RU2359319C2 - Method of integrating information resources of heterogeneous computer network - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: present invention relates to computer engineering. The method involves the following: general-system software is installed on each computer installation; integrated means of intercomputer information exchange is provided for; guaranteed protected interaction is provided between terminal applications through a series of outgoing and incoming messages; on each computer installation, protective randomised data storage is created, referred to as a private safe; the series of outgoing and incoming messages is stored in the private safe; provision for creating and deleting information objects, referred to as links, with possibility of extracting these links to special information resources, referred to as DataMart; provision for guaranteed storage of data windows in the private safe in form of a set of links, referred to DataMarket; confidential data and credentials of the administrator are stored in the private safe; provision for mandate and discretional control of access of the administrator to the DataMarket; provision for guaranteed processing of links in the DataMarket; systematic verification of credentials of each administrator, given access to work with the DataMarket, and working session of any administrator is stopped there discrepancy of at least one parametre of the corresponding access profile, stored in the private safe in the computer installation.

EFFECT: realisation of a general protected transport medium with integration of information resources to provide for uniform data exchange between the Central information object (CIO) and complexes of automation equipment (CAE) for all purposes.

6 cl, 5 dwg

Description

FIELD OF THE INVENTION

The present invention relates to computer technology, and more particularly, to a method for integrating information resources of a heterogeneous computer network.

State of the art

Currently, there are several different proposals for providing remote access to information resources in heterogeneous computer networks for the integration of information resources and the implementation of a distributed computing process.

So, in the patent of the Russian Federation No. 2130643 (publ. 05/20/1999) a method for providing access to data in the database management system "Linter-VS" is disclosed. In this method, in the process of processing an access request, several checks are made to compare the user admission rank with the access rank of the requested data.

In patents of the Russian Federation No. 2143728 (publ. 12/27/1999), 2163727, 2163744 and 2163745 (all publ. 02/27/2001) various options for protecting a virtual channel of a corporate network built on communication channels and means of switching a public communication network for integrating information resources. In this system, which contains firewalls, a block for forming a closed protocol, a block for authenticating the client by IP address, and a block for allowing access by the logical name of the server are introduced. There are also client and server parts of the security system.

The RF patent No. 2279186 (published on June 27, 2006; see US patent No. 6986040, published on January 10, 2006) describes a system and method for using the security of a secure communication channel to protect an unsecured communication channel. A special service generates a ticket with an identifier and a session key and sends it to a client, who forwards the identifier to the application server via the application transfer channel. The server receives a copy of the session key from the special service and exchanges data encrypted with this session key with the client.

The RF patent No. 2289886 (published on December 20, 2006; see US patent No. 7177932, published on February 13, 2007) discloses a method, a gateway, and a system for transmitting data between a device on a public network and a device on the internal network. The internal network is connected to the public network through a gateway containing an exchange control unit that recognizes the destination of the data addressed to the public network based on the key identifier included in the data.

US Application No. 2005/0149757 (published 07.07.2005) discloses a system and method for providing secure network access, where a secure network device is connected to an authorized security tool and has a set of network communication interfaces.

In US patent No. 6631416 (publ. 07.10.2003) and in US applications No. 2002/0056008 (publ. 09.05.2002), 2004/0260941 (publ. 23.12.2004), 2005/0144474 (publ. 30.06.2005) and 2005/0160161 (publ. 21.07.2005) describes various mechanisms for creating "tunnels" between computers or processors with different degrees of protection (security).

Finally, US application No. 2007/0061870 (published March 15, 2007) describes a method and system for providing secure data transfer between points of creation and points of use. Virtual secure domains are created on computers, each of which includes a list of users, a secure network configuration, a unique encryption key for a domain, and a set of security strategies for accessing communication channels. Only a member of this domain with the appropriate privileges can enter a domain. Copying part of the content stored in the domain is only possible if you have permission.

All these and many other developments solve particular problems of integrating information resources in a computer network. But now the task of uniting, integrating disparate information resources, and building a single information space is very urgent. Therefore, the search unfolds around the general issues of building heterogeneous geographically distributed information systems, often having a pronounced branched structure with nodes in different regions.

The most important task of ensuring the functioning of any heterogeneous geographically distributed information structure is the availability in its governing bodies or controlling bodies of relevant information on the current (including economic, financial, industrial, managerial, etc.) state of enterprises and organizations operating in the interests of the structure. This information is necessary to ensure the effectiveness of the management or economic policy, to prevent crisis phenomena, to present the possibility of operational management of heterogeneous enterprises based on the analysis of relevant information on the state of economic entities.

Currently, the collection and processing of necessary information on the state of enterprises and organizations within the framework of current legislation is carried out in the interests of various state bodies, for example, the Federal Tax Service of the Russian Federation. Systems for collecting relevant information about the objects of an automated system (AS) were formed in the absence of a unified approach both in the normative and in the technological planes with complete inconsistency in the work of individual information systems created at specific enterprises.

In this regard, there are a number of problems inherent in all elements of the so-called "patchwork informatization":

- the general low level of informatization of both enterprises and organizations themselves, and of federal executive bodies;

- the lack of the ability to extract relevant information about the state of the nuclear power plant object due to software and hardware or other incompatibilities at the control level of the entire nuclear power plant as a whole;

- the impossibility of presenting relevant information about heterogeneous enterprises and organizations in a comparative form for the implementation of reliable analytical processing of the presented information in the interests of the owner of the nuclear power plant (federal body);

- the extreme complexity of the operational exchange of relevant data due to software and hardware or architectural incompatibility, as well as the features of workflow at the level of information infrastructure facilities;

- lack of uniform unified regulations (processes) that ensure the collection, storage and processing of heterogeneous data of the entire NPP infrastructure in the interests of its owner;

- the presence of various standards and implementations of information security systems that impede the transparent regulatory interaction of nuclear power plants.

