети и запоминают его (бл.16 и 17 на фиг.7). Таким образом, формируют безопасный маршрут связи между i-м и j-м абонентами по запросу i-го абонента сети.If the i-th subscriber has access to the j-th subscriber of the network (Bl.11 in Fig. 7), similarly as in the first embodiment of the method, a set of possible communication routes between the i-th and j-th subscribers of the network is formed in the form of N _ij trees of the graph of the communication network (bl.14 in Fig.7), calculate the average security

(bl.15 in Fig.7). Choose a secure communication route

between the i-th and j-th subscribers of the network and remember it (bl.16 and 17 in Fig.7). Thus, a secure communication route is formed between the i-th and j-th subscribers at the request of the i-th network subscriber.

между i-м и j-м абонентами, и адрес IP_aj j-го абонента (бл.18 на фиг.7). После этого отправляют сформированное сообщение i-му абоненту сети (бл.19 на фиг.7). Таким образом, i-го абонента сети уведомляют о безопасном маршруте связи к j-му абоненту сети.Next, a message is generated including the stored route.

between the i-th and j-th subscribers, and the IP address _{aj of the} j-th subscriber (block 18 in FIG. 7). After that, the generated message is sent to the i-th subscriber of the network (bl.19 in Fig.7). Thus, the i-th subscriber of the network is notified of a safe communication route to the j-th subscriber of the network.

к нему, после чего передают сообщение абоненту-получателю по заданному маршруту (бл.20 на фиг.7).To transfer messages between subscribers by the identifier of the recipient of the message ID _{a, in the} same way as in the first embodiment of the method, select its IP address _a and a safe route

to him, after which they transmit the message to the subscriber-recipient along a given route (bl.20 in Fig.7).

Thus, in the second variant of the method, the achievement of the formulated technical result is also achieved - increasing the secrecy of communication.

The difference between the third variant of the method and the second is as follows. As well as in the second embodiment, to achieve the formulated technical result, i.e. increase the secrecy of communication, set the source data about the nodes and subscribers of the network. Additionally, a valid route safety indicator is specified. The choice of a safe route between network subscribers is also carried out only at the request of the subscriber. However, they notify the subscriber about a safe communication route only if there is a route that satisfies a predefined acceptable safety indicator. Otherwise, the subscriber is denied access.

On Fig presents a block diagram of a sequence of actions that implement the third version of the claimed method of choosing a safe route in the communication network, in which the following notation:

k ^add - a valid indicator of route safety.

The remaining notation has the same meaning as in the first version considered.

At the initial stage, similarly as in the second embodiment of the method, the source data is set in the security server (in FIG. 1 — SB) (block 1 in FIGS. 8, 3).

The initial data, unlike the second variant of the method, do not specify an {SP} array of access control rules and data on access control between network subscribers. Additionally, in comparison with the second option, set a valid route safety factor k ^ext .

After setting the initial data, in the same way as in the second version of the method, for each x-th network node, the complex safety indicator k _{xΣ is} calculated from the values of b _{xy of} its security parameters (Bl.2 in Fig. 8). The calculated indicators are presented in the table (figg).

Unlike the second variant of the method, the formation of an access matrix is not required, therefore, an adjacency matrix of the vertices of the network graph is further formed (block 3 in Fig. 8).

When connecting a new subscriber (Fig. 1 - Ab n) to the communication network, as well as in the second variant of the method, they generate a message containing the address of the network node US 4 IP _U4 to which it is connected, its identifier ID _en and address IP _en (bl. 4 and 5 in FIG. 8). The generated message is sent to the security server, where it is stored in the structural and identification arrays (blocks 6 and 7 in Fig. 8), thereby supplementing (updating) the information on the structure of the communication network and the network subscribers.

Similarly, as in the second variant of the method, a request is made for the i-th subscriber for a safe route to the j-th subscriber of the network, including the identifiers of the i-th ID _ai and j-th ID _{aj of the} subscribers. Send a request to the security server, where it is remembered (bl.8 and 9 in Fig.8).

