RU2540838C1 - Detector of remote computer attacks - Google Patents

Abstract

FIELD: electricity.

SUBSTANCE: detector of remote computer attacks comprises counters, decoding units, comparator units, control unit, display unit and memory units. The first memory unit is equipped with input message bus and its data output is connected to the first data inputs of the first, third, fourth, fifth, sixth, seventh, tenth, eighth, ninth, eleventh and twelfth decoding units, which control outputs are coupled to the respective control inputs of the control unit, which control outputs are coupled to the display unit and the first memory unit. Control outputs of counters are connected to control inputs of the respective decoding units. Data outputs of the fourth and fifth decoding units are coupled to the first comparing unit, which data output is coupled to the third memory unit. Data output of the twelfth decoding unit is connected to data input of the second comparing unit, which data output is coupled to the fifth memory unit. At that control inputs of the third, fourth and fifth memory units are jointed and form the control input of the device; the fourth memory unit is equipped with data output of connection to false network.

EFFECT: improved detection reliability of remote computer attacks.

7 dwg

Description

The invention relates to the field of telecommunications and is intended for use in technical means of protection for the rapid detection of remote computer attacks on the information and telecommunication network (ITKS) and their blocking.

A device for protecting information resources of a computer network according to the patent of the Russian Federation No. 2313127, publ. 12/20/2007. An analog device consists of servers with memory blocks, intermediate memory, a switch, connectors, data lines and a control unit.

The disadvantage of this method is the limited number of analyzed parameters of message packets.

A device for protecting information from unauthorized access for computers of information-computing systems according to the patent of the Russian Federation No. 2321055, publ. 03/27/2008. An analog device consists of a controller for exchanging information with an external storage medium, a controller for exchanging information with a computer, a user identification and authentication processor, a non-volatile memory unit, a common control and data exchange module blocking module for a computer, a power control device, an external device interface unit, a blocking module external devices, hardware random number sensor, microcontroller of tamper sensors and extract computer components with their own independent m power supply, random access memory device, module for continuous user authentication, module for checking the integrity and condition of hardware components of the protection device, module for managing keys for encryptor loading keys, module for managing network adapters, module for interacting with an access control system, and module for interacting with servers of an information-computing system .

The disadvantage of this method is the narrow scope, due to the fact that despite the possibility of detecting unauthorized access to computers, it does not provide the ability to prevent remote computer attacks.

The closest analogue (prototype) in its technical essence to the claimed device for detecting remote computer attacks is an information retrieval device according to the patent of the Russian Federation No. 2301443, publ. 06/20/2007.

The prototype device consists of a memory block, the input of which is the input of the device, and the output is connected to the information input of the first decryption unit, the second input of which is connected to the first counter, and the output to the input of the second counter, the first output of which is connected to the second input of the second decryption unit the first input of which is connected to the output of the first memory unit, the output of the second decryption unit is connected to the input of the second memory unit, and the output of the second counter through the third counter is connected to the first input of the third decoder unit ii, the second input of which is connected to the output of the first memory block, the first and second outputs of the third decryption block are connected through the fourth and fifth counters, respectively, to the first inputs of the fourth and fifth decryption blocks, the second inputs of which are connected to the output of the first memory block, and the outputs of the fourth and fifth decryption units are connected respectively to the first and second inputs of the first comparison unit, the inputs of the control unit are connected to the second output of the first decryption unit, to the third output of the third decryption unit, to the second output of the first comparison block, to the second output of the sixth decryption block, to the first output of the seventh decryption block, to the output of the eighth decryption block, to the output of the ninth decryption block, to the first output of the tenth decryption block, to the two outputs of the eleventh decryption block, and the eleventh output the control unit is connected to the input of the first counter and to the first memory unit, and the output of the second memory unit is connected to the first input of the sixth counter, the second input of which is connected to the output of the first comparison unit, and its one - to the input of the sixth decryption unit, the first output of which is connected to the input of the seventh counter, the output of which is connected to the input of the seventh decryption unit, the second output of which is connected to the input of the eighth counter, and the output of the eighth counter is connected to the first input of the eighth, ninth and tenth decryption units , the second inputs of each of which are connected to the output of the first memory block, to which the second inputs of the seventh, sixth and eleventh decryption units are also connected, and the second output of the tenth decryption unit is connected to the input of the ninth counter, the output of which is connected to the first input of the eleventh decryption unit.

