RU2459236C1 - Method and system for monitoring program execution using routing - Google Patents


Info

Publication number
RU2459236C1
Authority
RU
Russia
Application number
RU2011130014/08A
Other languages
Russian (ru)
Inventor
Владимир Игоревич Андрианов (RU)
Александр Евгеньевич Балясов (RU)
Владимир Владимирович Бухарин (RU)
Валерий Алексеевич Липатников (RU)
Юрий Иванович Стародубцев (RU)
Original Assignee
Федеральное государственное военное образовательное учреждение высшего профессионального образования "Военная академия связи им. маршала Советского Союза С.М. Буденного" Министерства обороны Российской Федерации


Abstract

FIELD: information technology.
SUBSTANCE: in the method of monitoring program execution using routing, databases of identifiers of computers and programs installed thereon are created. After replacing routing text lines in a program module with corresponding identifiers, the identifier of the computer and programs installed thereon is read. Intervals for generating routing files for each computer are calculated. The routing files for executing the j-th program are transferred from the i-th computer to a control unit. The identifier of the computer and programs installed thereon is stored during program integration. A database of reference routing files for each j-th program executed on the i-th computer is created. Routing files are generated through defined time intervals. The routing files for executing the j-th program are transferred from the i-th computer to a control module. The obtained routing files are compared with reference values. If the routing files do not match, an attack detection signal is transmitted to the automated system.
EFFECT: high reliability of generating routing files and high security of automated system.
2 cl, 2 dwg

Description

The invention relates to computer technology and can be used in attack detection systems to quickly detect unauthorized influences on an automated system.

There is a known method of generating and transmitting a trace file described in US Pat. No. 6,988,263 published Jan. 17, 2006 and US Pat. No. 6,754,890 published on June 22, 2004.

This method includes the following steps. The developer, on his side, develops the product and, as a result, builds an executable module that contains the data necessary to trace the operation of this module. Then the developer releases the product or transfers its modules to the user in another way. On the user side, trace data is readable. At runtime, the module creates a trace of its work. The user sends the trace to the developer, where the received data is analyzed.

The disadvantages of this method are that the trace data contains information not only about the actions performed during the operation of the module, but also about the sequence of their execution and about the objects that were performed during the operation, and that the reliability of trace file generation is relatively low, since information about the execution of the program when it is used on several computers is not taken into account.

Closest to the technical nature of the proposed method is a method of monitoring the execution of programs by tracing binary applications according to Pat. RU No. 2385485, IPC G06F 11/34, G06F 9/44. Publ. 03/27/2010, bull. No. 9.

The method of generating and transmitting the trace file is as follows. On the developer's side, in the compiled software module, the tracing text strings are replaced with the corresponding identifiers. The software module is transmitted to the user side. After the trace file is generated on the user side, this file is transferred to the developer side, where the text strings are restored by the identifiers contained in this file. The result is a text file that can be easily analyzed by the developer.

The disadvantage of the prototype method is the relatively low reliability of the formation of trace files, since information about the execution of the program when it is used on several computers is not taken into account.

Closest in technical essence to the claimed system is the "System for monitoring the execution of programs using binary applications tracing" according to Pat. RU No. 2385485, IPC G06F 11/34, G06F 9/44. Publ. 03/27/2010, bull. No. 9. The system for monitoring the execution of programs using tracing contains: a tool for generating an executable program module that contains the data necessary for tracing the operation of this module; a database for storing trace text strings and their identifiers; means for replacing the existing text trace lines in the generated software module with the corresponding identifiers stored in the said database; means for transferring the program with the generated software module, in which the trace lines are replaced with the corresponding identifiers; a tool for generating a trace file, which is designed to save information about the progress of a program into a trace file during program execution; means of transferring the generated trace file to the developer's side; a means of replacing the line identifiers in said trace file with the corresponding text lines stored in the database; and a means for outputting to the developer the received replaced text strings and said information stored in said trace file on the user side, for the developer to analyze these text strings and said information.

The disadvantage of the prototype system is the relatively low reliability of generating trace files. This drawback is due to the fact that when the automated system is functioning, programs are executed simultaneously on several computers. Moreover, for reliable formation of trace files when executing several programs on several computers, additional information will be required.

Reliability - the degree of objective correspondence of the results of diagnosis (control) to the actual technical condition of the object [Kuznetsov V.E. and other Telecommunications. Explanatory dictionary of basic terms and abbreviations. - St. Petersburg: Publishing House of the Ministry of Defense of the Russian Federation, 2001].

Protection of information from unauthorized exposure - protection of information aimed at preventing unauthorized access and exposure to protected information in violation of the established rights and (or) rules for changing information leading to destruction, destruction, distortion, malfunction, illegal interception and copying, blocking access to information, as well as the loss, destruction or malfunction of the information carrier.

One of the ways to determine the malfunction of the elements of an automated system is to generate trace files, since this makes it possible to log the operation of a program when it is run on a computer.

The purpose of the claimed technical solutions is to develop a method and system for monitoring the execution of programs using tracing that make it possible to increase the reliability of generating trace files and to increase the security of the automated system by determining additional information about the execution of programs when they are used on several computers and by using trace files when an attack is detected.

In the claimed method, the goal is achieved as follows. As in the known method, the existing trace text lines in the generated program module are replaced with the corresponding identifiers stored in the database containing the program module database and the string database; the program with the program module in which the trace lines have been replaced by the corresponding identifiers is transferred; during the execution of the program, the program module stores information about the module's progress, thereby forming a trace file; and the trace file is transmitted. In addition, a database of identifiers of the computers available in the automated system and of the programs installed on them is formed in the control unit. After replacing the trace text lines in the program module with the corresponding identifiers, the identifiers of the computers and the programs installed on them are read. The time intervals for generating trace files for each computer are calculated. The transfer of a program with a software module to a computer of the controlled automated system is carried out according to the identifiers of the computers and the programs installed on them. After the programs are executed and the trace files are generated, the trace files on the execution of the j-th program are transferred from the i-th computer of the automated system to the control unit. The identifiers of the computers and the programs installed on them are remembered during program integration. A database of reference trace files is generated for each j-th program executed on the i-th computer.

Trace files are then generated at specific intervals. Trace files on the execution of the j-th program are transmitted from the i-th computer of the automated system to the control module. The received trace files are compared with the reference values. When a trace file does not match, the j-th program executed by the i-th computer is remembered and an attack detection signal is issued to the automated system.

In the claimed system, the goal is achieved as follows. The known system for monitoring the execution of programs using traces contains a database for storing trace text strings and their identifiers and a database for storing program modules and their identifiers; means for replacing the existing text trace lines in the generated software module with the corresponding identifiers stored in said databases; means for transferring the program with the generated program module, in which the trace lines are replaced with the corresponding identifiers; means for generating a trace file, which is designed to save information about the progress of the program in a trace file during program execution; and means of transmitting the generated trace file. The following are additionally introduced. A database of the computers available in the automated system, the programs installed on them, and their identifiers, the information input and output of which is connected to the means for reading the identifiers of computers and programs installed on them, which is part of the control unit. A database for storing reference trace files and corresponding values for each program of each computer, the information input and output of which is connected to a means of comparing the reference values of trace files with the received values from each computer located in the automated system, which is also part of the control unit. A control unit consisting of a means of comparing the reference values of the trace files with the values obtained when running computer programs, means for reading the identifiers of the computers and the programs installed on them, means for calculating the time intervals for generating trace files, and means for issuing an attack signal to the automated system.
The control unit allows detecting and issuing an attack signal in the automated system; its information inputs and outputs are respectively connected to the information outputs and inputs of the database of reference trace files and of the database of identifiers of computers and the programs installed on them, as well as to all computers included in the automated system.

The new set of essential features of the method and system makes it possible to achieve the specified technical result by determining additional information about the execution of programs when they are used on several computers and by using trace files when an attack is detected.

The claimed method is illustrated by drawings, in which:

figure 1 is a block diagram of an algorithm for monitoring the implementation of programs using tracing;

figure 2 is a diagram explaining the procedure for monitoring the implementation of programs using tracing.

The implementation of the claimed method is illustrated by the algorithm (figure 1), the circuit (figure 2) and is explained as follows:

1. Form a database of identifiers for program modules (PM)

Figure 00000001
where N is the number of PMs; S_j are the identifiers of the PMs of the corresponding programs.

2. Form a database of string identifiers for each program module

Figure 00000002
where
Figure 00000003
- identifiers of the k-th row of the j-th PM; M is the number of lines in the j-th PM.

3. Form a database of identifiers for computers and software modules installed on them

Figure 00000004
where L is the number of computers in the automated system,
Figure 00000005
- identifiers of computers and programs installed on them.

4. Replace the text strings in the software module

Figure 00000006
using PM identifier databases and row identifiers.

5. Read identifiers of computers and programs installed on them

Figure 00000005
and related databases. IDs received
Figure 00000005
are used to determine the correspondence of trace files and the j-th PM executed on the i-th computer.

6. Calculate the time intervals Δt for the formation of trace files. The definition of these time intervals depends on the number of computers (L) and the number of programs installed on them (M).

7. Transfer the program with the j-th PM to the i-th computer.

8. Execute the j-th program on the i-th computer and generate trace files at the input of the program.

9. Check whether the control of all programs on all computers is carried out during the integration of programs in an automated system. If i = L and j = N, then trace files are generated and transmitted

Figure 00000007
j-th program module with i-th computer. If i ≠ L and j ≠ N, the remaining programs are executed on the corresponding computers.

Integration is the process of combining programs with an object computer (computer) in order to create an integrated system. The integration process is completed when the programs are correctly downloaded to the object computer taking into account information about editing the links in the system [GOST R 51904-2002 "Embedded systems software. General requirements for development and documentation", pp. 21-22].

10. Remember and form the database of reference trace files

Figure 00000008
j-th PM with the i-th computer, which will later be used to detect attacks on the automated system.

11. Form a trace file after time Δt.

12. Transfer the trace file

Figure 00000007
on the implementation of the j-th program from the i-th computer to the control unit during the operation of the automated system.

13. Compare received trace files

Figure 00000007
with reference
Figure 00000009
If
Figure 00000010
, then check whether the control of all programs on all computers has been carried out. If i ≠ L and j ≠ N, then trace files are generated when all programs on all computers are executed after a time Δt.

14. If

Figure 00000010
, then the identifier of the j-th program module of the i-th computer, the trace file of which did not match, is stored, and an attack detection signal is issued to the automated system.
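
Steps 1-14 as an added Python example (not code from the patent): identifier databases are built, traces recorded during integration become the reference for each (computer i, program j) pair, and later traces are compared against them. The sample strings, the numbering scheme, exact-equality comparison and the treatment of a pair with no reference as a mismatch are assumptions; the Δt calculation is left out because the description gives no formula for it.

```python
from dataclasses import dataclass, field

# Constructed sample data: trace text strings of two program modules (PM).
PM_STRINGS = {
    "billing": ["start", "open db", "write invoice", "stop"],
    "mailer": ["start", "connect smtp", "send", "stop"],
}


def build_identifier_dbs(pm_strings):
    """Steps 1-2: give every PM an identifier j and every trace string of
    that PM an identifier k (the numbering scheme is an assumption)."""
    pm_ids = {name: j for j, name in enumerate(sorted(pm_strings), start=1)}
    string_ids = {
        pm_ids[name]: {text: k for k, text in enumerate(lines, start=1)}
        for name, lines in pm_strings.items()
    }
    return pm_ids, string_ids


def encode_trace(string_ids, j, events):
    """Steps 4 and 8: the module logs string identifiers instead of text."""
    return tuple(string_ids[j][text] for text in events)


def decode_trace(string_ids, j, trace):
    """Restore text for the analyst; identifiers missing from the database
    stay visible as '<unknown k>' instead of being dropped."""
    by_id = {k: text for text, k in string_ids[j].items()}
    return [by_id.get(k, f"<unknown {k}>") for k in trace]


@dataclass
class ControlUnit:
    installed: dict                                  # step 3: i -> set of j
    reference: dict = field(default_factory=dict)    # step 10: (i, j) -> trace
    mismatched: list = field(default_factory=list)   # step 14: remembered (i, j)

    def integrate(self, i, j, trace):
        """Steps 9-10: the trace produced during integration is the reference."""
        if j not in self.installed.get(i, set()):
            raise ValueError(f"program {j} is not registered on computer {i}")
        self.reference[(i, j)] = tuple(trace)

    def integration_complete(self):
        """Step 9: has every (computer, program) pair delivered a reference?"""
        expected = {(i, j) for i, js in self.installed.items() for j in js}
        return expected == set(self.reference)

    def check(self, i, j, trace):
        """Steps 12-14: compare a received trace with the reference. Returns
        True when an attack detection signal must be issued. A pair with no
        reference counts as a mismatch (assumption: fail closed)."""
        if self.reference.get((i, j)) != tuple(trace):
            self.mismatched.append((i, j))
            return True
        return False


def run_demo():
    pm_ids, string_ids = build_identifier_dbs(PM_STRINGS)
    names = {j: name for name, j in pm_ids.items()}
    unit = ControlUnit(installed={1: {1, 2}, 2: {2}})
    for i, js in unit.installed.items():
        for j in js:
            unit.integrate(i, j, encode_trace(string_ids, j, PM_STRINGS[names[j]]))
    if not unit.integration_complete():
        raise RuntimeError("reference database is incomplete")
    # Constructed traces received after one interval Δt.
    received = [
        (1, 1, (1, 2, 3, 4)),      # matches the reference
        (2, 2, (1, 2, 3, 3, 4)),   # extra "send": deviates from the reference
        (3, 1, (1, 2, 3, 4)),      # computer 3 is not in the database
    ]
    signals = [unit.check(i, j, t) for i, j, t in received]
    return signals, unit.mismatched


if __name__ == "__main__":
    print(run_demo())
```

Exact comparison only suits programs whose trace is identical from run to run; the description does not say how the comparison means handles legitimate variation between runs.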

The method for monitoring the execution of programs using tracing described above is implemented using a system for monitoring the execution of programs using tracing.

This system contains an interconnected database for storing trace text strings and their identifiers, as well as a database for storing PM and their identifiers; means for replacing the existing text trace lines in the program module with the corresponding identifiers stored in said databases; means for transmitting a program with a software module in which trace lines are replaced with corresponding identifiers; means for generating a trace file, which is designed to save information about the progress of the program in a trace file during program execution; means for transmitting the generated trace file to the control unit.

After that, as can be seen from the drawing (Fig. 2), a database of computers and the programs installed on them, available in the automated system, and the corresponding identifiers is formed, the information input and output of which are connected to the means for reading the identifiers of the computer and the programs installed on them, included in the control unit.

Next, the means of reading the identifiers of computers and programs installed on them determines the corresponding identifier

Figure 00000005
by available computer number
Figure 00000011
and identifier of PM and strings
Figure 00000012
.

A means of reading the identifiers of computers and programs installed on them can be implemented in the form of a selection block given in Pat. RU No. 2313128, IPC G06F 17/30, H04L 12/56. Publ. December 20, 2007, bull. No. 35.

Then the transfer means transmits the programs with the PM to the specific computers. The tool for generating a trace file when executing the j-th program on the i-th computer saves information about the progress of the program in the trace file

Figure 00000007
. The data of this trace file serves as the reference, since it is formed at the integration stage (the initial stage of the functioning of the automated system), and is used in the database of reference trace files
Figure 00000013
.

Subsequently, trace files are generated at certain time intervals due to the work of the means for calculating the time intervals for generating trace files, which calculates time intervals depending on the number of computers (L) and the number of programs installed on them (M).

The tool for calculating time intervals can be implemented in the form of a shaper of time intervals described in Pat. RU No. 2313128, IPC G06F 17/30, H04L 12/56. Publ. December 20, 2007, bull. No. 35.

After the trace files are generated, the transmission means transfers the data of the trace files to the comparison means.

Next, in the control unit, the comparison means compares the reference trace files with the trace files received as a result of the execution of computer programs.

The comparison tool can be implemented on comparison devices known and widely covered in the literature (Veniaminov V.N., Lebedev O.N., etc. Microcircuits and their application. Reference manual, 3rd ed. M., "Radio and communication", 1989 - 235 p.).

If the comparison determines that the trace files do not match the obtained values, they are remembered and an attack detection signal is issued to the automated system by the means for issuing an attack signal.

A means of issuing an attack signal to an automated system can be implemented in the form of indicating devices known and widely covered in the literature (Veniaminov V.N. et al. Microcircuits and their application. Reference manual, 3rd ed. M., "Radio and communications", 1989 - 235 p.).

Thus, by determining additional information about the execution of programs when they are used on several computers and by using trace files when an attack is detected, the claimed method and system make it possible to increase the reliability of generating trace files and to increase the security of the automated system.

Claims (2)

1. A method for monitoring the execution of programs using tracing, which consists in replacing the existing text lines of the trace with the corresponding identifiers stored in the database containing the database of program modules and the database of strings in the generated program module, transferring the program with the program module, in which tracing lines were replaced with corresponding identifiers; during program execution, the said program module saves information about the module's progress, thereby forming a trace file, and the trace file is transmitted, characterized in that they generate a database of identifiers for computers and programs installed on them that are available in the automated system in the control unit, after replacing the text lines of the trace in the program module with appropriate identifiers, read out the identifier of the computer and programs installed on them, calculate the time intervals for generating trace files for each computer, the transfer to a computer of a controlled automated system of a program with a software module is carried out according to certain identifiers of computers and programs installed on them, after executing programs and generating trace files, transfer trace files about the execution of the j-th program from the i-th computer of the automated system to the control unit, remember the identifier of the computer and the programs installed on them during program integration, form the database of the reference trace files for each j-th program running on the i-th computer, trace files are generated at certain intervals of time, transmit trace files about the execution of the j-th program from the i-th computer of the automated system to the control module, compare the received trace files with the reference values, remember the j-th program executed by the i-th computer when the trace file does not match, give an attack detection signal to the automated system.
2. A system for monitoring the execution of programs using tracing, containing a database for storing trace text strings and their identifiers and a database for storing program modules and their identifiers; means for replacing the existing text trace lines in the generated software module with the corresponding identifiers stored in said databases; program transfer means with the generated program module, in which the trace lines are replaced with the corresponding identifiers; means for generating a trace file, which is designed to save information about the progress of the program in a trace file during program execution; means for transmitting the generated trace file, an additional database of computers and programs installed on them, available in the automated system and the corresponding identifiers, the information input and output of which is connected to the means for reading the identifiers of computers and programs installed on them, which is part of the control unit; a database for storing reference trace files and corresponding values for each program of each computer, the information input and output of which is connected to the means for comparing the reference values of trace files with the received values from each computer located in the automated system, which is also part of the control unit; control unit, consisting of: means for comparing reference values of trace files with values obtained when running computer programs, means for reading identifiers of computers and programs installed on them, means for calculating time intervals for generating trace files, means for issuing an attack signal to an automated system; the control unit allows for the detection and generation of an attack signal in an automated system, the information inputs and outputs of which are respectively connected to the information outputs and inputs of the database of reference trace files, the database of computer identifiers and the programs installed on them, as well as to all computers included in the automated system.
RU2011130014/08A 2011-07-19 2011-07-19 Method and system for monitoring program execution using routing RU2459236C1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
RU2011130014/08A RU2459236C1 (en) 2011-07-19 2011-07-19 Method and system for monitoring program execution using routing


Publications (1)

Publication Number Publication Date
RU2459236C1 true RU2459236C1 (en) 2012-08-20

Family

ID=46936785


Country Status (1)

Country Link
RU (1) RU2459236C1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6754890B1 (en) * 1997-12-12 2004-06-22 International Business Machines Corporation Method and system for using process identifier in output file names for associating profiling data with multiple sources of profiling data
US6988263B1 (en) * 2000-07-10 2006-01-17 International Business Machines Corporation Apparatus and method for cataloging symbolic data for use in performance analysis of computer programs
RU2385485C1 (en) * 2008-07-29 2010-03-27 ЗАО "Лаборатория Касперского" System and method of control over programs execution with help of binary applications tracing



Legal Events

Date Code Title Description
MM4A The patent is invalid due to non-payment of fees

Effective date: 20130720