(бл.11 на фиг.8) и выбирают безопасный маршрут связи

между i-м и j-м абонентами сети (бл.12 на фиг.8). Таким образом, формируют безопасный маршрут связи между i-м и j-м абонентами по запросу i-го абонента сети.Then, as in the second variant of the method, a set of possible communication routes between the i-th and j-th network subscribers is formed in the form of N _ij trees of the communication network graph (block 10 in Fig. 8), average security indicators are calculated

(bl.11 in Fig.8) and choose a secure communication route

between the i-th and j-th network subscribers (block 12 in Fig. 8). Thus, a secure communication route is formed between the i-th and j-th subscribers at the request of the i-th network subscriber.

выбранного маршрута с предварительно заданным допустимым показателем безопасности маршрута k^доп (бл.13 на фиг.8). Например, пусть допустимый показатель безопасности маршрута k^доп=0,9. Тогда для выбранного n=2 безопасного маршрута связи

между i-м и j-м абонентами сети, представленного на фиг.4а, выполняется условие

. При выполнении этого условия формируют и отправляют i-му абоненту сети ответ об отсутствии безопасного маршрута между i-м и j-м абонентами сети (бл.14 и 15 на фиг.8).Compare, in contrast to the second variant of the method, the average safety indicator

the selected route with a predefined acceptable safety indicator of the route k ^add (bl.13 in Fig.8). For example, let a valid route safety factor k ^add = 0.9. Then, for the selected n = 2 safe communication path

between the i-th and j-th subscribers of the network shown in figa, the condition

. When this condition is met, an answer is formed and sent to the i-th subscriber of the network about the absence of a safe route between the i-th and j-th subscribers of the network (blocks 14 and 15 in Fig. 8).

, например, допустимый показатель безопасности маршрута k^доп=0,7 выбранный n=2 безопасный маршрут связи между i-м и j-м абонентами, также как и во втором варианте способа, запоминают и формируют сообщение, включающее запомненный маршрут

и адрес IP_aj j-го абонента (бл.16 и 17 на фиг.8).When the condition is met

for example, a valid route safety indicator k ^add = 0.7, selected n = 2 safe communication route between the i-th and j-th subscribers, as well as in the second variant of the method, memorize and form a message including the stored route

and the IP address _{aj of the} jth subscriber (blocks 16 and 17 in FIG. 8).

After that, the generated message is sent to the i-th subscriber of the network (block 18 in Fig. 8). Thus, the i-th subscriber of the network is notified of a safe communication route to the j-th subscriber of the network.

к нему, после чего передают сообщение абоненту-получателю по заданному маршруту (бл.19 на фиг.8).To transfer messages between subscribers by the ID of the recipient of the message ID _{a, in the} same way as in the second version of the method, select its IP address _a and the safe route

to him, after which they transmit the message to the subscriber-recipient along the specified route (bl.19 in Fig.8).

Thus, in the third variant of the method, the achievement of the formulated technical result is also achieved - increasing the secrecy of communication.

The difference between the fourth variant of the method and the third is as follows. As well as in the third embodiment, to achieve the formulated technical result, i.e. increase the secrecy of communication, set the source data about the nodes and subscribers of the network. Additionally set the ranks of network subscribers. The choice of a safe route between network subscribers is carried out only at the request of the subscriber and in accordance with predefined ranks of network subscribers. In the absence of a secure communication route, the subscriber is informed about this.

Figure 9 presents a block diagram of a sequence of actions that implement the fourth version of the claimed method of choosing a safe route in a communication network, in which the following notation:

{R} - an array of correspondence of ranks R _{a of} subscribers and complex safety indicators k _xΣ network nodes;

R _a - the rank of network subscribers.

The remaining notation has the same meaning as in the first version considered.

At the initial stage, in the same way as in the third variant of the method, the source data is set in the security server (in FIG. 1 — SB) (bl.1 in FIG. 9, FIG. 3).

In the initial data, unlike the third variant of the method, the admissible route safety indicator k ^ext . Additionally, in comparison with the second variant of the method, an array of correspondence {R} of ranks R _{a of} subscribers and complex safety indicators k _xΣ of network nodes is set. The ranks R _a ≥2 subscribers and the corresponding values of the complex safety indicators k _xΣ network nodes are _entered into the array {R}. For example, the subscriber rank R _a = 1 corresponds to the values of complex security indicators k _xΣ network nodes from 0 to 0.2 (figb).

