RU2166792C1 - Protective systems of workstations, information and functional servers of computer systems and networks with dynamic lists of authorized events - Google Patents

Abstract

FIELD: computer engineering; data computing systems and networks. SUBSTANCE: system has memory unit, current check sum shaping unit, check sum comparison unit, M units for shaping lists of current-events, M units for shaping lists of current and authorized events, M units generating command for deleting (stopping) current event, check-sum comparison signal generating unit, M units for delimiting and checking event starting rights, M units for correcting authorized events list. System implements principles of data integrity check-up, asynchronous control of program and data integrity. EFFECT: improved protection level. 3 dwg

Description

 The invention relates to computer technology, namely to information computer systems and networks, and can be used to protect information resources in workstations, information and functional (for example, a dedicated security server. Proxy server, firewall, etc.) servers .

 The known system for protecting the information resources of a computing system and the Secret Net network (see. Secret Net Access Control System. User Guide, 1996). It is a software package that can be installed on a stand-alone computer, or on computers connected to a computer network. The system solves the problem of monitoring the integrity (undistorted) of programs and data when the system is turned on.

 The closest in technical essence to the claimed (prototype) is the Svinka-u information resource protection system (developed by Relcom-alpfa CJSC (Moscow)), described on the company’s website, located at http://WWW.alpha.ru/Products / Svinka-u.

 The system is shown in FIG. 1. The information security system 1 includes a memory unit 2, containing a functional software unit (FPO) 3, a data unit 4, a checksum storage unit, a FPO 5, a data checksum storage unit 6, in addition, a current checksum generation unit 7, a unit comparing checksums 8, wherein the output of the FPO block 3 (the first output of the memory block 2) is connected to the first input of the current checksum generation block 7, the output of the data block 4 (second output of the memory block 2) is connected to the second input of the current checksum generation block 7, third the input of which is connected to the control input for comparing checksums 9 (the first input of the information security system 1), the output of the checksum storage unit FPO 5 (third output of the memory unit 2) is connected to the first input of the checksum comparing unit 8, the output of the data checksum storage unit 6 (the fourth output of the memory unit 2) - with the second input of the checksum comparing unit 8, the third input of which is connected to the first, and the fourth input - with the second outputs of the current checksum generating unit 7, the fifth input of the control comparing unit sums 8 is connected to the control input for comparing checksums 10 (second input of the information security system 1), the output of the block for comparing checksums 8 is connected to the control output for the result of comparing checksums 11 (output of the security system 1).

 Information protection is carried out in terms of integrity control (undistorted) programs (FPO) and data, which is implemented as follows. In memory blocks 5 and 6, respectively, the checksums of the monitored blocks 3 and 4 are stored. By the command from the control input 9 by block 7, the current checksums of the information stored in blocks 3 and 4 are formed, and by the command from the control input 10, the current checksums received by block 7 are compared with the corresponding checksums in blocks 5 and 6. Block 8 compares the current and initial checksums, the result of the comparison is output to control output 11. When a fact of checksum mismatch is detected, the fixer The fact of unauthorized access to the information is available.

 The disadvantage of the system is the ineffective use of the integrity control mechanism, which is caused by the following - the fact of unauthorized access is recorded only when the attacker misrepresents the information (when reading information without distortion, the unauthorized access fact is not recorded), the use of this mechanism does not allow preventing unauthorized access. In addition, it is not efficient to use the mechanism for monitoring the integrity of programs and data in principle, because monitoring the corruption of the file system is time-consuming, which often does not allow it to be carried out in the system, while rare monitoring does not effectively counter threats. In addition, the system in question does not allow counteracting such types of threats as bookmarks and errors, including in software.

 The aim of the invention is to increase the level of security of workstations, functional and information servers, provided by a security system installed on them, which implements the principles of monitoring the integrity of information, by maximizing the ability to not only detect, but also prevent unauthorized access to information provided by the implementation of the dynamic list control method authorized events, while it becomes possible to detect the fact of unauthorized access and in the absence of distortion of information A recruiter, moreover, it also implements the possibility of detecting and preventing the fact of unauthorized access and when an attacker uses errors and bookmarks, as well as to increase the efficiency of monitoring the integrity of programs and data, through the use of secondary features that provide the ability to asynchronously control the integrity of programs and data.

