RU2625045C1 - Method of modeling damage evaluation caused by network and computer attacks to virtual private networks - Google Patents

Abstract

FIELD: radio engineering, communication.

SUBSTANCE: method of modeling the damage caused by network and computer attacks to virtual private networks is that a communication system including N structural elements and connections between them, where n=1, 2,…, N, unfold to the working state, fix destabilizing effects on its structural elements, according to the obtained data, a simulation model of the communication system is formed, destabilizing effects are modelled thereon; according to the simulation results, the imitation model of the communication system is reconfigured and the probability of its functioning disturbing from destabilizing effects is calculated; the functioning of the system under conditions of exogenous destructive effect also the data are counted and stored on the m_n number of actions to the n-th element of the communication system, the number N_b of the communication system elements subjected to destructive external effects, and the simulation model is formed by the data obtained, reconfiguring it after each effect, the calculated reliability value of the communication system opening structure affecting a party with a predefined threshold confidence level is compared, when exceeding the values of the calculated reliability above the threshold a functioning network connection is proactively reconfigured. The parameters of the network traffic of the subscribers of the "White" List of IP addresses are measured, the parameters of functioning the virtual private network element are determined, in which it is possible to provide the subscriber with the required communication services, the measured parameter values are stored in memory cells, the maximum deviation from the statistical values of the measured parameters is set and the values of parameters of normal subscriber behavior from the "White" List of IP addresses are described, physical models of normal subscriber behavior of virtual private network, computer and network attacks and attack detection systems are created, the models in the database are stored, the places are determined and the sensors of the attack detection systems are placed, the desired values are defined for the speed attack detection systems, the "White" Lists of IP addresses of the virtual private network subscribers are defined and supplemented, the rules of the network traffic filtration are defined and supplemented, based on behavioral criteria, including analysis of the measured parameters of the attacks, options for reconfiguration of the virtual private network are developed, simultaneous effects of several different computer and network attacks of the virtual private network are simulated with different load network traffic of the virtual private network subscribers, the performance of the detection system is measured, the system performance of the effecr detection is evaluated.

EFFECT: increasing the reliability of simulation results by simultaneous simulating the destructive effects of several network and computer attacks, increasing the security of VPN elements, by evaluating the projected damage to the VPN element and conducting a proactive VPN reconfiguration based on this evaluation.

5 dwg

Description

The invention relates to the field of telecommunications, and in particular to the field of diagnosing and monitoring the technical condition of virtual private networks operating in conditions of computer and network attacks.

A subscriber is understood to be a user of communication services with whom an agreement has been concluded on the provision of such services when a subscriber number or unique identification code is allocated for these purposes (GOST - 53729-2009, clause 3.1).

Virtual Private Network (VPN) - a geographically distributed corporate logical network created on the basis of existing networks (local corporate network structures, public communication networks, the Internet, communication networks of telecom operators), which has a set of services similar to the main network and characterized by a high level of protection of identification data (GOST - 53729-2009 p. 3.2).

Network attack - this is a computer attack using internetworking protocols (Section 3.2.9 of the Standardization Recommendations. Technical protection of information. Basic terms and definitions of R 50.1.056-2005).

A computer attack is a targeted unauthorized impact on information, on the resource of an information system or gaining unauthorized access to them using software or hardware and software (paragraph 3.2.8 Recommendations for standardization. Technical protection of information. Basic terms and definitions R 50.1.056- 2005).

Damage refers to the ratio of failed communication network elements to the total number of network elements (Clause 5.19 of GOST R 53111-2008. Stability of functioning of a public communication network).

The "black" list of IP addresses is a user database of IP addresses from which messages will be blocked (Electronic resource. Access mode: http://support.gfi.com/manuals/ru/me2014/Content/Admini-strator/ Anti-Spam / Anti-Spam_Filters / IP_Blocklist.htm).

An alternative to the "Black" list is the "White" list of IP addresses (Electronic resource. Access mode: http://dic.academic.ru/dic.nsf/ruwiki/701664/Black_list).