After setting the initial data, in the same way as in the third version of the method, for each x-th network node, the complex safety indicator k _{xΣ is} calculated from the values of b _{xy of} its security parameters (Bl.2 in Fig. 9). The calculated indicators are presented in the table (figg).

Further, as in the third variant of the method, an adjacency matrix of the vertices of the network graph is formed (block 3 in Fig. 9).

When connecting a new subscriber (Fig. 1 - Ab n) to the communication network, as well as in the third embodiment of the method, they generate a message containing the address of the network node of the network US 4 IP _y4 to which it is connected, its identifier ID _an and the address IP _en (bl. 4 and 5 in Fig. 9). The generated message is sent to the security server, where it is stored in the structural and identification arrays (blocks 6 and 7 in Fig. 9), thereby supplementing (updating) the information on the structure of the communication network and the network subscribers.

Similarly, as in the third embodiment of the method, a request is made for the i-th subscriber of the network for a safe route to the j-th subscriber, including the identifiers of the i-th ID _ai and j-th ID _{aj of the} subscribers. Send a request to the security server, where it is remembered (bl.8 and 9 in Fig.9).

Further, as in the third embodiment of the method, a set of possible communication routes between the i-th and j-th network subscribers is formed in the form of N _ij , trees of the communication network graph (block 10 in Fig. 9).

между i-м и j-м абонентами сети, для которого комплексные показатели безопасности

входящих в него узлов, соответствуют равному или более высокому рангу R_ai i-го абонента сети (бл.11 на фиг.9). Например, для i-го абонента сети с R_ai=1 комплексные показатели безопасности

узлов входящие в выбранный безопасный маршрут связи

находятся в диапазоне значений от 0 до 0,2 (фиг.6б). Таким образом, выбирают безопасный маршрут связи между i-м и j-м абонентами по запросу i-го абонента сети и в соответствии с предварительно заданными рангами абонентов сети.Unlike the third variant of the method, choose a secure communication route

between the i-th and j-th network subscribers, for which comprehensive security indicators

the nodes included in it correspond to an equal or higher rank R _{ai of the} i-th subscriber of the network (Bl.11 in Fig.9). For example, for the i-th subscriber of the network with R _ai = 1, complex safety indicators

nodes included in the selected secure communication route

are in the range of values from 0 to 0.2 (figb). Thus, a secure communication route between the ith and jth subscribers is selected at the request of the i-th network subscriber and in accordance with the predefined ranks of the network subscribers.

(бл.15 на фиг.9). Формируют сообщение, включающее запомненный маршрут

и адрес IP_aj j-го абонента, и отправляют сформированное сообщение i-му абоненту сети (бл.16 и 17 на фиг.9).Further, as in the third embodiment of the method, a safe route is stored.

(bl.15 in Fig.9). Form a message including a stored route

and the IP address _{aj of the} jth subscriber, and send the generated message to the i-th subscriber of the network (blocks 16 and 17 in Fig. 9).

In the absence of a safe route between the ith and jth subscribers of the network, i.e. in the case when there is no route among the possible communication routes between subscribers, in which the complex safety indicators of the nodes included in it correspond to the subscriber’s rank, they form and send to the i-th network subscriber a response about the absence of a safe route to the j-th network subscriber (bl. 13 and 14 in FIG. 9).

к нему, после чего передают сообщение абоненту-получателю по заданному маршруту (бл.18 на фиг.9).To send messages between subscribers using the ID of the recipient of the message ID _{a, in the} same way as in the third version of the method, select its IP address _a and the safe route

to him, after which they transmit the message to the subscriber-recipient along a given route (bl.18 in Fig.9).

Thus, in the fourth variant of the method, the achievement of the formulated technical result is also achieved - increasing the secrecy of communication.