 This is achieved by the fact that in the information protection system containing a memory unit containing a functional software unit (FPO), a data block, a checksum storage unit, a FPO storage unit, a data checksum storage unit, and in addition to a memory block, a current checksum generation unit, a block comparing checksums, with the output of the FPO block — the first output of the memory block being connected to the first input of the current checksum generation unit, the output of the data block — the second output of the memory block — with the second input of the current control sums, the third input of which is connected to the control input of the checksum comparison - the first input of the information security system, the output of the checksum storage unit FPO - the third output of the memory block is connected to the first input of the checksum comparison unit, the output of the data checksum storage unit - the fourth output of the block memory - with the second input of the checksum comparison unit, the third input of which is connected to the first, and the fourth input - with the second outputs of the current checksum generation unit, the output of the control comparison unit role sums is connected to the control output of the result of the checksum comparison - the output of the protection system, are additionally entered: in the memory block - M blocks of storage of lists of authorized events, M blocks of storage of checksums of lists of authorized events, in addition - M blocks of forming lists of current events, M blocks comparing lists of current and authorized events, M blocks for generating a command to “destroy” (terminate) the current event, block for generating a signal for comparing control with mm, M blocks of delineation and control of the rights of triggering events, M blocks of adjustment of the list of authorized events, and the outputs of the blocks of storage of lists of authorized events - outputs 5 through M + 4 of the memory block are connected to inputs 4 through M + 3 of the block for generating current checksums with The first inputs of the blocks comparing the lists of current and authorized events and the blocks generating a command to “destroy” (terminate) the current event, the first inputs of the blocks for generating lists of current events are connected to the M information inputs of the reg rations of current events - M third inputs of the information security system, second inputs connected to M control inputs for recording current events - M fourth inputs of the security system, outputs respectively connected to second inputs of blocks comparing lists of current and authorized events, the third inputs of which are connected to M control inputs comparison of current and authorized events - M fifth inputs of the protection system, outputs connected to M control outputs of the results of comparing lists of current and authorized events - M second outputs of the information security system, with second inputs of the blocks generating the command to "destroy" (terminate) the current event, with the first M inputs of the block generating the signal for comparing checksums, M + 1 input of which is connected to the control input for comparing the checksums - the second the input of the information security system, the output is connected to the fifth input of the checksum comparison unit, the outputs of the “destroy” (terminate) command generation blocks of the current event are connected to the “destroy” control outputs (termination) i) the current event, the outputs of the checksum storage blocks of the lists of authorized events are connected to the inputs 6 through M + 5 of the checksum comparison block, the inputs of the M blocks of differentiation and control of the triggering rights of the event are connected to the corresponding M inputs of the request and the coordination of the rights to trigger the event, the outputs are with the first inputs of M blocks for the correction of lists of authorized events, the second M inputs - with M inputs of notification of the completion of the event, the first M outputs - respectively with the inputs of M blocks of storage of authorized lists events, the second M outputs - with M outputs of the event triggering permission, the third M outputs - respectively with the fourth inputs of the M blocks for comparing the lists of current and authorized events.

