RU2285287C1 - Method for protecting computer networks from computer attacks - Google Patents

Abstract

FIELD: electric communications engineering.

SUBSTANCE: result is achieved due to increased trustworthiness of detection of computer attacks by expanding sign space of protection system, which is performed by finding fragmented packets, incoming into computer network from communication channel and analysis of their parameters.

EFFECT: increased resistance of functioning of computer networks under conditions of unauthorized actions.

7 dwg, 1 app

Description

The invention relates to telecommunications and can be used in systems of protection against computer attacks by their prompt detection and blocking in information and computer networks (IVS). For example, in data transmission networks (SPDs) of the Internet type, based on the TCP / IP (Transmission Control Protocol / Internet Protocol) family of communication protocols and described in the book by Kulgin M. Corporate Network Technologies. Encyclopedia. - St. Petersburg: Publishing House "Peter", 1999. - 704 p.: Ill.

The claimed technical solution expands the arsenal of funds for this purpose.

A known method of protection against computer attacks, implemented in RF patent No. 2179738, "A method for detecting remote attacks (Interpretation of the terms used is given in Appendix 1) in a computer network", class G 06 F 12/14, decl. 04.24.2000. The known method includes the following sequence of actions. Monitoring the information flow of message packets addressed to the IVS subscriber, including continuously renewed counting of the number of packets performed within a series of packets arriving from the communication channel (CS) one after the other at intervals of no more than a specified time. At the same time, the incoming data packets are checked for compliance with the given rules each time the size of the next observed series reaches a critical number of packets.

The disadvantages of this method are the narrow scope, due to its purpose mainly to protect against the substitution of one of the participants in the connection, and lack of reliability when detecting other types of computer attacks. In the analogue, a limited set of indicative descriptions of computer attacks is used.

At the same time, they do not take into account the presence of a large number of types of computer attacks, in particular types of attacks that use fragmentation of packets transmitted between segments of the IVS, which creates the conditions for skipping the latter and, as a result, leads to a decrease in stability ^{3 of the} functioning of the IVS.

There is also a method that allows detecting computer attacks by changing the state of an IVS element, according to the patent of the Russian Federation No. 2134897, class G 06 F 17/40, "Method for the operational dynamic analysis of the states of a multiparameter object," 08/20/1999. In the known method, the results of the tolerance assessment of heterogeneous dynamic parameters are converted into corresponding information signals with a generalization over the entire set of parameters in a given time interval and the relative magnitude and nature of the change in the integral state of the multiparameter IVS element is determined.

The disadvantage of this method is the narrow scope, due to the fact that despite the possibility of operational diagnostics of the technical and functional states of the multiparameter IVS element, a limited set of attribute space is used in it, which creates the conditions for skipping remote computer attacks (see Medvedovsky I.D. and other attack on the Internet. - M .: DMK, 1999. - 336 pp., ill.) and, as a result, leads to a decrease in the stability of the functioning of the IVS.

Closest in its technical essence to the claimed is a method of protection against computer attacks, implemented in the device according to the patent of the Russian Federation No. 22199577, "Information Search Device", class G 06 F 17/40, stated. 04.24.2002. The prototype method consists in taking the i-th packet from the CS, where i = 1, 2, 3, ..., and remember it. Receive the (i + 1) th packet, remember it. Identification signs are extracted from the header of the i-th and (i + 1) -th packets, they are analyzed for consistency and, based on the results of the analysis, they decide on the fact of a computer attack.

Compared with analogs, the prototype method can be used in a wider field when a set of attribute space is used, which allows to determine a family of computer attacks of a certain type, which is necessary to increase the reliability of determining the fact of computer attacks on ITTs, which are manifested in a decrease in the stability of the functioning of an ITT.

The disadvantage of the prototype is the relatively low stability of the IVS functioning under the influence of computer attacks, due to the fact that by comparing two message packets - the next and the previous one, only one family of computer attacks is recognized - "storm ⁴ " of false requests for establishing a connection, while computer attacks of others types with high destructive capabilities are not recognized.

The purpose of the claimed technical solution is to develop a method of protecting an ITT from computer attacks, providing increased stability of the ITT's operation under unauthorized influences by increasing the reliability of detection (recognition) of computer attacks by expanding the sign space of the protection system, which is used to identify fragmented packets arriving at an ITT from COP, and analysis of their parameters. Achieving the stated goal is necessary for the timely provision of service capabilities to IVS subscribers, as well as to ensure the availability of ⁵ processed information.

