RU2668979C2 - Method for masking the structure of communication network - Google Patents

Abstract

FIELD: information technology.SUBSTANCE: invention relates to information security of digital communication systems, namely, to masking a structure of a communication network. In the method of masking a structure of a communication network, initial data including subscribers of the communication network and communication lines between them, aggregate of-addresses of senders and recipients of message packets, database for storageaddresses intended for true exchange between senders and recipients for each of the subscribers of the communication network, storage base ofaddresses intended for false exchange between senders and recipients for each of the subscribers of the communication network, the value of the counter of a number of transmitted false message packets. Connectivity matrixes of false and true exchange are formed and exchange of packets of messages between subscribers of the communication network is started. Intensity of false packets of messages, taking into account the priorities, creates sufficient contrast against the background of general traffic of a communication network for detection by a hacker, which is why the concealment of the communication network is achieved with imposition of false ideas on the structure of the communication network to the hacker.EFFECT: technical result is higher effectiveness of masking the original structure of a communication network.1 cl, 8 dwg

Description

The invention relates to the field of information communications, and in particular to ensuring information security of digital communication systems, and, in particular, the claimed method of masking the structure of a communication network is intended for use in distributed communication networks built on the basis of a public communication network (for example, the Internet).

A known method of protecting a virtual channel, implemented in the "Virtual channel protection system of a corporate network with the mandatory principle of access control to resources built on communication channels and switching means of a public communication network" according to RF patent No. 2163727 IPC G 06 F 13/00, F 12 / 14, publ. 02/27/2001

The method consists in the following actions: the client negotiates its access rights with the firewall, for which checks are performed on the firewall. If all the checks are passed, then a packet is sent that allows the connection between the client and the firewall. Next, the packet that allows the connection comes to the client, passing the transceiver unit and the encryption / decryption unit and electronic signature. Then it is transferred to the closed protocol generation unit. Then they send a packet that establishes a connection using a standard connection, but in each packet they replace the IP addresses of the destination server with the IP address of the corporate firewall.

The disadvantage of this method is the relatively low security of the distributed network due to the high probability of identification of corresponding subscribers and (or) devices and the violation of its normal functioning.

There is also a method of protecting information circulating in a distributed telecommunication system when transmitting it over public communication channels, implemented in the "Distributed telecommunication system for transmitting shared data intended for their separate transmission and reception" according to US patent No. 6912252 IPC H 04 L 12 / 56; H 04 L 12/28, publ. 11/08/2001 g.

The method consists in the following actions: the source data from the sender is divided into N parts. Further, from their combinations, intermediate data groups are formed. Then, intermediate data is transmitted independently over N communication channels. The recipient receives groups of intermediate data arriving via N communication channels and restores the original data.

The disadvantage of this method is the relatively low security of the transmitted information when using a distributed network due to its open transmission, and the relatively low level of security of the distributed network due to the increased likelihood of recognizing the structure of the distributed network due to an increase in the probability of detection of identifiers of its elements during information exchange as a result of an increase in the number of channels communication.

There is a method of protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network according to the patent of the Russian Federation No. 2182355 IPC G 06 F 12/14, 9/00, publ. 05/10/2002

The method consists in preliminarily generating tables of addresses of sources and recipients and their correspondence with identifiers, forming an initial data packet with the sender, including the current address of the sender and recipient in the data packet, and transmitting the generated packet. The received packet is received from the recipient, the addresses and identifiers of the sender and recipient of the messages are extracted from the received message packet, the addresses and identifiers of the sender and recipient of the messages extracted from the received message packet are compared with the pre-stored addresses and identifiers of the sender and recipient of the messages. Then, when they coincide, the encoded data is extracted from the received packet; if they do not match, the received message packet is not analyzed. Decode the received data.

The disadvantage of this method is the relatively low security of the distributed infocommunication system due to the high probability of recognizing its structure by identifying the addresses of correspondents when analyzing traffic at some point on the Internet.

Closest in its technical essence to the claimed one is a method for masking the structure of a communication network, implemented in the method of protecting a computer network according to RF patent No. 325694 IPC G 06 F 21/20 H 04 L 12/00, publ. May 27, 2008

и получателя

и запоминают их в качестве текущих адресов отправителя A _TO и получателя A _ТП . Заменяют у отправителя его текущий адрес A _TO на новый текущий адрес отправителя

и увеличивают номер шага i _O на единицу (i _O =i _O +1). Для формирования у отправителя пакета сообщений при отсутствии исходного пакета сообщений генерируют управляющий сигнал для формирования ложного пакета сообщений и формируют у отправителя ложный пакет сообщений. Затем кодируют ложный пакет сообщений, преобразуют закодированный ложный пакет сообщений в формат TCP/IP, включают в полученное значение ложного пакета сообщений в формате TCP/IP текущие адреса отправителя A _TO и получателя A _ТП . При включении в него текущих адресов отправителя и получателя, текущий адрес отправителя

определяют в соответствии с заданной функцией выбора адреса для ложных пакетов сообщений

. Передают от отправителя к получателю ложный пакет сообщений, из принятого у получателя пакета сообщений выделяют адреса отправителя A _O и получателя А _П и сравнивают их с текущими адресами отправителя A _TO и получателя А _ТП . При их несовпадении принятые пакеты не анализируют, а при их совпадении из принятого пакета сообщений выделяют кодированные данные и декодируют их. Формируют у получателя информацию о новых текущих адресах отправителя

и получателя

, для чего назначают у отправителя из заданной базы адресов в соответствии с функциями выбора новые текущие адреса отправителя

и получателя

и запоминают их в качестве текущих адресов, отправителя A _TO и получателя А _ТП . Заменяют у получателя его текущий адрес A _TO на новый текущий адрес получателя