The disadvantage of the prototype is the relatively low reliability of detection of computer attacks due to the ability to check only a small number of signs characterizing remote computer attacks, which leads to the possible omission of computer attacks using fragmentation of data packets.

The aim of the invention is to develop a device for detecting remote computer attacks, which increases the reliability of detection of computer attacks, due to the possibility of identifying more signs of attacks and their detection.

This goal is achieved by the fact that in the known device for detecting remote computer attacks containing a first memory block equipped with an input bus, and its information output is connected to the first information inputs of the first, third, fourth, fifth, sixth, seventh, tenth, eighth, ninth and the eleventh decryption blocks, the first control input of the first memory block is connected to the control input of the first counter, the control output of which is connected to the second control input of the first cheap block fractions, the control outputs of which are connected respectively to the first control input of the control unit and the control input of the second counter, the first control output of which is connected to the control input of the second decryption unit, the control output of which is connected to the control input of the second memory block, the information output of which is connected to the first information input the sixth counter, the second control input of which is connected to the second control output of the first comparison unit, the control output of the sixth with the sensor is connected to the second control input of the sixth decryption unit, the first control output of which is connected to the fourth control input of the control unit, the fifth control input of which is connected to the first control output of the seventh decryption unit, the second control output of which is connected to the control input of the eighth counter, the second control output of which connected to the second control inputs of the tenth, eighth and ninth decryption units, the first control output of which is connected to the sixth control the control unit input to it, the seventh and eighth control inputs of which are connected respectively to the first control output of the eighth decryption unit and the first control output of the tenth decryption unit, the second control output of which is connected to the control input of the ninth counter, the control output of which is connected to the first control input of the eleventh decryption unit , the first control output of which is connected to the tenth control input of the control unit, the second and third control inputs of which are connected correspondingly to the first control output of the third decryption unit and the first control output of the first comparison unit, the second information input of which is connected to the information output of the fifth decryption unit, the second control input of which is connected to the control output of the fifth counter, the information input of which is connected to the second information output of the third block decryption, the third information output of which is connected to the information input of the fourth counter, the control output of which is it is connected to the second control input of the fourth decryption unit, the information output of which is connected to the third information input of the first comparison unit, the second control output of the second counter is connected to the control input of the third counter, the control output of which is connected to the second control input of the third decryption unit, the second control output of the sixth block decryption is connected to the control input of the seventh counter, the control output of which is connected to the second control input of the seventh counter ifration, the first, second and third control outputs of the control unit are connected respectively to the first and second control inputs of the first memory unit, as well as to the control input of the display unit, characterized in that the second comparison unit, the twelfth decryption unit, the tenth counter, and third, fifth and fourth memory blocks. The first control output of the fourth memory unit is connected to the ninth control input of the control unit, the twelfth and thirteenth control inputs of which are connected respectively to the first and second control outputs of the second comparison unit. The first and second information inputs of the second comparison unit are connected respectively to the information outputs of the fifth memory unit and the twelfth decryption unit, the first control output of which is connected to the eleventh control input of the control unit. The first and second information inputs of the twelfth decryption unit are connected respectively to the information output of the first memory unit and the control output of the tenth counter, the control input of which is connected to the first control output of the eighth counter. The second and third information inputs of the fourth memory block are connected respectively to the second information output of the eleventh decryption block and the second information outputs of the eighth and ninth decryption blocks. The information output of the third memory unit is connected to the first information input of the first comparison unit. Moreover, the control inputs of the third, fourth and fifth memory blocks are combined and are the control input of the device, and the fourth memory block is equipped with an information output connecting to a false network.

Due to the new set of essential features in the claimed device, by monitoring a wide range of computer attacks by external intruders along trusted message packet transmission routes, it seems possible to more quickly predict the impact of computer attacks (SC) and to prevent their destructive effect in advance, which indicates the possibility of increasing validity of spacecraft detection.

The claimed device is illustrated by drawings, which show:

figure 1 is a structural diagram of a device for detecting remote computer attacks;

figure 2 is a structural diagram of a control unit;

figure 3 - structure of the header of the IP packet;

4 is a header structure of a TCP packet;

5 is a header structure of a UDP packet;

6 is a header structure of an ICMP packet;

figure 7 - dependence of the probability of detection of computer attacks on the amount of received message packets.