This goal is achieved by the fact that in the method of protecting the IVS from computer attacks, which consists in accepting the i-th, where i = 1, 2, 3 ..., the message packet from the CS, remember it, receive (i + 1) -th message packet, remember it, select the parameters characterizing them from the stored message packets, compare them and, based on the results of the comparison, decide on the presence or absence of a computer attack, pre-set the array {P} to store P≥1 fragmented message packets and arrays for storing parameters extracted from stored message packets: S≥1 values of the data field "Total length", C≥1 values of the data field "Offset fragment", E≥1 sums of the values of the data fields "Total length" and "Offset fragment" of the stored message packets, respectively {S}, {C} and {E}. In addition, pre-set array {P _add } for storing additional P _add ≥1 fragmented message packets. Moreover, after receiving the i-th message packet from the CS, the value of the "Fragmentation flag" data field F _{i is} extracted from its header. With its value equal to zero, the i-th message packet is transmitted to the IVS, after which the (i + 1) -th message packet is received from the CS. If the value of the "Fagmentation Flag" data field of the i-th message packet is equal to one, the i-th message packet is remembered, the value of the "Identifier" N _i data field is extracted from its header, and it is stored. The values of the data fields "Total length" S _i and "Slice offset" C _i are extracted from the header. Remember them in the corresponding arrays {S} and {C}. The sum E _{i of the} stored i-th message packet E _i = S _i + C _{i is} calculated and stored in the array {E}. In addition, having received the (i + 1) th message packet from the CS, the value of the Identifier data field N _{i + 1 is} extracted from its header, compare it with the value of the Identifier data field N _{i of the} i-th message packet. If they do not match, the (i + 1) th message packet is transmitted to the IVS, after which the next message packet is received from the CS. If the values of the "Identifier" data fields of the i-th and (i + 1) -th message packets coincide, the (i + 1) -th message packet is remembered, the values of the "Total length" S _{i + 1} , "Offset data fields are extracted from its header fragment "C _{i + 1} and remember them in the corresponding arrays {S} and {C}. The sum E _{i + 1} = S _{i + 1} + C _{i + 1 is} calculated and stored in the array {E}. Read from the header of the (i + 1) th message packet the value of the Fragmentation Flag data field F _{i + 1} . If it is equal to unity, the steps are repeated, starting from the acceptance of the next message packet from the CS and comparison of the Identifier data fields, and these steps are repeated until the message packet belonging to the set N _{i of} fragmented message packets from the CS with the value of the fragmentation flag data field is received from the CS equal to zero. When the value of the "Identifier" data field of the (i + 1) th message packet is zero, the message packet Р _m , where m = 1, 2, 3, is read from the array {P} of fragmented message packets ..., with the smallest value of the Fragment Offset data field C _min . Delete this message packet from the {P} array and store it in the {P _add } array for additional fragmented message packets. After that, from the number of fragmented message packets remaining in the array {P}, the message packet P _{m + 1 is} again read with the smallest value of the "Fragment offset" data field C _min . Also delete this message packet P _{m + 1} from the array {P} and store it in the array {P _add }. After that, the sum E _m from the array {E} corresponding to the message packet P _m stored in the array {P _add } is compared with the value of the Fragment Offset data field C _{m + 1} belonging to the message packet P _{m + 1} last stored in the array {P _add }. If the values of E _m and C _{m + 1} are not equal, they decide on a computer attack, prohibit the transfer to the IVS of all message packets stored in the {P} array, and delete all values from the {P}, {P _add }, {S} arrays , {C} and {E}. If the values of E _m and C _{m + 1 are} equal, the message packet P _{m is} transmitted to the IVS from the array {P _add }. Then read from the header of the message packet P _{m + 1} remaining in the array {P _add }, the value of its data field "Fragmentation flag" F. If F is zero, the message packet is transferred from the array {P _add } to the IVS, and when F equal to one, from the array {P} of fragmented message packets, read the next message packet with the smallest value of the "Fragment offset" data field C _min . After that, the actions are repeated starting from storing the next message packet into the array {P _add }, and these actions are repeated with all packets from the set {P}.