Network traffic sensors are devices that provide analysis of network interactions, attack signatures, attack models, and a number of other functions (the Cisco IPS 4300 series may be one of the possible sensors used).

Network traffic - the amount of information transmitted over a computer network over a certain period of time via IP packets. (A. Vinokurov Principles of IP traffic accounting. Electronic resource. Access mode: http://habrahabr.ru/post/136844).

Abnormal subscriber behavior - behavior that does not meet the specified requirements (Clause 3.3. GOST R 51904-2002 terminology: Embedded systems software. General requirements for development and documentation).

Network traffic filtering rules - a sequence of actions to block / pass IP packets, depending on: protocol, protocol parameters, connection direction or packet direction, packet source and destination addresses, packet transit time. The IP traffic filtering rules are the result of the anti-spoofing rules, the selected security mode for each network interface, the list of network filters for connections and the operation of the attack detection system (ViPNet Office Firewall. Administrator's Guide. Version 3.1 Infotex OJSC. M., 2015 , 91 s).

Authentication is understood as actions to verify the authenticity of the access subject in the information system (clause 3.5.11 of the Standardization Recommendation. Technical protection of information. Basic terms and definitions of R 50.1.056-2005).

The well-known "Method for modeling processes to ensure the technical readiness of communication networks during technical operation and a system for its implementation", RF patent No. 2336566, G06N 1/00, publ. 10/20/2008, bull. No. 29. The method consists in performing the following sequence of actions. The circuitry characteristics of the elements of the communication network are determined, their relationships are established, the structure of the communication network is described, all communications are divided into primary and backup, arbitrary combinations of damage to the communication network elements are set, the state of communications between the communication network elements is determined, and the process of technical readiness during operation is modeled communication networks, imitate various types of failures, damage and malfunctions of the main elements of a communication network, replace damaged communications with backup ones, about dictated by the value indicator disaster recovery networks, collect statistics, predict technical condition of the main elements of the communications network and calculate the main indicators of the functioning of communication networks.

The disadvantages of the method are the low reliability of the simulation results due to the lack of simultaneous modeling of the destructive effects of several network and computer attacks, the low protection of VPN elements from DDoS attacks due to the lack of an assessment of the damage caused to the VPN element and the timely reconfiguration of the VPN susceptible to a DDoS attack.

The closest in technical essence and functions performed analogue (prototype) to the claimed one is the method implemented in the invention "Method for ensuring the stable functioning of the communication system" (patent RU No. 2405184, G05B 23/00, G06F 17/50, 11/27/2010) consisting in the fact that the communication system, including N structural elements and the connections between them, is deployed in a working state, the destabilizing effects on its structural elements are recorded, according to the received data, a simulation model of the communication network is formed, and the destabilizer is modeled on it According to the simulation results, reconstructing the simulation model of the communication network and calculating the probability of disruption of its functioning from destabilizing effects, when the communication network operates in real operating conditions and only endogenous destructive influences affect it, the time of reconfiguration of the communication network after each destructive effect is measured. The time intervals after the completion of the reconfiguration to the next destructive impact are also measured. When a communication network is operating under exogenous destructive influences, data on the number of actions on each element of the communication network are also counted and stored, where n = 1, 2 ... N, the number N _in , elements of the communication network subjected to destructive external influences. Measure, calculate and remember the time intervals for reconfiguring the communication network after each external destructive impact, where j = 1, 2 ... M, M is the total number of destructive influences. The time intervals between the jth and (j + 1) th external destructive influences and the time intervals of the communication network functioning after the jth reconfiguration to the (j + 1) th destructive external influence are measured. The average reconfiguration time, the average operating time of the communication network and the average time between external destructive influences, as well as the ranking index R of the communication network elements are calculated from the obtained data. Using the ranking indicator, the affected elements of the communication network are ranked, after which the reliability of opening the communication network structure by the acting side D is calculated. In this case, a simulation model is formed according to the received data and with its help destructive external influences are modeled. Next, the number of actions on the corresponding elements of the communication network is calculated and reconfigured after each exposure. The average time interval between destabilizing external influences is calculated and the calculated reliability value D of opening the communication network structure by the acting party is compared with a predetermined threshold level of reliability D _pores . If the value of the calculated reliability D exceeds the threshold D _{then the} real-life communication network is proactively reconfigured in the time interval after the last reconfiguration, less than the calculated average time between the destabilizing external influences on the simulation model. Destructive external influences on the simulation model are modeled according to a random law.