The difference between the fifth variant of the method and the fourth is as follows. As well as in the fourth embodiment, to achieve the formulated technical result, i.e. increase the secrecy of communication, set the source data about the nodes and subscribers of the network. Additionally, the ranks of the transmitted information are set. The choice of a safe route between network subscribers is carried out only at the request of the subscriber and in accordance with the predefined ranks of the transmitted information. In the absence of a secure communication route, the subscriber is informed about this.

Figure 10 presents a block diagram of a sequence of actions that implement the fifth variant of the claimed method of choosing a safe route in a communication network, in which the following notation:

{R} - an array of correspondence of ranks R _{inf of the} transmitted information and complex security indicators k _xΣ network nodes;

R _inf is the rank of the transmitted information.

The remaining notation has the same meaning as in the first version considered.

At the initial stage, similarly as in the fourth embodiment of the method, the source data is set in the security server (in FIG. 1 — SB) (bl.1 in FIG. 10, FIG. 3).

In the initial data, unlike the fourth variant of the method, the ranks of network subscribers are not set. Additionally, in comparison with the fourth option, an array {R} of ranks R _{inf of the} transmitted information and complex security indicators k _xΣ network nodes is _specified .

The ranks R _inf ≥2 of the transmitted information and the corresponding values of the complex safety indicators k _xΣ network nodes are _entered into the array {R}. For example, the rank of the transmitted information R _inf = 1 corresponds to the values of complex safety indicators k _xΣ network nodes from 0 to 0.2 (pigv).

After setting the initial data, similarly as in the fourth embodiment of the method, for each x-th network node, the complex safety _factor k _{xΣ is} calculated from the values of b _{xy of} its security parameters (Bl.2 in FIG. 10). The calculated indicators are presented in the table (figg).

Next, in the same way as in the fourth embodiment of the method, an adjacency matrix of the vertices of the network graph is formed (block 3 in FIG. 10).

When a new subscriber is connected (in Fig. 1 - Ab n) to the communication network, as well as in the fourth embodiment of the method, they form a message containing the address of the network node US 4 IP _y4 to which he is connected, his identifier ID _en and address IP _en (Bl 4 and 5 in FIG. 10). The generated message is sent to the security server, where it is stored in the structural and identification arrays (blocks 6 and 7 in FIG. 10), thus supplementing (updating) the information on the structure of the communication network and the network subscribers.

Similarly, as in the fourth embodiment of the method, a request is made for the i-th subscriber for a safe route to the j-th subscriber of the network, including the identifiers of the i-th ID _ai and j-th ID _{aj of the} subscribers. Additionally, unlike the fourth variant of the method, the rank of the transmitted information R _{inf i is} included (block 8 in FIG. 10).

Further, as in the fourth embodiment of the method, a request is sent to the security server, where it is stored (bl. 9 in FIG. 10). Forming a plurality of possible communication routes between i-th and j-th subscribers of the network as a graph N _ij communication network trees (bl.10 in Figure 10).

между i-м и j-м абонентами сети, для которого комплексные показатели безопасности

входящих в него узлов, соответствуют равному или более высокому рангу R_{инф i} передаваемой информации (бл.11 на фиг.10). Например, для i-го абонента сети с R_{инф i}=1 комплексные показатели безопасности

узлов входящие в выбранный безопасный маршрут связи

находятся в диапазоне значений от 0 до 0,2 (фиг.6в). Таким образом, выбирают безопасный маршрут связи между i-м и j-м абонентами по запросу i-го абонента сети и в соответствии с предварительно заданными рангами передаваемой информации.Unlike the fourth variant of the method, choose a secure communication route

between the i-th and j-th network subscribers, for which comprehensive security indicators

the nodes included in it correspond to an equal or higher rank R _{inf i of the} transmitted information (Bl.11 in FIG. 10). For example, for the i-th subscriber of the network with R _{inf i} = 1, complex safety indicators

nodes included in the selected secure communication route

are in the range of values from 0 to 0.2 (pigv). Thus, a secure communication route between the ith and jth subscribers is selected at the request of the i-th network subscriber and in accordance with the predefined ranks of the transmitted information.

All subsequent actions of the fifth variant of the method are similar to the actions of the fourth variant.

Thus, in the fifth embodiment of the method, the achievement of the formulated technical result is also achieved - increasing the secrecy of communication.