Improving the stability of the functioning of ITTs under the impact of computer attacks using fragmented message packets in the claimed method is provided by a new set of essential features by increasing the reliability of detection (recognition) of computer attacks of this type by expanding the attribute space of the protection system and identifying from the totality of incoming message packets from CS in the IVS of fragmented message packets, preliminary verification of the correct assembly and of computer attacks of a certain type, which is necessary to ensure the availability of the processed information in the IVS, since most intrusion detection systems and message packet filters do not support checks of fragmented packets or do not perform their correct assembly and therefore are not able to detect computer attacks (and, therefore, block dangerous schedule), distributed among several fragmented message packets.

The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features identical to all the features of the claimed technical solution are absent, which indicates the compliance of the claimed device with the patentability condition of "novelty". Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed object from the prototype showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention, the transformations on the achievement of the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method is illustrated by drawings, which show:

figure 1 - MTU values for various technologies for the construction of IVS;

figure 2 - the header of the IP datagram;

figure 3 - Block diagram of an algorithm that implements the claimed method of protecting an ITT from computer attacks;

figure 4 - The process of identifying fragmented message packets belonging to the same sequence;

5 - The process of determining the correct assembly of fragmented message packets;

6 is a diagram of the IVS used in the experiment;

7 - The user interface of the software layout of the protection system of the ITT from computer attacks with the results of the experiment.

It is known that fragmentation is used when it is necessary to transmit an IP datagram ⁶ through an IVS segment in which the maximum transmission unit (maximum transmission unit - MTU ⁷ ) is smaller than the size of this datagram. If the size of the datagram exceeds this value, then fragmentation must be performed on the router that transmits this datagram.

Fragments are transmitted to the destination address, where the host ⁸ receiver must reassemble them. On the way to the delivery of fragmented packets, they can undergo further fragmentation if they need to be transmitted through a network segment with an even lower MTU. MTU values for various technologies for constructing IVS are presented in table 1 (figure 1). Practically in all protocol stacks there are protocols responsible for fragmentation of application-level messages into such parts that fit into data link frames. In the TCP / IP stack, the TCP protocol solves this problem, which splits the stream of bytes transmitted to it from the application layer into segments of the required size. The IP protocol on the sending host, as a rule, does not use its packet fragmentation capabilities. But on the router, when a packet needs to be sent from a network with a higher MTU to a network with a lower MTU, the ability of the IP protocol to perform fragmentation becomes popular.

From the table presented in figure 1 shows that the MTU values for the most popular technologies are significantly different, which means that in the IVS, which should be characterized by heterogeneity, fragmentation is not a rare occurrence.

IP protocol functions include splitting an unacceptably long packet during transmission into shorter fragment packets, each of which must be equipped with a full IP header. Some of the header fields — identifier N, fragmentation flag F, offset C — are directly intended for subsequent assembly of fragments into the original message.

The fragmentation and assembly procedures of the IP protocol are designed so that the message packet can be broken down into almost any number of parts that could subsequently be reassembled. The fragment receiver uses the Identifier field N to identify all fragments of the same packet. The router, on which the message packet is split (parsed) into a set of packets, sets a value in the Identifier field that must be unique for this sequence of fragmented packets.

The Fragment Offset field tells the destination host the location of the fragment in the original message packet. The sum of the values of the Fragment Offset and Total Length data fields determines the portion of the original packet brought by this and previous fragments.

The fragmentation flag F indicates the appearance of the last fragment. In all fragmented packets of one population, the fragmentation flag is equal to one, with the exception of the latter (the fragmentation flag is zero).

A description of the process of message packet fragmentation is well described in the literature (see, for example, Olifer V.G., Olifer N.A. Computer networks. Principles, technologies, protocols: textbook for high schools. - St. Petersburg: Peter, 2003. - 864 p.: ill.), and fragmentation itself is absolutely normal, but there is the possibility of creating packet fragments that, when assembled on the receiving host, will allow for attacking actions (for example, the Teardrop attack described in the book Nortkan S, Novak D Detecting Network Security Violations, 3rd Edition: P R. from English - M .: Publishing house "William", 2003. - 448 p .: ill., p. 71, evelPing and Boink attacks described in Northcan S., Cooper M, Firnou M., Frederick K. Analysis of typical security breaches in networks.: Transl. From English. - M .: Publishing House "Williams", 2001. - 464 p.: Ill., P.336-348). Intruders also use fragmentation at different stages of their attacks to conceal their actions and probe networks, as well as to launch malicious programs. Denial of service attacks are based on the use of a large number of fragmented packets, which leads to excessive waste of resources of the attacked ITT.

