RU2321052C2 - Method for detecting remote attacks against automated systems - Google Patents

Abstract

FIELD: computer engineering.

SUBSTANCE: in accordance to the method, standards of known attacks are set, as well as required coefficients, a set of N support packets is memorized, the graph of data packets addressed to client is observed, incoming data packets are checked for compliance with given rules, and in accordance to these rules a signal is dispatched for activating attack protection measures, before checking whether received data packets match rules, each packet is checked for compliance with fragmentation condition, while for each new type of IP-packet a queue of fragments is created, correctness of fragmentation of each packet in the queue is checked and in case of incorrect fragmentation of any packet in the queue a signal is dispatched to activate attack protection measures, and received fragment and all following and prior fragments of that type are dropped, and then incoming data packets are checked for compliance with defined rules.

EFFECT: improved probability of detection and prevention of remote attacks against automated systems.

4 dwg, 1 tbl

Description

A method for detecting remote attacks on automated systems (AS) relates to telecommunications, and in particular to a universal method for detecting all types of remote attacks, which are implemented using incorrectly fragmented IP packets, on computer network subscribers using network connections in global computer networks, whose communication between subscribers is carried out by transmitting data packets in accordance with the TCP / IP protocol, and can be used in information security tools.

A known method for detecting remote attacks according to the patent of the Russian Federation No. 2179738, "Method for detecting remote attacks", class G06F 12/14, from 02.20.2002 [1]. The known method includes the following sequence of actions. Observe the schedule of data packets addressed to the subscriber, calculate the number of packets within the series of packets, compare the number of packets in the series with the critical number of packets, check the incoming data packets for compliance with the given rules, give a signal for taking protection measures against attacks.

The disadvantage of this method is the narrow scope, due to its purpose mainly to protect against substitution of one of the participants in the connection. They do not take into account the class of attacks associated with improper packet fragmentation, which creates the conditions for skipping an attack and, as a result, for destructive effects on the speakers, which, in turn, leads to a decrease in the availability of speakers (see, for example, Medvedovsky I.D. . et al. Attack on the Internet. - M.: DMK, 1999. - 336 p.: ill. [2]).

A known method of detecting remote attacks on speakers, implemented in the device according to the patent of the Russian Federation No. 2219577, "Information Search Device", class G06F 17/40, decl. 04.24.2002 [3]. The method is that the i-th packet is received. Receive the (i + 1) th packet, remember it. Feature fields are extracted from the header of the i-th and (i + 1) -th packets. Then, the packets are compared for the unambiguous coincidence of the selected feature fields of the (i + 1) th packet with the highlighted feature fields of the i-th packet and, based on the results of the comparison, decide on the presence of a computer attack.

The disadvantage of this method is the relatively low probability of detecting and recognizing the type of attack on the AS, namely, only one type of remote attack is recognized - the "storm" of false requests for establishing a connection. This is determined by the fact that only two message packets are compared - the next and the previous, and the fact of the presence of a “storm” of false requests to create a connection is determined by the unambiguous coincidence of the selected signs of message packets, which is insufficient to reliably determine the fact of an attack on the speakers. The analogue does not take into account the class of attacks associated with improper packet fragmentation, which creates conditions for skipping an attack and, as a result, for destructive impacts on the AS, which, in turn, leads to a decrease in the availability of the AS.

Closest in its technical essence to the declared one is the "Method for detecting remote attacks on automated control systems", No. 2264649 class G06F 12/14, declared. 04/26/2004 [4]. The invention consists in setting the number N≥1 standards of possible attacks, the minimum acceptable value of the similarity index of the compared feature fields of packets K _cx.min , the maximum allowable number of matches of the characteristic fields of the i-th reference packet (reference) with the compared feature fields received from the channel connection to the analysis of the package K _sov.idop , where i = 1, 2, ... N and establish the number of matches K _sov.i = 0. In addition, a set of N reference packets containing patterns of predetermined attacks is previously stored. Then, the kth message packet is received from the communication channel, where k = 1, 2, ..., the feature fields are extracted from its header and their values are compared with the values of the feature fields of the reference N packets. According to the comparison results, similarity coefficients K _{cx.i are calculated} and compared with a predetermined value K _cx.min . When the condition K _cx.i ≥К _{cx.min is fulfilled} , K _{cx.i is stored} , the corresponding kth message packet is increased, and the value of K _{spp.i is increased} by one. When the condition K _cx.i <К _cx.min is _met , the (k + 1) th message packet is received. After this action, starting from the selection of the (k + 1) -th package of characteristic fields from the header, they are repeated until the condition K _match i _{≥K match} idop is _fulfilled , when it is concluded that the i-th attacks. This method is adopted as a prototype.