 The circuit of the information security system 1 is shown in FIG. 2, it contains: a memory unit 2, comprising a functional software unit (FPO) 3, a data unit 4, a checksum storage unit, a FPO 5, a data checksum storage unit 6, M authorized event list storage units 12, M checksum storage units lists of authorized events 13, in addition, the information security system 1 contains: a block for generating current checksums 7, a block for comparing checksums 8, M blocks for generating lists of current events 14, M blocks for comparing lists of current and authorized events 15, M blocks generating a command to “destroy” (terminate) the current event 16, a block generating a signal for comparing checksums 17, M blocks for differentiating and controlling the rights to trigger events 18, M blocks for adjusting the list of authorized events 19, and the output of block FPO 3 - the first output of the memory unit 2 is connected to the first input of the current checksum generation unit 7, the output of the data block 4 - the second output of the memory unit 2 - with the second input of the current checksum generation unit 7, the third input of which is connected to the control unit the checksum comparison process 9 - the first input of the information security system 1, the output of the FPP checksum storage unit 5 - the third output of the memory unit 2 is connected to the first input of the checksum comparison unit 8, the output of the data checksum storage unit 6 - the fourth output of the memory unit 2 - with the second input of the checksum comparison unit 8, the third input of which is connected to the first, and the fourth input - with the second outputs of the current checksum formation unit 7, the output of the checksum comparison unit 8 is connected to the control output of the result tata comparison of checksums 11 - output of the security system 1, outputs of storage units for lists of authorized events 12 - outputs 5 through M + 4 of memory unit 2 are connected to inputs 4 through M + 3 of the unit for generating current checksums 7, with M first inputs of blocks comparing the lists of current and authorized events 15 and the blocks for generating a command to “destroy” (terminate) the current event 16, the first inputs of the blocks for generating lists of current events 14 are connected to M information inputs for recording current events 20 - M by the third inputs of the system information protection 1, the second inputs are connected to the M control inputs for recording current events 21- M fourth inputs of the security system 1, the outputs are respectively connected to the second inputs of the comparison blocks of the lists of current and authorized events 15, the third inputs of which are connected to the M control inputs for comparing the current and authorized events 22 - M fifth inputs of the security system 1, the outputs are connected to M control outputs of the results of comparing the lists of current and authorized events 25 - M second outputs of the security system information 1, with the second inputs of the blocks generating the command to “destroy” (terminate) the current event 16, with the first M inputs of the block generating the signal for comparing checksums 17, M + 1 whose input is connected to the control input for comparing the checksums 10 - with the second input of the protection system 1, the output is connected to the fifth input of the checksum comparing unit 8, the outputs of the blocks for generating a command to “destroy” (terminate) the current event 16 are connected to the M control outputs for the “destroy” (termination) of the current event 26, the outputs are block in the storage of the checksums of the lists of authorized events 13 are connected to the inputs 6 through M + 5 of the block for comparing the checksums 8, the inputs of the M blocks of differentiation and control of the rights to trigger events 18 are connected to the corresponding M inputs of the request and coordination of the rights to trigger events 23, the outputs to the first the inputs of the M blocks for the correction of the lists of authorized events 19, the second M inputs with the M inputs of the notification of the completion of the event 24, the first M outputs, respectively, with the inputs of the M blocks of the storage of the lists of authorized events 12, the second M output Dov - with M outputs of permission to trigger events 27, the third M outputs - respectively with the fourth inputs of M blocks for comparing lists of current and authorized events 15.

The system works as follows. The task of protecting information in the framework of the proposed method, implemented by the claimed device, is to control not distortion or integrity of the lists of authorized events, programs and data (i.e., the proposed approach is based on a multifunctional sequential integrity control). A feature of the approach is the formation and tracking of lists of authorized events in the process of functioning of the system. Here the lists are not set statically, but they are dynamic - events are allowed to run and are "destroyed" with continuous monitoring of their permission in the system. For example, we consider as an authorized event - the process of a network service, let FTP. Initially, this process is prohibited to run - it is not in the initial list of authorized events. Only after identification and authentication of the user and his intentions (the mechanism of differentiation and control of access rights is implemented, including one based on the mandatory management principle), is the process included in the list of authorized events - it is allowed to run in the system for one FTP session. The list of authorized events is adjusted, which is continuously monitored in the system. The control of lists of authorized events can be carried out synchronously (according to the schedule), or asynchronously, implemented on the basis of "provided that ...", but not at the time of their formation (change). In general, the idea of the approach is depicted in FIG. 3 and consists in the fact that when accessing information, a sequential quick analysis of non-distortion (integrity is monitored) of event lists, moreover, in this case, dynamic ones, is performed. The advantages of using dynamic lists of authorized events can include an increase in the level of security of the system, due to the fact that at every moment of its functioning, only really necessary events (for example, processes) are allowed to run in the system, and not allowed for all cases of the system’s functioning, which can be implemented with static lists. In case of unauthorized access, at least one event from the analyzed set of lists must be violated (otherwise we have authorized access to information) - be unauthorized. Such lists may include:
list of authorized users;
tables of user access rights (to files, directories, devices, servers, etc.), credentials;
list of processes allowed to run;
list of open ports;
a list of connected devices;
a list of IP addresses or DNS names allowed for interaction,
status of registry keys, etc.