The first and most urgent task of creating a geographically distributed automated information system (AIS) for collecting and analyzing operational (or relevant) information about system objects is to ensure reliable information interaction between software systems and systems (applications) operated by enterprises and organizations, structural divisions of AIS objects using information infrastructure developed to one degree or another. The task of interaction between applications using various data formats, dictionaries and classifiers in a geographically distributed multi-platform information environment arises sooner or later before the designer of any AS. The choice of a particular technology for integrating disparate information resources is dictated by considerations of “capitalization” of early investments, the possibility of adapting “inherited” systems to the new (system-wide) requirements of AIS, and developing at least 10 years in advance. The emphasis is on the fact that any revolutionary ideas and methods must necessarily allow them to integrate into existing information systems exclusively in an evolutionary way. Otherwise, they can only mean another impasse in development. In addition, the important fact is postulated that the safety of a nuclear power plant should not be alienated from it, it should not be optional. Information security issues should be addressed initially as the fundamental functionality of the AU.

Thus, the main decision to create information and technology support for the AU, including on the basis of the above comments, is the decision on its unified architecture. It should be borne in mind that in foreign practice for many years not two-level, but three-level using the products of the "middle layer" architecture for building automated systems has been used. This means that all applied tasks of AS (subsystems) do not work directly with operating systems at specific workplaces, but through some additional “intermediate layer” (middleware), which not only eliminates the differences between them, not only performs the functions of information and logical interface heterogeneous applications, solving the problems of routing, guaranteed information delivery, access control, but also provides a unified security policy in a heterogeneous environment, creates a distributed data warehouse, fulfills general regulations, etc.

Such an architectural approach today is the most promising, allowing to solve the issues of joint functioning of heterogeneous systems, including external with respect to a particular speaker. This approach allows us to consider this solution as a possible basis for the implementation of a distributed storage system on a heterogeneous NPP infrastructure using any available means in the process of obtaining (“extracting”) the necessary information, including “legacy” system software (STR) operating in heterogeneous client-server architecture (database management system - DBMS).

In this regard, there are several approaches to the integration of disparate information resources, which are actively discussed and implemented in a number of structures and organizations. These approaches are related to the consideration of two levels of integration: the system level, where a number of non-connected operating systems (OS) are currently operating, and the execution level, where all application software (software) is “immersed”. Conventionally, these approaches can be depicted as a two-level integration model (see figure 1).

Consider the first level (lower part of figure 1) in more detail. The undisputed leaders in this area include the OS family of MS Windows. The following are: UNIX-like Linux OSs in different versions (RedHat, SuSE, TurboLinux, Mandrake, Debian and other foreign versions, as well as the MS aircraft, ASP and ALTLinux in Russia), UNIX systems - FreeBSD, Sun Solaris, HP-UX , IBM AIX, etc., IBM OS / 2 in various versions, an outdated but still used product Mac OS / X, IBM AS / 400, IBM VM / ESA, etc. There are a number of well-known products, such as outdated ones, for example MS DOS and its analogue of PTS DOS, as well as promising ones used in the mobile solutions sector - PalmOS, Simbian, Windows CE, Pocket PC, etc. All these OSs are conditionally named in Fig. 1 by the term “Lindows”. Note that integration at this level is associated with the organization of interaction at the OS level, which, due to their sufficient differences and organizational difficulties, is practically impracticable. Therefore, the general approach is as follows: the gradual “crowding out” of disparate OSs by some selected system, its comprehensive development, support and generation of new solutions on this new platform. At the same time, as a rule, they try to integrate a large number of functional tasks into a single information space based on the development of interface protocols at the level of the execution environment, and further develop systems based on the unification of both software and hardware. However, for the integration of thousands of tasks it is simply physically impossible to write, and then synchronize the work of more than 1,000,000 interface protocols. Therefore, without making changes to the architecture of already created systems, their integration is practically impossible.

Note that the choice of this approach can only be justified if the development of the “proper” OS is based on a wide coverage of new technological solutions, close ties with manufacturers of computer hardware, and widespread support in the distribution of the new OS in government agencies. In principle, such a task can be “pulled” by the Linux community with state support, when you can carefully select the necessary one and approve it as a new platform from a wide variety of open source software. All that remains is to solve the problem of the so-called "inherited" software, which at the same time needs to be transferred, "ported" to the new platform. Thus, the number of integration tasks remains equal to the number of AS tasks, but the complexity of transferring all the software to the new OS increases very much. This, first of all, refers to the software that was created a long time ago, and the interaction with the developer of which is difficult.

Another aspect in the integration of the “first level” is the correctness of the chosen solution. No one can be absolutely sure that this, and not any other platform, is the most promising today. In addition, the transfer of all tasks to the new platform will cause enormous difficulties, primarily in terms of human resources, hardware compatibility and time costs. This problem will be especially acute for permanently functioning speakers.

