RU2682108C1 - Method of using options of countermeasure of network and stream computer intelligence and network attacks and system therefor - Google Patents

Abstract

FIELD: computer equipment.SUBSTANCE: invention relates to the computer equipment. Method comprises increasing the protection of communication network nodes from network attacks (NA) by increasing the effectiveness of existing solutions for applying existing methods of countermeasure against NA, assessment of activation time and weakening abilities of the available options for protection from NA, as well as dynamic prediction of the communication network node state taking into account the provision of a different number of communication services to various categories of subscribers under conditions of countermeasure against NA, achieved by introducing parameters of NA into the prediction unit system, distributed monitoring system control unit, unit for prediction of the communication network element state under conditions of NA, unit for simulation of joint use of methods and countermeasures.EFFECT: technical result is the increased protection of communication network nodes from network and stream computer intelligence.2 cl, 5 dwg, 14 tbl

Description

The invention relates to systems for detecting and counteracting information and technical influences, namely counteracting technical computer intelligence and DDoS attacks.

A communication service is understood as a product of the activity on the reception, processing, transmission and delivery of mail items or telecommunication messages (Federal Law of 16.02.95 N 15-ФЗ, Art.2).

Network computer intelligence refers to the receipt and processing of data about a client’s information system, information system resources, used devices and software and their vulnerabilities, security features, and also about the penetration into the information system (Zapechnikov S.V. Miloslavskaya N.G., Tolstoy A. I., Ushakov D. V. Information Security of Open Systems, 2 vol. Volume 1. Threats, vulnerabilities, attacks and approaches to protection, Moscow: Hot Line - Telecom, 2006. - 536 p.) .

Stream computer intelligence - intelligence that provides information and data by intercepting, processing and analyzing network traffic (communication systems) and identifying computer network structures and their technical parameters (Varlamov O. O. "Protection of personal data and analysis of ten types of technical computer intelligence" , Actual problems of information technology security: a collection of materials of the III international scientific and practical conference, Under the general editorship of O. N. Zhdanov, V. V. Zolotarev, Siberian State Aerospace matic University).

Information and technical impact (ITV) - the application of methods and means of information impact on the information and technical facilities of the country, on the equipment and weapons of the opponent in the interests of achieving the goals. In this invention, ITV refers to a combination of computer intelligence and network attacks.

Attack - an attempt to destroy, disclose, modify, block, steal, gain unauthorized access to an asset or its unauthorized use (GOST R ISO / IEC 27000-2012).

An asset is defined as “anything that has value to the organization” (GOST R ISO / IEC 27000-2012).

Computer intelligence is an activity aimed at obtaining information from electronic computer databases included in open-type computer networks, as well as information about the features of their construction and functioning. The purpose of computer intelligence is to obtain information about the subject, end results, forms and methods of activity of entities that are users of the information and computer network, and the used hardware and software, control and information interaction protocols and the means and methods of information protection used (https: // studopedia .su / 10_119257_kompyuternaya-razvedka.html).

A DDoS attack refers to a distributed denial of service attack, which is one of the most common and dangerous network attacks. As a result of the attack, the service of legitimate users, networks, systems and other resources is violated or completely blocked (http://www.securitylab.ru/news/tags/DDoS/).

Damage refers to the ratio of failed communication network elements to the total number of network elements (paragraph 5.19 GOST
P 53111-2008. Sustainability of the functioning of the public communication network).

Network traffic sensors are devices that provide analysis of network interactions, attack signatures, attack models, and a number of other functions (the Cisco IPS 4300 series may be one of the possible sensors used).

Network traffic - the amount of information transmitted through a computer network over a certain period of time via IP packets. (A. Vinokurov Principles of organizing IP traffic accounting. Electronic resource. Access mode: http://habrahabr.ru/post/136844).

A known method for diagnosing communication means of telecommunication systems (RF patent No. 2345492 C2, H04B 17/00 (2006/01). Published January 27, 2009 Bull. No. 3), which consists in the fact that among the parameters of a complex technical object, individual parameters are distinguished that are signs of its technical condition, compare them with the reference signs of the original alphabet of state classes and, based on the results of comparison, determine the group of classes of the possible technical state of the diagnosed object, in which they determine the sign with the maximum Gnostic value, for all state signs of the selected group, signals are repeatedly measured and the communication intensity indicator is determined - the empirical correlation ratio of the signal value with the maximum diagnostic value to the signal values of the remaining state signs, the average values of the empirical correlation ratio for each class are calculated and the class in the selected group of classes is determined states with the maximum average value of the empirical correlation ratio, which is I am the actual class of state, it is introduced that the entire set of both internal parameters and output parameters that determine the technical condition of telecommunication systems communications is reduced by identifying a strong correlation separately between internal parameters, separately between output parameters of telecommunications systems, the specified reliability of the control of the technical condition, taking into account the dynamics of changes in the selected controlled parameters, predict predotkazovogo time of occurrence of the state of communications telecommunication systems.

The closest in technical essence and performed functions analogue (prototype) to the claimed one is the method implemented in the invention "Method for monitoring communication networks in the conditions of network intelligence and information and technical effects (RF patent No. 2612275, H04B 17/00 (2015.01), published: March 6, 2017, Bulletin No. 7). The indicated method consists in the fact that among the parameters of the communication network (SS), network intelligence (SR) and information and technical influences (ITV), individual parameters are distinguished that are signs of the technical condition of the SS, tests of SR and ITV, compare the values of the selected parameters with the reference features of the initial alphabet of state classes and, according to the results of comparison, determine the group of classes of the possible state in the conditions of conducting SR and ITV, reduce the number of controlled state parameters of the SS in the conditions of conducting SR and ITV by identifying a strong correlation between the parameters of the technical condition of the SS, between the parameters of SR and ITV, control the parameters of the SS, SR and ITV, taking into account the dynamics of changes in the allocated controlled the parameters carry out prediction of the time of the onset of the critical (pre-failure) state of the SS, characterized in that they additionally measure the parameters of operational failures and failures on the same functioning communication networks, measure the parameters of SR and ITV on the same functioning communication networks, store the measured values in the data storage unit, enter the measured the values in the data processing unit form the physical model of the SS taking into account operational failures and failures, based on the topology of the created SS, determine the The location of monitoring points for monitored parameters of SS, SR and ITV, form a physical model of a distributed monitoring system (RSM) of the technical condition of the SS, reduce the number of monitoring points of RSM in the conditions of SR and ITV by identifying a strong correlation between the values of the parameters of the technical state of the SS in monitoring points in the conditions of operational failures and failures and the parameters of SR and ITV, for a given reliability of the control of the technical condition, control the parameters C C, SR and ITV for cases of normal operation of the SS, cases of operational failures and failures, maintaining SR, ITV, change the number of monitoring points for normal operation, form physical models of the SR and ITV of the attacker, simulate the functioning of the SS and PCM in the conditions of operational failures and failures, conducting SR and ITV, calculate and evaluate the reliability of the measured PCM parameters, change the number and location of monitoring points, calculate the performance parameters of a distributed monitoring system to detect operational failures and malfunctions, as well as the facts of managing the SR and ITV, develop measures to counteract the SR and ITV, implement the deployment and operation of the communication network, deploy and operate the PCM for normal operating conditions of the SS, establish connections with the PCM of the provider of the communication service and other independent ITV detection systems, during the operation of the SS, they monitor the technical state of the SS, the parameters of the SR and ITV, if operation is detected In the event of failures and failures, measures are taken to reconfigure the communication network and eliminate the causes of the failure, when recording the fact of the SR management, include all monitoring points and increase the number of monitored SR and ITV parameters, based on the available statistical data, the SR and ITV parameters are predicted, as well as the SS parameters in conditions of ITV, when fixing the fact of ITV management reconfigure the PCM by reducing the monitored parameters and turning off some monitoring points, based on the data received from the PCM on the ITV parameters and forecast the measured values of the SS are carried out by a set of measures to counteract ITV, on the basis of the specified criteria, the fact of ITV termination is recorded, at the end of the impact, the measured ITV parameters and the parameter values obtained from independent third-party monitoring systems are compared, the reliability of the measured PCM parameters, the PCM speed to detect operational failures and failures , detecting the actions of SR and ITV, on the basis of the calculations of the reliability and speed of the PCM evaluate the correctness of the dot to monitoring and controlled parameters, when deviating deviations in the reliability and speed of PCM from the required values, the number of controlled parameters is changed and PCM is reconfigured.