The search for effective technical solutions to increase the stability of the functioning of the IVS in the conditions of distributed computer attacks can be carried out by increasing the efficiency of the protection system, which can be achieved by increasing the reliability of detection (recognition) of computer attacks using fragmentation of message packets, by expanding the attribute space of the protection system, which carried out by analyzing the information stored in the fragments of message packets necessary for successful assembly to its original state on the receiving host:

- Each fragment of a single message package is associated with another fragment using a common identification number for all fragments. This number is copied from the "Identifier" field of the IP datagram header, and if the packet is fragmented, it is called the fragment identifier (fragment ID);

- Each fragment stores information about its place, i.e. about the offset relative to the original (unfragmented) message packet. Each fragment indicates the size of the data transmitted in it.

- Each fragment notifies of the presence of fragments following it. For this purpose, the fragmentation flag F (More Fragments - the next fragment) serves.

The claimed method is implemented as follows. The structure of message packets is known (see, for example, Kulgin M. Technologies for corporate networks. Encyclopedia. - St. Petersburg: Piter Publishing House, 1999. - 704 pp., Ill.), As well as the principle of transferring packets to the IVS, which makes it possible analysis of identification features. For example, FIG. 2 shows the header structure of an IP datagram. Bold font indicates the data fields of the message packet header, which determine the correct assembly of fragmented packets.

Figure 3 presents a block diagram of an algorithm that implements the claimed method of protecting an ITT from computer attacks. This algorithm allows you to identify and analyze one sequence of fragmented packets. If several sequences of fragmented packets are detected in the communication channel, this algorithm will be executed for each of the detected sequences.

The following notation is used in the block diagram:

{P} - an array for storing fragmented message packets;

{S} - an array for storing the values of the data fields "Total length", selected and stored fragmented message packets;

{C} - an array for storing the values of the data field "Fragment offset", selected and stored fragmented message packets;

{E} - an array for storing the sum of the values of the data fields "Total Length" and "Slice Offset", selected and stored fragmented message packets;

{P _add } - an array for additional storing fragmented message packets;

F is the value of the fragmentation flag data field;

N is the value of the "Identifier" data field.

Pre-set (see block 1 in figure 3) array {P} to store P≥1 fragmented message packets. The maximum dimension of this array will depend on the MTU relationship of the transmitted IVS segment and the received one, i.e.

For example, when a message packet is transferred from a segment constructed using Token Ring technology (IBM, 16 Mbps) (MTU = 17914 bytes) to a network segment constructed using DIX Ethernet technology (MTU = 1500 bytes), the maximum dimension of the array is twelve discharges.

Arrays are also pre-set for storing the parameters extracted from the stored message packets, S≥1 values of the data field "Total length", C≥1 values of the data field "Offset fragment", E≥1 sums of the values of the data fields "Total length" and "Offset fragment "stored message packets {S}, {C}, {E}, respectively. The capacity of these arrays will be equal to the capacity of the array that stores fragmented message packets of the same sequence. And also set the array {P _add } for storing additional P _add ≥1 fragmented message packets. The capacity of this array will be equal to two bits. In addition, the set data will initially be empty.

From the CS, the i-th message packet is received (see block 2 in FIG. 3), where i = 1, 2, 3 ..., and the value of the data field is extracted (see block 3 in FIG. 3) from the header of the received packet "Flag of fragmentation" F _i . Then find out (see block 4 in figure 3), whether the value of the data field "Flag fragmentation" to zero. Equality in this check means that the received message packet is not fragmented. In this case, the message packet received from the CS is transmitted to the IVS (see block 5 in Fig. 3), and the next (i + 1) -th message packet is received from the CS, and the Flag field is subsequently extracted and analyzed. fragmentation "F _{i + 1} . This check is carried out in order to identify the fact of receipt of fragmented packets from the CS in the IVS.