However, the prototype method has the following disadvantages: the low reliability of the simulation results due to the lack of simultaneous modeling of the destructive effects of several network and computer attacks, the low protection of VPN elements from DDoS attacks due to the lack of prediction of the degree of damage to the VPN element and not timely VPN reconfiguration, subject to a DDoS attack.

The objective of the invention is to provide a method "A method for modeling the assessment of damage caused by network and computer attacks to virtual private networks." The technical result of the invention is to increase the reliability of simulation results by simultaneously simulating the destructive effects of several network and computer attacks, increasing the security of VPN elements by assessing the predicted damage to the VPN element and performing proactive VPN reconfiguration based on this assessment.

The objective of the invention is solved in that in the method of "Modeling the assessment of damage caused by network attacks VPN" the following sequence of actions.

The parameters of the network traffic of the subscribers of the "White" list of IP addresses are measured (GOST 28871-90 Linear path equipment for digital fiber-optic transmission systems. Methods of measuring the main parameters. Standardinform 2005. 8 pp.) And the statistics and parameters of computer and network attacks are measured and generalized ( for communication networks operating in the Unified Telecommunications Network, one of the criteria for the onset of information and technical impact may be the appearance of errors 403 and 500, a sharp increase in traffic (http://www.setup.ru/client/subscription/68). The acceptable values of the damage are set in which the VPN element is able to provide the subscriber with the required communication services. The VPN element functioning parameters are determined at which it is possible to provide the subscriber with the required communication services. Save the measured values of the parameters in memory cells (chap. 5.4 p. 133-146, chap. 7 p. 168-233, Galitsina OL, et al. Databases: Textbook. Forum-Infra-M. M., 2006, 352 p.).

Perform a sequence of actions to simulate the functioning of the VPN element in the context of computer and network attacks. Set the maximum deviation from the statistical values of the measured parameters and describe the values of the parameters of normal behavior of subscribers from the "White" list of IP addresses.

Physical models of normal behavior of VPN subscribers are created (“A New Approach to Information Protection - Computer Threat Detection Systems”, Jet Infosystems corporate magazine No. 4 2007. Electronic resource. Access mode: http://www.jetinfo.ru/sta -ti / novyj-podkhod-k-zaschite-informatsii-sistemy-obna-ruz-heniya-kompyuternykh). Physical models of computer and network attacks are created (O. Varlamov, “On a systematic approach to creating a computer threat model and its role in ensuring information security in key systems of information infrastructure”). Izvestiya TRTU / Thematic issue // No. 7 / Volume 62/2006 P. 218). Physical models of the system for detecting attacks and placing sensors of this system are created (ViPNet Office Firewall. Administrator's Guide. Version 3.1 Infotex OJSC. M., 2015, 91 pp.). Save models to the database.

Define and supplement the “White” lists of IP addresses of subscribers to this network (ViPNet Office Firewall. Administrator's Guide. Version 3.1 of Infotex OJSC. M., 2015, 91 pp.). Define or supplement the rules for filtering network traffic, based on behavioral criteria, including analysis of measured attack parameters.

Reconfiguration options are being developed (the essence of the reconfiguration process is described in "On the reliability of the application layer, taking into account the possibility of reconfiguring the MPLS network" / http://nauchebe.net/2013/01/o-nadyozhnosti-prikladnogo-urovnya-s-uchyotom-vozmozhnosti-rekonfiguracii- seti-mpls 2013) or VPN re-switching, (the essence of the process of switching is described in "Virtual LANs. Creating VLANs allows to increase the performance of each of them and isolate the networks from each other ..." / http://www.osp.ru/lan / 2002/12/136942 // "Journal of network solutions / LAN", No. 12, 2002).