Consider the integration of the second level (the upper part in figure 1). To organize the data turnover in the runtime, it is necessary to implement interface devices (software or hardware interaction interfaces, interfaces, etc.) of each application with each. This task not only moves to the organizational level, but also increases quantitatively quadratically (with the possible complexity of creating these devices or software modules). The biggest problem here lies not in the generation of a single medium of exchange, but in the integration of information security systems (SZI) of these heterogeneous systems. And although the previous task, although utopian, is in principle solvable, then the integration of SZI is practically unsolvable due to the specific nature of such solutions. In this case, the creation of a single secure information space also remains problematic.

From all the above considerations, the natural requirements for system-wide tools that implement a three-tier approach when implementing interaction in a heterogeneous distributed storage system created by local implementations of information storages at AS facilities follow:

- The functioning of system-wide integration platform tools on heterogeneous hardware-software devices of local storage systems.

- Unification of access to heterogeneous data of "inherited" information systems using system-wide tools.

- Setting up and managing an agreed information security policy when working with information objects (documents / files / messages) within the framework of a geographically distributed infrastructure of nuclear power plants.

- Support for guaranteed service requests (including to an external storage source) and storage of your own data at local speakers.

- Unification of means of monitoring the state of distributed storage facilities with system-wide tools.

The introduction of system-wide tools for organizing a three-level architecture of speakers is dictated by the following considerations. From a general point of view, a heterogeneous infrastructure of an information system with a Central Information Object (CIO), regional nodes and grassroots (enterprises, organizations, etc.) is a distributed three-level hierarchical network, the communication between objects of which is carried out through heterogeneous communications. For a number of objective and subjective reasons, the software and hardware of the system are initially heterogeneous: a wide range of special applications are used, working on different platforms and on equipment of a different class. Many AIS facilities have effective sustainable solutions; funds have been spent on staff training; in others, the applications used are clearly outdated and require replacement. All departments need to exchange information, and in order to avoid additional costs it makes sense to organize an exchange immediately at the application level. A picture is emerging, which can be schematically depicted as follows.

The traditional solution, based on the exchange of data through point-to-point converters and the operation of applications directly with transport protocols, “quadratically” comes to a standstill with an increase in the number of interacting applications and the number of transactions, as well as with the complication of the logic of application interaction. In the present conditions of the functioning of the NPP within the Russian Federation, the problem of territorial distribution is exacerbated by unstable communication channels, frequent contingencies, the presence of a large number of legacy applications that require integration into the general computing process to collect relevant information about the NPP objects. In this case, there is a risk of conflicts between developers of application software and software of the transport level.

In the interaction of information objects within the framework of an AS, it is necessary to ensure not only their “physical”, channel connectivity, but also the “logical” connectivity of system objects, i.e. create unified conceptual (linguistic) and logical spaces, realizing, on the one hand, the common language of “communication” of the processes (tasks) of the AU, and on the other hand, the general address space of the objects of the AU. In general, these are the stages of one process - the creation of a single information space of the AU.

Several technological implementations are possible, this is an important task, in particular, the implementation of speakers on a single functioning platform. Such solutions include, for example, the Oracle technology platform - e-Business Suite. At the same time, the task of unifying user interfaces at the level of WEB services, integration at the data level with the help of the wide possibilities presented by the connectors to various DBMSs, the user interface (portal), application server and transmission system is solved.

Given not only the high cost of such solutions, but also the high cost of ownership, the need for a significant reorganization of processes, modernization of the equipment fleet and porting of existing solutions to a new platform, this solution is not indisputable, despite a number of advantages.

Many information systems are initially built on a functional principle, assuming independent, "vertical", outgoing-descending information flows. Those. primary information is accumulated on complexes of automation means (CSA) of the lower level with the subsequent transfer of the changed (new) information “up” to a shared resource or shared storage. From there, after processing, information is sent to all subordinate KSA, including to that KSA where the change in question was made. Most often, this kind of interaction occurs on the basis of the client-server technology through synchronous blocking exchange. This imposes serious architectural restrictions on the system as a whole, assuming the presence of a multifunctional central object, which is the weakest link in the AC, because its failure leads to the failure of the entire system.

It is clear that in the presence of client-server interaction within each independent task (process), interaction is carried out according to well-known classifiers and dictionaries in a single conceptual data field. In this case, a single AIS classifier can be formed by combining the classifiers of each independent task. Changes in classifiers are carried out in a scheduled mode on a top-down basis on a transactional basis, i.e. it is impossible to complete a transaction without changing the classifier (client version) to a new one, while the data itself changes in both directions “on demand”.

Thus, the solution to the general problem of application interaction in this formulation is reduced only to regulations, to the use of independent transport capabilities of each task separately and to the “human factor” in the field and in the center. In addition, since the interaction of subsystems (tasks) occurs physically, i.e. the data are transferred in a consistent form via the available communication channels to the DBMS servers or other storage facilities, the main exchange requirements are imposed on the communication system, since it is necessary to ensure guaranteed data exchange between the central object and the KSA. Otherwise, there will be a mismatch of the data and software versions, which will lead to the shutdown of the entire system (or its part - KSA).

SUMMARY OF THE INVENTION

Thus, there is a need to implement a common secure transport environment with the integration of information resources to ensure a uniform data exchange between the TsIO and KSA for all tasks where the general regulations will be worked out, the staff will not need to study the features of different transport systems, and application programmers will to improve the processes of data generation, and not the methods of their delivery to the DSC.