A known system for making decisions (RF patent No. 2216043, G06N 1/00, 2000) containing a data processing device including a data processing control device, a synthesis device for a virtual working version of the system and a device for selecting the optimal solution, interconnected, a storage device data, including a database management device connected to a data processing management device, a database that stores a list of types of problems corresponding to each type of mathematical problem models for calculating the values of parameters describing the problem, and a database that stores data corresponding to the accumulated examples of problems being solved, a visualization device and an input-output device for inputting the initial data and outputting the results, interconnected with the processing control device data of the data processing device and with the database management device of the data storage device

The closest in technical essence and performed functions analogue (prototype) to the claimed one is the system implemented in the invention "Method for developing solutions to the problems of development of an automated control system (ACS) and its system implementing" (RF patent No. 2487409, G06N 99/00 (2010.01) , published: 3 July 10, 2013 Bull. No. 19). The system comprises a data processing device including a data processing control device, a virtual working version of the system synthesis device and an optimal solution selection device interconnected, a data storage device including a database management device connected to a data processing control device, a database data types of problems and mathematical models and a database of examples of problem solving, visualization device and input-output device for inputting initial data of output and output results, interconnected with a data processing control device and with a database management device, a database of parameters of the ACS development level and a database of general mathematical methods for solving problems connected to a database management device are entered into the data storage device, and into the device a data processing device has been introduced a device for comparing ACS parameters and a device for ranking problems in the development of ACS connected to each other and to a data processing control device.

The technical problem is the low security of SS nodes from network and streaming computer intelligence (M&R KR), due to the low efficiency of existing solutions for masking SS nodes in the ESE, the low security of SS nodes from network attacks (SA), due to the low efficiency of existing solutions on the application of existing methods of counteracting CA, caused by the lack of an assessment of the activation time and the weakening abilities of the available options for counteracting CA, as well as the lack of dynamic prediction of the state of the network communication, taking into account the provision of a different number of communication services to various categories of subscribers in the context of counteraction with CA.

The solution to these technical problems is to create a way to effectively use the options for counteracting network and streaming computer intelligence and network attacks and implementing it, providing the following technical result: increasing the security of SS nodes from M & A KR, by increasing the efficiency of the process of masking SS nodes in the ESE, achieved introducing into the system a block of a group of RSM sensors a control of the state of a communication network element, an identification and classification block of an SA, an activation Rianta counter CA, activation control unit CA for this counter, block optimization of controllable parameters; increasing the security of the SS nodes from the CA by increasing the effectiveness of existing solutions for using existing methods of counteracting the CA, evaluating the activation time and weakening abilities of the available options for countering the CA, as well as dynamically predicting the state of the node of the communication network taking into account the provision of a different number of communication services to various categories of subscribers under conditions of counteraction of CA, achieved by introducing into the system a block of forecasting parameters of CA, PCM control unit, block predicted the state of the element of the communication network in the conditions of the CA, the modeling block of the joint application of methods and options for counteraction.

The technical problem is solved by the fact that in the method of effectively using the options for countering network and streaming computer intelligence and network attacks and the system that implements it, the following sequence of actions is performed:

1. A method for the effective use of options for countering network and streaming computer intelligence and network attacks and its system that consists in the fact that among the parameters of the communication network, network and streaming computer intelligence and network attacks, individual parameters are distinguished that are signs of the technical state of the communication network network and streaming computer intelligence and network attacks, compare the values of the selected parameters with the reference features of the original alphabet of state classes and by the result comparisons define a group of classes of a possible state in the conditions of network and streaming computer intelligence and network attacks, reduce the number of monitored parameters of the state of the communication network in the conditions of network and streaming computer intelligence and network attacks by identifying a strong correlation between the parameters of the technical state of the communication network, between network and streaming computer intelligence and network attacks, monitor the parameters of the communication network, network and streaming computer intelligence and network attacks, taking into account the dynamics of changes in the identified controlled parameters, they forecast the time of the critical (pre-failure) state of the communication network, measure the parameters of operational failures and failures on the same functioning communication networks, measure the parameters of network and streaming computer intelligence and network attacks on the same functioning communication networks, store the measured values in the data storage unit, enter the measured values into the data processing unit, based on the topology the created communication network, determine the possible locations of monitoring points for monitoring parameters of the communication network, network and streaming computer intelligence and network attacks, form a model of a distributed monitoring system for the technical condition of the communication network, reduce the number of monitoring points of a distributed monitoring system in the conditions of network and streaming computer intelligence and network attacks by identifying a strong correlation between the values of the parameters of the technical state of the communication network at monitoring in conditions of operational failures and failures and the parameters of network and streaming computer intelligence and network attacks, for a given reliability of monitoring the technical condition, monitor the parameters of the communication network, network and streaming computer intelligence and network attacks for cases of normal functioning of the communication network, change the number of monitoring points for normal functioning, form physical models of network and streaming computer intelligence and network attacks of the attacker, model the functions positioning a communication network and a distributed monitoring system in the conditions of operational failures and failures, conducting network and streaming computer intelligence and network attacks, calculate and evaluate the reliability of the measured parameters of a distributed monitoring system, change the number and location of monitoring points, calculate the performance parameters of a distributed monitoring system for detection operational failures and failures, as well as the facts of conducting network and streaming computer intelligence and network attacks, ra work on measures to counteract network and streaming computer intelligence and network attacks, deploy and operate a communication network, deploy and operate a distributed monitoring system for normal conditions of functioning of a communication network, establish connections with monitoring systems of the provider of the communication service and other independent network attack detection systems , during the operation of the communication network, monitoring the parameters of the network and streaming computer intelligence and network attacks, while fixing the fact of network and streaming computer intelligence, they include all monitoring points and increase the number of monitored parameters of network and streaming computer intelligence and network attacks, based on the available statistics, network and streaming computer intelligence and network attacks are predicted, and Also, the parameters of the communication network in the conditions of conducting network attacks, when fixing the fact of conducting a network attack, reconfigure the distributed monitoring system by abridging To monitor the controlled parameters and disable some monitoring points, on the basis of data received from the distributed monitoring system on the parameters of the network attack and the predicted values of the communication network, a set of measures is taken to counteract network attacks, at the end of the impact, the measured parameters of the network attack and the parameter values obtained from independent third-party systems are compared monitoring

characterized in that after selecting parameters that are signs of the technical condition of the communication network, conducting network and streaming computer intelligence and network attacks, form the models of the communication network node with a security system that takes into account ways to counter network attacks, taking into account the different number of subscribers who are provided with a different number of services communication.

They simulate network attacks on a communication network node taking into account the protection system, measure the activation time of countermeasures; measure the attenuating abilities of countermeasures, save the results.

After reducing the number of monitoring points of a distributed monitoring system in the context of network and streaming computer intelligence and network attacks by identifying a strong correlation between the values of the parameters of the technical state of the communication network at the monitoring points in the conditions of operational failures and failures and the parameters of the network and streaming computer intelligence and network attacks, conduct the selection of a Unified Telecommunication Network node for tuning.

Adjust the communication network node.

After developing measures to counteract network and streaming computer intelligence and network attacks, a set of measures is developed taking into account the time of activation and attenuation of the strength of a network attack by the capabilities of the protection system; while monitoring the parameters of network and streaming computer intelligence and network attacks, monitor changes in the parameters of the communication network node.

Optimize the parameters of the communication network node in excess of the specified values.