и увеличивают номер шага i _П на единицу (i _П =i _П +1). Затем повторно формируют у отправителя очередной пакет сообщений.The prototype method consists in performing the following steps: initial data is preliminarily set, including A subscribers of the communication network and communication lines between them, a set of M IP addresses of senders and recipients of message packets. Assign from the given set of M IP addresses of senders and recipients of message packets the current addresses of the sender A _TO and receiver A _TP and remember them. The function F ^S (i) of selecting the current sender address and the function F ^D (i) of selecting the current recipient address for true message packets, where i = 1,2,3, ..., according to which at the i- th step assign new addresses. The sender and receiver set the function G ^S (i) to select the current sender address and the function G ^D (i) to select the current receiver address for false message packets, where G ^S (i) ≠ F ^S (i) , G ^D (i) ≠ F ^D (i) , i = 1,2,3, ..., in accordance with which new addresses are assigned at the i- th step. Set equal to unity the number of steps of the change of addresses i _O = 1 and i _P = 1. Then the source message packet is formed at the sender, encoded, the encoded message packet is converted to the TCP / IP format, the current addresses of the sender A _TO and the receiver A _TP are included in it, and the generated information message packet is transmitted to the recipient. Assign the sender from a given address base in accordance with the selection functions the new current sender addresses

and the recipient

and remember them as the current addresses of the sender A _TO and receiver A _TP . Replace the sender's current address A _TO with the new current sender address

and increase the step number i _O by one ( i _O = i _O +1). To generate a message packet from the sender in the absence of the initial message packet, a control signal is generated to generate a false message packet and a false message packet is generated from the sender. Then a false message packet is encoded, the encoded false message packet is converted to TCP / IP format, and the current address of the sender A _TO and receiver A _{TP are} included in the received value of the false message packet in TCP / IP format. When including the current sender and recipient addresses, the current sender address

determined in accordance with a predetermined address selection function for false message packets

. A false message packet is transmitted from the sender to the receiver, the addresses of the sender A _O and the receiver A _P are extracted from the message packet received from the receiver and compared with the current addresses of the sender A _TO and receiver A _TP . If they do not match, the received packets are not analyzed, and if they match, the encoded data is extracted from the received message packet and decoded. Form the recipient with information about the new current addresses of the sender

and the recipient

, for which purpose the sender is assigned from the given address base in accordance with the selection functions the new current sender addresses

and the recipient

and remember them as current addresses, the sender A _TO and the receiver A _TP . Replace the recipient's current address A _TO with the new current recipient address

and increase the step number i _P by one ( i _P = i _P +1). Then the next message packet is re-formed at the sender.

The known prototype method eliminates some of the disadvantages of analogues by determining the functions of selecting the current address of the sender and recipient for true and false exchange of message packets, as well as the formation of false information directions of the communication network.

The disadvantages of the prototype method are the low efficiency of masking the original (true) structure of the SS and the narrow scope of the masking method. The low effectiveness of masking is due to the fact that the prototype does not specify the number of transmitted false message packets from the sender to the receiver, which determines the intensity of the generated false information directions. The narrow scope is due to the fact that at least two correspondents are used in the prototype to implement a disguised exchange, which is the transfer between false correspondence message packets between correspondents, which creates an additional load on the organization of communication to provide confirmation of receipt of a message packet by a correspondent and two-way exchange of message packets between correspondents .

The purpose of the claimed technical solution is to develop a method for masking the structure of the communication network, which ensures increased effectiveness of masking the initial (true) structure of the communication network by setting priorities for information directions that determine the intensity of the exchange of false message packets for each pair of correspondents. And the expansion of the scope is provided by the transmission of message packets between IP addresses formed by one correspondent.

и получателя

и запоминают их в качестве текущих адресов отправителя A _TO , и получателя A _ТП . Заменяют у отправителя его текущий адрес A _TO на новый текущий адрес отправителя

и увеличивают номер шага i _O на единицу (i _O =i _O +1). Для формирования у отправителя пакета сообщений при отсутствии исходного пакета сообщений генерируют управляющий сигнал для формирования ложного пакета сообщений и формируют у отправителя ложный пакет сообщений. Затем кодируют ложный пакет сообщений, преобразуют закодированный ложный пакет сообщений в формат TCP/IP, включают в полученное значение ложного пакета сообщений в формате TCP/IP текущие адреса отправителя A _TO и получателя A _ТП . При включении в него текущих адресов отправителя и получателя, текущий адрес отправителя определяют в соответствии с функцией выбора адреса для ложных пакетов сообщений

. Передают от отправителя к получателю ложный пакет сообщений, из принятого у получателя пакета сообщений выделяют адреса отправителя A _O и получателя А _П и сравнивают их с текущими адресами отправителя А _ТО и получателя А _ТП . При их несовпадении принятые пакеты не анализируют, а при их совпадении из принятого пакета сообщений выделяют кодированные данные и декодируют их. Формируют у получателя информацию о новых текущих адресах отправителя

и получателя

, для чего назначают у отправителя из заданной базы адресов в соответствии с функциями выбора новые текущие адреса отправителя

и получателя

и запоминают их в качестве текущих адресов отправителя А _ТО и получателя А _ТП . Заменяют у получателя его текущий адрес А _ТО на новый текущий адрес получателя

и увеличивают номер шага i _П на единицу (i_П=i_П+1). Затем повторно формируют у отправителя очередной пакет сообщений. В предварительно заданные исходные данные дополнительно включают базу для хранения IP-адресов, предназначенных для истинного обмена между отправителями

и получателями

для каждого из А абонентов сети связи, где А=а ₁,а ₂…, базу для хранения IP-адресов, предназначенных для ложного обмена между отправителями

и получателями

для каждого из А абонентов сети связи. Значение счетчика количества передаваемых ложных пакетов сообщений