To solve this problem, a method is proposed for integrating the information resources of a heterogeneous computer network, which includes at least two computing units connected by a communication network, at least one of which is equipped with a different operating system (OS), and in the context of this OS, the final application functions of this computing installation, which consists in installing system-wide software (OSPO) on each computing installation to obtain a single secure master whether information exchange between all computing facilities; provide on each computing installation unified unified means of inter-machine information exchange that implement the physical connectivity of computing installations within the framework of a secure information exchange highway; provide guaranteed secure interaction between end-applications of computing installations through means of inter-machine exchange within a computer network through the automatic interaction of each end application operating in the context of OSPO, through created queues of outgoing and incoming messages; create on each computing installation a secure randomized data warehouse, called a personal safe; save the queues of outgoing and incoming messages in the personal safe of each computing installation both to the address of the computing installation and the final application operating on it, and to the address of another computing installation of the computer network; provide the ability to create (publish) in the context of the functioning of the OSPO and the ability to remove information objects called links from the context of the functioning of the OSPO, with the ability to resolve / retrieve these links to specialized information resources called data showcases, of the aforementioned or other computing installation in a personal safe ; provide guaranteed storage of data showcases in a personal safe in the form of a collection of links called DataMarket and representing an ordered register of heterogeneous data of a computer network, which is a protected information resource of a computer network; save confidential data and authority of any official who is allowed to work with DataMarket computer network display windows in the personal safe of each computing installation in the form of an access profile for that person; provide mandatory and discretionary control of an official’s access to DataMarket data, thereby implementing independent mechanisms for the identification and authentication of an official; they ensure guaranteed processing of the link to DataMarket by indicating the number of the final application-handler, by which the message body with the request to retrieve data should be opened, and not only the processing confirmation is sent to the address of the sending host, but also the data of the remote receiving host in an agreed format; provide the ability to select the extracted data and place them in a specialized module of analytical express processing with the possibility of subsequent manipulations with the data; systematically check the credentials of each official who is allowed to work with the DataMarket computer network, and stop the session of a specific official if at least one parameter from the corresponding access profile stored in the personal safe of the computing installation does not match.

A feature of the method of the present invention is that it generates system-wide software by adding each of the operating systems with a basic set of transport protocols designed for node addressing and packet routing, as well as a set of formats or a single application-level data exchange format; form a unified secure information space of a computer network by streamlining information exchange between end applications by providing an intermediate reassignment of information flows, recoding classifiers of information support, automatically matching formats of extracted data for a uniform presentation in the interests of joint operation of applications; provide a uniform implementation of the system for presenting and transmitting data within the framework of a computer network, including in conditions of pronounced heterogeneity of software and hardware implementations of the computer network settings; conduct analytical processing of uniform data regardless of the features of the functioning of end applications on various network computing installations; provide contextual search and morphological and linguistic analysis of DataMarket data through global data exchange within a computer network.

Another feature of the method of the present invention is that the interaction of end applications using client-server technology is carried out by reconfiguring the interfaces of each of these end applications to exchange data with other end applications by redirecting information flows between end applications through the corresponding proxy connections available in OSPO funds; implement a mechanism of independent data extraction with abstracting from the method of obtaining this data on the host of the information resource indicating the type of handler program on this node in the so-called locator of the information resource from the DataMarket structure; the reconfiguration of the interfaces of the final software applications in this operating system is carried out by redirecting information flows between software applications through the appropriate mechanisms of inter-task interaction available in the OSPO tools; they implement the mechanism of information interaction of end applications through an intermediate file storage, when OSPO tools control the status of the exchange file (s) and automatically start the process of sending / downloading the mentioned file (s) in the interests of another end application.

Finally, another feature of the method of the present invention is that they implement a distributed data storage system in the form of all links to protected information resources published in the DataMarket computer network and stored in a personal safe OSPO on each computing unit, with the ability to retrieve published data by regulations, upon request or upon the occurrence of a specific event; provide guaranteed the ability to extract heterogeneous data stored under the control of various database management systems (DBMS), functioning both in the context of OSPO and in the context of each operating system of a network of computing facilities; provide the possibility of a personalized analysis of the extracted data based on the creation of custom processing models, including qualitative (non-quantitative) data.

At the same time, information resources are selected from the group including at least: data, files, queries, data links, extraction scripts, executable modules, and subsequent data manipulations are performed to perform actions from the group including identification of reliable dependencies, statistical processing, building forecasts, creating processing models, issuing analytical reports.

Brief Description of the Drawings

The invention is illustrated by the following drawings:

Figure 1 shows a conditional model of two-level integration;

Figure 2 shows a conditional model of three-level integration;

Figure 3 shows the integration technology of DataMarket presented in the present invention;

Figure 4 represents the integration technology in the method of the present invention;

Figure 5 shows an example of the integration of industrial systems using the method of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

If the so-called “horizontal” exchange takes place at each specific speaker object, i.e. independent tasks established at KSA are obliged to carry out a routine exchange among themselves of predetermined parameters, linking certain processes within each of the tasks. In this case, a single classifier can belong to each KSA and can be the intersection of all classification features of each of the tasks. It can be created on the basis of the “information concentrator” principle, since the intersections of the classifiers “each with each” are not empty. Then the common unified classifier of AS as a whole will be nothing more than a union of local classifiers (intersections), which is again an attribute of AS.

If the structure of the ACT AS is sufficiently pronounced the range of “inherited” tasks, to ensure the overall connectivity of the AS it is necessary, first of all, to provide a solution to the problem of creating a basic unified transport environment, which is based on the software of the “intermediate layer” of the MOM class - Message-Oriented Middleware message-oriented software).

Thus, the implementation of the system is achieved in a single technological vein, while at the same time ensuring the solution of basically the same targets as through the use of a more powerful solution that actually unreasonably raises the bar for achieving integration goals.