узлов входящих в сформированные маршруты связи дают основание для объективной оценки выбранных безопасных маршрутов связи между абонентами сети и позволяют учитывать необходимые и достаточные условия для выбора безопасного маршрута в сети связи.Computed Comprehensive Security Indicators

nodes included in the formed communication routes provide the basis for an objective assessment of the selected safe communication routes between network subscribers and allow you to take into account the necessary and sufficient conditions for choosing a safe route in the communication network.

узлов сети 3 и их значения параметров безопасности b_xy представлен в таблице (фиг.11б). Из представленного примера видно, что при использовании заявленного способа (вариантов) выбора безопасного маршрута, достигается исключение транзитных узлов сети, обладающих низким уровнем безопасности, который указывает на высокую вероятность несанкционированного перехвата передаваемых абонентами сообщений. В данном примере УС5, имеющий комплексный показатель безопасности k_5Σ и значения параметров безопасности b_5y выделенные полужирным шрифтом в таблице на фиг.11б. Таким образом, выбранный безопасный маршрут связи, выделенный жирными линиями 4 на фиг.11а, между i-м и j-м абонентами 2 проходит через транзитные узлы сети, обладающие максимально высокими уровнями безопасности, что снижает вероятность перехвата злоумышленниками информационного обмена абонентов сети.The figure (figa) presents an example of choosing a safe route in the security server 1 between the i-th and j-th subscribers 2 in the communication network. An example of calculated complex safety indicators

network nodes 3 and their values of security parameters b _{xy are} presented in the table (Fig.11b). It can be seen from the presented example that when using the claimed method (options) for choosing a safe route, the exclusion of transit network nodes with a low level of security is achieved, which indicates a high probability of unauthorized interception of messages transmitted by subscribers. In this example, US5 having a comprehensive safety score of k _5Σ and the values of the security parameters b _5y in bold in the table in FIG. 11b. Thus, the selected secure communication route, highlighted in bold lines 4 in Fig. 11a, between the i-th and j-th subscribers 2 passes through the transit nodes of the network with the highest possible security levels, which reduces the likelihood of cybercriminals intercepting the information exchange of network subscribers.

Based on these results, we can conclude that in the claimed method, using any of the options for choosing a safe route in the communication network, it is possible to increase the secrecy of communication by managing the routes of information exchange of subscribers in the communication network, i.e. realizes the stated goal of creating the claimed inventions.

Claims (15)

1. A method for selecting a route in a secure communication network comprising the steps of that communication network comprising a plurality of network nodes x, setting an initial data storing information about the structure of a communication network comprising network nodes IP address _CSS and the connection between them, they form a set of N possible communication routes, from which one route is selected and messages are sent along it, characterized in that the initial data is given to the structural and identification arrays, the address of the security server IP _SAT identifiers ID _a and addresses I P _a subscribers connected to the communication network, set for each x-th network node, where x = 1, 2, ..., X, the set Y of security parameters and their values b _xy , where y = 1, 2, .. ., Y, is calculated integrated security parameter k _xΣ for every xth network node formed adjacency matrix vertices network graph, which is stored in the structural array network node addresses IP _CSS and subscriber address IP _and the network, and information of a link between nodes and network subscribers, and in the identification storage array IDs ID _a, ID and _{Security and the} corresponding IP address, IP _Security and network and security server subscribers, after which they form a set of possible communication routes between the i-th and j-th network subscribers, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j, in the form of N _ij trees of the graph of the communication network, with each nth, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it, then for each of N _ij possible communication routes calculate the average security

as the arithmetic mean of complex safety indicators

network nodes included in the nth communication route and as a safe communication route

choose the route with the highest value of its average safety indicator

and moreover, if several routes with equal average safety indicators are found, a route is selected from them with the least number of nodes z _n included in it, after which the selected safe route is stored and messages are generated, including the stored routes

between the i-th and all j-th subscribers, the identifiers ID _aj , and the IP _aj addresses of all jx subscribers send the generated messages to all the i-th network subscribers, and to transfer messages between the subscribers using the identifier of the recipient of the message ID _a, select its address IP and _a safe route