задают равным нулю. Затем выделяют в предварительно заданной совокупности из М IP-адресов множество из S IP-адресов, предназначенных выбора адреса отправителя A _O , и множество из D IP-адресов, предназначенных выбора адреса получателя А _П . Из множества S IP-адресов выделяют множество адресов S ^И , предназначенных для истинного обмена пакетами сообщений между абонентами, где

, и множество адресов S ^Л , предназначенных для ложного обмена пакетами сообщений между абонентами, где

. Из множества D IP-адресов выделяют множество адресов D ^И , предназначенных для истинного обмена пакетами сообщений между абонентами, где

, и множество адресов D ^Л , предназначенных для ложного обмена пакетами сообщений между абонентами, где

. После этого запоминают

и

IP-адресов, предназначенных для истинного обмена,

и

IP-адресов, предназначенных для ложного обмена для каждого из А абонентов сети связи. Затем задают совокупность связей между

и

IP-адресами как матрицу связностей истинного обмена, а совокупность связей между

и

IP-адресами задают как матрицу связностей ложного обмена и запоминают их. Затем задают номера Р приоритета ложного обмена, где Р=1, 2, 3,… для каждой связи между

и

IP-адресами и запоминают их. Для каждого номера Р приоритета задают максимальное количество передаваемых

ложных пакетов сообщений и запоминают его. Затем, после установления равными единице номера шагов смены адресов i _O и i _П , проверяют наличие у отправителя пакетов сообщений для передачи. При их наличии выбирают новые адреса отправителя

и получателя

в качестве текущих адресов отправителя A _TO и получателя А _ТП и запоминают их. Увеличивают номер шага смены адресов отправителя на единицу (i _O =i _O +1), а после передачи сформированного истинного пакета сообщений получателю устанавливают значение счетчика

равным единице

. При отсутствии у отправителя пакетов сообщений для передачи сравнивают значение счетчика

с заданным максимальным количеством

, и если

, то выбирают у отправителя в качестве текущих адресов отправителя

и получателя

. Запоминают их и увеличивают номер шага смены адресов отправителя на единицу (i _O =i _O +1). После передачи от отправителя к получателю ложного пакета сообщений сравнивают значение текущего адреса получателя А _ТП с множеством адресов

, и если текущий адрес получателя А _ТП совпадает с подмножеством адресов

, то формируют ответный пакет сообщений и передают его, затем увеличивают на единицу текущее значение счетчика

.This goal is achieved by the fact that in the known method of masking the structure of the communication network, which consists in pre-setting the initial data, including A subscribers of the communication network and communication lines between them, a collection of M IP addresses of senders and recipients of message packets. Assign from the given set of M IP addresses of senders and recipients of message packets the current addresses of the sender A _TO and the receiver A _TP and remember them. The function F ^S (i) of selecting the current sender address and the function F ^D (i) of selecting the current recipient address for true message packets, where i = 1,2,3, ..., according to which at the i- th step assign new addresses. The sender and receiver set the function G ^S (i) to select the current sender address and the function G ^D (i) to select the current receiver address for false message packets, where G ^S (i) ≠ F ^S (i) , G ^D (i) ≠ F ^D (i) , i = 1,2,3, ..., in accordance with which new addresses are assigned at the i- th step. Set equal to unity the number of steps of the change of addresses i _O = 1 and i _P = 1. Then the source message packet is formed at the sender, encoded, the encoded message packet is converted to TCP / IP format. Include the current addresses of the sender A _TO and the receiver A _TP , and transmit the generated information packet of messages to the recipient. Assign the sender from a given address base in accordance with the selection functions the new current sender addresses

and the recipient

and remember them as the current addresses of the sender A _TO and the receiver A _TP . Replace the sender's current address A _TO with the new current sender address

and increase the step number i _O by one ( i _O = i _O +1). To generate a message packet from the sender in the absence of the initial message packet, a control signal is generated to generate a false message packet and a false message packet is generated from the sender. Then a false message packet is encoded, the encoded false message packet is converted to TCP / IP format, and the current address of the sender A _TO and receiver A _{TP are} included in the received value of the false message packet in TCP / IP format. When the current sender and recipient addresses are included in it, the current sender address is determined in accordance with the address selection function for false message packets

. A false message packet is transmitted from the sender to the receiver, the addresses of the sender A _O and the receiver A _P are extracted from the message packet received from the receiver and compared with the current addresses of the sender A _TO and receiver A _TP . If they do not match, the received packets are not analyzed, and if they match, the encoded data is extracted from the received message packet and decoded. Form the recipient with information about the new current addresses of the sender

and the recipient

, for which purpose the sender is assigned from the given address base in accordance with the selection functions the new current sender addresses

and the recipient

and remember them as the current addresses of the sender A _TO and the recipient A _TP . Replace the recipient's current address A _TO with the new current address of the recipient

and increase the step number i _P by one (i _P = i _P +1). Then the next message packet is re-formed at the sender. The predefined source data additionally includes a base for storing IP addresses intended for true exchange between senders

and recipients

for each of A subscribers of the communication network, where A = a ₁ , a ₂ ..., a base for storing IP addresses intended for false exchange between senders

and recipients

for each of A subscribers of the communication network. False Message Packet Counter

set equal to zero. Then, a plurality of S IP addresses intended to select a sender address A _O and a plurality of D IP addresses intended to select a recipient address A _P are isolated in a predetermined set of M IP addresses. From the set of S IP addresses, a plurality of S ^And addresses are allocated for the true exchange of message packets between subscribers, where

, and many addresses S ^L , intended for the false exchange of message packets between subscribers, where

. From the set of D IP addresses, a plurality of D ^AND addresses are allocated for the true exchange of message packets between subscribers, where

, and many addresses D ^L , intended for the false exchange of message packets between subscribers, where