This approach allows us to solve a very important problem: to reduce the exchange between tasks to virtual (non-physical) interaction within the framework of one AS object. At the same time, there is no need for a "database overflow" procedure on servers. The interaction between tasks takes place on the basis of a single AC classifier, which is a conversion table (propagator) between the classifiers of each task only in terms of the data needed for exchange. Those. the KSA classifier is not a union, but the intersection of the task classifiers. It is much narrower than the general classifier and is placed on the data display in the "IVK Jupiter ™" highway. It makes no sense to build a classifier for a specific object based on data that is not used on this CSA. If there are few applied problems, then it makes sense to build an “information hub” of the object according to the “each with each” type. Such a concentrator will consist of a set of paired propagators of all KSA tasks. Its construction is possible in two ways: by making major changes to all the tasks of the CSA with writing a specialized application responsible for the inter-task exchange, as well as creating it as an attribute of the trunk (with the routing task already solved). If the number of tasks is large, then it is impossible to do without a unified classifier.

As shown in FIG. 2, the introduction of a secure transport medium as a result of implementing the method of the present invention requires only one installation task at the first (lower in FIG. 2) level and a total of n registration tasks at the second (upper in FIG. 2) level, t .e. immeasurably less compared to similar levels in figure 1.

The proposed method of integrating information resources is intended for implementation in a heterogeneous computer network, which includes at least two computing units connected by a communication network, while at least one of these computing units has an operating system (OS) that is different from the OS of other computing units of this computer network, and in the context of this OS, the final application of this computing installation is functioning. The method of integrating information resources in such a heterogeneous computer network is carried out by performing the following actions (steps).

First, for each computing installation in a heterogeneous computing network, system-wide software (OSPO) is installed to obtain a single secure backbone of information exchange between all computing installations of a given computing network. An example of such an OSPO is the information and computing complex IVK Jupiter ™, developed by the rights holder for this application. The main functional capabilities of this complex are described in the journal "Open Systems" No. 7-8 for 2003.

The aforementioned system-wide software is formed, in particular, by adding each of the operating systems in the computing facilities that make up the heterogeneous computer network, with a basic set of transport protocols designed to address nodes in this heterogeneous computer network and route packets between these nodes. In addition, each of the source operating systems is supplemented (built-in) by a set of application-level data exchange formats. For example, the XML format is chosen as the exchange format between heterogeneous platforms. As a mechanism for exchanging data in the form of a file, the exchange of .txt (.xml) files is selected, which are constantly stored in some agreed directory (s) of the file systems of the source OS. As an interaction between clients and DBMS servers, a php script execution mechanism is selected on a specially allocated information object stored in the secure storage of each OS.

In addition, on each computing installation, they provide uniform unified means of inter-machine information exchange, similar to e-mail, realizing the physical connectivity of computing installations within the framework of a secure information exchange highway.

Next, they form a single protected information space of a heterogeneous computer network by streamlining information exchange between all end applications. This is achieved by providing an intermediate reassignment of information flows, recoding classifiers of information support, automatic coordination of the formats of the extracted data for a uniform presentation in the interests of the joint functioning of applications.

In addition, they provide a uniform implementation of the system for presenting and transmitting data throughout the entire computer network, including under conditions of pronounced heterogeneity of software and hardware implementations of the network computing installations, i.e. in the case when the network consists of various computers (computing devices), each of which has its own software installed that does not coincide with the software of the other computers, or at least most of them.

In this case, regardless of the features of the functioning of the end applications on various network computing installations, the uniform data is analytically processed (i.e., they carry out statistical, correlation, qualitative analysis, including modeling and forecasting), as well as provide contextual search and morphological and linguistic analysis of DataMarket data provided through the global presentation and exchange of data within a single computer network AS.

In addition, they provide a uniform representation of the powers of all officials who are allowed to work with protected information resources of a heterogeneous computer network of AS, implemented by various DBMSs, which also have their own systems for restricting access of officials (users) to storage resources.

For inter-machine communication, standard transport protocols (IP, SLIP, PPP, X.25, TCP, UDP, etc.) are used, provided by the source OS through the settings of each computing installation. These settings include not only changing the corresponding software, but also matching signal levels, synchronizing and using a certain order of signal exchange when establishing communication between computing settings (the so-called OSI / ISO transport model for each protocol). Non-standard transport protocols (the so-called channel-forming tasks) implemented by connecting means of communication via standard interfaces (for example, RS-232, USB, etc.) can be used for interaction between computing facilities.

Further, in each computing installation of a heterogeneous computing network, guaranteed secure interaction between the end applications of the computing installations is provided through the created means of inter-machine exchange within the framework of the computing network. This is achieved through the automatic interaction of each end application with another application, process and AS official operating in the context of OSPO, through the created queues of outgoing and incoming messages stored in a specialized repository of OSPO. Such interaction is ensured through the automatic exchange of messages from the incoming / outgoing queue at each interacting node.

The mentioned guarantee of information exchange is ensured by the following built-in mechanisms (technologies).

1) Guaranteed delivery of messages within the computer network by returning to the address of the sending node a service message (receipt) about the delivery of the outgoing message to the receiving node and thereby completing the transmission process.

2) Guaranteed storage of incoming and transit messages in a secure repository until the completion of the guaranteed delivery process (acknowledgment).

3) Guaranteed processing of the message body by indicating the number of the final application handler, with which the message body should be opened (to process), and sending upon processing to the address of the sending node of the service message (processing confirmation), which completes the processing cycle of the delivered message.