Compared with analogs, the prototype method can be used in a wider area, when not only the type of protocol is determined, the state of the monitored object is analyzed, the rules for establishing and maintaining a communication session are taken into account, but the likelihood of detecting and recognizing various types of attacks on speakers is also increased by introducing attack standards, comparing several packets with each other, taking into account the introduced similarity coefficients, which is necessary to increase the stability of the functioning of automated systems in the conditions of nktsionirovannogo impact.

The disadvantage of this method is the inability to take into account the correct fragmentation of IP packets on the recipient side. The prototype method analyzes the contents of packets of the TCP transport protocol, the proposed solution involves checking IP packets, which allows it to analyze the correctness of fragmented packets. The prototype uses a limited set of attribute space - it does not take into account the features of the IP protocol, expressed in the absence of integrity control of the encapsulated data, the possibility of packet fragmentation and the fact that the final assembly of the packets is performed only by the final recipient, which makes it possible to implement a series of attacks related to the class of incorrectly fragmented packets on IP network resources.

The technical problem solved by the invention is to increase the likelihood of detection and protection against remote attacks on automated systems associated with improper packet fragmentation.

The essence of the technical task to be solved is that they set the standards of known attacks, the necessary coefficients, remember the set of N reference packets, observe the schedule of data packets addressed to the subscriber, check the incoming data packets for compliance with the given rules, and in accordance with them they send a signal for acceptance protection against attacks, before checking the received data packets for compliance with the given rules, check each packet for compliance with the fragmentation condition, while for each new like an IP packet, a queue of fragments is created, the fragmentation of each packet in the queue is checked correctly and, if any packet is improperly fragmented, the queue sends a signal to take measures to protect against attack, and the incoming fragment and all subsequent and previous fragments of this type are discarded, and then incoming data packets for compliance with specified rules.

The invention is illustrated by the drawings shown in figure 1, figure 2, figure 3, figure 4, which shows:

figure 1 - algorithm of the proposed method for detecting remote attacks;

figure 2 - General algorithm for verifying the fragmentation of the IP packet;

figure 3 - algorithm for checking the conditions of fragmentation;

4 is a diagram explaining the principle of fragmentation of IP packets.

The algorithm of the proposed method for detecting remote attacks, presented in figure 1, consists of the following blocks:

Block No. 1 - The task N> 1 of the standard of attack, the task of the coefficients.

Block No. 2 - The kth message packet is received.

Block No. 3 - The packet fragmentation is verified.

Block No. 4 - Check the incoming package according to the given rules.

Block No. 5 - Make a conclusion about the presence of an attack.

The general algorithm for verifying the fragmentation of the IP packet of Fig.2. consists of the following:

Block No. 1 - The next packet is accepted.

Block No. 2 - Analyzes the packet for fragmentation. For a fragmented IP packet, the field is FO ≠ 0 or the field FI = 001. If the package is not fragmented, it is not subjected to further verification.

Block No. 3 - The existence of a queue for fragments of one message is checked. If such exists, the packet is transferred to it Block No. 4.

If the queue of this type of packet does not exist, it creates Block No. 5.

Block No. 4 - If there is a fragment queue for the corresponding type of packet, place the fragment in the fragment queue of the corresponding type.

Block No. 5 - In the absence of a fragment queue for this type of packet, a fragment queue is created for this packet, in which information about the incoming fragment is placed.

