RU2364933C2 - Network traffic analysis system - Google Patents

Abstract

FIELD: physics; computer facilities.

SUBSTANCE: invention concerns systems of safety of information networks. The system contains block of traffic filtering, the block of calculation of autocorrelative function, the block of calculation of coefficients of autoregression, the block of the filter of autoregression, keys, the block of keys management, the block of calculation of a coefficient of correlation, the decision box, thus these blocks allow to calculate parametres of real and standard profiles of behaviour of a source of load, to estimate a degree of a linear dependence of these profiles and to make of solution on attack presence.

EFFECT: detection of attacks in information networks, detection of attacks in information networks, and also detection of atypical behaviour of a loading source which can consist in a non-standard operating mode, change of network activity.

5 cl, 5 dwg

Description

The proposed system belongs to the field of computer technology and is designed to determine network attacks (Attack - the practical implementation of a threat or an attempt to implement it using one or another vulnerability [Koneev I.R., Belyaev A.V. Information security of an enterprise. - SPb .: BHV - Petersburg, 2003. - 752 pp., Ill. On p. 30]) in information and computer networks and can be placed on access nodes, packet switching devices, and data network routers.

It is known "Device for monitoring the security of automated systems" according to patent No. 2270478, class G06F 17/40 (G06F 12/14), 07.26.2004. This invention describes a device comprising a frequency divider, a receiving memory unit, a subtracting counter, first, second, third, fourth reference memory blocks, first, second, third decryption units, first, second, third, fourth and fifth counters, first, second , the third elements And, the first, second, third and fourth blocks for receiving the address, the first, second blocks of comparison, the first, second decoders, register and display unit. This device is designed to monitor the security of automated systems and the operational identification used in digital communication systems and, in particular, in a data transmission network of the Internet type of the TCP / IP communication protocol family.

This device has a restriction associated with the use of the signature method of attack detection and, as a result, recognition of only known types of attacks, as well as the ability to work only with the TCP / IP protocol stack.

The closest in technical essence to the claimed system is the invention "Method and device for traffic prediction in a communication system" - patent No. 2258316, class H04L 12/56, 04.25.2003, which solves the problem of forecasting network traffic.

The known device contains a traffic filtering unit, consisting of (i = 1 ... N) thinning logic circuits (G), (i = 1 ... N) elements AND, (i = 1 ... N-1) elements EXCLUSIVE OR, (i = 1 ... N-1) counters, a start-up block, the output of which is connected to the inputs of thinning logic circuits (i = 1,2 ... N), the output "pass" of the first thinning logic circuit is connected to the first and second inputs of the first element AND, in addition, the output the "transmission" (i = 2 ... N) of the thinning logic circuit is connected to the second input (i = 2 ... N) of the And element, the output of each i-th And element, except for the N-th, connected to the first inputs of the subsequent element AND, respectively, also the outputs of each (i = 1 ... N-1) th element AND are connected to the first input (i = 1 ... N-1) of the element EXCLUSIVE OR, respectively, in addition, the outputs ( i = 2 ... N) th element AND are connected to the second inputs (i = 1 ... N-1) of the th element EXCLUSIVE OR, respectively, the outputs of the i-th element EXCLUSIVE OR are the input of the i-th counter, the input of the start block is an information input devices, and also contains blocks of difference B (i = 1 ... N-1), multipliers X (i = 1 ... N-1), counter D, divider K, adder S, multiplier T, and the output of the start block is connected to the input of the counter D, the output of which is connected to the input of the divider K, the output of which is connected to the second input of the multiplier T, the second output of each i-th thinning logic circuit except the N-th one is connected to the first inputs i = 1 ... N-1 elements of difference blocks B, respectively, the second outputs of the 2nd ... Nth thinning logic circuit are connected to the second inputs i = 1 ... N-1st of the difference blocks B, respectively, the outputs of the difference blocks B are connected to the first inputs of the multipliers X, to the second input of which counter outputs (i = 1 ... N-1), outputs the multipliers X (i = 1 ... N-1) are connected to the inputs (i = 1 ... N-1) of the adder S, the output of which is connected to the first input of the multiplier T, and the information input of the traffic filtering unit is the trigger unit to which the communication channel is connected transiently connected to the second information output of the traffic filtering unit, and the output of the multiplier T is the first information output. The known device also comprises an autocorrelation function calculation unit, an autoregression parameter calculation unit, an autoregression filter unit, and the communication channel It is connected to the information input of the traffic filtering unit, the first information input of the autocorrelation function calculation unit and the second information input of the autoregressive filter unit, and the first information output of the traffic filtering unit is connected to the second input of the autocorrelation function calculation unit, the information output of the autocorrelation function calculation unit is connected to the information input of the unit calculation of autoregression parameters, and the information output of the autoregression parameter calculation block is connected to the second info the radiation input of the autoregressive filter unit, the output of which is the output of the system.