4) Guaranteed identification of outgoing / incoming (transit) messages through the use of a built-in mechanism for identifying officials in a computer network based on electronic digital signature (EDS) technology, thereby achieving the legal significance of information exchange.

The implementation of all these mechanisms guarantees the official of the computer network one hundred percent processing of his one-time request to the information system and the return of an appropriate response to his request.

At the same time, the body of each message to be exchanged along a single secure trunk is randomized in accordance with a predetermined algorithm to ensure that the contents of this message are protected from unauthorized access and modification, encapsulated in accordance with the addressing and routing rules in the trunk. The randomization algorithm can be either any well-known encryption algorithm (DES, RSA, etc.), or specially designed for this. Such an algorithm may be permanent or interchangeable, symmetric or asymmetric. The specified randomization can be carried out both by hardware methods (for example, using a register with switchable feedbacks - see, for example, USSR author's certificate No. 1249512, published 07.08.1986), and using the appropriate programs compiled according to the selected algorithm on the appropriate programming language.

In each operating system (on each computing installation of a heterogeneous computing network), all system interfaces for exchanging data for specific end applications are reconfigured to the corresponding data exchange mechanisms of the installed system-wide software. Note that such a reconfiguration of the exchange interfaces is much simpler than reinstalling the entire OS on each computing installation. The OSPO data exchange mechanisms mentioned above are, for example, the creation of exchange files in the agreed catalogs of the source OS (type “in / out”). To work out the interaction of “thin” DBMS clients with servers, it is necessary to reconfigure the external addresses of the DBMS servers to their own local addresses with further redirection (proxying) of the request with the development of a php script to extract the data and present it in a consistent format. For other end applications, it is possible to use the software interfaces implemented in them (for example, COM, COM +, J2EE objects, etc.) to redirect these objects in the interests of the data exchange backbone.

The specified reconfiguration of the interfaces of each operating system or end application for exchanging data with other computing facilities in a heterogeneous computing environment is carried out by redirecting information flows between computing settings through the appropriate proxy connections available in the OSPO tools. Such proxy compounds can be performed in the same manner as described in the aforementioned US Pat. No. 5,898,784. Thus, a controlled launch of the award-winning DBMS client is carried out, as without running OSPO tools, interaction with the DBMS server is impossible. As a proxy server, the so-called LAN segment gateway is usually involved in the general computing process of the AS.

Reconfiguration of the interfaces of each operating system for the exchange of data between the final software applications in this operating system, i.e. on this computing installation, without access to a heterogeneous computer network, they are carried out by redirecting information flows between software applications through the appropriate mechanisms of inter-task interaction available in OSPO tools. Such mechanisms are similar to those described in the aforementioned US application No. 2004/0260941.

The independent data extraction mechanism is implemented abstracting from the method of obtaining this data on the host of the information resource indicating the type of handler program on this node in the so-called locator of the information resource from the specified DataMarket. The handler program automatically converts the source data to be retrieved into an intermediate format of the secure trunk (XML) with its subsequent parsing (parsing) and presentation (conversion) on the receiving node in the format it needs. The mechanism of information interaction of end applications is implemented through an intermediate file storage (an agreed directory on a dedicated file server), when OSPO tools control the state of exchange files and automatically start the process of sending / downloading these files in the interests of another end application.

On each computing installation in a heterogeneous computing network, a secure randomized data warehouse, called a personal safe, is created. The body of each document placed in this personal safe is randomized according to the same algorithm as the body of the message to be exchanged, as described above. All elements of the DataMarket integration mechanism are stored in the specified storage.

In addition, the checksum of each configuration file of each OS after switching the system interfaces of this OS and the executable files of each end application are stored in a secure storage (i.e., personal safe) of each computing installation in a heterogeneous computer network. In other words, after reconfiguring a particular OS in a particular computing installation, the checksum of not only the files of the new (reconfigured) OS configuration, but also the executable modules of the OSPO itself and software applications, is written to the personal safe of this computing installation.

In addition, the identifier of each final software application operating in the context of the OSPO, together with its checksum, the incoming / outgoing queue, as well as the confidential data and credentials of any authorized officer, are stored in a secure data warehouse of each computing installation in a heterogeneous computer network with the protected information resources of a heterogeneous computer network, in the form of an access profile of this person. Thus, in the personal safe of a particular computing installation, all the information is recorded, with which you can subsequently check the integrity of the OSPO and the STR, conduct version control (including the OS).

The proposed method further provides the ability to create (publish) in the context of the functioning of the OSPO and the ability to remove information objects from the context of the operation of the OSPO, referred to as links. A link to a published information resource means a standard hypertext string in Russian (or another language), double-clicking on it with the left mouse button automatically sends a request to retrieve the information resource placed on the link (file, document, script, etc.) and calls the program -processor of extracted data, which is also associated with the specified link. If a link means a method of extracting data from a remote data source without placing the data itself on the same resource where the link itself is located, then such a data extraction technology is called a “showcase” of data and is implemented using DataMarket tools. The method has the ability to resolve or retrieve these links to specialized information resources, referred to as "data marts" of both the aforementioned and other computing installations in a personal safe.

For "data marts" they provide guaranteed storage in a personal safe in the form of a collection of links called DataMarket, which is an ordered register of heterogeneous data of a computer network, which is a protected information resource of a computer network. In addition, the confidential data and credentials of any official authorized to work with DataMarket windows of this computer network are stored in the personal safe of each computing installation in the form of an access profile for this person. An access profile may include information on the access of a specified official to DataMarket in general (as such, located on a particular node of the AS computer network), to information with a certain level (stamp) of confidentiality (up to 4 stamps), to specific links to data with a certain level of confidentiality.