After fixing the facts of maintaining the M & A of the Kyrgyz Republic or the CA, based on the available signs, an attacker is identified.

When fixing the fact of conducting network and streaming computer intelligence, they include all monitoring points and increase the number of monitored parameters of network and streaming computer intelligence and network attacks, based on the available statistical data, the parameters of network and streaming computer intelligence and network attacks are predicted, as well as the parameters of the communication network in the conditions of conducting network attacks, while fixing the fact of conducting a network attack, reconfigure the distributed monitoring system by reducing the monitored parameters and disable some monitoring points and then evaluate the capabilities of the attacker.

At the end of the exposure, the actual values of the protection system are compared with the set values. If the specified values are exceeded, changes are made to the source data.

The technical problem is solved due to the fact that in the system of effective use of options for countering network and streaming computer intelligence and network attacks, including a visualization device connected to a data processing control device and a database management device, an input-output device for input data connected to a database management device , a data processing device including a data processing control device connected to a device for ranking development problems and by means of comparison of the parameters of the communication network connected to the device and the synthesis device of the virtual working version of the system connected to the device for selecting the optimal solution, a data storage device including a database management device connected to a data processing control device and a database of problem solving examples, a database types of problems and mathematical models, a database of development equation parameters, a database of general mathematical methods for solving problems, add In particular, a device for modeling (predicting) the state of a communication network node consisting of a unit for predicting the parameters of information and technical effects connected to a device for ranking development problems, a device for comparing communication network parameters and a unit for predicting the state of a communication network node under conditions of information and technical effects with a device for comparing communication network parameters and an optimization unit of controlled parameters connected to devices m comparing the parameters of the communication network and the simulation unit for the joint application of methods and countermeasures connected to the device for comparing the parameters of the communication network, a control device for a distributed monitoring system consisting of a group of sensors of a distributed monitoring system receiving information flows characterizing the technical condition of the communication network node and network attacks and connected to control unit of a distributed monitoring system connected to a visualization device, device m for managing databases and an identification and classification block for information and technical actions; a device for controlling methods and options for counteracting information and technical actions consisting of a group of activation blocks for counteracting information and technical actions connected to a control unit for activating methods and options for counteracting connected to a distributed control unit has been introduced monitoring system and device for choosing the best solution.

The listed new set of essential features provides an increase in the security of the SS nodes from the CA, due to the dynamic prediction of the state of the communication network node in the conditions of counteraction of the CA and the use of methods and variants of counteraction of the CA; increase the speed of the data processing process characterizing the state of the communication network; increase the speed of the decision-making process of choosing methods and options for counteracting CA and their activation.

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed invention from the prototypes showed that they do not follow explicitly from the prior art. From the prior art determined by the applicant, the influence of the provided by the essential features of the claimed invention on the achievement of the specified technical result is not known. Therefore, the claimed invention meets the condition of patentability "inventive step".

"Industrial applicability" of the developed method and its implementing system is due to the presence of the element base, on the basis of which devices can be made that implement this method to achieve the destination specified in the invention. The developed system may be implemented on the basis of programmable logic integrated circuits (FPGAs) (VB Steshenko. School of circuit design of signal processing devices. Lesson 7. Implementation of computing devices on FPGAs. Electronic resource: kit-e.ru/articles/ circuit /2001_01_74.php). Based on the analysis of the amount of processed information from the sensors, the required reaction rate of the system to changes in state, it is advisable to use the DE1-SOC FPGA (manufacturer Technologies LLC (USA) (Terasic). When implementing block 16. (PCM sensor group monitoring the state of the communication network node) PAC Forpost 200MD network sensors can be used (RNT Company (Russia)).

The claimed method and its implementing system is illustrated by figures, which show:

FIG. 1 - Generalized structural and logical sequence of the method of effective use of options for countering network and streaming computer intelligence and network attacks;

FIG. 2 - Structural and logical sequence of modeling the functioning of PCM;

FIG. 3 - Structural and logical sequence of the difficulty of maintaining M & A KR;

FIG. 4 - The structural and logical sequence of evaluating the effectiveness of the developed options and methods for counteracting M & A KR and SA;

FIG. 5 - Functional diagram of a system that implements a device for the effective use of countermeasures of M & A of the Kyrgyz Republic and the CA;

) (предоставляемая оператором технология, связность сети, предоставляемая оператором полоса пропускания, шифрование пользовательского потока данных, используемые в сети пользователя адреса 3 уровня, используемые в сети пользователя протоколы маршрутизации, состояние 123/UDP (NTP) порта на граничном маршрутизаторе пользователя, состояние 22/TCP (SSH) и 23/TCP (Telnet) портов на граничном маршрутизаторе пользователя, операционная система на граничном маршрутизаторе пользователя, операционная система серверного оборудования пользователя) где n – номер функционирующей сети связи, i – номер узла функционирующей сети связи, p – номер параметра узла сети связи; измеряют значения параметров средств СиП КР злоумышленника (

) и DDoS-атак (

), где m- значение параметра характеризующие средства вскрытия (воздействия) на сети связи, j- порядковый номер присвоенный злоумышленнику. Осуществляют анализ измеренных параметров, идентифицируют оборудование функционирующих сетей связи в указанном сегменте ЕСЭ и злоумышленника. Осуществляют создание базы данных измеренных параметров (

,

,

) и записывают их в блоке хранения данных. Ранжируют измеренные параметры существующих сетей связи. Производят выбор из перечня параметров наиболее значимых. The claimed method is illustrated by the structural-logical sequence (Fig. 1), where in block 1, in advance of the deployment of the created communication network, the values of the parameters of the communication network and the SS nodes operating in the specified ESE segment are measured (

) (technology provided by the operator, network connectivity, bandwidth provided by the operator, user data stream encryption, level 3 addresses used on the user's network, routing protocols used on the user's network, 123 / UDP (NTP) port state on the user's border router, state 22 / TCP (SSH) and 23 / TCP (Telnet) ports on the user's border router, operating system on the user's border router, operating system of the user's server equipment) where n is the number unktsioniruyuschey communication network, i - node operating telecommunications number, p - node number of the parameter communication network; measure the values of the parameters of the means of M & A KR of an attacker (

) and DDoS attacks (

), where m is the value of the parameter characterizing the means of opening (impact) on the communication network, j is the serial number assigned to the attacker. They analyze the measured parameters, identify the equipment of functioning communication networks in the specified segment of the ESE and the attacker. Create a database of measured parameters (

,

,

) and write them in the data storage unit. Rank the measured parameters of existing communication networks. Make a selection from the list of parameters of the most significant.

) и параметры распределенной системы мониторинга (РСМ) (

) где e – номер элемента РСМ, r – номер комбинации измеряемых параметров.In block 2 enter the values of the technical parameters characterizing the created communication network and the elements included in this network (

) and the parameters of a distributed monitoring system (PCM) (

) where e is the number of the PCM element, r is the combination number of the measured parameters.

) и подавлению (

) сети связи. Определяют критерии оценки параметров функционирования узла сети связи с учетом предоставления различных услуг связи различному количеству абонентов, сети связи в целом, в условиях ведения СиП КР и DDoS-атак. Моделируют совместное функционирование разработанных моделей. Сохраняют измеренные значения и критерии в блоке хранения данных.In block 3, models are created for the functioning of the communication network with the protection system, taking into account various ways of counteracting the CA; models of functioning of SS nodes in the context of the provision of various communication services to a different number of subscribers; model of the j-th attacker's autopsy

) and suppression (

) communication networks. Criteria for assessing the functioning parameters of the communication network node are determined, taking into account the provision of various communication services to a different number of subscribers, the communication network as a whole, in the context of M&R KR and DDoS attacks. Model the joint functioning of the developed models. Save the measured values and criteria in the data storage unit.