The essence of the known invention consists in the reception by the traffic filtering unit of a sequence of traffic units, its filtering by decimating logic circuits in accordance with the established decimation parameters, determining an estimate of the distribution of traffic units by occurrence frequency by simultaneously computing estimates of the occurrence frequency in several ranges of values. Additionally, the mathematical expectation of the arrival time of traffic units is estimated by simultaneously subtracting the values of the traffic units of neighboring ranges with the subsequent multiplication of the results by the relative frequencies of occurrence of the corresponding distributions of traffic units. Then, in the block for calculating the autocorrelation function, based on the result obtained, the autocorrelation function of the random process characterizing the time of arrival of traffic units is calculated. In the block of calculating the autoregression parameters, the filter weighting coefficients are calculated, based on which, in the block of the autoregression filter, the time of arrival to + 1.2 ... n traffic units is predicted. Thus, the prediction of the values of the frequency of arrival of traffic units or the time between the arrival of its individual units.

The disadvantage of this device is the inability to use it to detect attacks in information and computer networks, since it is not able to distinguish between attacks in information and computer networks, that is, it has limited functionality.

The task solved by the system is to recognize attacks in information and computer networks, that is, to expand the functionality.

The solution to this problem is that the system contains a traffic filtering unit, an autocorrelation function calculation unit, an autoregressive parameter calculation unit, an autoregression filter unit, while the first information output of the traffic filtering unit is connected to the first information input of the autocorrelation function calculation unit, the information output of the calculation unit the autocorrelation function is connected to the information input of the autoregression parameter calculation unit, and the information output of the autoregress parameter calculation unit This is connected to the first information input of the autoregressive filter unit, and also contains four keys, a counter, a correlation coefficient calculation unit, a decision unit, a key management unit, and the communication channel and the information output of the autoregression filter unit are connected to the information inputs of the first key, and the first information the output of the traffic filtering unit is connected to the input of the second key and the first input of the fourth key, and the output of the second key is connected to the first input of the unit for calculating the autocorrelation function, while the information output of the traffic filtering unit through the counter is connected to the control input of the key management unit, the control input of the third key, and the information output of the third key is connected to the second information input of the autocorrelation function calculation unit and the second information input of the autoregression filter unit, the output of the first key is connected to the first information the input of the third key, the key management unit and the second information input of the fourth key, the outputs of which are connected with the coefficient calculation unit correlation factors, and the information output of the correlation coefficient calculation unit is connected to the information input of the decision unit, the outputs of which are system outputs, the output of the autoregressive filter unit is connected to the second information input of the third key, and the output of the key control unit is connected to the control inputs of the first, second and fourth keys.

The work of the proposed system is illustrated by drawings, which show:

figure 1 is a structural diagram of a traffic analysis system;

figure 2 is a structural diagram of a unit for calculating the correlation coefficient;

figure 3 is a structural diagram of a block adder;

figure 4 is a structural diagram of a block of the root adder;

5 is a block diagram of a decision block.