Thus, to access information resources, they provide mandatory and discretionary control of access for each of the mentioned officials not only to the data of its secure data warehouse, but also to the AC resources (files, folders, scripts, etc.) published on the DataMarket nodes AC. In other words, they provide identification and authentication of each user, for example, by assigning each official an identification number to provide mandatory access control and a personal code (password) for discretionary access control. This control can be carried out in the same way as in the above-mentioned patent of the Russian Federation No. 2130643.

The method further provides guaranteed processing of the link to the DataMarket by indicating the number of the final application handler, by which the message body with the request to retrieve the data should be opened, and not only the processing confirmation is sent to the address of the sending host, but also the data of the remote destination node in a consistent format. At the same time, it is possible to select the extracted data and place it in a specialized analytical express-processing module with the possibility of carrying out the indicated subsequent data manipulations.

During the operation of a heterogeneous computer network, the authority of each official who is allowed to work with the information resources of this computer network is systematically checked, and the session of a specific official is stopped if at least one parameter from the corresponding access profile is stored in the protected storage of the computing installation.

The aforementioned distributed data storage system is implemented in the form of all links to protected information resources published in the DataMarket computer network and stored in the personal safe of the OSPO at each computing installation. Published data can be extracted according to the regulations, upon request or upon the occurrence of a certain event, for example, every month on the 15th day. They provide a guaranteed opportunity to extract heterogeneous data stored under the control of various database management systems (DBMS), functioning both in the context of the mentioned OSPO and in the context of each operating system of a network of computing facilities. In addition, they provide the possibility of a personalized analysis of the extracted data based on the creation of custom processing models, including qualitative (non-quantitative) data. User models for processing the incoming data stream are connected with the tools available in the DataMarket to build their own mathematical modeling functions with the ability to adjust models in accordance with the results of processing current data for a certain period.

The information resources mentioned here can be any resources selected from a group that includes at least the following: data, files, queries, data links, extraction scripts, executable modules.

The mentioned subsequent manipulations with data are intended to carry out actions from a group of comparable data, including the following: identifying reliable dependencies (correlations), statistical processing, building forecasts (approximations), creating processing models, issuing analytical reports, including for presenting to DataMarket.

DataMarket ™ of the IVK Jupiter ™ platform

The physical placement of the unified classifier and other system-wide AIS resources occurs on the DataMarket ™ platform, in the registry of links to system-wide resources and heterogeneous AIS storage resources, as shown in FIG. 3.

Classifiers and directories are located in secure repositories at AIS facilities. A link to relevant information (current classifiers) in XML format is placed on the DataMarket ™ of the IVK Jupiter ™ platform on the necessary node within the departmental network, organized on the principles of addressing the IVK Jupiter ™. If necessary, the user in accordance with his "profile of the official (access)" can independently or automatically update the specified data.

This integration technology at the data level allows you to abandon the physical centralization of resources and move to its logical centralization within a distributed system: to maintain a single distributed classifier representing heterogeneous data from all nodes in a single format (XML), providing access to classifiers of heterogeneous applications registered in the speaker.

Figure 4 illustrates the technology of integration of various SZI AS (classifiers, dictionaries, scenarios, etc.), and figure 5 the same technology is shown for the case of integration of industrial storage systems implemented by various DBMSs. The main idea is to introduce some arbiter who will deal with the comparison of vultures and profiles of officials. This arbitrator works in the legal field of the Russian Federation in accordance with the law and the usual ranking for us. In this and in the following drawings, the abbreviations KOM and OBI mean respectively the communication subsystem and the information security subsystem. Figure 5 also introduces the following notation: MS SQL Server, Oracle and Informix - the names of foreign-language database management systems (DBMS), ADO (ActiveX Data Objects) and ODBS (Open DataBase Connectivity) - universal interfaces for connecting to a DBMS, XML ( eXtensible Markup Language) is a universal extensible markup language for hypertext data.

Thus, in the method of the present invention, the OSPO solves the following problems:

- Creation of a system-wide operating environment with the provision of standard services for data exchange and operational management of the computing process in local and global networks of NPP facilities;

- Ensuring the interaction and control of the computing process (solving functional problems) and routing flows in the AS through a single unified interface (s);

- ensuring the interaction of an arbitrary number of objects of a geographically distributed heterogeneous (heterogeneous) information system based on the use of relevant methods of resource allocation and access, a modern information protection and coding system, providing the user with the maximum number of necessary web services for organizing management of both external and internal information space using various mechanisms and arbitrary communication channels (digital, analog);

- ensuring the protection of information within a heterogeneous distributed network of nuclear power plants with the possibility of creating a single consistent security policy of nuclear power plants with the organization of safe access of nuclear power facilities to communication channels, including open ones;

- organization of access to the unified information space of the AS based on job profiles and powers, implementation of measures (including organizational ones) to close data transmission channels, as well as possible information leakage channels;

- transfer of confidentiality labels within a secure superimposed AS network implemented by OSPO;

- storage of the general information of the system based on the construction of a single "data store" of data, i.e. distributed datastore storage, which is an ordered register of hypertext links to distributed AS resources, equipped with a presentation, search interface and working with OBI.