. After that, remember

and

True IP addresses

and

IP addresses intended for false exchange for each of A subscribers of the communication network. Then set the relationship between

and

IP addresses as a matrix of connections of true exchange, and the totality of connections between

and

IP- addresses are set as a matrix of connections of false exchange and remember them. Then set the numbers P priority of the false exchange, where P = 1, 2, 3, ... for each connection between

and

IP addresses and remember them. For each priority number P , the maximum number of transmitted

false message packets and remember it. Then, after setting the number of steps for changing the addresses i _O and i _P equal to unity, the sender checks for the presence of message packets for transmission. If available, select new sender addresses

and the recipient

as the current addresses of the sender A _TO and receiver A _TP and remember them. Increase the step number of changing the sender addresses by one ( i _O = i _O +1), and after transmitting the generated true message packet to the recipient, set the counter value

equal to one

. If the sender does not have message packets for transmission, the counter value is compared.

with a given maximum quantity

, and if

, then select from the sender as the current address of the sender

and the recipient

. Remember them and increase the step number of the change of sender addresses by one ( i _O = i _O +1). After transmitting from the sender to the recipient a false message packet, the value of the current address of the recipient A _{TP is} compared with many addresses

, and if the current address of the recipient A _TP coincides with a subset of addresses

then form a response message packet and transmit it, then increase by one the current counter value

.

The values of S and D addresses of the sender and receiver are selected in the range of S = 2-64, D = 2-64.

,

, а в качестве функции выбора ложного адреса отправителя G ^S (i) и получателя G ^D (i) используют последовательность чисел Люка:

,

As a function of selecting the address of the sender F ^S (i) and the recipient F ^D (i) use a sequence of Fibonacci numbers:

,

, and as a function of choosing a false address, the sender G ^S (i) and the recipient G ^D (i) use a sequence of Luc numbers:

,

.

.

Thanks to the new set of essential features in the claimed method, along with a change in the message packets of their identification structure, by setting priorities for information directions that determine the rate of exchange of false message packets for each pair of correspondents, an increase in the effectiveness of masking the initial (true) structure of the communication network is achieved, which makes it is almost impossible to identify message packets with respect to a specific network user and open the network structure, and due to This allows the transmission of message packets between IP addresses formed by a single correspondent, and the scope of application is expanded when it is impossible (impractical) to create an additional load on the organization of communication during masking.

The claimed objects of the invention are illustrated by drawings, which show:

FIG. 1 - an example of a scheme for organizing communication between automated systems via the Internet;

FIG. 2 - message packet structure;

FIG. 3 - structure of the IP- header of the message packet;

FIG. 4 is a flowchart of an algorithm implementing a masking method;

FIG. 5 is an example illustrating the representation of matrices of connections of true and false exchange;

FIG. 6 is an illustration of the original unmasked and masked structure of a communication network without taking into account the intensity of masking information directions between subscribers;

FIG. 7 - illustration of the assignment of priorities of masking information areas and their reflection on the structure of the communication network;

FIG. 8 is an illustration of the results of a network scanning experiment of the original unmasked and masked communication network structures.

The implementation of the claimed method is explained as follows. When combining automated systems (AS) through public communication networks (for example, the Internet), it becomes more difficult to solve the problem of ensuring information security of AS. This is due to the emergence of an almost unlimited range of potential security threats associated with either unauthorized access to information or its interception in the process of transmission through communication channels, or destructive effects on nuclear power plants. The task of protecting the information part of message packets is quite effectively solved by cryptography. However, it is impossible to conceal the fact of transmission of message packets over a public communication network, and even if there is no possibility of decoding the intercepted information, an attacker, by analyzing the identification structure of message packets, can open the communication network structure and take destructive actions on telecommunication equipment, that is, disrupt the normal functioning of the AS. This is due to the fact that the addresses of senders and recipients of message packets are transmitted in clear text.

Thus, a contradiction arises between the need for open transmission of the addresses of senders and recipients of message packets over communication channels and the requirement for ensuring the safety of the speakers, because identifying the true addresses of the corresponding entities by an attacker at some point on the Internet creates the prerequisites for the implementation of destructive effects on the AU or for disruption of its normal functioning. The claimed technical solution is aimed at eliminating this contradiction.

In the General case, each speaker is a combination of a PC, peripheral and communication equipment, combined by physical communication lines (Fig. 1A). All these elements are defined by network identifiers, which are used in the most common TCP / IP protocol family by network addresses ( IP addresses). If necessary, distributed processing of information and (or) its transmission, remote speakers are combined, for example, via the Internet, forming a communication network. With this combination, the terminal communications equipment is also identified by network addresses, and the sets of addresses of the terminal communications equipment and AC elements do not intersect.

To transfer information between remote speakers (for example, AC ₁ and AC ₂ in Fig. 1a) using the interaction protocols, a connection is established, which, in this case, is understood as the information flow from the sender to the receiver.

The information stream from AC ₁ to AC _{2 is} transmitted through the respective routers and the Internet (Fig. 1a). In the general case, this model can be simplified and presented in the form of a communication network structure including terminal communication equipment of subscribers (sender and receiver of message packets), as well as a communication channel between them (Fig. 1b).

For secure data transmission through a public communication network (for example, the Internet), cryptographic protection of the information part of message packets is used (highlighted by shading in Fig. 2).

When using such mechanisms, only the IP header of the message packet is transmitted in clear text. The IP header structure is known and shown in FIG. 3, where the fields of the addresses of the sender and recipient of the message packet are highlighted by shading. External (so-called “public”) IP addresses of terminal equipment are unique for each subscriber, which is a necessary and sufficient condition for an attacker to reconstruct the communication network structure having access to an arbitrary point in the communication network through which the information flow between subscribers passes (presentation format The IP address in decimal form is known and described, for example, in the book by Olifer VG and Olifer N. A. "Computer Networks. Principles, Technologies, Protocols.", Academic for Universities, 2nd ed.; - St. Petersburg. : Peter, 2003.497 s.).