Upon receipt of a fragmented message packet from the CS (the value of the "Fragmentation flag" data field is one), the received message packet is stored in the array {P} (see block 7 in FIG. 3). In this case, regardless of which of the messages received from the CS and the analyzed message packets it was the first, second or i-th, it is stored in the first cell of the array {P} (see Fig. 4). Messages are extracted from the header of the saved message packet (see block 8 in FIG. 3) and the value of the Identifier data field is stored, and the values of the Fragment Offset and Total Length data fields are stored in {C} and {S} arrays, respectively ( see block 9 in figure 3). Moreover, the values are stored in the first cells of the arrays, because the message packet is saved in the first cell. Then, the sum of the values of the Fragment Offset and Total Length data fields of the stored message packet E is found. This sum indicates how much the next received fragmented packet belonging to this packet set should be shifted. The resulting value is stored in the first cell of the array {E} (see block 10 in figure 3).

Next, the next message packet is received from the COP (see block 11 in FIG. 3). Having established the presence of fragmented message packets arriving at the IVS, we select and store message packets from the incoming sequence from the CS packets belonging to this set of fragmented packets. For this, from the received message packet, select the value of the data field "Identifier" N _{i + 1} (see block 12 in figure 3). Compare its value with the value of the data field "Identifier" N _i of the message packet stored earlier (see block 13 in Fig. 3). If there is no coincidence of the values of the “Identifier” data fields of the received message packet and the previously stored message packet, the first is transmitted to the IVS (see block 14 in FIG. 3), and the next message packet is received from the CS in order to establish membership in the analyzed set of fragmented packages.

In case of revealing the belonging of the received message packet to the totality of the analyzed sequence of fragmented packets (the values of the “Identifier” data fields of the received and previously stored message packets are equal), regardless of how the given message packet was received and analyzed from the CS (for example, (i + k) - th message packet), the received message packet is stored in the next (second, third, etc.) cell of the array {P} (see block 16 in FIG. 3). The values of the data fields “Total length” and “Slice offset” are selected from the header of the received message packet (see block 17 in FIG. 3) and their values are stored in the arrays {S} and {C} in the cells with numbers corresponding to the cell number into which the analyzed message packet was saved (see block 18 in FIG. 3). Then calculate and remember the sum of the values of the data fields "Fragment offset" and "Total length" of the stored message packet (see block 19 in figure 3) and save in the corresponding cell of the array {E}. For example, if a second message packet was found that belongs to a given set of fragmented message packets (the (i + k) th message packet), it is placed in the second cell of the array {P}, and the values of its data fields and the sum of these values are also placed in the second cells of the corresponding arrays. The same placement procedure is carried out with the third (for example, with (i + k + t) -m), and with the fourth (for example, with (i + k + t + q) -m) messages. The process of identifying a fragmented message packet consisting of four fragments belonging to the same sequence is shown in FIG. 4.

To determine whether the received message packet is the last of the analyzed fragmented packets, the value of the "Fragmentation flag" data field is extracted from the header of the received message packet (see block 17 in FIG. 3), it is stored (see block 18 in FIG. 3 ) and find out (see block 20 in FIG. 3) whether the value of the fragmentation flag data field F is equal to zero. Inequality in this check means that the received message packet is not the last message packet belonging to the analyzed set of fragmented message packets. In this case, the steps are repeated, starting from the adoption of the next message packet from the CS (see block 11 in FIG. 3) and comparing the Identifier data fields (see block 13 in FIG. 3), and these steps are repeated until receipt from the CS a message packet belonging to the set N _{i of} fragmented message packets with a value of the fragmentation flag data field equal to zero (see block 20 in figure 3). In this case, they begin to analyze the stored message packets into the {P} array in order to determine the correct assembly of the entire set of identified fragmented message packets.

To analyze the stored message packets in the array {P} in order to determine the correct assembly of the entire set of fragmented message packets from the set of stored message packets, the message packet Р _{m is} read from the number of previously stored message packets, where m = 1, 2, 3 ..., which corresponds to the smallest value of the data field "Fragment offset" With _min . The selected message packet is deleted from the {P} array and stored in the {P _extra } array for fragmented message packets allocated additionally (see block 22 in FIG. 3). Then, from the number of fragmented message packets remaining in the array {P}, the message packet P _{m + 1 is} again read with the smallest value of the “Fragment offset” data field C _min , and this message packet is also deleted from the array {P} and stored in the array { P _add } (see block 23 in figure 3).