In block 4, the activation time of the methods of counteracting CA is measured
(https://www.securitylab.ru/analytics/442099.php, RF patent No. 2636640 C2, published November 27, 2017 Bull. No. 33) their weakening ability (Grechishnikov E.V., Dobryshin M.M., "Assessment the ability of a virtual private network node to provide communication services in the context of counteraction and DDoS attacks ", Military Academy of Communications named after Marshal of the Soviet Union S. Budyonny, scientific-practical conference" Problems of technical support of troops in modern conditions)). Save the measured values in the data storage unit.

In block 5, combinations of the measured parameters are determined by the PCM points, the number of functioning monitoring points under normal conditions, and the identification of signs of the monitoring and control system of the CR and SA. The sequence of actions is presented in figure 2 and consists in the fact that in block 5.1, based on the topology of the communication network being created, as well as on the basis of statistics on the actions of the attacker to conduct reconnaissance and suppression of the communication network, possible locations of monitoring points for monitoring parameters of the communication network are determined , M & A KR and DDoS attacks. Form a physical model of the PCM communication network.

). Сохраняют значения параметров сети связи в условиях предоставления различных услуг связи различному количеству абонентов, а так же ведения СиП КР и DDoS-атак.In block 5.2, the functioning of the communication network, RSM, M & A KR and DDoS attacks is modeled. Measure the performance of the PCM communication network (

) They preserve the values of the communication network parameters in the context of the provision of various communication services to a different number of subscribers, as well as conducting M & A KR and DDoS attacks.

.In block 5.3, on the basis of statistical data, a database of reference features of the original alphabet of the classes of states of the communication network is created

.

Next, in block 5.4, the values of the selected parameters are compared with the reference values of the attributes of the initial alphabet of state classes and the group of classes of the possible state of the communication network is determined by the results of the comparison under the conditions of providing various communication services to a different number of subscribers when conducting M & A KR and DDoS attacks.

(1)

(one)

) при ведении СиП КР и DDoS-атак (для нормального закона распределения наблюдаемых параметров данную зависимость можно определить в соответствии с выражением (Гмурман В.Е. Теория вероятностей и математическая статистика: Учеб. пособие для вузов. - 8-е изд., стер. - М.: Высшая школа., 2002. - 479 с)) согласно формулы:In block 5.5, correlation relationships between the state parameters of the communication network (

) in the conduct of S&P KR and DDoS attacks (for the normal law of distribution of the observed parameters, this dependence can be determined in accordance with the expression (Gmurman V.E. Probability theory and mathematical statistics: Textbook for universities. - 8th ed., erased . - M .: Higher school., 2002. - 479 c)) according to the formula:

(2)

(2)

,

- математическое ожидание параметров

,

- среднеквадратическое отклонение параметров

;

- объем выборки параметров

.Where

,

- mathematical expectation of parameters

,

- standard deviation of the parameters

;

- parameter sample size

.

If the distribution law of the observed parameters is unknown, it is advisable to use communication characteristics that are free of the type of distribution. In particular, one of these characteristics is Spearman's rank correlation coefficient (Statistical Methods for Processing Observation Results: A Textbook for High Schools. Edited by Prof. Yusupov, Doctor of Technical Sciences, USSR Ministry of Defense, 1984. - 687 p.).

According to the values of the correlation coefficients at a given level of confidence to the sample sizes, the significance of the relationship between the internal parameters is determined, the closer the value of the correlation coefficient to ± 1, the closer this relationship is to the linear functional (Belko I.V., Svirid G.P. Probability theory and mathematical statistics, Examples and tasks: Textbook, Edited by KK Kuzmich - 2nd ed., Sr. - Mn .: New knowledge, 2004. - 251 s).

In block 5.6, based on the revealed correlation between the monitored parameters of the state of the communication network, S&P KR and DDoS attacks, the number of monitored parameters is reduced. With a negative outcome of this operation, it is believed that the parameters are independent. Reducing the parameters that are in functional dependence, avoids the redundancy of the statistical information contained in them, thereby increasing the speed of the PCM communication network.

) (для нормального закона распределения наблюдаемых параметров данную зависимость можно определить в соответствии с выражением (Гмурман В.Е. Теория вероятностей и математическая статистика: Учеб. пособие для вузов. - 8-е изд., стер. - М.: Высшая школа., 2002. - 479 с)) согласно формулы:In block 5.7, correlation relationships between the values of the parameters of the state of the communication network when conducting M&R KR and DDoS attacks at various monitoring points are determined (

) (for the normal law of distribution of the observed parameters, this dependence can be determined in accordance with the expression (Gmurman V.E. Probability theory and mathematical statistics: Textbook. manual for universities. - 8th ed., Sr. - M .: Higher school. , 2002. - 479 c)) according to the formula:

(3)

(3)

,

- математическое ожидание параметров

- в точке мониторинга а и b,

- среднеквадратическое отклонение параметров

,

- объем выборки параметров

.Where

,

- mathematical expectation of parameters

- at the monitoring point a and b,

- standard deviation of the parameters

,

- parameter sample size

.

In block 5.8, based on the revealed correlation between the monitored parameters of the state of the communication network, S&P KR and DDoS attacks at various monitoring points, the monitoring points are excluded from the PCM of the communication network. With a negative outcome of this operation, it is believed that the parameters are independent. Reducing the monitoring points, which are in functional dependence, avoids the redundancy of the statistical information contained in them, thereby increasing the speed of the PCM communication network.

In block 5.9, the optimal number of monitoring points, their locations and monitored parameters are determined for cases of normal functioning of the communication network, the functioning of the communication network when detecting the actions of M&R KR and DDoS attacks of an attacker

In block 5.10, the functioning of a communication network, PCM, S&P KR and DDoS attacks is simulated with a reduced number of monitoring points and the indicated controlled parameters. Given the reliability of monitoring the technical condition, control the parameters of the communication network, M & A KR and DDoS attacks. The performance of the PCM communication network is measured. The selected parameters are saved to the database.

In block 5.11, the PCM performance is compared with the reduced number of monitoring points and monitored parameters for various specific cases of the communication network functioning with the available PCM performance values with the total number of monitoring points and parameters in the context of the provision of various communication services to a different number of subscribers, at different values of M&R parameters and DDoS attacks.

In block 5.12, the performance of the monitoring system is evaluated. If the PCM reliability values differ from the required ones, they change (increase / decrease) the number and location of monitoring points and the number of monitored parameters.

In block 6, based on the measured values of the topology and parameters of the communication network and the parameters of the communication network node of third-party organizations operating in the selected ESE segment and the requirements for the communication network being created, parameters are tuned to make it difficult for an attacker to control the security information system of the attacker (masking) (Fig. 3).

On the basis of the measured data in block 6.1 determine the communication network and the elements of communication networks on which the least amount of destructive effects was carried out.

).In block 6.2, a communication network is selected from the list of networks included in the list of communication networks subjected to the least amount of destructive effects (

)

In block 6.3, based on the topology, technical parameters of the selected communication network and the technical parameters of its elements, the topology, technical parameters of the communication network and its elements are compared with similar values of the communication network.

If the selected communication network according to its technical parameters or topology does not satisfy the requirements for the created communication network, then in block 2, the topology of the created communication network is changed and (or) the technical parameters of the communication network are changed, and (or) the technical parameters of the communication network node are repeated carry out a comparison.