и получателями

для каждого из А абонентов сети связи, где А=а ₁,а ₂…, базу для хранения IP-адресов, предназначенных для ложного обмена между отправителями

и получателями

для каждого из А абонентов сети связи. Значение счетчика количества передаваемых ложных пакетов сообщений

задают равным нулю. Использование счетчика необходимо для достижения требуемой интенсивности генерируемых ложных информационных направлений.Protection of the structure of the communication network from reconstruction is carried out by its masking. To do this, pre-set (bl. 1 in Fig. 4) the initial data, including A subscribers of the communication network and communication lines between them, a set of M IP addresses of senders and recipients of message packets, a base for storing IP addresses intended for true exchange between senders

and recipients

for each of A subscribers of the communication network, where A = a ₁ , a ₂ ..., a base for storing IP addresses intended for false exchange between senders

and recipients

for each of A subscribers of the communication network. False Message Packet Counter

set equal to zero. Using a counter is necessary to achieve the required intensity of the generated false information directions.

In a predefined set of M IP addresses, a plurality of S IP addresses for selecting a sender address A _O and a plurality of D IP addresses for selecting a recipient address A _P are selected from M IP addresses (bloc 2 in FIG. 4).

From the set of S IP addresses, a plurality of addresses is allocated (bl. 3 in FIG. 4)

, и множество адресов S ^Л , предназначенных для ложного обмена пакетами сообщений между абонентами, где

. Из множества D IP-адресов выделяют множество адресов D ^И , предназначенных для истинного обмена пакетами сообщений между абонентами, где

, и множество адресов D ^Л , предназначенных для ложного обмена пакетами сообщений между абонентами, где

. Выделение подмножеств адресов, предназначенных для истинного и ложного обмена пакетами сообщений между абонентами позволяет задавать как графически, так и в матричной форме навязываемую маскированную (ложную) структуру сети связи. После этого запоминают (бл. 4 на фиг. 4)

и

IP-адресов, предназначенных для истинного обмена,

и

IP-адресов, предназначенных для ложного обмена для каждого из А абонентов сети связи. Затем задают (бл. 5 на фиг. 4) совокупность связей между

и

IP-адресами как матрицу связностей истинного обмена, а совокупность связей между

и

IP-адресами задают (бл. 6 на фиг. 4) как матрицу связностей ложного обмена и запоминают их. S ^And , intended for true exchange of message packets between subscribers, where

, and many addresses S ^L , intended for the false exchange of message packets between subscribers, where

. From the set of D IP addresses, a plurality of D ^AND addresses are allocated for the true exchange of message packets between subscribers, where

, and many addresses D ^L , intended for the false exchange of message packets between subscribers, where

. The selection of subsets of addresses intended for true and false exchange of message packets between subscribers allows you to specify both graphically and in matrix form the imposed masked (false) structure of the communication network. After that, remember (bl. 4 in Fig. 4)

and

True IP addresses

and

IP addresses intended for false exchange for each of A subscribers of the communication network. Then set (bl. 5 in Fig. 4) a set of relations between

and

IP addresses as a matrix of connections of true exchange, and the totality of connections between

and

IP- addresses are set (bl. 6 in Fig. 4) as a matrix of connections of false exchange and remember them.

An example illustrating the representation of the true exchange connectivity matrix is presented in the table in FIG. 5a, and an example illustrating a representation of a matrix of connections of a false exchange is represented by the table in FIG. 5 B. For convenience and as an example, true addresses differ from false ones by the number of bits - the last two bits for true and three for false IP addresses. The matrices shown in FIG. 5 reflect the structures of the communication network depicted in FIG. 6, where in FIG. 6a shows the original unmasked structure of the communication network (corresponds to the connectivity matrix in FIG. 5a), which is a communication channel between routers with IP addresses 200.168.2.1 and 200.168.2.2 implemented via the Internet, and in FIG. 6b - masked structure of a communication network without taking into account the intensity of masking information directions between subscribers (corresponds to the connectivity matrix in Fig. 5b), which is a collection of communication channels between routers with changed IP addresses. In figures 6 and 7, a shortened form for recording IP addresses is used, illustrating only the distinguishing part to the right of the last separator (dot). To the left of the last separator (dot), the bit values for all IP addresses are the same: 200.168.2.X.

и

IP-адресами и запоминают их (бл. 7 на фиг. 4). В табличном виде иллюстрация назначения приоритетов маскирующих информационных направлений представлена на фиг. 7а, а их отражение на структуре сети связи представлено на фиг. 7б. Для каждого номера Р приоритета задают максимальное количество передаваемых

ложных пакетов сообщений и запоминают его (бл. 8 на фиг. 4). Пример задания количества ложных пакетов сообщений для приоритетов №№1…3 представлен таблицей на фиг. 7в. Управление интенсивностью ложных пакетов сообщений необходимо для того, чтобы маскирующие информационные направления имели достаточную контрастность на фоне общего трафика сети связи и были обнаружены злоумышленником, чем и достигается замысел маскирования сети связи с навязыванием злоумышленнику ложных представлений о структуре сети связи.Then set the numbers P priority of the false exchange, where P = 1, 2, 3, ... for each connection between

and

IP addresses and remember them (bl. 7 in Fig. 4). In tabular form, an illustration of the priority assignment of masking information directions is presented in FIG. 7a, and their reflection on the structure of the communication network is shown in FIG. 7b. For each priority number P , the maximum number of transmitted

false message packets and remember it (bl. 8 in Fig. 4). An example of setting the number of false message packets for priorities No. 1 ... 3 is presented in the table in FIG. 7c. The control of the intensity of false message packets is necessary so that the masking information directions have sufficient contrast against the background of the general traffic of the communication network and are detected by the attacker, thereby achieving the idea of masking the communication network by imposing false ideas on the structure of the communication network to the attacker.

