RU2712646C1 - Method of monitoring a distributed control and communication system with high stability - Google Patents

Abstract

FIELD: monitoring systems.

SUBSTANCE: invention refers to technical diagnostics. Method of monitoring consists in formation of structure and topology of monitoring system, deployment and activation of monitoring system elements, measurement of characteristics of real operating conditions of monitoring objects, determination of norms of values of all parameters and characteristics of n-th control objects taking into account actual conditions of their operation, generation of identification codes for a given time interval t₁ and time interval t₁+Δt based on prediction and normalization of values of all parameters and characteristics of n-th control objects, comparison of identification codes with reference values, transmission of identification codes to a control unit of cryptographic processing, implementation of necessary cryptographic transformations, arrangement of cryptographic secure control channel between network routers of control and controlled items for change and reconfiguration of monitoring system with due allowance for technical condition of control objects.

EFFECT: wider range of tools.

1 cl, 5 dwg

Description

The invention relates to the field of technical diagnostics and can be used in automated control systems of a distributed control and communication system.

A device for diagnosing channels for transmitting digital information based on probabilistic forecasting the possibility of failures in measured receivers and terminal equipment sets for a given time interval [RU patent No. 2473114 of 01/10/2013].

There is also a method for monitoring digital transmission systems (DSP) and a device that implements it [patent RU No. 2573266 of 10.17.2015], which allows diagnosing DSP channels due to the probabilistic prediction of failures, errors (malfunctions) for a given time interval and the ability to monitor several monitoring objects at the same time.

Closest to the technical nature of the claimed monitoring method is a monitoring method of a distributed control and communication system [patent RU No. 2619205 of 05/12/2017], which consists in the formation of the structure and topology of the monitoring system, deployment and operation of the elements of the monitoring system . Next, the characteristics of the actual operating conditions of the control objects are measured: the number of control objects, the distance between the control objects, the speed of information transfer depending on the digital hierarchy, the frequency and duration of the technical condition control, a combination of test signals is generated, generated test signals are fed to the inputs of the n-control objects. The parameters and characteristics of the nth test object are measured. Form a database of identification codes and reference values of all parameters and characteristics. Based on the information received, the technical state of the nth monitoring object is determined at time t ₁ . Information on the technical condition of the specified nx monitoring objects is transmitted to the automated workstation STU. The technical state of the nth monitoring object is predicted for a given time interval t ₁ + Δt. The response signals about the technical condition of the nth monitoring object at time t ₁ and the response signals of the predicted technical condition of the nth monitoring object to the time interval t ₁ + Δt, respectively, are transmitted to the AWS STU. Form identification codes for a given point in time t ₁ and the time interval t ₁ + Δt taking into account the prediction of the technical condition. Generated identification codes are transmitted to the automated workstation STU, identification codes are compared with reference values. If all parameters and characteristics coincide with the reference values, the monitoring system is reconfigured taking into account the technical condition of the objects under control. If the identification codes do not meet the requirements of the norms of parameters and characteristics, then the values of the norms of all

parameters and characteristics of nx control objects, taking into account the actual conditions of their operation. Identification codes are generated at a given point in time t ₁ and a time interval t ₁ + Δt taking into account forecasting and normalization of the values of all parameters and characteristics nx of the monitoring objects, identification codes are compared with reference values, the monitoring system is modified and reconfigured taking into account the technical condition of the monitoring objects. This method was chosen as a basis as a prototype for the claimed method.

A common drawback of the analogue and prototype is the relatively high probability of the enemy intercepting data on reconfiguring the monitoring system, which will lead to the enemy acting on individual control objects of the monitoring system, and opening the communication system as a whole. This is explained by the clear transmission of control (configuration) information on reconfiguring the monitoring system.

The purpose of the claimed method is to develop a monitoring method for a distributed control and communication system that provides increased resistance to compromise by the intruder due to a significant difficulty in the possibility of intercepting traffic control (configuration) information for reconfiguring the monitoring system.

The objective of the invention is to provide a method for monitoring a distributed control and communication system, which allows to increase the resistance to compromise by hiding information on reconfiguring the monitoring system by transmitting control (configuration) information traffic over a cryptographically secure channel.