It should be specially noted that, although some of the actions of the method of the present invention are organizational in nature, such operations as installing system-wide software on each computing installation, reconfiguring interfaces, and creating personal safes are actions on material objects using material means. Those. The claimed method cannot be considered a program as such. In addition, its implementation provides increased protection of information resources in a heterogeneous computer network, which is certainly a technical result. And since in the current level of technology there are no sources describing such a method, and no sources have been identified, the information from which together could make such a method, the present invention satisfies the conditions of novelty and inventive step.

In the present description, the present invention is disclosed by way of examples of its possible implementation. However, these examples are illustrative only and not limiting, and the scope of the invention is defined by the appended claims taking into account any possible equivalents.

Claims (6)

1. A method of integrating information resources of a heterogeneous computer network, which includes at least two computing installations connected by a communication network, at least one of which is equipped with a different operating system (OS), and in the context of this OS, the final application of this computing installation functions consisting in the fact that:
install system-wide software (OSPO) on each computing installation to obtain a single secure backbone of information exchange between all computing installations;
provide on each computing installation unified unified means of inter-machine information exchange, realizing the physical connectivity of the mentioned computing installations within the framework of the aforementioned secure line of information exchange;
provide guaranteed secure interaction between the end applications of computing installations through the said means of inter-machine exchange within the framework of the said computer network through the automatic interaction of each of the mentioned end applications operating in the context of OSPO, through the created queues of outgoing and incoming messages;
create on each of the mentioned computing installation a secure randomized data warehouse, called a personal safe;
in the said personal safe of each said computing installation, the queues of outgoing and incoming messages are saved both to the address of the said computing installation and the end application operating on it, and to the address of another computing installation of the said computing network;
provide the ability to create (publish) in the context of the functioning of the said OSPO and the ability to remove from the context of the functioning of the said OSPO information objects called links, with the possibility of resolving / retrieving these links to specialized information resources called data showcases, of the aforementioned or other computing installation in said personal safe;
ensure guaranteed storage of said data showcases in said personal safe in the form of a collection of links called DataMarket and representing an ordered register of heterogeneous data of a computer network, which is a protected information resource of the said computer network;
save in the said personal safe of each said computing installation the confidential data and authority of any official authorized to work with DataMarket windows of the said computer network in the form of an access profile of that person;
provide mandatory and discretionary control of access of the said official to DataMarket data, thereby implementing independent mechanisms for the identification and authentication of the official;
ensure guaranteed processing of the link to DataMarket by indicating the number of the final application-handler, by which the message body with the request to retrieve data should be opened, and not only the confirmation of the processing, but also the data of the remote recipient node are sent to the address of the sending node in an agreed format;
provide the ability to select the extracted data and place them in a specialized module of analytical express processing with the possibility of subsequent manipulations with the data;
systematically check the credentials of each official authorized to work with DataMarket of the mentioned computer network, and stop the session of a particular official if at least one parameter from the corresponding access profile stored in the personal safe of the said computing installation does not match. 2. The method according to claim 1, in which:
form the aforementioned system-wide software by adding each of the mentioned operating systems with a basic set of transport protocols designed for node addressing and packet routing, as well as a set of formats or a single application-level data exchange format;
form a unified secure information space of the aforementioned computer network by streamlining information exchange between the mentioned end applications by providing an intermediate reassignment of information flows, recoding classifiers of information support, automatic coordination of the formats of the extracted data for their uniform presentation in the interests of joint functioning of the applications;
provide a uniform implementation of the data presentation and transmission system within the framework of the aforementioned computer network, including in conditions of pronounced heterogeneity of the software and hardware implementations of the aforementioned computer network settings;
conduct analytical processing of uniform data regardless of the features of the functioning of the mentioned end applications on various computing installations of the network;
provide contextual search and morphological and linguistic analysis of DataMarket data through global data exchange within the framework of the mentioned computer network. 3. The method according to claim 1, in which:
said interaction of end applications using client-server technology is carried out by reconfiguring the interfaces of each of these end applications to exchange data with other end applications by redirecting information flows between end applications through the corresponding proxy connections available in the means of the said OSPO;
implement a mechanism for independent data extraction with abstracting from the method of obtaining this data on the host of the information resource, indicating the type of handler program on this node in the so-called locator of the information resource from the DataMarket structure;
the said reconfiguration of the interfaces of the final software applications in this operating system is carried out by redirecting information flows between the software applications through the appropriate mechanisms of inter-task interaction available in the means of the said OSPO;
implement the mechanism of information interaction of end applications through an intermediate file storage, when the means of the mentioned OSPO control the state of the file (s) of exchange and automatically start the process of sending / downloading the mentioned file (s) in the interests of another end application. 4. The method according to claim 1, in which:
implement a distributed data storage system in the form of all links to protected information resources published in DataMarket of the aforementioned computer network and stored in the aforementioned personal safe OSPO at each computing unit, with the ability to retrieve published data according to the regulations, upon request or upon the occurrence of a certain event;
provide guaranteed the ability to extract heterogeneous data stored under the control of various database management systems (DBMS), functioning both in the context of the mentioned OSPO and in the context of each operating system of the mentioned network of computing facilities;
provide the possibility of a personalized analysis of the extracted data based on the creation of custom processing models, including qualitative (non-quantitative) data. 5. The method according to claim 1, in which information resources are selected from the group including at least: data, files, queries, data links, extraction scripts, executable modules. 6. The method according to claim 1, in which the aforementioned subsequent data manipulations are performed to perform actions from the group including: identifying reliable dependencies, statistical processing, building forecasts, creating processing models, issuing analytical reports.

Images