The claimed device for detecting remote computer attacks, shown in figure 1, consists of a first memory unit 1 provided with an input message bus, and its information output 1.3 is connected to the first information inputs of the first 3, third 8, fourth 11, fifth 12, sixth 15, seventh 17, tenth 19, eighth 20, ninth 21 and eleventh 23 decryption units, the first control input 1.1 of the first memory unit 1 is connected to the control input 2.1 of the first counter 2, the control output 2.2 of which is connected to the second control input 3.2 of the first about the decryption unit 3, the control outputs 3.3 and 3.4 of which are connected respectively to the first control input 24.1 of the control unit 24 and the control input 5.1 of the second counter 5, the first control output 5.2 of which is connected to the control input 4.1 of the second decryption unit 4, the control output 4.2 of which is connected to information input 6.1 of the second memory block 6, information output 6.2 of which is connected to the first information input 14.1 of the sixth counter 14, the second control input 14.2 of which is connected to the second control output 13.5 the first comparison unit 13, the control output 14.3 of the sixth counter 14 is connected to the second control input 15.2 of the sixth, the decryption unit 15, the first control output 15.3 of which is connected to the fourth control input 24.4 of the control unit 24, the fifth control input 24.5 of which is connected to the first control output 17.3 of the seventh decryption unit 17, the second control output 17.4 of which is connected to the control input 18.1 of the eighth counter 18, the second control output 18.3 of which is connected to the second control inputs 19.2, 20.2, 21.2 of the tenth 19, eight On the 20th and ninth 21 decryption units, the first control output 21.3 of which is connected to the sixth control input 24.6 of the control unit 24, the seventh 24.7 and eighth 24.8 whose control inputs are connected respectively to the first control output 20.3 of the eighth decryption unit 20 and the first control output 19.3 of the tenth decryption unit 19, the second control output 19.4 of which is connected to the control input 22.1 of the ninth counter 22, the control output 22.2 of which is connected to the first control input 23.2 of the eleventh decryption unit 23, the first the control output 23.3 of which is connected to the tenth control input 24.10 of the control unit 24, the second 24.2 and third 24.3 control inputs of which are connected respectively to the first control output 8.3 of the third decryption unit 8 and the first control output 13.4 of the first comparison unit 13, the second information input 13.2 of which is connected to the information output 12.3 of the fifth decryption unit 12, the second control input 12.2 of which is connected to the control output 10.2 of the fifth counter 10, the information input 10.1 of which is connected to the second input formation output 8.4 of the third decryption unit 8, the third information output 8.5 of which is connected to the information input 9.1 of the fourth counter 9, the control output 9.2 of which is connected to the second control input 11.2 of the fourth decryption unit 11, the information output 11.3 of which is connected to the third information input 13.3 of the first comparison unit 13, the second control output 5.3 of the second counter 5 is connected to the control input 7.1 of the third counter 7, the control output 7.2 of which is connected to the second control input 8.2 of the third decryption unit 8, the second control output 15.4 of the sixth decryption unit 15 is connected to the control input 16.1 of the seventh counter 16, the control output 16.2 of which is connected to the second control input 17.2 of the seventh decryption unit 17, the first 24.14, the second 24.15 and the third 24.16 control outputs of the control unit 24 are connected respectively, to the first 1.1 and second 1.2 control inputs of the first memory unit 1, as well as to the control input 25.1 of the display unit 25, characterized in that a second comparison unit 32, the twelfth decryption unit, are additionally introduced AI 30, tenth counter 29, as well as third 26, fifth 31 and fourth 28 memory blocks. The first control output 28.4 of the fourth memory block 28 is connected to the ninth control input 24.9 of the control unit 24, the twelfth 24.12 and thirteenth 24.13 whose control inputs are connected respectively to the first 32.3 and second 32.4 control outputs of the second comparison unit 32. The first 32.1 and second 32.2 information inputs of the second block comparisons 32 are connected to the information outputs 31.2 of the fifth memory block 31 and 30.4 of the twelfth decryption unit 30, respectively. The first control output 30.3 of the twelfth decryption unit 30 is connected to eleven the control input 24.11 of the control unit 24. The first 30.1 and second information inputs 30.2 of the twelfth decryption unit 30 are connected respectively to the information outputs 1.3 of the first memory block 1 and 29.2 of the tenth counter 29. The information input 29.1 of the tenth counter 29 is connected to the first information output 18.2 of the eighth counter 18 The second 28.2 and third 28.3 information inputs of the fourth memory block 28 are connected respectively to the second information output 23.4 of the eleventh decryption unit 23 and the second information outputs 20.4, 21.4 in on the 8th and the ninth, 21 decryption blocks. The information output 26.1 of the third memory block 26 is connected to the first information input 13.1 of the first comparison unit 13. Moreover, the control inputs 26.2, 28.1 and 31.1 of the third 26, fourth 28 and fifth 31 memory blocks are combined and are the control input of the device. The fourth memory block 28 is provided with an information output 28.5 connecting to a false network.