Block No. 6 - Check the correct fragmentation of the packet (the Algorithm for checking the fragmentation conditions is presented in figure 3). The queue of packet fragments is analyzed for overlapping neighboring fragments. At this stage, the set of received packet fragments is analyzed, which are stored in the corresponding queue of fragments, while checking the possibility of combining two fragments into one, as well as the presence of overlap of two fragments. A decision is made based on an analysis of the fragment queue about whether fragmentation is broken or not. Fragmentation is considered violated if the analysis of the fragment queue revealed the presence of fragment overlaps or the fragment data field exceeded 64 Kbytes — the maximum IP packet length (see, for example, Nogl M. TCP / IP. Illustrated textbook. - M.: DMK Press, 2001. - 480 p .: ill. [7]).

Block No. 7 - In case of improper fragmentation of the packet, a signal is sent to take protective measures.

Block No. 8 - The incoming fragment and all subsequent and previous fragments of this type are discarded.

The algorithm for verifying the correct fragmentation of the IP packet is shown in Fig.3.

Block No. 1 - An IP packet is retrieved from the queue of fragments of the corresponding type.

Block No. 2 - Verification of the condition "fragment X does not overlap the previous fragment in the list (if any)" by the formula:

Block No. 3 - Verification of the condition "fragment X does not overlap the next fragment in the list (if any)":

Block No. 4 - Verification of the condition on the "maximum permissible packet length":

Block No. 5 - Verification of the condition “previous fragment is not the last”:

Block No. 6 - In case of failure to fulfill any of these conditions, a signal is sent to take protective measures, for example, a notification to the subscriber, and this IP packet should be marked as discarded, and the incoming and all subsequent fragments of this packet should be discarded.

An explanation of the IP protocol data fields used when checking for fragmentation is shown in Table 1.

Table number 1 Field length Designation Explanation 4 bits Hl Header length (number of 32-bit words in the IP header) 16 bits Fl The length of the packet (fragment) in bytes (header and data) 13 bits Fo Fragment offset (offset in bytes of the fragment data field relative to the general data field of the initial fragmented packet) (value is a multiple of 8 bytes; for the first fragment = 0)

It is known that to ensure information security, it is highly likely to determine the facts of remote attacks on nuclear power plants. Existing technical solutions do not allow to achieve the necessary probability of detection and protection against remote attacks aimed at unauthorized access, as well as reducing the availability and disruption of communication networks and AS. The destructive capabilities of remote attacks are related to the fact that most of them are directly aimed at weaknesses of security features, vulnerabilities in operating systems and system applications (see, for example, Chirillo J. Protection against hackers. - St. Petersburg: Peter, 2002. - 480 p. .: ill. [5, 6]), and automated systems that process service requests from authorized subscribers have limited processing power for processing requests and a limited request queue length, lack of a mechanism for verifying packet fragmentation. In addition, the high throughput of modern SPDs significantly expands the destructive capabilities of remote attacks.

The search for effective technical solutions to increase the probability of detection and protection against attacks on the speakers can be carried out by introducing the verification of the correct fragmentation of IP packets of the remote attack detection system for speakers.

The claimed method is implemented as follows.

The necessary coefficients, standards of known N. attacks are set.

A packet is received from the communication channel. It checks for fragmentation. Suppose there is an IP packet of 8 kbytes (For simplicity, we take 1 kbyte = 1000 bytes). Suppose that on the route it sequentially passes through networks with the values MTU1 = 4 kbytes and MTU2 = 2 kbytes. The number and sizes of the resulting correctly fragmented IP packets are shown in FIG. 4 i.e. the subscriber checking the fragments of IP packets according to the algorithm shown in figure 2, will perform the following actions: (consider the example of a network with MTU1 - 4 kbytes)

1. An IP packet is received (with the following significant fields FL = 3996, FI = 001, FO = 0) (Fig. 2. Block No. 1)

2. The received IP packet is analyzed for fragmentation. Block No. 2 of FIG. 2. At the received IP packet, the field FI = 001 means the packet is fragmented, the transition to block No. 3 of FIG. 2 is carried out.