If the selected communication network satisfies the required value, then in block 6.4 the value of the contrast coefficient is calculated according to the formulas (Model of the access node of the communication network as an object of network and streaming computer intelligence and DDoS attacks, Cybersecurity Issues No. 3 (16) - 2016. Grechishnikov E.V. ., Dobryshin M.M., Zakalkin P.V.):

, (4)

, (four)

– коэффициент контраста i – номер узла функционирующей сети связи, p – номер параметра узла сети связи;

– весовой коэффициент i – й параметра узла сети связи. Весовой коэффициент i – й параметра узла сети связи определяется на основании экспертной оценки (Модель узла доступа сети связи как объекта сетевой и потоковой компьютерных разведок и DDoS-атак, Вопросы кибербезопасности №3(16) – 2016г. Гречишников Е.В., Добрышин М.М., Закалкин П.В.):Where

- contrast ratio i is the node number of the functioning communication network, p is the parameter number of the node of the communication network;

Is the weight coefficient of the ith parameter of the communication network node. The weight coefficient of the ith parameter of the communication network node is determined on the basis of expert assessment (Model of the access network of the communication network as an object of network and streaming computer intelligence and DDoS attacks, Cybersecurity Issues No. 3 (16) - 2016. Grechishnikov EV, Dobryshin M .M., Zakalkin P.V.):

(5)

(5)

– значение параметра узлов СС функционирующих в указанном сегменте ЕСЭ;

– значение технического параметра создаваемого узла сети связи, i – номер узла функционирующей сети связи, p – номер параметра узла сети связи.Where

- the value of the parameter of the nodes of the SS functioning in the specified segment of the ESE;

Is the value of the technical parameter of the created communication network node, i is the node number of the functioning communication network, p is the parameter number of the communication network node.

In block 6.5, the values of the calculated contrast ratio are compared with the desired contrast ratio.

If the value of the contrast coefficient does not satisfy the value, then in block 2, the parameters of the communication network are adjusted to the values of the parameters of the selected communication network.

If the value of the contrast coefficient satisfies the value, then in block 6.6, the probability of the junction of the communication network node being opened by means of S&P KR of the jth attacker is calculated according to the formulas (VPN access node model as an object of network and streaming computer intelligence and DDoS attacks, Cybersecurity issues No. 3 (16) - 2016. Grechishnikov E.V., Dobryshin M.M., Zakalkin P.V.):

(6)

(6)

– время квазистационарного состояния узла сети связи;

– среднее время вскрытия j – м злоумышленником узла сети связи средствами СиП КР.Where

- time of the quasistationary state of a communication network node;

- the average opening time by the jth malefactor of the communication network node by means of M & A KR.

In block 6.7, the likelihood of the opening of the communication network node by the means of S&P KR of the j-th attacker is compared with valid values:

(7)

(7)

If the value of the probability of opening the communication network satisfies expression 7, then continue the algorithm in block 7.

).If the value of the contrast coefficient does not satisfy, then in blocks 6.8 and 6.9 the next communication network is selected from the list of networks included in the list of communication networks that have undergone the least amount of destructive effects (

)

) не удовлетворяет требованиям предъявляемым к топологии сети связи и (или), техническим параметрам сети связи и (или) техническим параметрам узла сети связи в нее входящим, то в блоках 6.10-6.17 осуществляют выбор из сетей связи не вошедших в перечень сетей связи подвергшихся наименьшему количеству деструктивных воздействий (

) и проводят действия аналогичные как и для перечня сетей вошедших в перечень сетей связи подвергшихся наименьшему количеству деструктивных воздействий.If none of the selected communication networks (

) does not satisfy the requirements for the topology of the communication network and (or), the technical parameters of the communication network and (or) the technical parameters of the node of the communication network included in it, then in blocks 6.10-6.17, the ones that are not included in the list of communication networks that undergo the least the number of destructive effects (

) and carry out actions similar to those for the list of networks included in the list of communication networks subjected to the least amount of destructive effects.

If according to the results of adjusting the parameters of the communication network to the values of the communication network of the ESE of the Russian Federation, the values of the probability of tampering do not satisfy the required values and it is impossible to change the values of the parameters of the communication network and proceed to the calculations in block 7.

In block 7, measures are being developed to counteract M & A KR and DDoS attacks. Evaluate the effectiveness of the developed options and methods of counteracting M & A KR and DDoS attacks (Fig. 4):

In block 7.1, the impact options and the principles of their implementation are determined (by source of attack; ways of attack; purpose and method of purpose of indication; method of implementation and protocol used) (https://firstvds.ru/technology/types-of-ddos).

In block 7.2, the development of a private proposal to eliminate (reduce) the destructive effect of options and methods of suppressing a communication node in a DDoS attack.

In block 7.3, based on the data obtained in blocks 3 and 4, taking into account the weakening effect of the communication network protection system, a set of methods for counteracting the CA is developed based on the activation time and effectiveness of each method of counteraction.

In block 7.4, a regression equation is formed for the process of functioning of the communication network node in the conditions of DDoS attacks and counteraction to them with the developed variants and methods of counteraction.

In block 7.5, the optimization problem is solved by choosing the option to counter the DDoS attack or the integrated use of several options, methods.

In block 8, a communication network, a distributed monitoring system, and options and methods for countering DDoS attacks are deployed.

In block 9, the end time of the communication network is determined.

In block 10, continuous monitoring of the technical parameters of the communication network that most precisely meets the technical requirements is carried out), the search for the first created communication networks is carried out, as well as the parameters of other functioning communication networks in the area of deployment of the communication network are evaluated; they control the values of the parameters of the communication network, on the basis of the analysis of the parameters of the communication network, they fix the signs of conducting M & A RS and DDoS attacks.

In block 11, the parameters of the communication network are compared with similar parameters of the communication network, as well as with the parameters of other networks. If the conditions are met, then continue to monitor in block 9.

If the equality is not fulfilled then in block 12, a decision is made to rebuild the p-parameters of the created communication network in block 5.

In block 13, they constantly monitor the signs and (or) the actions of the attacker to open the created communication network. Based on the selected criteria, the fact of the opening of the created communication network is recorded.

In block 14, based on the analysis of the values of the parameters of the node of the communication network, the values of the S&P parameters of the RS are determined.

In block 15, the signs and (or) the actions of the attacker are constantly monitored for the destructive impact on the created communication network. Based on the selected criteria, the fact of the onset of the destructive impact on the created communication network is fixed.

In block 16, based on the analysis of the values of the parameters of the communication network node, the values of the DDoS attack parameters are determined.

In block 17, based on the statistical data and the individual characteristics of the tampering equipment available to the attacker, a decision is made to identify the equipment belonging to a particular attacker.

In block 18, based on the peculiarities of conducting S&P KR or DDoS attacks, a decision is made to identify S&P KR or DDoS attacks.

Upon detection of signs of conducting M & A KR in block 19, the options for the functioning of the SM when managing M & A KR are activated.

Upon detection of signs of conducting DDoS attacks in block 24, the options for the functioning of the SM when conducting DDoS attacks are activated.

In block 20, an attacker is evaluated for opening a communication network.

) (Модель узла доступа VPN как объекта сетевой и потоковой компьютерных разведок и DDoS-атак, Вопросы кибербезопасности №3(16) – 2016г. Гречишников Е.В., Добрышин М.М., Закалкин П.В.):Calculate the actual opening time of the communication network node (

) (Model of a VPN access node as an object of network and streaming computer intelligence and DDoS attacks, Cybersecurity Issues No. 3 (16) - 2016. Grechishnikov E.V., Dobryshin M.M., Zakalkin P.V.):

, (8)

, (8)

The nodes of the communication network on which a destructive effect is possible are determined:

, (9)

, (9)

) DDoS-атакой j – го злоумышленника (Модель узла доступа VPN как объекта сетевой и потоковой компьютерных разведок и DDoS-атак, Вопросы кибербезопасности №3(16) – 2016г. Гречишников Е.В., Добрышин М.М., Закалкин П.В.):In block 21, the capabilities of an attacker to suppress SS nodes (

) DDoS attack of the j-th attacker (Model of a VPN access node as an object of network and streaming computer intelligence and DDoS attacks, Cybersecurity Issues No. 3 (16) - 2016. Grechishnikov EV, Dobryshin MM, Zakalkin P. AT.):

, (10)

, (10)

 – среднее время атаки j – м злоумышленником.where K ₃ is the efficiency coefficient of the attack of the j-th attacker on the communication network node, K ₄ is the coefficient of the ability of the protection system of the z-th communication network node to resist attacks,

Is the average attack time by the jth attacker.