Sensors of an attack detection system are deployed (An architecture version of an attack detection system is described in Technology Overview: “Network Data Center Security” Cisco Systems Inc. pp. 14-15; D. Frolov Installation and configuration of the traffic counting system Ipcad + Flow-tools + MySQL. ), determine the required values of the reliability of measuring the parameters of computer and network attacks, and also determine the required values by the speed of the attack detection system.

Simulate the simultaneous effect of several different computer and network attacks on the VPN element with different loading of network traffic by VPN subscribers (O. Varlamov "On a systematic approach to creating a computer threat model and its role in ensuring information security in key information infrastructure systems" Izvestiya TRTU / Thematic issue // No. 7 / volume 62/2006, p. 218).

The parameters of the simulated attacks received from the sensors of the detection system are processed and the speed of the detection system is measured (Using performance counters for monitoring http://www.osp.ru/win2000/2010/04/13003220/).

The reliability of detection of computer and network attacks, as well as the speed of attack detection are evaluated (Using performance counters for monitoring http://www.osp.ru/win2000/2010/04/13003220/). If the reliability of the measured parameters or the speed of the attack detection system does not meet the specified values, they install additional remote sensors of the detection system and re-model the attacks (the process of additional sensors installation is identical to the installation of Frolov D. sensors. Installation and configuration of the traffic counting system Ipcad + Flow-tools + MySQL Electronic resource Access mode: http://system-administrators.info/?p=2613#comment). If the reliability of the measured parameters satisfies the given values, then the VPN damage is calculated.

The values of damage caused by various attacks to the VPN element are determined (the operational readiness coefficient, etc. may be possible damage assessment. Tikhonov BN Technical support of communications. Part 1. Fundamentals of technical operation of communications. Eagle: OVVKUS. 1989. - 139 p. ) Estimate the values of the damage parameters with acceptable VPN functioning values (the criteria for assessing the damage to the communication network are presented in clauses 5.19-5.24; the criteria for assessing damage to the elements of the communication network are presented in clauses 5.49-5.51 GOST-R 53111-2008. "The stability of the functioning of the communication network use. Requirements and verification methods "). If the damage caused exceeds the permissible values, then the rules for filtering network traffic are supplemented and changed. If the values of the damage do not exceed the permissible values, then deploy a VPN, install and configure the sensors of the attack detection system, set the rules for filtering network traffic (ViPNet Office Firewall. Administrator's Guide. Version 3.1 Infotex OJSC. M., 2015, 91 sec. .).

Perform the functioning of the VPN and determine the end of the VPN.

Monitor network traffic, parameters characterizing the conduct of computer and network attacks (for computer attacks - “A New Approach to Information Protection - Computer Threat Detection Systems”, Jet Infosystems corporate magazine No. 4 of 2007, http: //www.jetinfo. com / sta-ti / novyj-podkhod-k-zaschite-informatsii-sistemy-obnaruz-heniya-kompyuternykh. For network attacks ViPNet Office Firewall firewall. Administrator's guide. Version 3.1 Infoteks OJSC. M., 2015, 91 sec. .). Collect statistics on the network traffic of the VPN element and forward the measured values for analysis.

Based on the given criteria, a decision is made to start conducting network and computer attacks. If there are no signs of attack, then continue monitoring the functioning of the VPN, network and computer attacks.

When signs of the onset of a computer or network attack are detected, attack parameters are distinguished (network attack can be used as parameters characterizing the conduct of a computer attack. Based on the selected attack parameters, they decide whether they belong to a network or computer attack class. If a network attack is detected, the effect of a network attack is simulated VPN element (Grechishnikov E.V., Dobryshin M.M. Proposals for assessing the damage caused by DDoS attacks to network resources. Proceedings of the XVI All-Russian Scientific and Practical conferences "Problems of the development and use of air defense systems at the present stage. Air defense systems of Russia and other countries of the world, comparative analysis." Yaroslavl Higher Military School of Air Defense, Yaroslavl. 550 pp. 346-348). Assess possible damage (p. 5.19-5.22 GOST R 53111-2008. Stability of the functioning of the public communication network) caused by a detected network attack, using existing network attack models.