Where indicated:

1, 3, 5, 10 - keys that switch communications between the blocks of the system.

Traffic filtering unit 2 receives a sequence of traffic units and calculates the mathematical expectation of the arrival time of traffic units by simultaneously subtracting the values of traffic units from neighboring ranges, followed by multiplying the results by the relative frequencies of occurrence of the corresponding distributions of traffic units.

Counter 4 calculates the number of received traffic units and, after the arrival of the hundredth unit, gives a logical unit, which is the control command to turn on the key management unit and the third key.

The calculation unit of the autocorrelation function 6 performs the calculation according to the formula

where x _t is the value of the arrival time of the current unit of traffic;

x _tk is the value of the arrival time of a unit of traffic shifted backward by k intervals;

- математическое ожидание времени прихода единиц трафика.

- the mathematical expectation of the arrival time of traffic units.

The unit for calculating the autoregressive parameters 7 is intended for calculating the weight coefficients of the autoregressive filter according to the formulas

.or

.

Here r ₁ ... r _p-1 are the coefficients of the normalized autocorrelation function.

The solution of a system of linear equations allows us to calculate the autoregression coefficients φ ₁ ... φ _p .

The autoregressive filter block 8 is designed to obtain a predictive estimate of the arrival time of the next traffic unit. This becomes possible after determining the nature of the dependence of a given quantity on its previous values. This dependence is defined as an autoregressive process and represents the following linear difference equation with complex coefficients

where x _t is the sequence at the output of the filter, in this example, this value represents the value of the arrival time of the current unit of traffic;

φ ₁ ; φ ₂ ; φ _p are the values of the weight coefficients of the autoregressive filter of order p;

x _tp - values of the time of arrival of a traffic unit shifted backward by p intervals.

The forecast is carried out as follows: let the value of the arrival time of the traffic unit x _t arrive at the autoregression filter. The variable x _t passes the delay line of the digital filter and is multiplied by the autoregression coefficients φ ₁ , φ _p , where p = 2, the values of which came from the unit for calculating the autoregression parameters. The results of the product are summed, and the final value x _{t + 1} goes to the output of the autoregressive filter. The variable x _{t + 1} is a forecast of the arrival time k = 1,2, ... n traffic units.

The key management unit 9 provides a control command to the first, second and fourth keys with a frequency twice as high as the frequency of arrival of traffic units. The need for frequency doubling arises to solve the synchronization problem, namely, the device needs to calculate the real image for the first half-cycle and the reference image for the second half-cycle for one interval of the arrival of traffic units. This unit can be implemented on a frequency converter with an electronic key (switch) [A.A. Bokunyaev, N.M. Borisov, R.G. Varlamov and others. Ed. N.N. Chistyakova. - M .: Radio and communications, 1990. - 624 p.: Ill.].

The unit for calculating the correlation coefficient 11, calculates the Pearson correlation coefficient in accordance with the formula

- его математическое ожидание; y_i - значения, принимаемые в выборке Y;

- его математическое ожидание.where x _i are the values taken in the sample X;

- his mathematical expectation; y _i are the values taken in the sample Y;

- his mathematical expectation.

Thus, the x values represent the reference value of the image, and y the values of the samples coming from the information input of the system. This correlation coefficient allows us to assess the degree of similarity between the reference and real images. The output of this block is the numerical value of the correlation coefficient, which is input to the decision block.

The correlation coefficient calculation block comprises an adder block 11-1, a root adder block 11-2 and a divider 11-3, while the inputs of the adder block 11-1 and the root adder block 11-2 are combined and are inputs of the correlation coefficient calculation block, and the outputs of the block the adder 11-1 and the block of the root adder 11-2 are connected to the inputs of the divider 11-2, the output of which is the output of this block (figure 2).

The adder block contains two subtractors 11-1-1 and 11-1-2, a multiplier 11-1-3 and a product adder 11-1-4, while two inputs of the first subtractor 11-1-1 are two inputs of the second subtractor 11-1 -2 are the inputs of this block, and the outputs of the first and second subtractors 11-1-1 and 11-1-2 are connected to the multiplier 11-1-3, the output of which is connected to the adder of the product 11-1-4, the output of which is the output of this block (figure 3).

