RU2318296C1 - Method for protection of local computing-network at transmission of electronic mail messages by means of global information network - Google Patents

Abstract

FIELD: electric communication, applicable in local computing networks for improvement of their safety at transmission of electronic mail messages, via the global information network.

SUBSTANCE: the method consists in forming of electronic mail messages in the local computing networks, where they are memorized. Then these messages are read ant and memorized in the intermediate recording means memory. The mentioned messages are removed from the server of the local computing network, read server of the local computing network, read out of the intermediate recording means memory and transmitted to the server of the global information network. In addition, a set of identifiers of the controlled message senders, fields of their head-lines, their admissible values and the rule of selection are preset. At a coincidence of the identifiers of the electronic mail messages with the preset indicators the fields of the controlled messages are modified by way of their replacement. The mentioned actions complicate the probability of destructive actions on the local computing networks, which enhances their safety of operation.

EFFECT: enhanced safety of the local computing network due to masking of its characteristics at transmission of electronic mail messages by means of the global information network.

2 cl, 4 dwg

Description

The invention relates to the field of telecommunications and can be used in computer networks to increase their security when transmitting e-mail messages through a global information network.

There is a method that facilitates the extraction of data in connection with the processing of unauthorized e-mails, according to the application for the invention No. 2004116904 "Lists and signs of sources / destinations for the prevention of unwanted e-mail messages", IPC G06F 12/00, stated. 2004.06.03. The method is that a message is received; extracting a set of features associated with the message source, or part of them and / or information that enables the intended recipient to contact, issue a response, or receive in connection with the message, and use a subset of the extracted features in connection with the creation of the filter.

The disadvantage of this method is the low level of protection of the local area network.

There is also a method of protecting email according to RF patent No. 2223540 "Method for transmitting and receiving secure emails and a system for implementing the method", IPC G06F 17/60, decl. 2001.04.26.

The known method includes the following sequence of actions. Pre-form a lot of conditions for processing emails, save the formed many conditions in the database of the client part of the sender system.

The address and decryption key of the intermediate mailbox of the sender are determined, and they are stored in the database of the server part of the system. The initial email is generated, sent to the client part of the system. The address of the recipient's mailbox of the source letter is compared with the recipient mailbox address patterns from a variety of processing conditions, the address and key of the sender's electronic intermediate mailbox are determined. Put the original message in the source file, encrypt the source file to obtain a new file. A new email is generated, it is sent to the sender’s intermediate email inbox through the Internet service provider. Using the server side of the system, an email is received at the sender's intermediate email inbox. Decrypt the file, form the original email and send it to the recipient's email inbox. Receive sent emails using a client email program.

The disadvantage of this method is the relatively low level of security of the computer network, which is due to the storage in the headers of messages transmitted between intermediate electronic mailboxes through the global information system of identification information of the computer network, its elements and functioning algorithms.

Closest in technical essence to the claimed one is “A method for protecting the information resources of a local area network connected to a global information network against unauthorized access of users of a global information network to a local area network when exchanging e-mail message signals” according to RF patent No. 2168757, IPC G06F 15/163, G06F 12/14, claimed 06/06/08.

The prototype method consists in generating an e-mail message in the local area network, transmitting the message, receiving the message on the server of the local area network, writing it to the server’s memory, reading the message from the memory of the local area network server, and writing it to the memory of the intermediate recording means , delete the message from the server memory of the local area network, read the message from the memory of the intermediate recording means and write it to the memory of the global information server network, transmit the message to the user of the global information network.

Compared with analogues, the prototype method is easier to implement, because does not require the use of intermediate electronic mailboxes.

The disadvantage of the prototype is the relatively low security of the local area network when transmitting e-mail messages through the global information network, due to the possibility of analyzing the headers of the e-mail messages, on the basis of which it is possible to reveal the characteristics of the local area network, its users and carry out a deliberate destructive effect.

The purpose of the claimed technical solution is to develop a method for protecting the local area network when transmitting e-mail messages through the global information network, which improves the security of the local area network by masking the characteristics of the computer network when transmitting e-mail messages through the global information network.