) средствами DDoS-атаки j – го злоумышленника с допустимыми значениями:Compare the likelihood of suppressing a communication network node (

) by means of the DDoS attack of the j-th attacker with valid values:

, (11)

, (eleven)

In block 22, the capabilities of a communication network node are evaluated to provide communication services to subscribers of various categories:

) и вероятность предоставления нескольких услуг связи (

) i-ой категории абонентов (Модель узла доступа VPN как объекта сетевой и потоковой компьютерных разведок и DDoS-атак, Вопросы кибербезопасности №3(16) – 2016г. Гречишников Е.В., Добрышин М.М., Закалкин П.В.):The probability of providing the y-th communication service (

) and the probability of providing several communication services (

) i-th category of subscribers (Model of a VPN access node as an object of network and streaming computer intelligence and DDoS attacks, Cybersecurity Issues No. 3 (16) - 2016. Grechishnikov EV, Dobryshin MM, Zakalkin PV ):

:

(12)

(12)

- сетевой ресурс необходимый для обеспечения y-й услуги связи.

- a network resource necessary to provide the y-th communication service.

(13)

(13)

) и вероятность предоставления нескольких услуг связи (

) с допустимыми значениями:Compare the probability of providing the y-th communication service (

) and the probability of providing several communication services (

) with valid values:

(14)

(fourteen)

. (15)

. (fifteen)

The denial of service for the y-th communication service and several communication services for i-category subscribers is determined by a DDoS attack (VPN access node model as an object of network and streaming computer intelligence and DDoS attacks, E. Grechishnikov, M. Dobryshin M., Zakalkin P.V., Cybersecurity Issues No. 3 (16) - 2016):

, (16)

, (16)

(17)

(17)

Compare the operating time of a communication network node with the time of a denial of service caused by a DDoS attack:

(18)

(eighteen)

In block 23, on the basis of the developed options and methods for countering DDoS attacks conducted in block 7 and the possible damage caused by the DDoS attack, a sequence of activation of the methods and variants of counteraction is generated.

In block 25, if an assessment of an attacker's capabilities to suppress a communication network node, as well as an assessment of the capabilities of a communication network node to provide communication services to subscribers of various categories, was performed, the actions specified in blocks 20-22 are carried out.

If the assessment is carried out, then in block 26 the options and methods for countering DDoS attacks are used.

In block 27, at the end of the impact, the obtained results of the impact on the communication network node are evaluated, compared with the predicted results. If necessary, supplement the available data in blocks 1, 2.

In block 28, the results of the calculations and the results are displayed.

The system that implements the method of effective use of anti-M&C countermeasures options (Fig. 5) includes a visualization device (3) connected to a data processing control device (14) and a database management device (12). An input-output device for input data (4) connected to a database management device (12). A data processing device (1) including a data processing control device (14) connected to a development problems ranking device (13) and a communication network parameter comparison device (7) connected to the device 14 and a synthesis device for a virtual working version of the system (5) connected to the selection device optimal solution (6).

A data storage device (2) including a database management device (12) connected to a data processing control device (14) and a database of problem solving examples (8), a database of problem types and mathematical models (9), a database parameters of the development equation (10), a database of general mathematical methods for solving problems (11), in addition to the data processing device (1), a device for modeling (predicting) the state of the nodes of the SS (22) was introduced, consisting of a block for predicting the parameters of the SA (23) connected to a device for ranking development problems (13).

The device for comparing the parameters of the communication network (7) and the unit for predicting the state of the nodes of the SS in the conditions of the CA (24) connected to the device for comparing the parameters of the communication network (7) and the optimization unit for the controlled parameters (25) connected to the device for comparing the parameters of the communication network (7) and the unit simulation of the joint application of methods and variants of counteraction (26) connected to a device for comparing communication network parameters (7), a control device for a distributed monitoring system (15) consisting of a group of distribution sensors has been introduced a monitoring system (16) receiving information flows characterizing the technical condition of the SS and CA nodes and connected to the control unit of the distributed monitoring system (17) connected to the visualization device (3), the database management device (12) and the CA identification and classification unit ( 18), a device for controlling the methods and options for counteracting the CA (19) consisting of a group of blocks of activation of the methods of counteracting the CA (20) connected to the methods of counteracting the CA and the activation control unit was introduced methods and reaction variants (21) connected to a distributed control system monitoring unit (17) and the device select the optimal variant solutions (6) .Sformulirovannaya object of the invention is confirmed by the claimed method presented calculation.

Evaluation of the effectiveness of the claimed method and system was carried out as follows.

1. The process of counteracting the conduct by an attacker of M & As of the Kyrgyz Republic consists in adjusting the parameters of the communication network node to the parameters of the nodes operating in a given segment of the RF ESE. For the calculation, the initial data of table 1 are used.

Table 1

No. p / p Parameter Value The amount of tamper one The number of nodes operating in the segment of the ESE of the Russian Federation 5 The number of VPN nodes operating in the ESE segment of the Russian Federation one Time allocation DMP, means of streaming TCR 5 minutes.

Continuation of table 1

VPN host scan time using network TCR 30 minutes. VPN host opening time 35 minutes VPN I-Site Feature Weighting Factor one Quasi-Stationary VPN Host Time 480 minutes

) без учета разработанной подсистемы:Calculation of the probability of identification of the nodes of the SS (

) without taking into account the developed subsystem:

) в признаковом пространстве ЕСЭ РФ:- calculation of the speed coefficient of the autopsy system (

) in the characteristic space of the ESE of the Russian Federation:

(19)

(19)

).- the contrast ratio is not calculated and taken equal to one (

)

- calculation of the probability of identification of the nodes of the SS:

(20)

(twenty)

) с учетом разработанной подсистемы:Calculation of the probability of identification of the nodes of the SS (

) taking into account the developed subsystem:

) в признаковом пространстве ЕСЭ РФ:- calculation of the speed coefficient of the autopsy system (

) in the characteristic space of the ESE of the Russian Federation:

(21)

(21)

) узлов СС в признаковом пространстве ЕСЭ РФ. Результаты расчета представлены в таблице 2.- the contrast ratio is calculated (

) SS nodes in the characteristic space of the ESE of the Russian Federation. The calculation results are presented in table 2.

table 2

Node 1 Node 2 Knot 3 Knot 4 Node 5 No. i

No. i

No. i

No. i

No. i

one one one 0 0 one one one 0 one 0.625 0.25 0.25 0.625 0.5 one one 0 one one one one one one one one one one one 0 one one one one one 0 one one one one 0 0 0 0 0 0 0 0 0 0

0.663

0.725

0.625

0.563

0.55

) приведен в таблице 3.- calculation of the probability of identification of the nodes of the SS (

) is given in table 3.

Table 3

Trim Node

Winnings (%) one 0.787 12.85 2 0.816 9.67 3 0.767 15.04 four 0.731 19.05 5 0.723 19.96

Based on the results of comparing the calculated values of the identification probability presented in Table 3, it follows that the application of the developed subprocess makes it difficult to identify a communication network node by means of M&S KR by 9.67-19.96%.

2. The process of developing decisions on the use of existing methods of counteracting DDoS attacks and options for their application is to assess the ability of a communication network node to provide the required number of communication services (CS) to a given number of subscribers in the context of DDoS attacks.

Assessing the ability of existing methods and options to counter DDoS attacks to minimize the damage done. If the communication network node is not able to fulfill its functional tasks, develop solutions for the application of methods and (or) countermeasures, in order to ensure functioning in a given mode.

The initial data used in the calculation are presented in tables 1, 2, 4-6. Where subscribers No. 1-3 are subscribers of the first category, subscribers No. 4-6 are subscribers of the second category, subscribers No. 7-9 are subscribers of the 3rd category.

Table 4

No. p / p Parameter Value No. p / p Parameter Value

20 Mbps

0.2

9

0.1

10.352 Mbps

0.05

2 Mbps

0.2

0.512 Mbps

300 s

0.064 Mbps

21 sec

4500

1800 s

5000

600 s

28800 s.