If the values of the damage caused to the VPN element subject to a network attack according to the simulation results satisfy the required values, then continue monitoring network traffic and collect statistics about it.

If the values of the damage caused to the VPN element subject to a network attack according to the simulation results are lower than the required values, reconfigure the VPN according to the available reconfiguration options. The measured network attack parameters are sent for analysis and collection of statistical data.

If a computer attack is detected, the effect of the computer attack on the VPN element is simulated. The possible damage caused by a detected computer attack is assessed using the available models of computer attacks (Klimov S.M., Sychev M.P., Astrakhov A.V. “Experimental assessment of counteraction to computer attacks at a test site.” Electronic educational publication. - M. : MSTU named after N.E.Bauman, 2013 .-- 114 p.). If the values of the damage caused to the VPN element subject to a computer attack according to the simulation results satisfy the required values, then they continue monitoring network traffic and collect statistics about it.

If the values of the damage caused to the VPN element subject to a computer attack according to the simulation results are lower than the required values, the incoming traffic is filtered according to the sequence for the VPN to function in the conditions of the attack. Compare the IP address with the list of “White” IP addresses (ViPNet Office Firewall. Administrator's Guide. Version 3.1 Infotex OJSC. M., 2015, 91 pp.). If the received packets are not received from the list of “White” IP addresses, then they block the connection (ViPNet Office Firewall. Administrator's guide. Version 3.1 Infotex OJSC. M., 2015, 91 pp.). If the received packet is received from the subscriber from the list of “White” IP addresses, then additional identification algorithms are used. Verify the authenticity of subscribers using additional identification algorithms. If, according to the results of the additional identification, the subscriber could not confirm his membership in the VPN, then the connection is blocked.

If, based on the results of additional identification, the subscriber confirms his membership in the VPN, then the process of establishing a connection with the subscriber is carried out or they continue to work with the subscriber if the connection is already established.

Using the model of normal behavior of network traffic, the abnormal behavior of the connection and the presence of signs of computer attacks are controlled by the specified criteria.

If signs of abnormal behavior of the connection and the presence of signs of computer attacks are not detected, continue monitoring until the end of the connection. If signs of abnormal behavior of the connection and / or the presence of signs of computer attacks are detected, the connection is broken.

They analyze statistical data on the parameters of network traffic, network and computer attacks. They process statistical values of the parameters of VPN network traffic operating under normal conditions. The selected attack parameters are compared with similar parameters available in the database.

If the values of the selected parameters differ from the available parameters, statistics on the attack are collected. If the selected parameters do not differ from the existing attack parameters, they evaluate the correctness and number of installed sensors, evaluate the performance of the attack detection and reaction system (Using performance counters for monitoring http://www.osp.ru/win2000/2010/04/13003220/). Based on the given criteria, the fact of the end of the attack is recorded and statistics on the attack are sent.

After assessing the correct placement and number of installed sensors, as well as evaluating the speed of the detection and anti-attack system, a decision is made to supplement the values of the network and computer attack parameters, and the operating system of the detection and anti-attack system is refined.

The analysis of the prior art allowed us to establish that analogues, characterized by sets of features that are identical to all the features of the claimed method, are absent. Therefore, the claimed invention meets the condition of patentability "novelty."

The listed new set of essential features provides an extension of the prototype method’s capabilities by simulating the functioning of the VPN under the conditions of computer and network attacks conducted simultaneously, increasing the security of VPN elements by monitoring the network traffic of subscribers, countering network and computer attacks, as well as assessing the damage caused by network and computer attacks of the attacker to the provided communication services to subscribers.

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed invention from the prototypes showed that they do not follow explicitly from the prior art. From the prior art determined by the applicant, the influence of the provided by the essential features of the claimed invention on the achievement of the specified technical result is not known. Therefore, the claimed invention meets the condition of patentability "inventive step".

The "industrial applicability" of the method is due to the presence of an element base, on the basis of which devices can be made that implement this method with the achievement of the destination specified in the invention.