After comparing the sum of parameters Е _m from the array of sums of parameters {Е} corresponding to the previously memorized message packet Р _m , in the array of additionally memorized message packets {Р _ext } with the value of the data field "Slice offset" С _{m + 1} from the array of data field values " The offset of the fragment "{C} corresponding to the later memorized message packet Р _{m + 1} in the array of additionally memorized message packets {Р _additional } (see block 24 in Fig. 3), if the values are not equal, then after deciding on the presence of a computer attack prohibit the transmission of packets with messages in the IVS (see block 30 in Fig. 3) and delete all fragmented message packets belonging to this set of fragmented message packets, and also delete all data from arrays containing parameter values of stored message packets (see block 31 in Fig. 3) .

In case of equality of the values of E _m and C _{m + 1} from the array {P _add }, the message package P _{m is} transmitted to the IVS (see block 25 in FIG. 3), then it is read from the message packet header P _{m + 1} remaining in the array { P _add }, the value of its data field "Flag fragmentation" F (see block 26 in figure 3), and when F is equal to zero, from the array {P _add } transmit a message packet to the IVS (see block 28 in FIG. 3), and at F equal to one, from the array {P} of fragmented message packets, read the next message packet with the smallest value of the "Fragment offset" data field (see block 23 in Fig. 3), and then repeat actions begin from storing this next message packet into the array {P _add }, and these actions are repeated with all packets from the set {P}. The process of determining the correct assembly of the message packet, consisting of four fragments, is presented in figure 5.

The proposed method of protecting the IVS from computer attacks allows you to recognize computer attacks, given that fragments of the message packet due to delays in the CS (when following the fragments of the message packet in different routes) can arrive at the recipient host in an arbitrary order (Fig. 5 shows option, when the third fragment of the message packet was extracted from the COP before the second fragment).

The feasibility of implementing the formulated technical result was tested by creating a mock-up of a software package and conducting a full-scale experiment.

The experiment was carried out as follows: using software and hardware, three segments of the IVS built using Token Ring technologies (IBM, 16 Mbps) (MTU = 17914 bytes) (one segment) and built using DIX Ethernet technology (MTU = 1500 byte) (two segments). Moreover, the union was made so that the attacked host received not only fragmented message packets, but also message packets that were not subject to fragmentation (see Fig. 6).

During the experiment, a message flow was modeled on the input of the attacked host of the ITT, including sets of fragmented message packets subject to computer attacks such as Teardrop and Teardrop 2, described in the book Nortkan S., Novak D. Detection of network security violations, 3rd edition .: Per. from English - M .: Publishing House "William", 2003. - 448 p.: Ill.

During the experiment, the following types of message packets arriving at the attacked host were identified:

- Unfragmented message packets - message packets received on the attacked host built using DIX Ethernet technology from a segment built using the same technology through a segment built using Token Ring technology;

- Fragmented message packets that are not subject to unauthorized influences coming from a segment built using Token Ring technology;

- Fragmented message packets subject to unauthorized influences characterizing computer attacks like Teardrop;

- Fragmented message packets subject to unauthorized influences characterizing computer attacks like Teardrop 2.

During the experiment, in the first case, the recognition unit (detection) of a computer attack that implements the proposed method of protecting the ITT from computer attacks was disabled. As a result, attacks of this type were not detected, and the operating system of the recipient host failed (attack Teardrop), in the second case (attack Teardrop 2), the host recipient was blocked (attack type "Denial of service"). Experimental results when disabled recognition unit shown in figa.

When the experiment was repeated, with the recognition unit turned on, all simulated sequences of fragmented message packets carrying unauthorized influences were identified and blocked (see Fig. 7b).

From the presented results, the following conclusions follow: to increase the reliability of detection (recognition) of computer attacks by expanding the sign space of the protection system, the claimed method provides increased stability of the functioning of the ITT under the influence of computer attacks using fragmented message packets.