The blocks included in the device for detecting remote computer attacks (UOKA) have the following purpose:

The first 1 and second 6 memory blocks are intended respectively for storing and subsequent reading from them bytes (bits) of message packets arriving from a demodulating device and a decryption unit.

The third 26, fourth 28 and fifth 31 memory blocks are designed to record and store the corresponding reference values of IP address parameters (senders and recipients), signs of passive computer attacks and parameters of the Options field.

Their schemes are known and described in figure 2 of the patent of the Russian Federation No. 2115952.

The first counter 2 is designed to count 14 bytes in digital sequence to determine the IP packet (figure 3) and generate a control signal for the first decryption unit 3.

The second counter 5 is designed to count 4 bits to detect the field "Length of the header" message packet.

The third counter 7 is designed to count 8 bytes in order to detect the 24th byte of the packet and generate a control signal for the third decryption unit 8.

The fourth counter 9 is designed to count 3 bytes to the first byte of the sender address field in the header of the IP datagram and generate a control signal for the fourth decryption unit 11.

The fifth counter 10 is designed to count 4 bytes to the first byte of the recipient address field in the header of the IP datagram and generate a control signal for the fifth decryption unit 12.

The sixth counter 14 is designed to determine the field containing the port number of the sender of the message packet in the header of the TCP packet (figure 4).

The seventh counter 16 is used to determine the field containing the value of the reserve bits of the header of the TCP packet.

The eighth counter 18 is designed to determine the “Flags” field of the TCP packet header and generate control signals for the eighth 20, ninth 21, and tenth 19 decryption blocks.

The ninth counter 22 is designed to determine the ASK flag number field and generate a control signal for the eleventh decryption unit 23.

The tenth counter 29 is designed to determine the “Options” field and generate a control signal for the twelfth decryption unit 30.

The counter scheme is known and described in Fig.6 of the patent of the Russian Federation No. 2219577.

The first decryption unit 3 is designed to determine the sequence of incoming IP protocol data.

The second decryption unit 4 is intended to determine the value of the "Length of the header".

The third decryption unit 8 is designed to determine the TCP protocol by identifying the numeric value “six” in decimal form in the 24th byte.

The fourth 11 and fifth 12 decryption blocks are designed to record four bytes 27-30 and 31-34 of the sender address and recipient address fields, respectively.

The sixth decryption unit 15 is designed to determine the record of 35 and 36 bytes and determines the numerical value of “zero” (00) in decimal form.

The seventh decryption unit 17 is designed to determine the value of the reserve bit field.

The tenth decryption unit 19 is intended to determine the case of setting the ASK flag and generating a control signal supplied to the ninth counter 22.

The eighth decryption unit 20 is used to determine if all flags are set.

The ninth decryption unit 21 is used to determine if the SYN / FIN flags are set simultaneously.

The eleventh decryption unit 23 writes 4 bytes of the ASK number and generates a signal for writing the flag value to the fourth memory unit 28.

The twelfth decryption unit 30 is designed to write 4 bytes of the Options field to it.

The scheme of decryption blocks is known and described in figure 2 of the patent of the Russian Federation No. 22199577.

The first comparison unit 13 is designed to compare the values of the IP addresses of the sender and receiver with the corresponding reference values and generate control signals to the control unit 24.

The second comparison unit 32 is designed to compare the values of the Options field with the corresponding reference values and generate control signals to the control unit 24.

The comparator circuit is known and described in Fig.1.134 p.185 in the book Shilo V.L. “Popular Digital Chips”: Handbook - M: Radio and Communications, 1987.