The task is achieved by the fact that in the claimed monitoring method, which consists in the fact that they form the structure and topology of the monitoring system, deploy and include elements of the monitoring system. Next, the characteristics of the actual operating conditions of the control objects are measured: the number of control objects, the distance between the control objects, the speed of information transfer depending on the digital hierarchy, the frequency and duration of the technical condition control, a combination of test signals is generated, generated test signals are fed to the inputs of the n-control objects. The parameters and characteristics of the nth test object are measured. Form a database of identification codes and reference values of all parameters and characteristics. Based on the information received, the technical state of the nth monitoring object is determined at time t ₁ . Information on the technical condition of the specified nx monitoring objects is transmitted to the automated workstation STU. The technical state of the nth monitoring object is predicted for a given time interval t ₁ + Δt. Transmit technical condition response signals to the AWS STU

of the nth control object at time t ₁ and the response signals of the predicted technical state of the nth control object to the time interval t ₁ + Δt, respectively. Form identification codes for a given point in time t ₁ and the time interval t ₁ + Δt taking into account the prediction of the technical condition. Generated identification codes are transmitted to the automated workstation STU, identification codes are compared with reference values. If all parameters and characteristics coincide with the reference values, the monitoring system is reconfigured taking into account the technical condition of the objects under control. If the identification codes do not meet the requirements of the norms of parameters and characteristics, then the values of the norms of all parameters and characteristics nx of the monitoring objects are determined taking into account the actual conditions of their operation. Identification codes are generated at a given point in time t ₁ and a time interval t ₁ + Δt taking into account forecasting and normalization of the values of all parameters and characteristics nx of the monitoring objects, identification codes are compared with reference values, the monitoring system is modified and reconfigured taking into account the technical condition of the monitoring objects. Additionally, the following actions have been introduced: transmit identification codes to the control network router, transmit identification codes from the network router to the cryptographic processing control unit. In the cryptographic processing unit, the necessary cryptographic transformations are carried out, the encrypted identification codes are transmitted back to the network router, and a cryptographic secure control channel is organized between the network routers of the control and managed products.

The listed set of existing features provides increased resistance to compromise during diagnosis by hiding information on reconfiguring the monitoring system by transmitting control (configuration) information traffic over a cryptographically secure channel.

The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features that are identical to all the features of the claimed method are absent, which indicates the conformity of inventions with the patentability conditions of “novelty”.

The search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed invention from the prototype showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention transformations to achieve the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The "industrial applicability" of the introduced elements is due to the presence of the element base on the basis of which they can be made.

The claimed invention is illustrated by drawings, which show:

FIG. 1 - action algorithm for monitoring distributed control and communication systems;

FIG. 2 - a sequence of calculations when determining the norms of all parameters and characteristics of n-x control objects, taking into account the actual conditions of their operation;

FIG. 3 is a diagram of the organization of a cryptographically secure control channel between network routers of the control and managed products;

FIG. 4 - option for classifying service disciplines with priorities;

FIG. 5 - dependence of the average service wait time on the priority of the packet.

The management system is understood as the totality of people, software and hardware devices, providing the organization of a particular process in order to solve the tasks assigned to it (Fundamentals of communication management of the Russian Federation / VB Bulgak, L.E. Varakin, A.E. Krupnov and other / Under the editorship of A.E. Krupnov and L.E. Varakin. - M .: Radio and communications, 1998. - 184 p .; p. 8).

A communication system is understood as an organizational and technical association of communication facilities deployed in accordance with the tasks to be solved and the adopted management system for the exchange of all types of messages (information) between points (communication centers), control bodies and objects (A.G. Ermishyan Theoretical Foundations of Systems of military communications in associations and formations: A Textbook, Part 1. Methodological foundations for the construction of organizational and technical systems of military communications. St. Petersburg: VAS, 2005. - 740 p., p. 74).

Under the control object is understood the product and (or) their components subject to (subject to) diagnosis (control) (GOST 20911-89. Technical diagnostics. Terms and definitions. - M .: Publishing house of standards, 1989. - 9 p., P. 2).