The root adder block contains two subtractors 11-2-1 and 11-2-2, two squares 11-2-3 and 11-2-4, two blocks of the sum of squares 11-2-5 and 11-2-6, the multiplier 11 -2-7 and the square root block 11-2-8, while the first and second inputs of the root adder block, as well as the third and fourth inputs of the root adder block, are connected to the first and second difference blocks 11-2-1 and 11-2 -2, respectively, are the inputs of this block, and the outputs of the first block of difference 11-2-1 through the square 11-2-3 and the block of the sum of squares 11-2-5 are connected to the first input of the multiplier 11-2-7, the outputs of the second block the difference 11-2-2 through the squared 11-2-3 and the block of the sum of squares 11-2-6 is connected to the second input of the multiplier 11-2-7, the output of the multiplier is connected to the input of the square root block 11-2-8, the output of which is the output of this block (figure 4).

The decision block 12 consists of four comparison blocks 12-1, 12-2, 12-3 and 12-4, while the value from the block for calculating the correlation coefficient is input to the first block of comparison 12-1. It compares the input value with a constant of 0.5. If the value is greater than 0.5, then the value is transmitted to the comparison unit with a constant of 0.7 12-2. If the value of 0.7 is exceeded, a decision is made on strong correlation, or on the average - values in the range from 0.5 to 0.7. If the value is less than 0.5, then it is transmitted to the comparison unit with a constant of 0.13 - 12-3. If the value is less than 0.13, then a decision is made about a very weak correlation, if more, then the value is transmitted to the comparison unit with a constant of 0.3 - 12-4. When exceeding the value of 0.3, a decision is made on moderate correlation, otherwise - on a weak correlation (Fig. 5).

The Box-Jenkins autoregression model, which is an autoregression filter, expression 3, is used as a mathematical model. Thus, the task of obtaining a mathematical model is reduced to the problem of calculating the weight coefficients of the autoregression filter. The process of obtaining a mathematical model includes the following steps. Calculation of the mathematical expectation of the arrival time of traffic units. To calculate this parameter, the "№ class H04L 12/56, 04.25.2003, known from the prior art.

Thinning logic circuits and counters that underlie this device allow the formation of a variation series. In the simplest case, the variation series can be represented by a table, the first column of which contains all possible values (variants) x _{i of the} general population, and in the second - numbers n _i , i.e. the frequency of occurrence of the i-th value.

A description of such a series, for example, is given in the source [J.K. Kolde "Workshop on Probability Theory and Mathematical Statistics". - M .: Higher school, 1991, p.157]. An example of a variation series is presented in the table.

x _i n _i n _i / n 5 four 0.4 10 5 0.5 fifteen one 0.1 Σ 10 1,0

The ratio n _i / n is the relative frequency and reflects the weight of a particular value in the sample. The sum of the relative frequencies is equal to one.

To calculate the mathematical expectation, if there is a variational series, the following formula is used:

where n is the sample size and m is the number of options.

- среднее для n отсчетов, полученное из выражения (5).The next step is the calculation of the autocorrelation function. The autocorrelation function for the process x (t), presented in a discrete form as a series of values x _i , is called a nonrandom function of two arguments: x _t , x _tk , where x _tk is the value of the series with a lag of k samples. Due to the specifics of the problems being solved, to calculate the autocorrelation function, expression (6) was used for a sample of n samples, where

is the average for n samples obtained from expression (5).