After that, from the given set of M IP addresses of the senders and recipients of the message packets, the current addresses of the sender A _TO and receiver A _TP are assigned and stored (block 9 in FIG. 4). When installing and configuring systems that implement the method, system administrators can assign current addresses either strictly according to the instructions, or by coordinating their actions by phone.

The function F ^S (i) of selecting the current sender address and the function F ^D (i) of selecting the current recipient address for true message packets, where i = 1,2,3, ..., according to which at the i- th step assign new addresses (bl. 10 in Fig. 4).

The sender and receiver set the function G ^S (i) to select the current sender address and the function G ^D (i) to select the current receiver address for false message packets, where G ^S (i) ≠ F ^S (i) , G ^D (i) ≠ F ^D (i) , i = 1,2,3, ..., according to which at the i- th step, new addresses are assigned (bl. 11 in Fig. 4), and they are set equal to the unit of the number of steps of the address change i _O = 1 and i _P = 1 (bl. 12 in Fig. 4).

и получателя

в качестве текущих адресов отправителя A _TO и получателя А _ТП , запоминают их и увеличивают номер шага смены адресов отправителя на единицу (i _O =i _O +1). Затем формируют у отправителя исходный пакет сообщений и кодируют его (бл. 15 на фиг. 4) любым из известных способов (см., например, книгу Молдовян Н.А. и др. «Криптография: от примитива к синтезу», СПб.: БВХ - Петербург, 2004, с. 301-337).Next (bl. 13 in Fig. 4), the sender checks for the presence of message packets for transmission and, if available, selects (bl. 14 in Fig. 4) new sender addresses

and the recipient

as the current addresses of the sender A _TO and the receiver A _TP , remember them and increase the step number of the change of sender addresses by one ( i _O = i _O +1). Then the source message packet is formed at the sender and encoded (block 15 in Fig. 4) using any of the known methods (see, for example, the book by N. A. Moldovyan and others. “Cryptography: from primitive to synthesis”, St. Petersburg: BVH - Petersburg, 2004, p. 301-337).

After that, the encoded message packet is converted to TCP / IP format, the current addresses of the sender A _TO and the receiver A _TP are included in it, and the generated information message packet is transmitted to the receiver (block 16 in FIG. 4). Converting to TCP / IP format is to add an IP header to the encoded data packet.

равным единице

. Передача пакетов сообщений между удаленными АС происходит только тогда, когда необходима передача данных, а при отсутствии данных пакеты сообщений не формируются и не передаются. Паузы между передачей пакетов сообщений могут дать злоумышленнику определенные разведывательные признаки, в частности могут характеризовать оперативный фон распределенной АС, т.е. по тому, есть передача пакетов сообщений или нет, можно определить степень активности распределенной АС в данный момент. Все это может позволить злоумышленнику в случае раскрытия замысла защиты осуществить попытки нарушить нормальное функционирование распределенной АС именно в важный для АС момент. Вследствие этого, в моменты, когда у отправителя нет данных для передачи, в заявленном способе формируют и передают ложные пакеты сообщений: при отсутствии у отправителя пакетов сообщений для передачи сравнивают (бл. 18 на фиг. 4) значение счетчика

с заданным максимальным количеством

. Если

, то (см. бл. 19 на фиг. 4) выбирают у отправителя в качестве текущих адресов отправителя

и получателя

, запоминают их и увеличивают номер шага смены адресов отправителя на единицу (i _O =i _O +1). В противном случае, т.е. при

, вновь проверяют наличие у отправителя пакетов сообщений для передачи.After transmitting the generated true message packet to the receiver, the counter value is set (bl. 17 in Fig. 4)

equal to one

. The transmission of message packets between remote speakers occurs only when data transmission is necessary, and in the absence of data message packets are not formed and not transmitted. The pauses between the transmission of message packets can give an attacker certain intelligence features, in particular, they can characterize the operational background of a distributed AS, i.e. by whether there is a transmission of message packets or not, it is possible to determine the degree of activity of a distributed speaker at a given moment. All this can allow an attacker to attempt to disrupt the normal functioning of a distributed speaker system at an important moment for the speaker if the protection plan is revealed. As a result of this, at times when the sender does not have data to transmit, false message packets are generated and transmitted in the claimed method: if the sender does not have message packets for transmission, they compare (block 18 in Fig. 4) the counter value

with a given maximum quantity

. If

, then (see bl. 19 in Fig. 4) is selected from the sender as the current address of the sender

and the recipient

, remember them and increase the step number of the change of sender addresses by one ( i _O = i _O +1). Otherwise, i.e. at

, again check if the sender has message packets for transmission.

определяют в соответствии с заданной функцией выбора адреса для ложных пакетов сообщений

. Передают от отправителя к получателю ложный пакет сообщений.To generate a message packet from the sender in the absence of the initial message packet, a control signal is generated to generate a false message packet, a false message packet is generated from the sender, and a false message packet is encoded (block 20 in Fig. 4). Next (block 21 in Fig. 4), the encoded false message packet is converted to TCP / IP format, and the current address of the Sender A _TO and receiver A _{TP are} included in the received value of the false message packet in TCP / IP format. When including the current sender and recipient addresses, the current sender address

determined in accordance with a predetermined address selection function for false message packets

. A false message packet is sent from the sender to the receiver.