Reconfiguration of the monitoring system consists in changing its structure, topology, operating modes (putting redundant channels (lines) and monitoring objects into operation, restoring damaged and failed monitoring objects, changing transmission frequencies, reception, transmission power, types of signal processing, channel paths ( paths), azimuths of antennas, noise immunity modes, etc.). Fundamentals of building systems and networks for the transfer of information. (Textbook for universities / V.V. Lomovitsky, A.I. Mikhailov, K.V. Shestak, V.M. Shchekotikhin / Ed. By V.M. Shchekotikhin - M .: Hot line - Telecom, 2005. - 382 p.).

The algorithm of actions when monitoring distributed control and communication systems is presented in figure 1, where in block 1 the structure and topology of the system are formed

периодичность (T₁…T_n) и продолжительность контроля технического состояния (t₁…t_n). (И.Г. Бакланов. Методы измерений в системах связи. М.: Эко-Трендз, 1999. - 204 с. стр. 56). В блоке 4 формируют комбинацию тестовых сигналов. В блоке 5 передают сформированные тестовые сигналы и комбинации опросных сигналов на входы n-объектов контроля. В блоке 6 измеряют параметры и характеристики n-го объекта контроля. В блоке 7 формируют базу данных эталонных значений всех параметров и характеристик. В блоке 8 определяют на основании полученной информации техническое состояние n-го объекта контроля в момент времени t₁. В блоке 9 передают информацию о техническом состоянии заданных n-x объектов контроля на АРМ СТУ. В блоке 10 прогнозируют техническое состояние n-го объекта контроля на заданный интервал времени t₁+Δt. В блоке 11 передают на АРМ СТУ сигналы отклика о техническом состоянии n-го объекта контроля в момент времени t₁ и сигналы отклика прогнозируемого технического состояния n-ого объекта контроля в момент времени t₁+Δt. В блоке 12 формируют идентификационные коды на заданный момент времени t₁ и интервал времени t₁+Δt с учетом прогнозирования технического состояния. В блоке 13 передают сформированные идентификационные коды в АРМ СТУ. В блоке 14 сравнивают идентификационные коды с эталонными значениями, в случае совпадения всех параметров и характеристик с эталонными значениями их передают на управляющий сетевой маршрутизатор (блок 19). В блоке 20 передают идентификационные коды с сетевого маршрутизатора на блок криптографической обработки, где осуществляют криптографические преобразования (блок 21) и передают обратно на управляющий сетевой маршрутизатор (блок 22). В блоке 23 организуют криптографический защищенный канал между сетевыми маршрутизаторами управляющего и управляемого изделий, после чего в блоке 24 реконфигурируют систему мониторинга с учетом технического состояния объектов контроля, если идентификационные коды не соответствуют требованиям норм параметров и характеристик, то определяют нормы значений всех параметров и monitoring and its control objects and lines between them, taking into account the construction of a distributed control and communication system, assuming its presentation by quantitative indicators through the relevant parameters, as well as a description of the composition, configuration and relationship of the individual elements (Fundamentals of the construction of information transmission systems and networks. manual for universities / V.V. Lomovitsky, A.I. Mikhailov, K.V. Shestak, V.M.Schekotikhin / Under the editorship of V.M.Schekotikhin - M .: Hot line - Telecom, 2005. - 382 p. 57). The structural and topological construction of the monitoring system is carried out taking into account several n-objects of control. In block 2, the elements of a monitoring system are deployed and put into operation. In block 3, measurements are made of the characteristics of the actual operating conditions of the control objects: the number of control objects (1 ... n), the distance between the control objects (r ₁ ... r _n ), information transfer rate

the frequency (T ₁ ... T _n ) and the duration of the monitoring of the technical condition (t ₁ ... t _n ). (IG Baklanov. Measurement methods in communication systems. M: Eco-Trends, 1999. - 204 p. 56). In block 4, a combination of test signals is formed. In block 5, the generated test signals and combinations of interrogation signals are transmitted to the inputs of n-objects of control. In block 6, the parameters and characteristics of the nth monitoring object are measured. In block 7 form a database of reference values of all parameters and characteristics. In block 8, based on the information received, the technical state of the nth monitoring object is determined at time t ₁ . In block 9 transmit information about the technical condition of the specified nx objects of control on AWS STU. In block 10, the technical state of the nth monitoring object is predicted for a given time interval t ₁ + Δt. In block 11, the response signals about the technical condition of the nth monitoring object at time t ₁ and the response signals of the predicted technical condition of the nth monitoring object at t ₁ + Δt are transmitted to the AWS STU. In block 12, identification codes are generated for a given time t ₁ and time interval t ₁ + Δt taking into account the forecasting of the technical condition. In block 13, the generated identification codes are transmitted to the AWS STU. In block 14, identification codes are compared with reference values; if all parameters and characteristics coincide with reference values, they are transmitted to the control network router (block 19). In block 20, identification codes are transmitted from the network router to the cryptographic processing unit, where cryptographic transformations are performed (block 21) and transmitted back to the control network router (block 22). In block 23, a cryptographic secure channel is organized between the network routers of the controlled and controlled products, after which, in block 24, the monitoring system is reconfigured taking into account the technical condition of the objects under control, if the identification codes do not meet the requirements of the parameters and characteristics, then the norms of the values of all parameters are determined and