The claimed method is illustrated by drawings, which show:

figure 1 is a generalized structural and logical sequence of a method for assessing the damage caused by network attacks to virtual private networks;

FIG. 2 - structural and logical sequence of modeling the functioning of the VPN;

FIG. 3 - structural and logical sequence of VPN operation in the conditions of attacks;

FIG. 4 - the structural and logical sequence of collecting statistical data on the normal functioning of the VPN, attack parameters and VPN in the conditions of attacks;

FIG. 5 is a graphical representation of the process of restoring the health of a VPN element;

The claimed method is illustrated by the structural-logical sequence (Fig. 1), where they measure and summarize the statistics of network attack parameters.

In block 1, the network traffic parameters of subscribers of the “White” list of IP addresses are measured. The VPN element functioning parameters are determined at which it is possible to provide the subscriber with the required communication services. Save the measured values of the parameters in memory cells.

In block 2, the parameters of known network attacks are measured. Save the measured values of the parameters in memory cells. Gaining statistics.

In block 3, a sequence of simulating the functioning of the VPN in terms of conducting computer and network attacks is performed (Fig. 2).

In block 3.1, the maximum deviations from the statistical values of the measured parameters are set and the values of the parameters of possible abnormal behavior of subscribers from the "White" list of IP addresses are described.

In block 3.2, physical models of the normal behavior of subscribers and VPN elements are created. Save models to the database.

In block 3.3, physical models of computer and network attacks are created. Store attack models in the database.

In block 3.4, “White” lists of IP-addresses of subscribers of this network are defined and supplemented.

In block 3.5, the rules for filtering network traffic are determined or supplemented based on behavioral criteria, including an analysis of the measured attack parameters. VPN reconfiguration options are being developed.

In block 3.6, physical models of the system for detecting attacks and placing sensors of this system are created. Save models to the database.

In block 3.7, the sensors of the attack detection system are placed, the required reliability values for measuring parameters of computer and network attacks are determined, and the required values are determined by the speed of the attack detection system.

In block 3.8, they simulate the simultaneous effect of several different computer and network attacks on one of the VPN elements with different loading of network traffic by VPN subscribers.

In block 3.9, the values of the parameters of the simulated attacks received from the sensors of the detection system are processed, the values of the controlled parameters and the speed of the detection system are measured.

In block 3.10, the reliability of detecting computer and network attacks, as well as the speed of attack detection, are evaluated.

If the reliability of the measured parameters or the speed of the attack detection system does not meet the specified values, in block 3.11, additional remote sensors of the detection system are installed and re-simulate the attacks in block 3.8.

If the reliability of the measured parameters satisfies the given values, then the VPN damage is calculated.

In block 3.12, the values of damage caused by various attacks to the VPN element are determined.

In block 3.13, the values of the damage parameters are evaluated with acceptable VPN functioning values.

If the values of the damage caused exceed the permissible values, then in block 3.5 the rules for filtering network traffic are supplemented and changed.

If the values of the damage done do not exceed the permissible values, then in block 4, deploy a VPN, place and configure the sensors of the attack detection system, and establish rules for filtering network traffic.

In block 5, the functioning of the VPN.

In block 6, the VPN shutdown time is determined.

Block 7 monitors network traffic, parameters characterizing the conduct of computer and network attacks. Collect statistics on the network traffic of the VPN element and send the measured values to block 17 for analysis.

In block 8, on the basis of the given criteria, a decision is made to start conducting network and computer attacks.

If there are no signs of attack, then continue monitoring the functioning of the VPN, network and computer attacks.

If signs of the onset of a computer or network attack are detected in block 9, the parameters of the attack are isolated and controlled.

In block 10, based on the selected attack parameters, a decision is made whether they belong to network or computer attack classes.

If a network attack is detected, in block 11 the effect of the network attack on the VPN element is simulated.

In block 12, the possible damage caused by the identified network attack is evaluated using existing network attack models.

If the values of the damage caused to the VPN element subject to a network attack, according to the simulation results, satisfy the required values, then in block 7 they continue monitoring the network traffic and collect statistics about it.