The control unit 24 is designed to generate control signals when implementing the required algorithm of the device for detecting remote computer attacks. The circuit of the control unit 24 can be implemented in various ways, in particular as shown in FIG.

The control unit 24 contains the elements OR 24.1 and 24.3, a delay device 24.2 and encoders 24.4-24.7. Schemes of OR elements are known and are shown in Fig. 167 p. 78 in the book by S. Yakubovsky. “Digital and analog integrated circuits”: Reference. - M .: Radio and communications, 1990.

As a delay device 24.2, one of the known microcircuits can be used, for example, shown in Fig. 1.78 p. 111 in the book Shilo V.L. “Popular Digital Chips”: Handbook - M: Radio and Communications, 1987.

As encoders 24.4-24.7, one of the known microcircuits can be used, for example, shown in Fig.1.101 p.141 in the book Shilo V.L. “Popular Digital Chips”: Handbook - M: Radio and Communications, 1987.

The display unit 25 is designed to visually display the decision. The indicator schemes are known and described in Fig. 7.1 on p. 97 in the book Veniaminov V.N., Lebedev O.N., Miroshnichenko A.I. “Chips and their application”: Reference manual. - M.: Radio and Communications, 1989.

The bit depth of the bus "Input bus messages" is determined by the bit depth of the analyzed message packets, due to the fact that the device processes bytes, the bus is eight-bit.

Declared UOKA works as follows.

Upon receipt of write permission from the control unit 24 output (logical “1”), the cells of the random access memory of the first memory block are filled with 1 byte of packet received from the demodulating device (channel controller). After all the bytes of the next packet of the analyzed protocol are recorded, the output of the control unit 24 generates a permission for byte-by-line reading of information (logical “0”).

From the output of the first memory block 1 bytes of packets are sequentially fed to the information inputs of the first 3, second 4, third 8, fourth 11, fifth 12, sixth 15, seventh 17, eighth 20, ninth 21, tenth 19, eleventh 23 and twelfth 30 decryption units .

When 2.1 of the first counter 2 receives a signal from the control unit 24 (logical “0”), 14 bytes are read to determine the value “six” (06) in decimal form in the signal digital sequence, which corresponds to the IP protocol packet. It should be noted that the application considers the frame format Ethernet 802.3 // LLC. In the case of other types of frames, for example, for Ethernet DIX (Ethernet II), the length of this field is 2 bytes and its value corresponds in decimal to the number “eight” (0800) (Kulgin M. Corporate Network Technologies. Encyclopedia. - St. Petersburg: Publishing House: "Peter", 1999. - 704 p.).

If the value of "six" is not found, at the first output 3.3 of the first decryption unit 3, a signal is generated that arrives at the first input 24.1 of the control unit 24.

At the second output 3.4 of the first decoder 3, a control signal is generated, which arrives at the second counter 5, which counts 4 bits to detect the value of the “Header Length” field and generates at the first output 5.2 a control signal for allowing these bits to be written to the second decryption unit 4, which serves to determine the value of the "Heading Length" field. At the output of the second decryption unit 4, a signal is generated to record the value of the “Header Length” field in the second memory unit 6.

At the second output 5.3 of the second counter 5, a control signal is generated, which arrives at the third counter 7, which counts 8 bytes to detect the 24th byte of the packet and generates a control signal for writing this byte to the third decryption unit 8. The decryption unit 8 is designed to determine this Give the decimal number six. In this case, the protocol used is TCP. (Kulgin M. Technologies of corporate networks. Encyclopedia. - St. Petersburg: Publishing House "Peter", 1999. - 704 p.).

If the value of "six" is not found, then at the first output 8.3 of the third decryption unit 8, a signal is generated that arrives at the second input of the control unit 24.

At the third output 8.5 of the third decryption unit 8, a signal is generated that arrives at the fourth counter 9, which counts 3 bytes until the first byte of the sender address field appears in the header of the IP datagram and generates at the output 9.2 a control signal for recording the next four bytes of signal digital sequences (27 -30) to the fourth decryption block 11. At the second output 8.4 of the third decryption block 8, a signal is generated that arrives at the fifth counter 10, which counts 4 bytes to the first field of the recipient address in the header An IP-datagram is generated and generates at the output 10.2 a control signal for recording the next four bytes of signal digital sequences (31-34) in the fifth decryption unit 12.