characteristics of nx objects of control, taking into account the actual conditions of their operation (block 15). In block 16, the norm values of all parameters and characteristics produced in block 15 are measured. In block 17, identification codes are generated for a given time interval t ₁ and time interval t ₁ + Δt taking into account the normalization of all parameters and characteristics. In block 18, the identification codes are compared with the reference values, if the identification codes correspond to the reference values, they are transmitted to the control network router (block 19). In block 20, identification codes are transmitted from the network router to the cryptographic processing unit, where cryptographic transformations are performed (block 21) and transmitted back to the control network router (block 22). In block 23, a cryptographic secure channel is organized between the network routers of the control and managed products, after which, in block 24, the monitoring system is reconfigured taking into account the technical condition of the objects under control. In case of discrepancy between the identification codes and the reference values, they return to measurements of the characteristics of the actual operating conditions (block 3).

периодичность (T₁…T_n) и продолжительность контроля технического состояния (t₁…t_n) (И.Г. Бакланов Методы измерений в системах связи. -М.: Эко-Трендз, 1999. - 204 с., стр. 56.).The sequence of calculations when determining the norms of all parameters and characteristics nx of the monitoring objects, taking into account the actual operating conditions, is shown in figure 2, where in block 1 the input data are entered: the number of monitoring objects (1 ... n), the distance between the monitoring objects (r ₁ ... r _n ), information transfer rate

the frequency (T ₁ ... T _n ) and the duration of the monitoring of the technical condition (t ₁ ... t _n ) (I.G. Baklanov Measurement methods in communication systems. -M .: Eco-Trends, 1999. - 204 p., p. 56 .).

In block 2, a norm is determined for the performance of the objects of control (PO). To do this, determine the bit rate in the path. Norms for operating characteristics by the path bit data rate for a second with errors - PO _es or norms for operating characteristics of an erroneous second - PO _ses , norms for operating characteristics of a background block error - PO _bbe , norms for operating characteristics of an error-affected period - PO _sep (Performance limit values for commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 pp., P. 15).

In block 3, the path distribution, A%, is calculated. All basic path elements (PCEs) for the entire path are determined and n is set to the total number of PCE elements. The length d of each element of PCE _{n is} determined. The length d is either the actual path length, or can be estimated by the length in a large circle between its end points, multiplied by the corresponding routing coefficient. The distribution value, a _n %, is considered for the PCE _n element. It should be noted that

distribution values are maximum values; according to a bilateral or multilateral agreement, more “strict” meanings may be used. The path distribution is calculated, A%, A% = %a% (Performance limit values for commissioning maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 pp., P. . fifteen).

In block 4, a Distributed Quality Score (APO) is calculated. The required test period (T) is determined, where T = 15 min, 2 hours or 24 hours.

The distributed performance norm for a second with errors is calculated using the following formula (Performance limit values for commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 pp., P. . 16):

The distributed performance standard for an error-affected second is calculated by the formula (Performance limit values for commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 p. 16 ):

The distributed performance norm for the background error of n-objects is calculated according to the following formula (Performance limits for commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 pp. , p. 16):

The distributed performance norm for the background error of the block is calculated by the formula (Limit values of the operating characteristics during commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 pp., P. 16):

In block 5, the norm for quality indicators during commissioning (BISPO) is calculated.