 The idea of the approach is that (studies have confirmed this) the background analysis of the lists of authorized events is carried out so quickly that it allows to prevent unauthorized exposure (for example, an unauthorized user, an unregistered process, etc.) until the attacker has access to information, which prevents an attempt NSD.

 The difference in using the proposed technology for alternative operating environments (operating systems) consists only in a set of lists (levels of integrity control) of unauthorized events that can be supported by specific operating systems.

 The difference in using the proposed technology for alternative options for implementing the enterprise’s information security policy consists only in a set of controlled lists (integrity control levels), in the sequence and frequency of their control.

 The aforesaid allows us to state that it is possible to unify the proposed approach for alternative applications, where the conditions of use of the system can be taken into account by means of adjusting its parameters, within the framework of a single unified approach, illustrated in FIG. 3.

 Now let us consider how the described method is implemented by the circuit shown in FIG. 2. The scheme involves the introduction in the protection system in the general case of M lists of authorized events. Blocks 12 store in memory the actual lists of authorized events. By a command from the control input 21 in a given sequence and at specified times (this is determined by the sequence and frequency of the signals to M inputs 21), blocks 14 from information inputs 20 form (register) current lists of authorized events (for example, registered user tables and tables are read differentiation of access rights, tables of connected devices, running processes, software open ports, etc.) are recorded, which are compared by a command from the system input 22 by blocks 15 with lists of authorized events located in blocks 12. Blocks 15 generate control signals to output 25, by which a response is then provided, for example, written in the corresponding batch file - the / bat / file of the operating system. In addition, these signals are received in blocks 16 and block 17. Blocks 16 generate signals at the output 26, designed to "kill" unauthorized actions, for example, a signal to complete an unauthorized process, a signal to restore the original table of authorized users, user access rights, a signal for software closing the corresponding port, etc. Block 17 generates a signal for comparing the current and initial checksums of the FPO, data and actually checksums of the lists of authorized events (which can also be changed) stored in blocks 13. Thus, two modes of monitoring the integrity of programs and data are allowed in the system under consideration - synchronously - when the system is turned on, according to the schedule - from input 10, and asynchronously - here the signal for checking the coincidence of checksums is the condition of distortion (integrity violation) of the list of authorized events - from the output of block 1 5. This feature of the functioning of the system is very important, because monitoring large volumes of data can take a lot of time (minutes), while monitoring a list of authorized events takes milliseconds. Using this approach allows you to significantly increase system performance with the asynchronous procedure for starting the integrity control of programs and data. In the formation of lists in blocks 12, M blocks 18 and M blocks 19 are used (respectively, in the general case, each block has its own blocks 12, 18, 19). When requesting the start of an event, for example, a process, the user enters its registration parameters to input 23, for example, identifier, password, requested service (process, file name, etc.), credential (when implementing mandatory access control). When allowing the launch of the requested process (block 18 solves the problem of differentiating access rights) through block 19, the contents of the corresponding block 12 are adjusted and after the end of the correction from output 27 it allows the event to be triggered (or does not allow, giving the user a negative answer). In this case, for the entire time the list of authorized events is adjusted from the output of blocks 19, comparisons on blocks 15 for the corresponding events of the current and authorized lists of events are prohibited. Upon completion of the event from input 24, the adjustment procedure of the subscription is carried out again, similarly, but already in terms of excluding the completed event from the original list (from the corresponding block 12). After completion of the adjustment of the lists, the comparison of the current and already adjusted event lists continues, controlling the correct functioning of the system.