In the first comparison unit 13, the selected values of the address parameters are compared with the corresponding reference values stored in the third memory unit 26 and, if they coincide, a control signal is generated in the form of a logical “1” at the second output of the unit 13 and fed to the third input of the control unit 24. If the addresses did not match, a control signal is generated - a logical "0".

At the second output 13.5 of the first comparison unit 13, a control signal is generated that is supplied to the second input 14.2 of the sixth counter 14, which searches for a field containing the source port number in the TCP header. At the output 14.3 of the sixth counter 14, a control signal is generated to enable the next two bytes of the signal digital sequences to be written to the sixth decryption unit 15. The sixth decryption unit 15 is used to determine the numerical value “zero” (00) in this byte in decimal form. In this case, at the second output of block 15, a control signal is generated that is fed to the fourth input of control unit 24.

From the first output of the sixth decryption unit 15, a control signal is supplied to the seventh counter 16, which searches for a field containing the value of the reserve bits of the TCP packet header. The seventh counter 16 generates control signals for writing to the seventh decryption unit 17 of the next 6 bits. The seventh decryption unit 17 is designed to determine the value of the reserve bit field. If this value is other than "zero" (00) in decimal form, a control signal is generated at the first output of the decoder 17, which is fed to the fifth input of the control unit 24.

From the second output 17.4 of the seventh decryption unit 17, a control signal is generated, which arrives at the eighth counter 18, which searches for the “Flag” field in the header of TCP packets and generates control signals for recording the next 6 bits in the eighth 20, ninth 21, and tenth 19 decryption blocks. The eighth 20, ninth 21, tenth 19 decryption units are designed to determine the state of the Flags field by adding to a specific mask.

The eighth decryption unit 20 is used to determine the case of setting all flags, in this case, at its first output, a control signal is generated in the form of a logical "1", which is fed to the sixth input of the control unit 24, otherwise a logical "0" is generated. In addition, a control signal is generated for writing the flag value to the fourth memory block 28.

The ninth decryption unit 21 is used to determine the case of the simultaneous setting of SYN / FIN flags, in this case, a control signal is generated at its first output - logical "1", which is fed to the sixth input of control unit 24, otherwise a logical "0" is generated. In addition, a control signal is generated for writing the flag value to the fourth memory block 28.

The tenth decryption unit 19 is used to determine the case of setting the ASK flag, in this case, a control signal is generated at its second output, which arrives at the ninth counter 22. If the flag is not set, the control signal is generated at the first output of block 19 and is input to the control unit 24 The ninth counter 22 searches for the ACK number field and generates control signals for writing to the eleventh decryption unit 23 of the 4 bytes of the ACK number. If the value of this field is different from "zero" (00) in decimal form, then a control signal is generated at the first output of block 23 - a logical "1", which is input to the control unit 24, otherwise a logical "0" is generated. In addition, a control signal is generated for writing the flag value to the fourth memory block 28.

In the fourth memory block 28, statistics are collected on the number of message packets in order to identify the impact of passive computer attacks.

The following are accepted as signs indicating the fact that passive computer attacks have affected ITKS:

sequentially receiving UDP packets in the time interval (FIG. 5);

consecutive receipt in the time interval of ICMP requests (Fig.6);

consecutive receipt in the time interval of TCP packets with one of the types of flags SYN, FIN, ASK, XMAS, NULL set.

This is argued as follows. When a TCP connection is established, the first MS sent to ITKS is the MS with the SYN flag set. Depending on whether a personal computer and / or server is present in ITKS and / or a server with the specified address on which the necessary service is enabled, three situations are possible. In the event that a PC is present and the requested port is functioning on it, the response will be the PS with the ASK and SYN flags indicating that a connection can be established on this port. Analyzing this answer, the intruder can not only establish the fact of the presence of a PC and / or server in ITKS, but also determine the presence of a certain network service on them.

If the PC and / or server is present, but the requested port is closed on it, a TCP packet with ASK and RST flags is sent in response, indicating that the connection cannot be established on the requested port. Upon receiving such a response, the intruder decides on the presence in the ITKS of the personal computer and / or server with the IP address of interest, but the unavailability of the requested port. If ITKS does not have the required PC and / or server, then nothing will be returned in response [standard Request for Comments, http://tools.ietf.org/html/rfc793 (accessed 07.29.2013)].