Standards for quality indicators when commissioning n-test objects for a second with errors are calculated according to the following formula (Limit values of operating characteristics for commissioning and maintenance

international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 p., P. 16):

Standards for quality indicators during commissioning for a second affected by errors are calculated according to the following formula (Performance limits for commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003 44 s , p. 16):

Standards for quality indicators during commissioning for the background error of the unit are calculated according to the following formula (Performance limits for commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 p. 16):

In block 6, the values of the limit value (S) are calculated: the limit values for a second with errors are calculated by the formula (Performance limit values for commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003 ., 44 s, p. 16): where D is the coefficient taking into account BISPO, which is necessary for further calculation of the limiting value of S:

The limit values for the second affected by errors are calculated (Limit values of operating characteristics during commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 s, p. 16):

Limit values for the background error of the block (Limit values of operating characteristics during commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 p. 16):

In block 7, all values of S are rounded to the nearest integer value less than or equal to zero. (Performance limit values for commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003 44 p. 16).

In some cases, the limit values of S for BBE are nonzero, while the limit values for ES are zero or unreliable (i.e. there is no 95% confidence that BISPO will be performed in the long run). Assume that a longer test is used, where the limit values for ES are unreliable. The BBE test cannot be accepted if there is more than one ES.

In block 7, the norms of the values of all parameters and characteristics of n-objects of control are determined (Limit values of operating characteristics during commissioning and maintenance of international multioperator paths and multiplex sections SDH-Recommendation ITU-T / M. 2101; 2003, 44 p. . 16).

The organization scheme of a cryptographically secure control channel between network routers of the control and managed products for reconfiguring the monitoring system is shown in Figure 3, where, to protect the control (configuration) information transmitted from the administrator's workstation of the monitoring and network management center (CMUS) to the technological control server of the slave node, the following interaction algorithm:

1. Identification codes from the administrator's workstation through the switch are sent to the network router.

2. In order to increase the security system on the network router, an incoming traffic filtering system must be configured. Permission must be given to pass control commands only from the IP address of the AWS STU TsMUS (i.e., filtering by IP addresses at the network level), only via TCP (filtering at the transport level), and also indicating the specific application service port For example: Telnet, SNMP, etc. (filtering at the application level).

3. Having passed the filtration system, configuration parameters are sent to the cryptoblock, where they are encrypted and placed in the control tunnel. The design bureau should be configured in such a way as to allow only datagrams coming from the network administrator's workstation to be placed in the tunnel.

4. The encrypted data is sent back to the network router as outgoing traffic. As well as for incoming control commands on the router, three filtering levels must be configured (at the network, transport, and application levels), and then "closed" traffic is transmitted to the managed node through the external network.

5. When a connection is established between the network routers of the control and managed products, a cryptographically secure control channel is organized. The entire telecommunication exchange between control and managed products during the implementation of the considered algorithm is performed using cryptographically secure channels - encryption is performed on the keys of the control channel.

6. The managed network router receives closed information that passes through the filtering system and passes it to the crypto block.

7. The receiving cryptoblock is configured in such a way that it processes incoming traffic received only from the control product. Having received closed information, it performs the necessary cryptographic transformations and transmits open control information to the network router.

8. On the network router, the information passing through the traffic filtering system, through external interfaces, enters the process control server.

The hardware configuration must be configured in such a way as to prohibit the reverse passage of control commands from the managed node to the CMC.

The control product can remotely (via a secure control channel) receive the integrated database of parameters of the managed product, upgrade it, and then transfer the changed configuration to the remote managed product.

We make the assumption that the edge router in FIG. 3 provides queue servicing using the M / G / 1 system with priorities, where M is the distribution of the incoming demand stream - Markov stream, G is the arbitrary distribution of service time, 1 is the single-channel service system.

Arbitrary distribution (G) - distribution randomly (randomly), random selection, when a random variable takes several values with unequal probabilities. For the M / G / 1 system, it is impossible to give the distribution of the number of requirements or the service system in explicit form, as for the M / M / 1 system, however, one can find transformations of these distributions.

The most famous result for the M / G / 1 system is the Pollachek-Khinchin formula, which gives the following compact expression for the average waiting time in the queue in equilibrium (Textbook / V.V. Sazonov, I. B. Parashchuk, V.A. Loginov, V.V. Elizarov / Under the editorship of IB Parashchuk - St. Petersburg: YOU, 2018 .-- 256 p.):

The Pollachek-Khinchin formula is designed to calculate the probability distribution of the number of requirements in a single-line queuing system (QS) with a Poisson input stream and an arbitrary law of distribution of service time.