For further calculations, it is necessary to normalize the autocorrelation function by the formula

Autoregressive parameters and the autocorrelation sequence are connected by a system of linear equations (2). Thus, if an autocorrelation sequence is specified, then the autoregressive parameters can be found as a solution to a system of linear equations, which are called Yule-Walker equations. The algorithm and the subroutine for solving equations, for example, are given in the source [S.L. Marple. Digital spectral analysis and its applications: Per. from English - M .: Mir, 1990. - 584 p.]. The number of computational operations required to solve the system of linear equations of equations is proportional to p ² ; therefore, at this stage it is necessary to determine how many autoregression parameters should be present in an effective and economical process model. In practice, as a rule, a second-order model is used, which makes it possible to obtain an acceptable ratio between calculation accuracy and computational costs. As a result, the system of equations (2) will have the form

After the values of the parameters of the autoregression model are determined on the observation interval, it becomes possible to obtain a predictive estimate of the time of arrival to + 1.2 ... n traffic units. To obtain the forecast, a second-order autoregression filter is used, since p = 2. Physically, this model implements a recursive digital filter of order p, called the IIR filter, i.e. filter with infinite impulse response. A description of such a filter, for example, is given in the source [Gustav Olsson, Dzhanguido Piani. Digital automation and control systems. - St. Petersburg: Nevsky dialect, 2001. - 557 p.].

To obtain a predictive estimate of the arrival time of the next traffic unit, an IIR filter can be used, described by the following expression

The process of functioning of the system includes three stages.

First step. The reference load profile is being formed (image formation), that is, the training of the moving average autoregression system is carried out.

To obtain a predictive estimate of the time of arrival of traffic units, a certain time interval is required for the collection of statistical data and training of the system. The time interval during which the system is configured depends on the speed of the traffic and should be sufficiently large in relation to the speed of the slowest traffic possible. For a high-quality tuning of the autoregressive model, it is necessary that the observation interval includes one hundred or more counts of the arrival time of traffic units. The load profile is formed on the basis of a statistical sample including, for example, time intervals of arrival of traffic units.

In the initial state, after the power is turned on, traffic units (for example, a stream of ATM system data cells) are sent to the input of the network traffic analysis system. The keys are the first, second, third and fourth - in the initial state. One hundred traffic samples come through the first key 1 to the traffic filtering unit 2, where the mathematical expectation of the time of their arrival is calculated in accordance with formula (5), where x _i are the values of the traffic units samples, n _i is the frequency of occurrence of the i-th value, n - sample size, am - number of options.

The mathematical expectation of these samples from the first information output of the traffic filtering unit 2 through the second key 3 goes to the first information input of the calculation unit of the autocorrelation function 6, the second input of which through the third key 5 receives the current values of these samples from the output of the first key 1, simultaneously the second information input of the autoregressive filter unit is the learning process of the system. The autocorrelation function calculation unit calculates the value of the autocorrelation function in accordance with formula (6), where x _tk is the value of the series with a lag in k samples, x _t is the value of the current sample. Next, in the block for calculating the autoregression parameters, the autocorrelation function is normalized according to formula (7). The autoregressive parameters are determined using a system of linear equations, which are called Yule-Walker equations. There is an implementation of this block directly calculating the autoregressive parameters based on the digital processor TMS320C [Korneev V.V., Kiselev A.V. Modern microprocessors. - M .: Nolidzh, 2000. - 320 p.]. After the values of the parameters of the autoregression model are determined on the observation interval, it becomes possible to obtain a predictive estimate of the time of arrival to + 1.2 ... n traffic units.

Physically, this model implements a recursive digital filter of order p with an infinite impulse response.

At the second information output of the traffic filtering unit 2, a counter 100 of pulses 4 is installed, which is triggered once upon the arrival of a hundredth unit of traffic (completion of the learning phase of the moving average autoregressive system). Its zeroing is possible only after turning off the power in the system.

The values of the mathematical expectation of traffic units from the first information output of the traffic filtering unit 2, as well as from the output of the first key 1, are transmitted through the fourth key 10 to the unit for calculating the correlation coefficient 11, but no operations are performed with them.

After receiving one hundred samples at the output of the autoregressive filter unit 8, a 100 + 1 predicted sample of the traffic unit will appear, which is fed to the second information input of the first key 1.