and send a message that includes information about your route, and when a new subscriber to the communications network, forming a message containing the address of the network host's IP _FF connect a new subscriber, his ID to _an address IP _en, and then sends the generated message to the security server, where it is stored in the structural and identification arrays, then the secure communication paths between the new subscriber and all j-th subscribers are selected in the security server and stored, and then messages are generated, including information about stored secure communication routes, and send them to all network subscribers. 2. The method according to claim 1, characterized in that the complex security indicator k _xΣ for each x-th network node is calculated by summing, or multiplying, or as the arithmetic average of its security parameters b _xy . 3. The method according to claim 1, characterized in that the number N _{ij of} trees of the graph of the communication network between the i-th and j-th subscribers of the network is calculated by the formula:

where B _about = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix; equal to the total number of nodes in the communication network;

- transposed matrix to In _about . 4. The method of choosing a safe route in the communication network, which consists in the fact that for a communication network containing X network nodes the initial data is pre-set, information about the structure of the communication network, including the addresses of the IP network nodes _US and the presence of communication between them, is formed, form a set N possible communication routes, from which one route is selected and messages are sent along it, characterized in that the initial data sets the structural and identification arrays, an array of access control rules, the IP address of the security server IP _SB , identifier Katori ID _a, and IP addresses _and subscribers connected to the communication network, access information on the division between the i-th and j-th subscribers of the network, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j, set for each x-th node of the network, where x = 1, 2, ... X, Y security parameters and their values b _xy , where y = 1, 2, ..., Y, calculate the complex security indicator k _xΣ for every x-th network node, form a matrix of access, which are stored in the array of rules restricting access identifiers ID _a subscriber and the corresponding data access control, and then form an adjacency matrix of the graph vertices network , Which is stored in the network structural array node addresses IP _CSS and subscriber address IP _and the network, and information of a link between the nodes and network subscribers, and in the ID array stored identifiers ID _a, ID _Sa and corresponding addresses IP _and, IP _Sa subscribers and security server when a new subscriber to the communication network is formed message containing IP address of the network node _CSS connecting a new subscriber, his identifier ID and _an address of _an IP, then sends the generated message to the security server, where ez stored in a structured and identification arrays formed at the i-th subscriber's request for access to the j-th subscriber to the network, including IDs of i-th ID _ai, and the j-th ID _aj subscribers, send a request to the security server, where it is stored, by the access matrix, the presence of the requested access is checked and if it is absent, they form and send to the i-th subscriber of the network a response about the lack of access to the j-th subscriber of the network, and if there is access, they form a set of possible communication routes between the i-th and j-th subscribers of the network in the form of N _ij trees a communication network graph, with each nth, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it, then for each of N _ij , possible communication routes between i-th and j-th network subscribers calculate the average security

as the arithmetic mean of complex safety indicators

network nodes included in the nth communication route and as a safe communication route

choose the route with the highest value of its average safety indicator

moreover, if several routes with equal average safety indicators are found, a route is selected from them with the least number of nodes z _n included in it, after which the selected safe route is remembered, a message is generated including the stored route

and the IP address _{aj of the} jth subscriber, send the generated message to the i-th subscriber of the network, and to transfer messages between the subscribers by the identifier of the recipient of the message ID _a, select his IP address _a and the safe route

and transmitting a message including information about the route used. 5. The method according to claim 4, characterized in that the complex security indicator k _xΣ for each x-th network node is calculated by summing, or multiplying, or as the arithmetic average of its security parameters b _xy . 6. The method according to claim 4, characterized in that the number N _{ij of} trees of the graph of the communication network between the i-th and j-th subscribers of the network is calculated by the formula:

where B _about = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix; equal to the total number of nodes in the communication network;