The numerator in this expression, W0 = λx2 / 2, is equal to the mathematical expectation of the time during which the newly arriving request must wait in line until the service of the request that was in the service device when the new request arrived was completed.

Moreover, x is the average service time. Using this formula and the equality T = x + W, we find the average number of requirements in the system (Textbook / V.V. Sazonov, I. B. Parashchuk, V. A. Loginov, V. V. Elizarov / Ed. .B. Parashchuk - St. Petersburg: YOU, 2018 .-- 256 p.):

Thus, the Pollachek-Khinchin formula allows one to determine the characteristics of the M / G / 1 systems, and using the z-transform and the Laplace transform one can obtain expressions for the times of servicing the requirements.

Bright examples of equipment using the queuing system M / G / 1 are the Juniper or Cisco border routers, which are used to organize most communication systems.

Dividing the set of service requirements into classes into classes is called prioritization. Recall that priority is the pre-emptive right to enter (in the buffer, in the drive, etc.) or select from the queue (for servicing in the serving device) applications of one class with respect to applications of other classes.

There are various approaches to the classification of service disciplines with priorities. One of the classification options is shown in FIG. 4.

This option reflects the main disciplines of service and, if necessary, can be easily supplemented.

The possibility of changing the priority, the possibility of interruption of service and the destination of priorities of this discipline in the network are accepted as classification signs.

It should be noted that disciplines with relative and absolute priorities have found the greatest application, since they are simple to implement and quite effective.

In a discipline with relative priorities (without interruption), each message packet is assigned a priority when it enters the network, determined by the urgency category of the message. In the process of transmitting a packet over the network, the priority does not change. If there are several packets of the same priority in the queue, they are served in the order of arrival. When a packet of a higher priority arrives, it waits for the end of service of the previous packet, even if it has a lower priority. This leads to the fact that even with a small load on the automatic switching center (ACC) of the data network

with high priority packets, the length of time they wait for service can remain significant.

In a discipline with absolute priorities (with interruption), each packet of the highest priority received on the network interrupts the service of the previous packet. This allows you to achieve a minimum waiting time for service packages of the highest categories of urgency, but increases the waiting time for service packages of all other categories. A package whose service has been interrupted may be serviced or serviced first. At the same time, the duration of after-service or re-maintenance of each package should also be taken into account when calculating the time characteristics of the data transmission network.

The disadvantage of this discipline is the increase in the number of packages requiring additional maintenance or re-maintenance, which leads to an increase in the internal network load.

A discipline with mixed absolutely relative priorities implies the possibility of interrupting the servicing of packets of some priorities, while servicing packets of other types of priorities cannot be interrupted. For such a discipline, the advantages and disadvantages of the first two disciplines are characteristic.

Interrupt resolution conditions can be specified in the form of a matrix || X _p ||, the number of rows and columns of which is determined by the number of received priorities.

Matrix elements determine the possibility of interruption of packet service. This discipline allows more flexible queue management compared to other types of priorities.

More difficult to implement are service disciplines with changing priorities, called disciplines with dynamic priorities.

Priority can be changed linearly or exponentially. In particular, a packet arriving at the data network at time t0 receives priority p (tt), defined as follows:

where tt is the time spent by the packet on the network, varying from t0 until the packet is finished serving, and the importance of the packet bp determines the rate of priority growth.

In the general case, the average delay time of a packet (message) of priority p in the ACC - data transmission channel (PD) - ACC system is described by the expression:

Consider the second term on the right side of this expression. After arriving for service in the ACC data network, the packet takes a place in the queue in accordance with priority.

Before it will be serviced all packets of higher priorities received before him and while he is in the queue. In addition, before it will be served all packets of equal priority with him, received in the queue earlier.

The average number of packets of equal and higher priority that are in the queue at the time the packet arrives is found using the Little formula:

where ƒ = p, p-1, p-2, ..., 1.

During the stay of the considered packet in the queue, packets of higher priority will arrive in it in the amount of:

where ƒ = p, p-1, p-2, ..., 1.

Let Toast be the average delay time associated with the availability of the previous package at the time a new one arrives.