This goal is achieved by the fact that in the known method of protecting the local area network when transmitting e-mail messages through the global information network, which consists in generating an e-mail message in the local area network, transmit it to the server of the local area network, where it is stored, except In addition, the recorded e-mail message is read and stored in the memory of the intermediate recording means, after which the e-mail message is deleted from the server’s memory locally computer network, read the message from the memory of the intermediate recording means and transfer it to the server of the global information network, after which the steps for generating and transmitting the e-mail message in the local computer network are repeated, the set of identifiers of the senders of the controlled messages is pre-set. The controlled fields of message headers, the set of valid field values and the rule for selecting field values from the set of valid fields are also defined. After deleting the message from the memory of the server of the local area network, in addition to the means of the intermediate recording, the identifier of the stored message is isolated and compared with a predetermined set of identifiers of the senders of the controlled e-mail messages. If there is a match, the monitored header fields of the email message are modified. (A message modification is an undetectable change in the contents of a program, which leads to some unauthorized result [State Technical Commission of Russia. Information Security and Information Protection. Collection of terms and definitions].) To do this, select a header and controlled fields from the message, select it according to a predefined rule the values of the header fields from the set of valid ones and replace with them the values of the controlled header fields. If the identifiers of the sender of the email message do not match the predefined set of identifiers of the senders, the message is transmitted without changes to the server of the global information network. The selection of new values of the controlled fields of the header of the email message is performed according to a random law.

Due to the new set of essential features in the claimed method, by modifying the true values of some fields of the message header, the characteristics of the local computer network and its users are hidden from cybercriminals when transmitting e-mail messages through the global information network, which significantly complicates the opening of the parameters and characteristics of the local computer network and, therefore, complicates the deliberate destructive impact on the local area network. Thus, it is possible to achieve the formulated technical result: improving the security of the local computer network by masking the characteristics of the computer network when transmitting e-mail messages through the global information network.

The analysis of the prior art made it possible to establish that analogues, characterized by a combination of features that are identical to all the features of the claimed technical solution, are absent in known sources of information, which indicates compliance of the claimed device with the patentability condition of "novelty".

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed object from the prototype showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention, the transformations on the achievement of the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method is illustrated by drawings, which show:

figure 1 - the hierarchy of the TCP / IP protocols;

figure 2 is a drawing explaining methods of obtaining identification information;

figure 3 - structure of a computer network that implements the claimed method;

4 is a block diagram of an algorithm that implements the method.

For the preparation and implementation of a deliberate destructive impact on computer networks, the stage of preliminary collection of identification information about the local computer network is necessary. At the same time, various methods are used, including analysis of the information contained in the headers of e-mail messages, which are transmitted using known protocols presented in figure 1.

There are many implementations of the email service for almost all versions of operating systems (Q-MAIL, EXIM, Postfix, Sendmail, etc.). The email service implements application layer protocols. The email user communicates with the user agent (Email client). A user agent is a mail service for a specific computing network (POP3 (RFC-1460), IMAP (RFC-2060), Sendmail (Unix), Pine, Elm, Mush, MH, Berkeley Mail, etc.). It works as a “post office”, which receives mail messages, determines the delivery option by address and passes it to the transport agent (Mail Transfer Agent). The transport agent implements the well-known SMTP protocol, UUCP (or another email delivery protocol).

The SMTP protocol is the most common, it allows the use of various transport environments and can deliver messages even on a network that does not support TCP / IP protocols. The SMTP protocol provides transportation of messages to one recipient and reproduction of copies of messages for delivery to different addresses. One of the SMTP protocols (RFC-822) defines the format of the email message, the second (RFC-821) controls their forwarding. RFC (Request for SentInternet) is a document that has the status of an international standard and recognized as such by the Internet Engineering Task Force [http://elib.org.ua/www.ietf.org/default.htm]. SMTP has spooling mechanisms and mechanisms to improve delivery reliability. E-mail addresses are unique and uniquely determine the addressee, even having some redundancy [Yu. A. Semenov (SSTC ITEF), book.itep.ru].

The headers of e-mail messages may contain service information about the local area network, which is not required for reliable and timely delivery of messages to the addressee.