If the values of the damage to the VPN element that is subject to a network attack according to the simulation results are lower than the required values, in block 13 reconfigure the VPN according to the available reconfiguration options. The measured network attack parameters are sent to block 17 for analysis and collection of statistical data.

If a computer attack is detected in block 10, the effect of the computer attack on the VPN element is modeled in block 14.

In block 15, the possible damage caused by the detected computer attack is evaluated using the available computer attack models.

If the values of the damage caused to the VPN element subject to a computer attack according to the simulation results satisfy the required values, then in block 7 they continue monitoring network traffic and collect statistics about it.

If the values of the damage to the VPN element subject to a computer attack according to the simulation results are lower than the required values, in block 16 the incoming traffic is filtered according to the sequence for the VPN to function in the conditions of the attack (Fig. 3).

In block 16.1, the IP address is compared with the list of White IP addresses.

If the received packets are not received from the list of “White” IP addresses, then in block 16.6 the connection is blocked.

If the received packet is received from the subscriber from the list of “White” IP addresses, then in block 16.2 additional identification algorithms are used.

In block 16.3, the authenticity of subscribers is verified using additional identification algorithms.

If, based on the results of the additional identification, the subscriber could not confirm his belonging to the VPN, then in block 16.6 the connection is blocked.

If, based on the results of additional identification, the subscriber confirms his membership in the VPN, then in block 16.4 the process of establishing a connection with the subscriber is carried out or continue to work with the subscriber if the connection is already established.

In block 16.5, using the model of normal behavior of network traffic according to the specified criteria, the abnormal behavior of the connection, the presence of signs of computer attacks are controlled.

If signs of abnormal behavior of the connection and the presence of signs of computer attacks are not detected, continue monitoring until the end of the connection.

If signs of abnormal behavior of the connection or the presence of signs of computer attacks are detected, then in block 16.6 the connection is blocked.

In block 17, statistics are collected and analyzed on the parameters of the normal functioning of the VPN, the parameters of the attacks and the VPN susceptible to attack (Fig. 4).

In block 17.1, the statistical values of the parameters of the VPN network traffic operating under normal conditions are processed.

In block 17.2, the selected attack parameters are compared with similar parameters available in the database.

If the selected parameters differ from the available parameters, in block 17.3 the statistics on the attack are collected.

If the selected parameters do not differ from the existing attack parameters, in block 17.5, the correctness and number of installed sensors and the speed of the detection and reaction system are evaluated.

In block 17.4, based on the specified criteria, the fact of the end of the attack is recorded and statistics on the attack are sent to block 17.5.

In block 17.5, after evaluating the correct placement and number of installed sensors, as well as evaluating the speed of the attack detection and reaction system, a decision is made to add the parameters of network or computer attacks in block 2, and the functioning of the detection and reaction system will be refined.

The stated objective of the invention is confirmed by the presented calculation of the claimed method.

Evaluation of the effectiveness of the claimed method was carried out as follows.

The process of restoring the operability of a VPN element subject to network or computer attacks is described in well-known sources (Fig. 5) (clause 4.1, p. 168 General principles for constructing a monitoring system. VV Velichko Models and methods for increasing the survivability of modern communication systems. Hot line - Telecom p. 270 - 2014), which consists of:

where t _bp is the recovery time of the VPN element;

t _obn - time to detect signs of network or computer attacks;

t _pr.sost - time to predict the damage caused by an identified attack;

t _pr.res - the time required to make a decision on how to counter the attack;

t _vs. - time required by the network administrator to eliminate threats of the virtual private network;

t _{eastern connection} - time required to restore the connection (synchronization of equipment, operating system, applications, etc.).

Based on the features of the developed method, it is obvious that the time to detect signs of conducting a network or computer attack (t _detection ), the time required to make a decision on how to counteract the attack (t _solution ), as well as the time required by the network administrator to eliminate VPN threats ( t _against ) are equal to the same parameters as the prototype method. _Due to the insignificant values, as well as the fact that it occurs during the attack, it is possible to neglect the time of predicting the damage caused by an identified attack (t _av.sost ) and neglect it when evaluating effectiveness.