Since ρ _ƒ is the fraction of the time during which the ACC of the data transmission network processes the ƒ-th priority packet, it can be taken as the probability that a new incoming packet will catch the пакет priority packet in service.

In accordance with the Pollachek-Khinchin formula, the average remaining service time (Study Guide / VV Sazonov, IB Parashchuk, VA Loginov, VV Elizarov / Edited by IB Parashchuk - St. Petersburg .: YOU, 2018 .-- 256 s.):

- дисперсия времени обслуживания пакета приоритета р. Таким образом любой пакет приоритета р будет находиться в очереди в среднем (Учебное пособие / В.В. Сазонов, И.Б. Паращук, В.А. Логинов, В.В. Елизаров/ Под. ред. И.Б. Паращука - СПб.: ВАС, 2018. - 256 с.):Where

- variance of the service time of the priority packet r. Thus, any priority package p will be in the queue on average (Study Guide / VV Sazonov, IB Parashchuk, VA Loginov, VV Elizarov / Edited by IB Parashchuk - SPb .: YOU, 2018 .-- 256 p.):

Solving this equation with respect to Identity p, we obtain:

where p = 1, 2, ..., P.

This equation can be solved recursively, i.e., successively finding Ident 1, then Ident 2, and so on.

Given the variance of the service time:

we get:

In the denominator, (1-σ _p ) takes into account the influence of packets of equal and higher priorities, and (1-σ _p-1 ) takes into account the influence of packets of higher priorities that entered the queue while the packet in question is in it.

An important conclusion that follows from expression (25) is the independence of Tozhr from the availability of packets of lower priorities, except through Toast.

Figure 5 shows the results of calculations of the average delay time of message packets of four priorities in the ACC data network.

As follows from the graph (Fig. 5), the increase in the average waiting time for the service is non-linear. The processing time of traffic with the 1st (highest) priority is much less than traffic with the 4th priority (without priority).

Thus, on the basis of the M / G / 1 system, an assessment was made of the effectiveness of the proposed method for monitoring the communication and control system, which allows us to say that while maintaining the reliability of the monitoring system, it increases not only its resistance to the alleged attacks of the intruder, but also that the proposed The method allows to solve the problems of prioritization of control traffic during reconfiguration of the monitoring system. Since when tunneling for control traffic packets, a TNL label appears, which has the 1st (highest) priority when servicing a queue with an edge router. (RFC 2983 - Differentiated Services and Tunnels, RFC 2475 - An Architecture for Differentiated Services).

Claims (2)

1. A method for monitoring a distributed control system and communication with increased stability, namely, that they form the structure and topology of the monitoring system, deploy and include elements of a monitoring system, measure the characteristics of monitoring objects in real operating conditions: the number of monitoring objects, the distance between objects control, the speed of information transfer depending on the digital hierarchy, the frequency and duration of monitoring the technical condition, form a combination of tests x signals generated test signals fed to the inputs of n-control objects, features and characteristics measured n-th object monitoring time is determined based on the technical condition of n-th object control information received at the time t _1, information is transmitted about the technical condition specified n- x control objects at the automated workstation STU, predict the technical condition of the nth control object for a given time interval t ₁ + Δt, transmit response signals to the automated workstation STU about the technical condition of the nth control object at time t ₁ and open signals the predicted technical state of the nth monitoring object for the time interval t ₁ + Δt, respectively, the identification codes are generated for a given time t ₁ and the time interval t ₁ + Δt taking into account the forecasting of the technical condition, the generated identification codes are transmitted to the automated workstation STU, the identification codes are compared codes with reference values, switch to the nth control object that has the best parameters and characteristics, determine the norms of all parameters and characteristics of the nth control objects la with the actual conditions of operation, form identification codes in a given time t ₁ and the time interval t ₁ + Δt with the prediction and normalizing the values of all parameters and characteristics of n-x of objects of control, compared identification codes with the reference values, change and reconfigure monitoring system taking into account the technical condition of the objects of control. 2. The method according to p. 1, characterized in that the identification codes are transmitted to the control network router, they are transmitted from the network router to the cryptographic processing control unit, the necessary cryptographic transformations are carried out in the cryptographic processing unit, the encrypted identification codes are transferred back to the network router, cryptographic secure control channel between the network routers of the managing and managed products.

Images