Additional positive properties of the claimed method are: the ability to detect distributed computer attacks not only at the stage of the attack, but also, which is very important (see, for example, A. Lukatsky. Detection of attacks. - St. Petersburg: BHV - Petersburg, 2001. - 624 p.: ill.), at the stage of collection by the intruder of information about the IVS.

Claims (1)

A way to protect information and computer networks from computer attacks, which is that they take the i-th, where i = 1, 2, 3 ..., a message packet from a communication channel, remember it, receive the (i + 1) -th packet messages, remember it, extract parameters characterizing them from the stored message packets, compare them and, based on the results of the comparison, make a decision about the presence or absence of a computer attack, characterized in that the array {P} is preliminarily set for storing P≥1 fragmented message packets and arrays to memorize pairs meters selected from the stored message packets: S≥1 values of the data field "Total length", S≥1 values of the data field "Offset fragment", E≥1 sums of the values of the data fields "Total length" and "Offset fragment" of the stored message packets { S}, {C}, {E}, respectively, as well as an array of {P _add } for storing additional P _add ≥1 fragmented message packets, and after receiving the i-th message packet from the communication channel, the value of the “Flag” data field is extracted from its header fragmentation ”F _i and with its value equal to zero, transmit the i-th packet with communication to the computer network, after which they receive the (i + 1) th message packet, and when the value of the "Fragmentation flag" data field of the i-th message packet is equal to unity, the i-th message packet is remembered, the field value is extracted from its header Identifier data N _i and store it, extract the values of the data fields “Total length” S _i and “Slice offset” C _i from the header and store them in the corresponding arrays {S} and {C}, calculate the sum E _{i of the} stored i- Motherboard BIOS th packet E _i = S _i + C _i and storing it in the array {E}, in addition, by adopting communication channel from communication (i + 1) th message packet from its header field value recovered data "identifier» N _{i + 1,} it is compared with the value of the data field "identifier» N _{i i-th} message packet and transmit them mismatch (i + 1) the message packet to the computer network, after which the next message packet is received from the communication channel, and if the values of the “Identifier” data fields of the ith and (i + 1) th message packets are the same (i + 1) -th message packet, the values of the data fields “Total Length” S _{i + 1} , “Slice Offset” C _{i + 1,} and omit them in the corresponding arrays of {S} and {C} values of the data fields, calculate the sum E _{i + 1} = S _{i + 1} + C _{i + 1} and store it in the array {E}, read from the header (i + 1) - of the first message packet, the value of the “Fragmentation flag” data field is F _{i + 1} and, if it is equal to unity, the actions are repeated starting from the acceptance of the next message packet from the communication channel and comparison of the “Identifier” data fields, and these steps are repeated until the message packet is received from the communication channel belonging to the set N _{i of} fragmented message packets with the value of the data field “Flag f segmentation ”equal to zero, and when the value of the“ Identifier ”data field of the (i + 1) -th message packet is zero, the message packet Р _{m is} read from the number of previously stored message packets from the array {P} of fragmented message packets, where m = 1, 2, 3 ..., with the smallest value of the Fragment Offset data field C _min remove this message packet from the {P} array and store it in the {P _add } array for additional fragmented message packets, after which from the number remaining in an array of {P} fragmented message packets read the packet again with Communication P _{m + 1} with the smallest value of the data field "fragment offset" C _min and also remove the message packet from the array {P} and storing it in the array {P _ext}, and then compares the sum E _m of the array {E} corresponding to stored in the array {P _add } message packet P _m , with the value of the data field "offset fragment" With _{m + 1} , belonging to the last message packet P _{m + 1} , stored in the array {P _add }, and with an inequality of values of E _m and C _{m + 1} decide on the presence of a computer attack and prohibit the transfer of information to the computer network ex saved message packages, delete all values from the arrays {P}, {P _add }, {S}, {C} and {E}, and if the values of E _m and C _{m + 1 are} equal from the array {P _add } in the information - the computing network is sent a message packet P _m , then it is read from the header of the message packet P _{m + 1} remaining in the array {P _add }, the value of its data field "Fragmentation flag" F and when F is zero, from the array {P _add } transmit the message packet to the computer network, and at F equal to one, the next message packet is read from the array {P} of fragmented message packets with the smallest value of the data field "fragment offset", and then repeat the procedure from memory the next message packet to the array {P} _additional, and these steps are repeated with all the packets in the set {P}.

Images