- transposed matrix to In _about . 7. A method of selecting a safe route in a communication network, comprising the steps that a pre-set initial data communication network comprising network nodes X, storing information about the structure of a communication network comprising network nodes IP address _CSS and the connection between them, forming a plurality N possible communication routes, from which one route is selected and messages are sent along it, characterized in that the initial and data are assigned structural and identification arrays, a valid route safety factor k ^ext , the address of the security server IP _Security IDs _and ID and IP addresses _and subscribers connected to the communication network, is defined for each x-node of the network, where x = 1, 2, ..., X, Y security parameters and their values b _xy, where y = 1, 2, ..., Y, is calculated integrated security parameter k _xΣ for every xth network node then formed adjacency matrix network graph vertices, which are stored in the structural array network node addresses and IP addresses _CSS IP network _and subscribers as well as information on whether communication between the nodes and the network subscribers, and in the identification storage array IDs _and ID, ID and _Security Correspondingly uyuschie their IP address _and, IP _Security Network users and server security, if you connect a new subscriber to the communications network, forming a message containing the address of the network host's IP _FF connect a new subscriber, his ID to _an address IP _en, and then sends the generated message to the the security server, where it is stored in the structural and identification arrays, form a request from the i-th subscriber for a safe route to the j-th subscriber of the network, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j, including identifiers of the i-th ID _ai and j-th ID _{aj of} subscribers, send a request to server b security, where it is remembered, and then a set of possible communication routes is formed between the i-th and j-th network subscribers in the form of N _ij communication network graph trees, each n-th, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it, then, for each of the N _ij possible communication routes, average safety indicators are calculated

as the arithmetic mean of complex safety indicators

network nodes included in the nth communication route and as a safe communication route

choose the route with the highest value of its average safety indicator

and moreover, if several routes with equal average safety indicators are found, a route with the least number of nodes z _n included in it is selected from them, the average safety indicator is compared

of the selected route with a predefined acceptable safety indicator of the route k ^additional and if the condition

form and send to the i-th network subscriber a response about the absence of a safe route between the i-th and j-th network subscribers, and when the condition

, the selected safe route is remembered, a message is generated including the stored route

and the IP address _{ai of the} jth subscriber, send the generated message to the i-th subscriber of the network, and to transfer messages between the subscribers using the ID of the recipient of the message ID _aj, select its IP address _a and the safe route

and transmitting a message including information about the route used. 8. The method according to claim 7, characterized in that the complex security indicator k _xΣ for each x-th network node is calculated by summing, or multiplying, or as the arithmetic average of its security parameters b _xy . 9. The method according to claim 7, characterized in that the number N _{ij of} trees of the graph of the communication network between the i-th and j-th subscribers of the network is calculated by the formula:

where B _about = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix; equal to the total number of nodes in the communication network;

- transposed matrix to In _about . 10. A method of selecting a safe route in a communication network, comprising the steps that a pre-set initial data communication network comprising network nodes X, storing information about the structure of a communication network comprising network nodes IP address _CSS and the connection between them, forming a plurality N possible communication routes, from which one route is selected and messages transmitted over it, characterized in that the structural and identification arrays, the correspondence array of the ranks of R _a subscribers and complex safety indicators are specified in the initial data and k _xΣ network nodes, the address of the security server IP _SB , identifiers ID _a , IP addresses _a and their corresponding ranks R _a ≥2 subscribers connected to the communication network, set for each x-th network node, where x = 1, 2, ..., X, Y of the security parameters and their values b _xy , where x = 1, 2, ..., Y, calculate the complex security indicator k _xΣ for each x-th network node, then form the adjacency matrix of the vertices of the network graph, what is stored in the structural array network node addresses and IP addresses _CSS IP network _and subscribers, and information of a link between the nodes and the subscribers of the network, and identification array stored identifiers ID _{a, Security} ID and corresponding IP _and address, IP _Security Network users and server security, if you connect a new subscriber to the communications network, forming a message containing the node's IP address _FF connect a new subscriber, his ID to _an and IP _en address, after which the generated message is sent to the security server, where it is stored in the structural and identification arrays, a request is made from the ith subscriber for a safe route to the jth subscriber of the network, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j, I include s identifiers i-th ID _ai, and the j-th ID _aj subscribers, send a request to the security server, where it is stored, and then forming a plurality of possible communication paths between i-th and j-th network subscribers in the form of N _ij network graph tree communications, and each nth, where n = 1, 2, ..., N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it, then a safe route is selected from N _ij possible communication routes