Since the circuit contains a counter of 100 pulses 4, after the arrival of the hundredth traffic count, it will issue a control command to the third key 5, as well as an enable command to the key management unit 9. The third key 5 is activated once after receiving a logical unit from the counter 4. The key management unit 9 is an electronic key operating at a frequency twice as high as the frequency of incoming pulses, operating twice in a single time period. This is necessary in order to calculate the parameters of the reference image for the first half-cycle, and to calculate the parameters of the real image for the second half-cycle. The key management unit 9 provides a control command to the first 1, second 3 and fourth 10 keys.

Second phase. The first half-stroke. At the end of the system learning process, the predicted one hundred and first unit of traffic is located on the second information input of the first key 1. The keys 1, 2, 3 and 4 are in the initial state. The third key is 5 - switched.

One hundred and first traffic counting comes through the first key 1 to the information input of the traffic filtering unit 2, from the first information output of which the expectation value of the arrival time of the one hundred and first traffic unit goes through the first information input of the fourth key 10 to the input of the correlation coefficient calculation unit 11. Also, one hundred the first traffic sample from the output of the first key 1 through the second information input of the fourth key enters the block for calculating the correlation coefficient 11.

Thus, the arrival time of the real one hundred and first traffic count and the value of its mathematical expectation are recorded in the block for calculating the correlation coefficient. These parameters constitute a real image of the load source.

- его математическому ожиданию, x_{i образ} соответствует y_i - значению эталонного трафика,

- его математическому ожиданию.The third stage. The second half-cycle. The keys first 1, second 3 and fourth 10 are switched. From the second input of the first key 1, the predicted value of the arrival time of the one hundred and first count goes to the traffic filtering unit 2 and simultaneously through the second information input of the fourth key 10 is written to the block for calculating the correlation coefficient 11. The mathematical expectation of the arrival time of this unit of traffic through the second key 3 goes to the first the information input of the unit for calculating the autocorrelation function 6 and simultaneously through the fourth key 10 to the unit for calculating the correlation coefficient 11. Since the second information input of the autocorrelation function calculation unit 6, the predicted value of the hundred and first reference point was found, then at the moment the mathematical expectation of the predicted hundred and first reference point appears on the first information input of this block, the forecasting process of the hundred and second reference is carried out. From the output of the autoregressive filter unit 8, the predicted value of one hundred and second counts will go to the second information input of the first key 1, to the second information input of the autocorrelation function calculation unit 6 and to the second information input of the autoregression filter unit. Thus, after the second half-cycle, in the block for calculating the correlation coefficient 11, the real parameters recorded on the first half-cycle and the parameters of the reference traffic obtained on the second half-cycle will be found. The unit for calculating the correlation coefficient 11 performs the calculation in accordance with the formula (4), where x _i corresponds to x _i - the values of real traffic,

- its mathematical expectation, x _{i image} corresponds to y _i - the value of the reference traffic,

- his mathematical expectation.

The output of this block receives the value of the correlation coefficient, which is then transferred to the decision block 12, where it is compared with the threshold value of the comparison blocks and a decision is made on the conformity of the reference and real profile. The following options are possible: Strong correlation; Medium Moderate Weak Very weak.

A strong correlation indicates a high degree of similarity between the images of real and reference traffic - there is no attack, the average value indicates a low probability of an attack, moderate indicates a possible attack, a weak one indicates a probable attack, and a very weak one indicates an attack or a change in the legal behavior of the load source.

The advantage of the proposed scheme is the use of standard schemes and algorithms used to thin out traffic in switching nodes. However, some refinement of these schemes allows you to get a new quality, namely a statistical traffic analyzer, which allows you to determine the atypical behavior of the load source, which may be the result of a hacker attack.

Thanks to the new set of essential features due to the introduction of new elements and the relationships between them, it becomes possible to detect attacks in information and computer networks. New elements allow you to build images of the reference and real traffic, determine the correlation coefficient of these images, and also decide on the degree of their linear dependence.