. Если текущий адрес получателя А _ТП совпадает (бл. 23 на фиг. 4) с подмножеством адресов

, то формируют ответный пакет сообщений и передают его, затем увеличивают на единицу текущее значение счетчика

(бл. 24 на фиг. 4). Это необходимо в связи с тем, что при передаче пакетов сообщений между IP-адресами, формируемыми одним абонентом, требуется отправлять и принимать подтверждающие пакеты сообщений (так называемые квитанции).After transmitting from the sender to the recipient a false message packet, compare (bl. 22 in Fig. 4) the value of the current address of the recipient A _TP with many addresses

. If the current address of the recipient A _TP matches (bl. 23 in Fig. 4) with a subset of addresses

then form a response message packet and transmit it, then increase by one the current counter value

(bl. 24 in Fig. 4). This is necessary due to the fact that when sending message packets between IP addresses formed by one subscriber, it is necessary to send and receive confirmation message packets (so-called receipts).

, то увеличивают на единицу текущее значение счетчика

без формирования ответного пакета сообщений и его передачи.If the current address of the recipient A _TP does not match the subset of addresses

, then increase by one the current counter value

without forming a response message packet and transmitting it.

и получателя

, для чего назначают у отправителя из заданной базы адресов в соответствии с функциями выбора новые текущие адреса отправителя

и получателя

и запоминают их в качестве текущих адресов отправителя А _ТО и получателя А _ТП . Заменяют у получателя его текущий адрес A _TO на новый текущий адрес получателя

и увеличивают номер шага i _П на единицу (i _П =i _П +1). Затем повторно формируют у отправителя очередной пакет сообщений.Next (bl. 25 in Fig. 4) from the message packet received from the recipient, the addresses of the sender A _O and the recipient AP are _selected and compared (bl. 26 in Fig. 4) with the current addresses of the sender A _TO and the receiver A _TP . If they do not match (bl. 27 in Fig. 4), the received packets are not analyzed (ignored), and if they match, the encoded data is extracted from the received message packet and decoded (bl. 28 in Fig. 4). Next (bl. 29 in Fig. 4) form the recipient information about the new current addresses of the sender

and the recipient

, for which purpose the sender is assigned from the given address base in accordance with the selection functions the new current sender addresses

and the recipient

and remember them as the current addresses of the sender A _TO and the recipient A _TP . Replace the recipient's current address A _TO with the new current recipient address

and increase the step number i _P by one ( i _P = i _P +1). Then the next message packet is re-formed at the sender.

The values of S and D addresses of the sender and receiver are selected in the range of S = 2-64, D = 2-64.

,

, а в качестве функции выбора ложного адреса отправителя G ^S (i) и получателя G ^D (i) используют последовательность чисел Люка:

,

.As a function of selecting the address of the sender F ^S (i) and the recipient F ^D (i) use a sequence of Fibonacci numbers:

,

, and as a function of choosing a false address, the sender G ^S (i) and the recipient G ^D (i) use a sequence of Luc numbers:

,

.

The ability to implement the claimed method and its effectiveness was verified by conducting an experiment. Automated systems AC ₁ and AC ₂ are interconnected, as shown in FIG. 1a. The communication network diagram corresponds to that shown in FIG. 6a, which shows: 1 - routers

M-1 and M-2, which implement the expansion of the address space of IP- addresses; 2 - access switches to the public communication network; 3 - router in the network of the communication operator (provider) MP; 4 network scanner of an attacker reconstructing the structure of a communication network. Using a network scanner, an attacker recognizes the structure of a communication network by identifying the addresses of correspondents when analyzing traffic at a point on the Internet, for example, when connecting to the equipment of a communication operator (provider).

The address space of IP addresses is expanded on the external interfaces of the M-1 and M-2 routers (see Fig. 6a). Evaluation of the effectiveness of address space expansion during the experiment is carried out using the nmap network scanner, which operates on an attacker's PC. The principle, sequence of operation of the nmap network scanner and the methodology for interpreting scan results are known (see, for example, https://nmap.org/).

At the first stage of the experiment, the external IP addresses of routers M-1 and M-2 are fixed (Fig. 6a). Using a nmap network scanner, the IP addresses of routers that are initialized on the routers services and the version of the operating system are detected. In FIG. Figure 8a shows the protocol of the results of operation of a network scanner that detected a network device with an IP address 200.168.2.1, where the results of identification of the device ports and the type of its operating system are circled. These identification results are the source data for deliberate destructive actions by an attacker on a network device.

At the second stage of the experiment, the address space is expanded on the external IP addresses of routers M-1 and M-2 by initializing a computer program that implements the claimed method. The structure of the communication network corresponding to the connection matrices of the true and false exchanges shown in FIG. 5. The selection (change) of addresses is carried out using a pseudo-random number generator. Then, as in the first stage of the experiment, using the nmap scanner, attempts are made to identify the IP addresses of the routers, the services initialized on the routers, and the version of the operating system.

In FIG. Figure 8b shows the protocol of the results of operation of a network scanner that scanned the range of IP addresses 200.168.2.0/24, excluding the scanner's own IP address 200.168.2.254. Since, as a result of the expansion of the address space, the IP addresses of network devices dynamically change, the network scanner records one of the IP addresses 200.168.2.12 in its report, however, all the studied ports were filtered (the message “All 1000 scanned ports on 200.168.2.12 are filtered because of 1000 no-responses ”means that“ all 1000 scanned ports of the network device were filtered out because they do not respond ”) and the operating system version could not be determined (the message“ Many fingerprints match this host to give specific OS details ”means that “Too many fingerprints Calls the network device to drill down on the operating system ”). These scanner overhead messages framed in FIG. 8a, it is said that an attacker fails to obtain reliable information about any particular network device.

With a short duration of the contact time of the attacker with the communication channel (less than 1 minute in the experiment) or with a low traffic intensity between subscribers, when the claimed methods implement only false information exchange, the attacker can only use IP addresses and message packets of masking (false) exchange, which creates an incorrect idea about the structure of the communication network in an attacker.