for which comprehensive safety indicators

the nodes included in it correspond to an equal or higher rank R _{ai of the} i-th subscriber of the network, remember the safe route

form a message including a stored route

and the IP address _{aj of the} jth subscriber, and send the generated message to the i-th subscriber of the network, and in the absence of a safe route between the i-th and j-th subscribers of the network, they form and send to the i-th subscriber of the network a response about the absence of a safe route to j subscriber of the network, and to transfer messages between subscribers using the identifier of the subscriber-recipient of message ID _a select his IP address _a and a safe route

and transmitting a message including information about the route used. 11. The method according to claim 10, characterized in that the complex security indicator k _xΣ for each x-th network node is calculated by summing, or multiplying, or as the arithmetic average of its security parameters b _xy . 12. The method according to claim 10, characterized in that the number N _{ij of} trees of the graph of the communication network between the i-th and j-th subscribers of the network is calculated by the formula: where B _about = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix; equal to the total number of nodes in the communication network;

- transposed matrix to In _about . 13. A method of selecting a safe route in a communication network, comprising the steps that a pre-set initial data communication network comprising network nodes X, storing information about the structure of a communication network comprising network nodes IP address _CSS and the connection between them, forming a plurality N possible communication routes, one of which is selected route and transmitting messages on it, characterized in that the original data set identification and structural arrays array appropriate rank R _inf transmitted information and display complex k _xΣ firs security network nodes IP address of the security server _Sa, identifiers ID _a, IP addresses _and subscribers connected to the communication network, and R _inf ≥2 ranks transmitted information is defined for each x-node of the network, where x = 1, 2, ..., X, Y security parameters and their values b _xy , where y = 1, 2, ..., Y, calculate the complex security indicator k _xΣ for each x-th network node, then form the adjacency matrix of the graph vertices network, which is stored in a structured array IP addresses of network nodes _CM and subscriber IP addresses _and networks, as well as information about the presence in the relationship between Lamy and network subscribers, and in the identification storage array IDs ID _a, ID _{Security Council} and their corresponding IP addresses _{as well,} IP _Security Network users and server security, if you connect a new subscriber to the communications network, forming a message containing the node's IP address _FF connect a new the subscriber’s identifier, ID _en and IP _en , and then send the generated message to the security server, where it is stored in the structural and identification arrays, form a request for a safe route to the jth subscriber from the ith subscriber, where i = 1, 2, ..., j = 1, 2, ..., and i ≠ j, including identifiers of the i-th ID _ai and j-th ID _{aj of} subscribers, and the rank R _{inf i of the} transmitted information, send a request to the security server, where it is stored, and then a set of possible communication routes is formed between the i-th and j-th subscribers of the network in the form of N _ij trees of the graph of the communication network, each n-th, where n = 1, 2, ... , N _ij , the graph tree consists of z _n vertices corresponding to the number of network nodes belonging to it, then from the N _ij possible communication routes between the i-th and j-th network subscribers choose a safe route

for which comprehensive safety indicators

the nodes included in it correspond to an equal or higher rank R _{inf i the} transmitted information, remember the safe route

form a message including a stored route

and the IP address _{aj of the} jth subscriber, and send the generated message to the i-th subscriber of the network, and in the absence of a safe route between the i-th and j-th subscribers of the network, they form and send to the i-th subscriber of the network a response about the absence of a safe route to j- subscriber of the network, and to transfer messages between subscribers using the ID of the recipient of the message ID _a, select his IP address _a and a safe

and transmitting a message including information about the route used. 14. The method according to item 13, wherein the complex security indicator k _xΣ for each x-th network node is calculated by summing, or multiplying, or as the arithmetic average of its security parameters b _xy . 15. The method according to item 13, wherein the number N _{ij of} trees of the graph of the communication network between the i-th and j-th subscribers of the network is calculated by the formula:

where B _about = M × K is the transformed adjacency matrix of the vertices of the graph of the communication network, and M = M _p -1, K is the number of rows and columns of the matrix, M _p is the number of rows of the original adjacency matrix; equal to the total number of nodes in the communication network;

- transposed matrix to In _about .

Images