600 s

Table 5

Subscriber number Provided by CSS Subscriber number Provided by CSS Subscriber number 1 1,2,3 Subscriber number 6 2,3 Subscriber number 2 1,2,3 Subscriber number 7 3 Subscriber number 3 1,2,3 Subscriber number 8 3 Subscriber number 4 2,3 Subscriber number 9 3 Subscriber number 5 2,3

Table 6

Method (option) of counteraction Counteraction Activation time Option 1 (method 1)
(reduction in the number of subscribers to lower categories) for subscribers of the 1st category -7% attack power; for subscribers of the 2nd category -3% attack power. 5 sec Option 2 (method 2) (developed method) -8% attack intensity, for subscribers of all categories. 10 sec Option 3 (method 3) (network reconfiguration) 40% time to failure. 21 sec

Continuation of table 6

Option 4 (application of method 1, method 2) for subscribers of the 1st category -7% attack power; for subscribers of category 2 -3% attack power;
-8% attack intensity, for subscribers of all categories. 15 sec

) проводится согласно выражения 22, вероятность предоставления нескольких УС (

) абонента согласно выражения 25, вероятности предоставления УС абонентам узлов СС (

) согласно выражения 26. Результаты расчетов представлены в таблице 7.The calculation of the probability of providing the y-th CSS (

) is carried out according to expression 22, the probability of providing multiple CSS (

) of the subscriber according to expression 25, the probability of providing the DC to subscribers of the SS nodes (

) according to expression 26. The calculation results are presented in table 7.

(22)

(22)

- сетевой ресурс необходимый для обеспечения y-й услуги связи.

- a network resource necessary to provide the y-th communication service.

(23)

(23)

- сетевой ресурс необходимый для предоставления требуемого количества УС, всем абонентам узлов СС.Where

- a network resource necessary to provide the required number of CSS to all subscribers of the SS nodes.

(24)

(24)

where A is the number of subscribers of the SS nodes, I is the number of categories of subscribers, Y is the number of DC provided to subscribers of the I category

(25)

(25)

(26)

(26)

Table 7

Subscriber Communication Services Provided one 2 3 1,2,3 1,2 1.3 2,3 one 0.522 0.586 0.604 0.495 0.498 0.519 0.584 1,2 0.413 0.565 0.601 0.352 0.36 0.413 0.56 1,2,3 0.284 0.543 0.599 0.169 0.185 0.284 0.535 four - 0.586 0.604 - - - 0.584 4,5 - 0.565 0.601 - - - 0.56 4,5,6 - 0.543 0.599 - - - 0.535 7 - - 0.604 - - - - 7.8 - - 0.601 - - - - 7,8,9 - - 0.599 - - - - 1.4 0.522 0.565 0.601 0.466 0.473 0.516 0.56 1,4,5 0.522 0.543 0.599 0.436 0.446 0.513 0.535 1,4,5,6 0.522 0.52 0.596 0.405 0.418 0.51 0.508 1,2,4 0.413 0.543 0.599 0.315 0.328 0.41 0.535 1,2,4,5 0.413 0.52 0.596 0.278 0.294 0.406 0.508 1,2,4,5,6 0.413 0.496 0.594 0.235 0.258 0.402 0.48 1,2,3,4 0.284 0.52 0.596 0,112 0.122 0.279 0.508 1,2,3,4,5 0.284 0.496 0.594 0,072 0.1 0.275 0.48 1,2,3,4,5,6 0.284 0.47 0.591 0.018 0,054 0.27 0.45 1.7 0.522 0.586 0.601 0.492 0.498 0.516 0.56 1,7,8 0.522 0.586 0.599 0.489 0.498 0.513 0.535 1,7,8,9 0.522 0.586 0.596 0.486 0.498 0.51 0.508 1,2,7 0.413 0.565 0.599 0.348 0.36 0.41 0.535 1,2,7,8 0.413 0.565 0.596 0.344 0.36 0.406 0.508 1,2,7,8,9 0.413 0.565 0.594 0.34 0.36 0.402 0.48 1,2,3,7 0.284 0.543 0.599 0.164 0.122 0.279 0.508 1,2,3,7,8 0.284 0.543 0.594 0.159 0.1 0.275 0.48 1,2,3,7,8,9 0.284 0.543 0.591 0.154 0,054 0.27 0.45 1,4,7 0.522 0.565 0.604 0.463 0.473 0.513 0.557 1,4,7,8 0.522 0.565 0.596 0.459 0.473 0.51 0.554 1,4,7,8,9 0.522 0.565 0.594 0.456 0.473 0.507 0.552 1,4,5,7 0.522 0.543 0.596 0.432 0.446 0.51 0.532 1,4,5,7,8 0.522 0.543 0.594 0.429 0.446 0.507 0.529 1,4,5,7,8,9 0.522 0.543 0.591 0.425 0.446 0.504 0.526 1,4,5,6,7 0.522 0.52 0.594 0.4 0.418 0.507 0.505 1,4,5,6,7,8 0.522 0.52 0.591 0.396 0.418 0.504 0.502 1,4,5,6,7,8,9 0.413 0.52 0.589 0.392 0.418 0,501 0.499 1,2,4,7 0.413 0.543 0.596 0.311 0.328 0.406 0.532 1,2,4,7,8 0.413 0.543 0.594 0,307 0.328 0.402 0.529 1,2,4,7,8,9 0.413 0.543 0.591 0.302 0.328 0.399 0.526 1,2,4,5,7 0.413 0.52 0.594 0.267 0.294 0.402 0.505 1,2,4,5,7,8 0.413 0.52 0.591 0.262 0.294 0.399 0.502

Continuation of table 7

1,2,4,5,7,8,9 0.413 0.52 0.589 0.258 0.294 0.395 0.499 1,2,4,5,6,7 0.413 0.496 0.591 0.23 0.258 0.399 0.477 1,2,4,5,6,7,8 0.413 0.496 0.589 0.225 0.258 0.395 0.473 1,2,4,5,6,7,8,9 0.413 0.496 0.586 0.22 0.258 0.391 0.47 1,2,3,4,7 0.284 0.52 0.594 0.116 0.122 0.275 0.505 1,2,3,4,7,8 0.284 0.52 0.591 0,111 0.122 0.27 0.502 1,2,3,4,7,8,9 0.284 0.52 0.589 0.105 0.122 0.266 0.499 1,2,3,4,5,7 0.284 0.496 0.591 0,066 0.1 0.27 0.477 1,2,3,4,5,7,8 0.284 0.496 0.589 0.06 0.1 0.266 0.473 1,2,3,4,5,7,8,9 0.284 0.496 0.586 0,054 0.1 0.261 0.47 1,2,3,4,5,6,7 0.284 0.47 0.589 0.012 0,054 0.266 0.447 1,2,3,4,5,6,7,8 0.284 0.47 0.586 0.006 0,054 0.261 0.443 1,2,3,4,5,6,7,8,9 0.284 0.47 0.584 0 0,054 0.257 0.44 4.7 - 0.586 0.601 - - - 0.581 4.7.8 - 0.586 0.599 - - - 0.579 4,7,8,9 - 0.586 0.596 - - - 0.576 4,5,7 - 0.565 0.599 - - - 0.557 4,5,7,8 - 0.565 0.596 - - - 0.554 4,5,7,8,9 - 0.565 0.594 - - - 0.552 4,5,6,7 - 0.543 0.596 - - - 0.532 4,5,6,7,8 - 0.543 0.594 - - - 0.529 4,5,6,7,8,9 - 0.543 0.591 - - - 0.526

) проводится согласно выражений 27-29: определяют время отказа в обслуживании y-й УС, время отказа в обслуживании услуг связи для а-го абонента, время отказа услуг связи группы абонентов узлов СС вызванных DDoS-атакой (

,

,

), согласно выражений 30-32. Результаты расчетов представлены в таблице 8.Calculation of the coefficient of effective attack power (

) is carried out according to the expressions 27-29: determine the time of denial of service of the y-th SS, the time of denial of service of communication services for the ith subscriber, the time of failure of communication services of a group of subscribers of the nodes of the SS caused by a DDoS attack (

,

,

), according to expressions 30-32. The calculation results are presented in table 8.