In order to obtain identification information and prepare a deliberate destructive effect, the intruder can analyze not only user messages, but also mail server response messages to specific commands coming from the global information network. Specialized programs have been developed and are being applied that make it possible to extract this information using pre-prepared statistical data (UST.IEviaOLE [ustinfo.ru]). In this case, "legal" interaction with the user of the local area network or unauthorized interception of a message transmitted through the global information network is possible (Fig. 2). In "legal" interaction with a user of a local area network, the intruder sends and receives messages from the network of interest to him, then analyzes the contents and headers of the received messages.

In the field "Received" (see figure 2), each transport agent during the route adds a line with the domain name and IP address of the mail server that relays the message. Also in this field indicate the version of the software that implements the email service.

Field "Reply-To" (see figure 2) contains the address to which you want to send a response, if it differs from the address of the sender of the message.

In the field "SS" (see figure 2) indicate the addresses of additional recipients, if the message is multicast. It happens that information about the additional recipients of this message is confidential.

"Bss" - a field in which indicate the address of the blind copy. There may be situations in which message recipients may inadvertently disclose information about recipients of blind copies of the message.

“Apparently-to” - a field in which the e-mail server indicates a possible recipient, if the sender specifies an incorrect or incorrect recipient address.

In the field "Sender" (see figure 2) indicate the address of the sender, if it differs from the address to which you want to send a response to this electronic message (Reply-To).

The Return-Path field can be used to identify the return path to the sender. It is used in troubleshooting and e-mail service malfunctions.

In the field "Message-Id" (see figure 2) indicates a unique number for subsequent reference to this message.

Field "MIME-Version" (see figure 2) identifies the version of the mail protocol.

The following message header fields are defined by the sending user. They indicate user information and any information about the company, website, provider, software used and other data: X-Phone, X-Mailer, X-Mime OLE. The X-Originating-IP header field displays the user's IP address. The Subject field is the subject of the message, it may contain confidential information specified by the sender.

In case of illegal interaction, the attacker can organize interaction with the mail server using the telnet protocol and analyze the server’s responses to the correct and incorrect EXPN, VRFY, and other commands. Responses to these commands can contain the fully qualified domain names and IP addresses of all email users registered with this mail server . Using other commands, you can determine the version of the mail service you are using.

In addition, the intruder may use unauthorized interception of e-mail messages transmitted through the global information network.

Figure 3 presents a diagram of a computer network that implements the claimed method.

In the claimed method, in order to achieve a technical result, the email message header fields are modified containing service information (Io), which identifies the parameters and characteristics of the local area network (LAN) (Fig. 3).

The modification may consist in deleting the header field, replacing it with a constant value, replacing it with one of the pre-prepared false values of the header fields. After modification, the message header will carry false identification information (Il) about the local area network (LAN). Thus, the potential intruder is misled about the parameters of the local computer network, which complicates the deliberate destructive impact on the network.

Figure 4 presents a block diagram of an algorithm that implements the claimed method of protection, in which the following notation:

IDo - identifier of the sender of the email message;

{IDo} - a set of identifiers of senders of controlled emails;

Zк - controlled field of the message header;

{Zк} - the set of controlled message header fields;

Pk is the value of the header field;

{Рл} - the set of valid values of the message header fields;

F - the rule for selecting the values of the message header fields from the set of valid;

SEP - email message;

LAN - local area network;

SDR - means of intermediate recording;

GIS is a global information network.

The claimed method is implemented as follows.

The following initial data is preliminarily set:

{IDo} - a set of identifiers of senders of controlled e-mail messages (for example, the values of the From, Sender, Received, Subject header fields);

{Zк} - a lot of controlled message header fields (fields that generally contain identification information, for example Received; Reply-To; CC; Bcc; Apparently-to; Sender; Subject; Return-Path; Message-Id; MIME-Version In-Reply-To; References; Keywords; X-Phone; X-Mailer; X-Mime OLE; Content-Type, etc.). With changes in the e-mail protocols, the appearance of new fields in the header, the list of controlled fields can be supplemented;

{Рл} - the set of valid values for each of the fields of controlled headers of e-mail messages. The set is formed on the basis of statistical data on various software versions;

F - the rule for choosing the values of the header fields from the set of acceptable values (block 1 in the diagram).

The source data is stored in the SDR database (Fig.3.), Which can be updated and adjusted.