The analysis of the prior art by the applicant made it possible to establish that there are no analogues that are characterized by sets of features identical to all the features of the claimed network traffic analysis system. Therefore, the claimed invention meets the condition of patentability "Novelty."

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed invention from the prototype have shown that it does not follow explicitly from the prior art. From the prior art determined by the applicant, the influence of the provided by the essential features of the claimed invention on the achievement of the specified technical result is not known. Therefore, the claimed invention meets the condition of patentability "Inventive step".

The proposed system can be installed on switching equipment as a means of protection against attacks in information and computer networks.

Claims (5)

1. A network traffic analysis system comprising a traffic filtering unit for calculating a mathematical expectation of arrival time of traffic units, an autocorrelation function calculation unit, an autoregressive parameter calculation unit, an autoregressive filter unit, wherein the first information output of the traffic filtering unit is connected to the first information input of the autocorrelation calculation unit functions, and the second information output of the traffic filtering unit is connected to the second information input of the autocorrelation function calculation unit the second information input of the autoregressive filter unit, the information output of the autocorrelation function calculation unit is connected to the information input of the autoregression parameter calculation unit, and the information output of the autoregression parameter calculation unit is connected to the first information input of the autoregression filter unit, the output of which is the system output, characterized in that four keys are entered, a counter, a correlation coefficient calculation unit, a decision making unit, a key management unit, and information the inputs of the first key are connected to the communication channel and the information output of the autoregressive filter unit, and the first information output of the traffic filtering unit is connected to the input of the second key and the first input of the fourth key, and the output of the second key is connected to the first input of the autocorrelation function calculation unit, while the second information output of the block filtering traffic through the counter is connected to the control input of the key management unit, the control input of the third key, and the information output of the third key is connected to the second by the input of the autocorrelation function calculation unit and the second information input of the autoregressive filter unit, the output of the first key is connected to the first information input of the traffic filtering unit, to the first information input of the third key, the key management unit and the second information input of the fourth key, the outputs of which are connected to the coefficient calculation unit correlation, and the information output of the unit for calculating the correlation coefficients is connected to the information input of the decision unit, the outputs of which are I system outputs, the output of the autoregressive filter unit is connected to the second information input of the third key, and the output of the key control unit is connected to the control inputs of the first, second and fourth keys. 2. The system according to claim 1, characterized in that the correlation coefficient calculation block comprises an adder block, a root adder block and a divider, while the inputs of the adder block and the root adder block are combined and are inputs of the correlation coefficient calculation block, and the outputs of the adder block and block the root adder associated with the inputs of the divider, the output of which is the output of this block. 3. The system according to claim 1, characterized in that the decision block consists of four comparison blocks, while the input of the first comparison block is the input of this block, and one output of the first comparison block is connected to the second input of the comparison block, the outputs of which are the first and the second outputs of this block, and the second output of the first block is connected to the input of the third comparison block, one output of which is the third output of the decision block, and the second output is connected to the input of the fourth comparison block, the outputs of which are the fourth and fifth outputs of the decision block. 4. The system according to claim 2, characterized in that the adder block contains two subtractors, a multiplier and a product adder, while the two inputs of the first subtractor, the two inputs of the second subtractor are the inputs of this block, and the outputs of the first and second subtractors are connected to the multiplier, the output which is connected to the adder of the product, the output of which is the output of this unit. 5. The system according to claim 2, characterized in that the block of the root adder contains two subtractors, two quadrators, two blocks of the sum of squares, a multiplier and a square root extraction unit, while the first and second inputs of the root adder block, as well as the third and fourth inputs connected to the first and second difference blocks, respectively, and are the inputs of this block, and the outputs of the first difference block through the quadrator and the sum of squares block are connected to the first input of the multiplier, the outputs of the second difference block through the quadrator and the sum of square block connected to a second input of the multiplier, the multiplier output connected to an input of a square root extraction unit, whose output is the output of this block.

Images