 The relevance of the modern problem of combating errors and bookmarks is due to the fact that, on the one hand, they are almost impossible to identify, on the other hand, in particular for errors, in view of the high intensity of software changes in the information technology market, as a result, reducing development time, characterized by an increase in their share in modern software. The probability of having bookmarks in software is probably a relatively constant value, more dependent on the area of practical use of the system. To search for errors today, before putting the system into operation, appropriate tester programs are used that contain some database of errors known for tools like the analyzed for several years. The disadvantage of this approach is the inability to search for new errors, but only an analysis of the existence of known ones. Therefore, from the point of view of searching for errors, we can say that, unfortunately, most of them are detected precisely during the functioning of systems, by the way, this is fully illustrated by the constantly appearing “patches” on operating systems widely used today and other software tools . In other words, it seems impossible to talk about a high level of protection against threats associated with errors in modern software tools. From the point of view of the considered threats, programs become safe only after some (sometimes quite long) time of their operation and their "testing" by attackers. And only when the attackers finally “run out of steam”, which can be estimated from the relevant statistics of attacks and hacks, can we talk about the relative security of the software from the point of view of the threats under consideration. Unfortunately, at this point, this tool is already outdated and requires replacement with a new one, even more complex and, as a rule, developed in a shorter time frame, and, as a result, containing even more errors. Probably no more comforting is the situation with the search for bookmarks, despite the fact that their number in the software is limited. These threats, unlike errors, are almost impossible to find at the stage of testing a technical tool prior to its implementation. This is due to the fact that bookmarks are usually set by qualified programmers, while taking all the necessary measures to complicate their search. Unfortunately, despite the ongoing research in the field of bookmark search, today it can be argued that there are no effective approaches to bookmark search, the authors of the study do not even know any reasonable mathematical apparatus that allows us to formalize this process and quantify the result of research.

Thus, the most important issue is the information protection method implemented in the system - a method that allows you to effectively deal with errors and bookmarks in software. In general, two options are possible:
The first is the discovery of the fact of unauthorized access to information (changing data, files, programs, etc.). In this case, the main burden falls on the integrity system. The disadvantage of this approach is that only the fact of changing the information can be recorded, note that it does not matter how it is produced - through the use of an error or a bookmark.

 The second is the prevention (prevention) of unauthorized access by analyzing indirect signs (the appearance of suspicious processes, attempts to change memory, register new users, etc.). A major role here is given to the audit of events. The idea of using this method is as follows. Whether the attacker uses an error, or a bookmark in the software, he must perform some illegal actions (otherwise, he is an authorized user, operating within the framework of the rights allowed to him), for example, get a new user, assign higher access rights to himself, launch unauthorized process, open a port, change some registry settings, etc. The method consists in monitoring the lists of authorized events in the background, restoring them in case of detection of distortions with the corresponding functional reactions (for example, terminate the process, close the port, restore the state of the registry, database of user access rights, etc.). With the high efficiency of such control (note that these lists are usually small), it becomes possible to prevent an attacker from acting regardless of the nature of his unauthorized access to information, including using errors and bookmarks.

 The blocks used in the inventive protection system can be implemented as follows.

 Blocks 3, 4, 5, 6, 12, 13 represent the area, or separate memory blocks: either operational or located on external media - represent stored data arrays.

 Block 7 is a software or hardware checksum calculation tool. This block stores the current value of the checksum until the next command to calculate the current checksum.

 Block 8 is a software or hardware pairwise comparison of checksum values.

 Block 14 is a software or hardware block for reading or analyzing lists of current events, for example, a program for reading tables from the required memory areas, standard programs for detecting open ports, running processes, etc.

 Block 15 is a software or hardware tool for line-by-line comparison of two tables (authorized and current events) with fixing mismatches.

 Blocks 16 are software or hardware blocks for generating a command to “destroy” an unauthorized event - here, depending on the events being monitored, various implementations are possible, for example, restoring the original row of a table in the tables of authorized users, access rights, connected devices, etc. ., or start processing a standard program to complete an unauthorized process, close a port programmatically, etc.

 Block 17 is a software or hardware tool for generating a signal for comparing checksums. A certain rule of "Mathematical Logic" is implemented, in the simplest case - the rule "OR", then the detection of distortion of any list leads to a comparison of checksums.

 Block 18 is a software or hardware tool that solves the problem of delimiting access rights with the generation of appropriate control signals (a similar block is implemented in any system of delimiting access rights, in particular, in an analogue) - the Secret Net system.

 Block 19 is a software or hardware management tool for writing information to memory.

 Thus, the implementation of all used blocks is achieved by standard means based on the classical principles of implementing the foundations of computer technology.