In order to determine the presence of open TCP ports in the PC and / or servers that are part of the ITKS, violators work in the following sequence:

send to the PC port and / or the PS server with the SYN flag in order to establish a connection, and wait for a response. The presence in the response of the MS with the ASK flag means that the port is open, and the receipt of the MS with the RST flag in response means that the port is closed;

sent to the port of the PC and / or the PS server with the FIN flag. The PS with the RST flag must respond to the arriving MS with the FIN flag to the closed PC port and / or the server; if the port is open, then the MS with the FIN flag is ignored;

send to the port of the PC and / or server PS with the flag ASK. The PC and / or server must respond with an RST packet to the arriving MS with the ASK flag and the server must respond with an RST packet; if the port is open, then the MS with the ASK flag is ignored;

send to the PC and / or PS server with all XMAS flags set or NULL flags cleared. The PS with the RST flag should respond to the arriving MS with these flag values to the closed PC port and / or server. The specified packets directed to open ports are ignored.

In order to detect open UDP ports in a PC and / or server, intruders send a UDP packet. If the port is open, then in response to the PC and / or the server, either they do not send anything, or they send a response UDP packet. If the port is closed, then the tested PC and / or server respond with an ICMP message. Depending on the response received, violators draw appropriate conclusions.

ICMP is used to determine the availability of PCs and / or ITKS servers. Sequential execution of ICMP requests with enumeration of addresses from a certain range is a spacecraft.

In addition, according to the received ICMP response, namely, the code of the ICMP packet, violators determine the types of PC operating system and / or servers.

The implementation of passive spacecraft is the first stage of the attack on ITKS and is aimed at studying the topology of the attacked ITKS, determining the type and version of the PC operating system and / or servers, identifying available network and other services in the attacked ITKS.

When three or more message packets with the same flags or protocols are received within one minute, subsequent message packets with the same “Flag” and / or protocol type are redirected to the false network. The operation of the false network is known and described in the article by Smorchkov E.V., Nakonechny B.M., Nizhnikovsky A.V. The mechanism of functioning of false network information objects in local area networks // News of the Institute of Engineering Physics, No. 3, 2011. - pp. 7-10. In this case, a control signal is generated - a logical “1”, which is fed to the tenth input of the control unit 24, otherwise a logical “0” is generated.

At the second output of the eighth counter 18, a control signal is generated, which arrives at the tenth counter 29, which reads 4 bytes to determine the value of the "Options" field and generates a control signal for the storage of these bytes to the twelfth decryption unit 30, which serves to determine the field parameters at the first output "Options."

The Options field is optional and has a variable length. Support for options should be implemented in all IP modules (nodes and routers). The standard defines 8 options. The proposed device uses the option “route recording” and / or “security” [RFC 791, Internet Protocol, 1981, September, pp. 14-22].

In the second comparison block 32, the selected parameters of the Options field are compared with the reference values stored in the fifth memory block 31 and, if they coincide, the control signal is generated in the form of a logical “1” at the thirteenth input of the control unit 24 at the first output of the comparison block 32 If the values of the "Options" field did not match, a control signal is generated at the first output - a logical "0", which is received at the twelfth input of the control unit 24.

Upon receipt of the control signal at the first input of the control unit 24, a control signal is generated at its fourteenth output.

Upon receipt of the control signal at the second input of the control unit 24, a delay line is turned on until the signal arrives at its third input, after which a control signal is generated at the fourteenth output of the control unit 24.

Upon receipt of the control signal at the inputs from the third to eleventh control unit 24, the corresponding encoder is connected. The encoder is needed to convert the signals received at its information input into a code combination corresponding to the message that is transmitted to the fifteenth output of the control unit 24.

Upon receipt of the control signal at the twelfth input of the control unit 24, a control signal is generated at its fifteenth output, which is transmitted to the first memory unit 1, through which the memory cells are reset. The device is ready for analysis of the newly incoming digital input sequence.