Using prediction of possible damage and assessing its impact on the services provided contributes to timely decision making and timely reconfiguration of the VPN and leads to the fact that the reconfiguration process is carried out in advance and the time required to restore the connection (t _{eastern connection} ) is not required.

An analysis of the features of the functioning of network attacks shows that the duration of the attacks can be equivalent to a disconnection of the VPN (Kaspersky Lab: DDoS attacks in the third quarter of 2015. Statistics of DDoS attacks using botnets in the first quarter of 2015). According to statistics from well-known companies involved in protecting against network and computer attacks, the average time required to reconnect (t _connection ) is from 30 minutes to 4 hours (Kaspersky Lab: DDoS attacks in the third quarter of 2015. DDoS statistics botnet attacks in the first quarter of 2015. Qrator Labs: The number of DDoS attacks increased in Runet in 2015. A study of DDoS attacks and vulnerabilities in web applications in the first half of 2015). This is a gain in evaluating the effectiveness of the proposed method.

Based on this, it follows that the claimed method for modeling the assessment of damage caused by network VPN attacks provides increased security for VPN elements by assessing the likely damage caused to the VPN element and proactive VPN reconfiguration.

Claims (1)

A method for modeling the assessment of damage caused by network and computer attacks to virtual private networks, which consists in the fact that the communication system, including N structural elements and the connections between them, where n = 1, 2 ... N, is deployed in a working state, the destabilizing effects on it are recorded structural elements, according to the received data form a simulation model of a communication system, model destabilizing effects on it, according to the simulation results reconfigure the simulation model of a communication system and calculate the probability of the disruption of its functioning from destabilizing influences, when the system functions under exogenous destructive influences, the number of influences m _n on the nth element of the communication system is also counted and stored, the number N _{in the} elements of the communication system subjected to destructive external influences, and the simulation model is formed by the received data, reconfigure it after each exposure, compare the calculated value of the reliability of opening the structure of the communication system by the acting party with With a predetermined threshold level of confidence, when the value of calculated reliability is higher than the threshold, a real-life communication network is preliminarily reconfigured, characterized in that it measures the network traffic parameters of the White List of IP addresses, determines the functioning parameters of the virtual private network element, at which it is possible to provide the subscriber the communication services they require, store the measured values of the parameters in memory cells, set the maximum values of the deviation from statistical values, and measured parameters and describe the values of normal behavior parameters of subscribers from the White List of IP addresses, create physical models of normal behavior of subscribers of a virtual private network, computer and network attacks, attack detection systems, save models in a database, determine locations and place sensors of a detection system attacks, determine the required values according to the speed of the attack detection system, set and supplement the “White” lists of IP addresses of virtual private network subscribers, determine or supplement the rules for filtering network traffic, based on behavioral criteria, including analysis of measured attack parameters, develop options for reconfiguring a virtual private network, simulate the simultaneous effects of several different computer and network attacks of a virtual private network element with different loading of network traffic by virtual private network subscribers, measure the performance of the detection system, evaluate the speed of the attack detection system, install additional remote sensors of the system detection, calculate the damage caused to the virtual private network, evaluate the values of the parameters of the damage with acceptable values of the functioning of the virtual private network, add and change the rules for filtering network traffic, configure the sensors of the attack detection system, set the rules for filtering network traffic, monitor network traffic, parameters characterizing conducting computer and network attacks, collect statistics on network traffic of a virtual private network element, on Based on the specified criteria, they decide to start conducting network and computer attacks, select attack parameters, based on the selected attack parameters make a decision on whether they belong to network or computer attack classes, assess the possible damage caused by the detected network or computer attack, measure the network attack parameters and send them to analyze and collect statistical data, compare the IP address with the list of “White” IP addresses, block illegitimate connections, use additional algorithms for identifying locations, analyze statistical data on network traffic parameters, network and computer attacks, according to the results of detection and counteraction to attacks, evaluate the correctness and number of installed sensors, the speed of the detection and reaction system, supplement filtering rules and options for reconfiguring a virtual private network, supplement the values of network and computer attacks.

Images