 The advantages of the proposed information protection system may include the following.

 1. Implementation of a fundamentally new approach to information protection, which is based on the implementation of the principle of integrity control.

 2. A significant increase in the effectiveness of protection when using the proposed approach, through the implementation of dynamic lists of authorized events, which leads to their minimization (optimal task) at each moment of the system’s functioning.

 3. The emergence of a fundamentally new ability to protect information not only from attempts by an attacker to bypass the built-in means of information protection, but also from attempts to use errors and bookmarks in software and hardware. Essentially, it is not important for the claimed protection system how the attacker tries to overcome the protection.

 4. A fundamentally new ability to effectively control the integrity of programs and data, due to the possibility of asynchronously starting this slow control procedure, provided that attempts to detect unauthorized access by indirect signs are detected - attempts to distort lists of authorized events whose integrity is controlled thousands of times faster than monitoring programs and data . This advantage should not be considered as an opportunity to increase the effectiveness of the integrity control procedure, but as an opportunity to use it in principle, because otherwise, when using a similar procedure, the information system begins to work on its own protection.

Claims (1)

 An information security system comprising a memory block containing a functional software block (FPO), a data block, a checksum storage block of a FPO, a data checksum storage block, and in addition to a memory block, a current checksum generation block, a checksum comparison block, and an output FPO block - the first output of the memory block is connected to the first input of the current checksum generation unit, the data block output is the second output of the memory block - with the second input of the current checksum generation unit, the third input which is connected to the control input of the checksum comparison - the first input of the information security system, the output of the FPP checksum storage unit - the third output of the memory unit is connected to the first input of the checksum comparison unit, the output of the data checksum storage unit - the fourth output of the memory unit - with the second the input of the checksum comparison unit, the third input of which is connected to the first, and the fourth input - with the second outputs of the current checksum generation unit, the output of the checksum comparison unit is connected to the output of the result of the checksum comparison - the output of the protection system, additionally entered: in the memory block - M blocks of storage of lists of authorized events, M blocks of storage of checksums of lists of authorized events, in addition, M blocks of forming lists of current events, M blocks comparing lists of current and authorized events, M blocks for generating a command to “destroy” (terminate) the current event, block for generating a signal for comparing checksums, M blocks for demarcation and control of the rights to trigger the event, M blocks for adjusting the list of authorized events, and the outputs of the blocks for storing lists of authorized events — outputs 5 through M + 4 of the memory block are connected to inputs 4 through M + 3 of the block for generating current checksums, with M first inputs of blocks comparing the lists of current and authorized events and the blocks for generating a command to “destroy” (terminate) the current event, the first inputs of the blocks for generating lists of current events are connected to the M information inputs for recording current events d - M by the third inputs of the information security system, the second inputs are connected to the M control inputs for recording current events - M are the fourth inputs of the security system, the outputs are respectively connected to the second inputs of the comparison blocks of the lists of current and authorized events, the third inputs of which are connected to the M control inputs of the comparison of current and authorized events - M fifth inputs of the protection system, outputs connected to M control outputs of the results of comparing lists of current and authorized events - M second outputs dams of the information security system, with the second inputs of the blocks generating the command to “destroy” (terminate) the current event, with the first M inputs of the block for generating the checksum comparison signal, M + 1 input of which is connected to the control input of the checksum comparison, the second input of the information protection system , the output is connected to the fifth input of the checksum comparison unit, the outputs of the blocks for generating a command for “destroying” (terminating) the current event are connected to the M control outputs for “destroying” (terminating) the current event, you the odes of the blocks for storing the checksums of the lists of authorized events are connected to the inputs 6 through M + 5 of the block for comparing the checksums, the inputs of the M blocks of differentiation and control of the rights to trigger the event are connected to the corresponding M inputs of the request and coordination of the rights to trigger the event, the outputs are to the first inputs of the M blocks adjustments to the lists of authorized events, the second M inputs - with M inputs of notification of the completion of the event, the first M outputs - respectively with the inputs of M blocks of storage of lists of authorized events, the second M output Dov - with M outputs of permission to trigger an event, the third M outputs - respectively with the fourth inputs of M blocks for comparing lists of current and authorized events.

Images