Through the control input of the device, the administrator updates the reference values of the message packet parameters. To do this, the administrator in the test mode of ITKS operation measures the real values of the data fields of message packets for the route between each pair of trusted addresses of the recipient and sender. After the message packet is transmitted via ITKS from the sender to the receiver of the message, along a certain route, the sender and receiver addresses (fields “IP address of the sender”, “IP address of the receiver”) and the route of the packet (field “options”) will have the same value for all message packets passing along this route. These values are stored in the corresponding memory blocks. After all the reference values of the checked parameters are collected and recorded in the corresponding memory blocks, the ITKS is transferred to the real mode of operation.

Thus, by monitoring a wide range of essential signs of computer attacks and detecting passive spacecraft, the reliability of their detection, characterized by the probability of detection (P _obn ), has increased. Using modeling, the relationship between the probability values of detecting computer attacks and the volume of received message packets is obtained.

The achievement of the technical result is illustrated as follows. For the prototype method, due to checking a small number of signs characterizing remote computer attacks, the probability of detecting computer attacks (P1 _obn ) is lower than that of the prototype (P2 _obn ) by 0.78 times.

Moreover, the difference in the probability of detecting computer attacks is greater, the greater the volume of message packets, which is achieved by the formulated technical result, i.e. increase the reliability of detection of computer attacks.

The obtained calculation results confirm the possibility of achieving the specified technical result when using the claimed device.

Claims (1)

A device for detecting remote computer attacks containing a first memory block equipped with an input message bus, and its information output is connected to the first information inputs of the first, third, fourth, fifth, sixth, seventh, tenth, eighth, ninth and eleventh decryption blocks, the first control input the first memory block is connected to the control input of the first counter, the control output of which is connected to the second control input of the first decryption block, the control outputs of which are connected respectively, to the first control input of the control unit and the control input of the second counter, the first control output of which is connected to the control input of the second decryption unit, the control output of which is connected to the control input of the second memory block, the information output of which is connected to the first information input of the sixth counter, the second control input which is connected to the second control output of the first comparison unit, the control output of the sixth counter is connected to the second control input of the decryption unit, the first control output of which is connected to the fourth control input of the control unit, the fifth control input of which is connected to the first control output of the seventh decryption unit, the second control output of which is connected to the control input of the eighth counter, the second control output of which is connected to the second control inputs of the tenth , the eighth and ninth decryption blocks, the first control output of which is connected to the sixth control input of the control unit, the seventh and eighth control the control inputs of which are connected respectively to the first control output of the eighth decryption unit and the first control output of the tenth decryption unit, the second control output of which is connected to the control input of the ninth counter, the control output of which is connected to the first control input of the eleventh decryption unit, the first control output of which is connected to the tenth the control input of the control unit, the second and third control inputs of which are connected respectively to the first control output the third decryption unit and the first control output of the first comparison unit, the second information input of which is connected to the information output of the fifth decryption unit, the second control input of which is connected to the control output of the fifth counter, the information input of which is connected to the second information output of the third decryption unit, the third information output of which connected to the information input of the fourth counter, the control output of which is connected to the second control input of the fourth block decryption, the information output of which is connected to the third information input of the first comparison unit, the second control output of the second counter is connected to the control input of the third counter, the control output of which is connected to the second control input of the third decryption unit, the second control output of the sixth decryption unit is connected to the control input of the seventh counter, the control output of which is connected to the second control input of the seventh decryption unit, the first, second and third control outputs the control unit are connected respectively to the first and second control inputs of the first memory unit, as well as to the control input of the display unit, characterized in that a second comparison unit, a twelfth decryption unit, a tenth counter, as well as a third, fifth and fourth memory blocks, the first the control output of which is connected to the ninth control input of the control unit, the twelfth and thirteenth control inputs of which are connected respectively to the first and second control outputs of the second block avonii, the first and second information inputs of which are connected respectively to the information outputs of the fifth memory block and the twelfth decryption block, the first control output of which is connected to the eleventh control input of the control unit, the first and second information inputs of the twelfth decryption block are connected respectively to the information output of the first memory block and the control output of the tenth counter, the control input of which is connected to the first control output of the eighth counter, the second and third the information inputs of the fourth memory block are connected respectively to the second information output of the eleventh decryption block and the second information outputs of the eighth and ninth decryption blocks, the information output of the third memory block is connected to the first information input of the first comparison block, and the control inputs of the third, fourth and fifth memory blocks are combined and are the control input of the device, the fourth memory block is equipped with an information output connecting to a false network.

Images