An email message (So) is formed on the local area network with an envelope (Co) and a header (Zo). A message can be generated both by the LAN user and by the LAN mail server in response to a request (command) from another server or if it is not possible to deliver an incoming message to the addressee (NDR report on non-delivery of a message). The message header (Zo) contains service information (Io) identifying the local area network (LAN) parameters.

Send an e-mail message to the LAN server. In this case, signals are generated in accordance with the TCP / IP protocol stack (block 3 of the algorithm).

Receive an e-mail message on the LAN server and write it to the server’s memory (block 4, 5 of the algorithm).

The e-mail message is read from the memory of the server of the local area network and the e-mail message is recorded in the memory of the intermediate recording means (blocks 6, 7).

Delete the e-mail message from the memory of the server of the local area network (block 8).

The sender identifier IDo is extracted from the e-mail message and the sender identifier of the message is compared with a predetermined set of sender identifiers of monitored e-mail messages {IDo} (verification of the condition IDo∈ {IDo}). Thus, controlled e-mail messages are filtered out from other messages and information signals (blocks 9, 10 of the algorithm).

Modify, if identifiers match, the fields of the monitored headers of the email message, for which:

select the controlled header fields Zк from the email message (block 11);

select according to a predefined rule from the set of valid values of the header fields new values of Rl (block 12);

replace the field values of the monitored Pk headers with new values (block 13). The envelope of the Ko message does not change.

A modified e-mail message (Sm) with the header Zm is read from the memory of the intermediate recording means (block 14) and an e-mail message is transmitted to the global information network server (block 15). After modification, the message Sm contains the header Zm and the values of the RL fields that carry identification information that is not characteristic of the LAN.

If the IDo∈ {IDo} condition is not met, the e-mail message without changes (So) is read from the intermediate recording means and transmitted to the global information network server.

Next, repeat the steps from the formation of the message (So) in the local area network.

The intermediate recording tool can be implemented as an application layer gateway on any of the intermediate servers of the global information network. Moreover, to achieve the result, the reciprocal part of the same means on the receiving side is not required, which determines the wider scope of the method in comparison with analogues and the relative ease of implementation.

The feasibility of implementing the formulated technical result was tested by creating a mock-up of a software package and conducting a full-scale experiment. During the experiment, the following message header fields were modified: Message-ID; MIME-Version; Subject X-Pfone; X-Mailer X-Originating-IP; From; Received Reply-to. The experiment revealed a significant difficulty in recognizing the characteristics of the local computer network and its users by identification information in the headers of e-mail messages.

From the presented results, the following conclusions follow: the claimed method provides increased security for the local computer network by masking the characteristics of the computer network when transmitting e-mail messages through the global information network and complicates the deliberate destructive effects.

Additional positive properties of the claimed method are the ability to register signs of unauthorized collection of information about the computer network by the intruder through the email service and its warning. For example, fixing debug commands EXPN and VRFY. These commands can be tracked by the responses of the LAN mail server to them, if the identifiers of these responses are pre-set. A large number of reports on non-delivery of messages to recipients can serve as a signal of an NDR attack, in this case, it is necessary to set an alarm threshold for the number of NDRs.

Claims (2)

1. A method of protecting a local area network when transmitting e-mail messages through a global information network, which consists in generating an e-mail message in a local area network, transmitting it to a server of the local area network, where it is stored, in addition, a recorded e-mail message read and additionally store in memory the means of intermediate recording, and then delete the message from the memory of the server of the local area network, read the message electronically e-mail from the memory of the intermediate recording means and transfer it to the server of the global information network, after which the steps for generating and transmitting e-mail messages in the local computer are repeated, characterized in that the set of identifiers of the senders of the controlled e-mail messages, the controlled message header fields are pre-set, valid field values and the rule for selecting the specified field values, and after deleting the e-mail from the server’s memory, In the secondary network, in addition to the intermediate recording means, the identifier of the remembered message is extracted and compared with a predefined set of identifiers of senders of controlled e-mail messages and, if they match, the controlled fields of the header of the email message are modified, for which the controlled fields are selected from the header, the values are selected according to a predefined rule controlled header fields from the set of valid ones that replace values header fields, and if the identifiers of the senders of the controlled e-mail messages do not match, the header is not modified, and the message is transmitted without changes to the server of the global information network. 2. The method according to claim 1, characterized in that the selection of new field values for the header of the email message is performed according to random law.

Images