For a long time (from 1 minute or more in the experiment), the attacker, analyzing the communication network and logging the appearance of message packets including the addresses of the sender and recipient, graphically interprets the received information using the program for visualizing the network environment (see, for example, the Dude software , https://mikrotik.com/thedude) or manually, fixing IP addresses and connections between them. The visualization results are the same as in FIG. 6b, which means achieving the goal of masking.

Thus, in the considered method, by continuously changing the identifiers of network subscribers in the transmitted message packets, setting priorities for information directions that determine the rate of exchange of false message packets for each pair of correspondents, the achieved technical result is achieved - increasing the effectiveness of masking the initial (true) structure of the communication network . And the expansion of the scope is provided by the transmission of message packets between IP addresses formed by one correspondent.

Claims (2)

1. The method of masking the structure of the communication network, which consists in pre-setting the initial data, including A subscribers of the communication network and the communication lines between them, a set of M IP addresses of senders and recipients of message packets, assigned from a given set of M IP addresses senders and recipients of message packets current addresses of the sender A _TO and receiver A _TP and remember them, set the sender and receiver function F ^S (i) to select the current address of the sender and the function F ^D (i) to select the current address of the recipient for true message packets, where i = 1, 2, 3, ..., according to which at the i-th step, new addresses are assigned, the function G ^S (i) of selecting the current sender address and the function G ^D (i) are set at the sender and recipient selecting the current recipient address for false message packets, where G ^S (i) ≠ F ^S (i), G ^D (i) ≠ F ^D (i), i = 1, 2, 3, ..., in accordance with which i th step assigns new addresses are set to one address numbers change steps i _O = 1 and i = 1 _n, formed from the original sender's message packet, encode it, converts the encoded message packet in TCP / IP format, Luciano in his current address of the sender and _even recipient A _TA transmits the information packet messages to the recipient, the sender is assigned from the specified base address, in accordance with the functions of the new selection the current address of the sender

and the recipient

and remember them as the current addresses of the sender A _TO and the receiver A _TP , replace the sender's current address A _TP with the new current address of the sender

and increase the step number i _O by one (i _O = i _O +1), to generate a message packet from the sender in the absence of the original message packet, generate a control signal to generate a false message packet, form a false message packet from the sender, encode a false message packet, they convert the encoded false message packet into TCP / IP format, include the current address of the Sender A _TO and the receiver A _TP in the received value of the false message packet in TCP / IP format, when the current address of the sender and receiver is included in it, those existing sender address

determined in accordance with the address selection function for false message packets

Is transmitted from the sender to the recipient a false message packet from the received recipient message packet isolated sender address A _O and destination _AP, compare them to the current address of the sender or _even recipient A _TA when noncoincidence received packets are analyzed, and the coincidence encoded data is extracted from the received message packet and decoded, and the recipient receives information about the new current address of the sender

and the recipient

, for which purpose the sender is assigned from the given address base in accordance with the selection functions the new current sender addresses

and the recipient

and remember them as the current addresses of the sender A _TO and the recipient A _TP , the recipient replaces his current address A _TO with the new current address of the recipient

and increment the step number i _P by one (i _P = i _P +1), after which they re-form the next message packet at the sender, characterized in that the predefined source data additionally includes a base for storing IP addresses intended for true exchange between senders

and recipients

for each of A subscribers of the communication network, where A = a ₁ , a ₂ , ..., the base for storing IP addresses intended for false exchange between senders

and recipients

for each of A subscribers of the communication network, and the value of the counter of the number of transmitted false message packets

set to zero, allocate in a predefined set of M IP addresses a set of S IP addresses intended to select a sender address A _O , and a set of D IP addresses intended to select a recipient address A _P are isolated from a plurality S IP -addresses is a set of S ^And addresses intended for true exchange of message packets between subscribers, where

, and many addresses S ^L , intended for the false exchange of message packets between subscribers, where

, and from the set of D IP addresses, a plurality of D ^AND addresses are allocated for the true exchange of message packets between subscribers, where

, and many addresses D ^L , intended for the false exchange of message packets between subscribers, where

remember

and

True Exchange IP Addresses

and

IP addresses intended for false exchange for each of A subscribers of the communication network, after which the set of connections between

and

IP addresses as a matrix of connections of true exchange, and the totality of connections between

and

IP addresses are set as a matrix of false exchange connections and stored, then numbers P of false exchange priority are set, where P = 1, 2, 3, ... for each connection between

and

IP addresses and remember them, and for each priority number P set the maximum number of transmitted

false message packets and remember it, then after setting the number of steps for changing the addresses i _O and i _П equal to unity, check if the sender has message packets for transmission and, if any, select new sender addresses

and the recipient

as the current addresses of the sender A _TO and the receiver A _TP , remember them, increase the step number of the change of sender addresses by one (i _O = i _O +1), and after transmitting the generated true message packet to the receiver, set the counter

equal to one

, and if the sender does not have message packets for transmission, the counter value is compared

with a given maximum quantity

, and if

, then select from the sender as the current address of the sender

and the recipient

and remember them, increase the step number of the change of the sender's address by one (i _O = i _O +1), and after transmitting from the sender to the recipient a false message packet, compare the value of the current address of the receiver A _TP with many addresses

, and if the current address of the recipient A _TP coincides with a subset of addresses

then form a response message packet and transmit it, then increase by one the current counter value

. 2. The method according to p. 1, characterized in that the values S and D of the addresses of the sender and recipient are selected within S = 2-64, D = 2-64, as a function of selecting the address of the sender F ^S (i) and the recipient F ^D (i) use a sequence of Fibonacci numbers:

,

, and as a function of choosing a false address, the sender G ^S (i) and the recipient G ^D (i) use a sequence of Luc numbers:

,

,

Images