3. The existence of the queue for the corresponding type of fragmented packet is checked. Block No. 4 of Fig. 2., which is necessary to determine whether the packet belongs to already created queues of IP packets of the same type, for this, the PaID field in the IP packet header is analyzed. 4, PaID = 20 for MTU1. It is concluded that there is no queue for this IP packet, a transition is made to block No. 5 of FIG. 2.

4. For an IP packet with PaID = 20, a queue is created and this packet is placed there. The transition to the block No. 6 of figure 2.

5. Verifies the correct fragmentation of the IP packet, the algorithm in Fig. No. 3 is executed.

6. The package is checked for compliance with the given rules Block No. 4 of figure 1.

7. If the conditions of the previous block are met, a conclusion is drawn about the presence of an attack. Block No. 5 of FIG. 1.

8. The received packet is checked according to the given rules. Block No. 4 of FIG. 1.

9. In the case of a positive test result, a conclusion is made about the presence of an attack - Block No. 5 of FIG. 1.

The method for detecting remote attacks on a computer network is implemented as a dynamically loaded kernel module of the Linux operating system, which implements the function of checking the correct fragmentation of incoming IP packets in the packet filter of the Linux OS.

Thus, by checking each IP packet for the correct fulfillment of the fragmentation condition, in this case, for each new type of IP packet, a queue of fragments is created, the correct fragmentation of each packet is checked and, in case of incorrect fragmentation, they signal to take measures to protect against attack, and the fragment and all subsequent and previous fragments of this type are discarded. This achieves the formulated task - increasing the likelihood of detection and protection against remote attacks on speakers, remote sensing detection systems on speakers, which is necessary to ensure the stable functioning of the speakers, which consists in providing service capabilities to authorized subscribers.

Bibliography

1. RF patent No. 2179738, Method for detecting remote attacks, class G06F 12/14, dated 20.02.2002.

2. Medvedovsky I.D. and others. Attack on the Internet. - M.: DMK, 1999 .-- 336 p .: ill.

3. RF patent №2219577, Information retrieval device, class G06F 17/40, decl. 04.24.2002.

4. RF patent No. 2264649, Method for detecting remote attacks on automated control systems, class G06F 12/14, decl. 04/26/2004.

5. Cirillo J. Protection from hackers. - SPb .: Peter, 2002 .-- 480 p .: ill.

6. A.A. Novikov, G.N. Ustinov. Vulnerability and information security of telecommunication technologies. - M .: Radio and communication. 2003 .-- 296 pp., Ill.

7. Nogl M. TCP / IP. Illustrated tutorial. - M.: DMK Press, 2001 .-- 480 p .: ill. Page 76-79.

Claims (1)

A method for detecting remote attacks on automated systems, which consists in setting the standards of known attacks, the necessary coefficients, storing a set of N reference packets, observing the schedule of data packets addressed to the subscriber, checking the incoming data packets for compliance with the given rules and submitting them in accordance with it signal for taking protective measures against attack, characterized in that before checking the received data packets for compliance with the given rules, check the fragment offset fields (FO), flag fr segmentation (FI), total packet length (FL), header length (HL) of each IP packet for compliance with the fragmentation condition by checking the fields of incoming IP packets with fragmentation conditions (FO ≠ 0 or FI = 001), for each new type of IP packet create a queue of fragments, check the correct fragmentation of each packet by analyzing the sequence of fragments for compliance with the conditions "fragment X does not overlap the previous fragment in the list (FO _x-1 · 8 + FL _x-1 -HL _x-1 · 4 <FO _x · 8) "," fragment X does not overlap the next fragment in the list (FO _x · 8 + FL _x -HL _x · 4 <FO _{x + 1} · 8) "," the maximum allowable packet length (FO _x · 8 + FL _x -HL _x · 4 <2 ¹⁶ bytes) "," the previous fragment is not the last (FL _x-1 = 001) "and in case of incorrect fragmentation of any packet in the queue, they signal to take measures of protection against attack, and the incoming fragment and all subsequent and previous fragments of this type are discarded, and then the incoming data packets are checked for compliance with the given rules.

Images