Table 8

Subscriber

Subscriber

one 0.6464 829.95 1,4,5,7,8,9 0.7136 751,79 1,2 0.7752 692.05 1,4,5,6,7 0.736 728.91 1,2,3 0.904 593.45 1,4,5,6,7,8 0.7392 725.76 four 0.5464 1404.70 1,4,5,6,7,8,9 0.7424 722.63 4,5 0.5752 1334.37 1,2,4,7 0.8072 664.62 4,5,6 0.604 1270.74 1,2,4,7,8 0.8104 661,99 7 0.5208 1917.39 1,2,4,7,8,9 0.8136 659.39 7.8 0.524 1905.68 1,2,4,5,7 0.836 641.72 7,8,9 0.5272 1894.11 1,2,4,5,7,8 0.8392 639.27 1.4 0.6752 794.55 1,2,4,5,7,8,9 0.8424 636.85

 Continuation of table 8

1,4,5 0.704 762.04 1,2,4,5,6,7 0.8648 620.35 1,4,5,6 0.7328 732.10 1,2,4,5,6,7,8 0.868 618.06 1,2,4 0.804 667.26 1,2,4,5,6,7,8,9 0.8712 615.79 1,2,4,5 0.8328 644.19 1,2,3,4,7 0.936 573.16 1,2,4,5,6 0.8616 622.65 1,2,3,4,7,8 0.9392 571.21 1,2,3,4 0.9328 575.13 1,2,3,4,7,8,9 0.9424 569.27 1,2,3,4,5 0.9616 557.90 1,2,3,4,5,7 0.9648 556.05 1,2,3,4,5,6 0,9904 541.68 1,2,3,4,5,7,8 0.968 554.21 1.7 0.6496 825.86 1,2,3,4,5,7,8,9 0.9712 552.39 1,7,8 0.6528 821.81 1,2,3,4,5,6,7 0,9936 539.93 1,7,8,9 0.656 817.80 1,2,3,4,5,6,7,8 0.9968 538.20 1,2,7 0.7784 689.21 1,2,3,4,5,6,7,8,9 one 536.48 1,2,7,8 0.7816 686.39 4.7 0.5496 1396.52 1,2,7,8,9 0.7848 683.59 4.7.8 0.5528 1388.44 1,2,3,7 0.9072 591.36 4,7,8,9 0.556 1380.45 1,2,3,7,8 0.9104 589.28 4,5,7 0.5784 1326.99 1,2,3,7,8,9 0.9136 587.21 4,5,7,8 0.5816 1319.68 1,4,7 0.6784 790.80 4,5,7,8,9 0.5848 1312.46 1,4,7,8 0.6816 787.09 4,5,6,7 0.6072 1264.05 1,4,7,8,9 0.6848 783.41 4,5,6,7,8 0.6104 1257.42 1,4,5,7 0.7104 758.60 4,5,6,7,8,9 0.6136 1250.86 1,4,5,7,8 0.7072 755.18

The coefficient of performance of the identification system of the j-th attacker:

(27)

(27)

– количество средств идентификации имеющихся у j – го злоумышленника;

– количество сторонних однотипных узлов ЕСЭ РФ функционирующих в указанном районе;

 – количество однотипных узлов СС функционирующих в указанном районе.Where

- the number of identification tools available to the j-th attacker;

- the number of third-party similar nodes of the ESE of the Russian Federation operating in the specified area;

- the number of similar nodes of the SS functioning in the specified area.

) узлов СС:Contrast Ratio (

) SS nodes:

(28)

(28)

– коэффициент контраста i-й характеристики узлов СС;

– весовой коэффициент i-й характеристики узлов СС. Весовой коэффициент i-й характеристики узлов СС определяется на основании экспертной оценки.Where

- contrast ratio of the i-th characteristic of the nodes of the SS;

- weight coefficient of the i-th characteristic of the nodes of the SS. The weight coefficient of the i-th characteristic of the SS nodes is determined on the basis of expert assessment.

Contrast coefficient of the i-th characteristic of the nodes of the SS:

(29)

(29)

(30)

(thirty)

(31)

(31)

(32)

(32)

,

,

- вероятность наступления отказа в обслуживании y-й УС и нескольких УС и узлов СС в целом,

- коэффициент эффективной мощности атаки,

- коэффициент способности системы защиты противодействовать DDoS-атаке (определяются при помощи "Модель узла сети связи как объекта сетевой и потоковой компьютерных технических разведок и сетевых атак "распределенный отказ в обслуживании", отличающаяся от известных учетом демаскирующих признаков узла, количеством предоставляемых УС и абонентов, а так же оценкой способности злоумышленника своевременно идентифицировать и подавить узел").Where

,

,

- the probability of a denial of service for the y-th CSS and several CSS and nodes of the SS as a whole,

- coefficient of effective attack power,

- the coefficient of the ability of the protection system to counteract the DDoS attack (determined using the "Model of a communication network node as an object of network and streaming computer technical intelligence and network attacks" distributed denial of service ", which differs from the known ones by taking into account the unmasking signs of the node, the number of provided UEs and subscribers, as well as assessing the ability of an attacker to identify and suppress a node in a timely manner ").

) определяется согласно выражения 35.Calculation of the coefficient of ability of the node protection system
SS counteract DDoS attack (

) is determined according to expression 35.

The probability of suppressing a j-th attacker of the i-th node of a communication network by a DDoS attack:

(33)

(33)

– коэффициент эффективной мощности атаки j – го злоумышленника на узлов СС;

– коэффициент способности системы защиты узлов СС противодействовать DDoS-атаке,

– среднее время DDoS-атаки j-го злоумышленника на узлы СС.Where

- coefficient of effective attack power of the jth attacker on the SS nodes;

- the coefficient of ability of the system of protection of nodes of the SS to counteract the DDoS attack,

- the average time of the DDoS attack of the j-th attacker on the nodes of the SS.

The effective power factor of the attack of the jth attacker on
SS nodes:

(34)

(34)

– значения параметра используемого сетевого ресурса абонентами узла СС;

– значения средней максимальной мощности атаки j-го злоумышленника на узлы СС;

– сетевой ресурс узлов СС получаемый у доверенного оператора связи РФ.Where

- parameter values of the used network resource by subscribers of the SS node;

- values of the average maximum attack power of the j-th attacker on the SS nodes;

- the network resource of the SS nodes obtained from a trusted telecommunications operator of the Russian Federation.

The coefficient of the ability of the SS node protection system to counteract a DDoS attack:

(35)

(35)

– быстродействие s-й Botnet используемой j-м злоумышленника;

– быстродействие системы защиты узлов СС.Where

- performance of the s-th Botnet used by the j-th attacker;

- the speed of the protection system of the nodes of the SS.

Considering the fact that at a given moment in time a different number of nodes that are part of a communication network can function, respectively, a communication network will be considered suppressed only after at least 80% of all SS nodes have been suppressed.

Statistical estimate of the likelihood of jamming a communications network:

(36)

(36)

- количество подавленных узлов СС;

- общее число узлов СС,

- время квазистационарного состояния сети связи.Where

- the number of suppressed nodes SS;

- the total number of nodes SS,

- time of the quasi-stationary state of the communication network.

(37)

(37)

Assessing the ability of SS nodes to provide CSS to subscribers was carried out by comparing the time of providing CSS to subscribers
SS nodes with a denial of service time caused by a DDoS attack according to expressions 30-32. The comparison results are presented in table 9.

Table 9

Subscriber DDoS Assessment Subscriber DDoS Assessment Subscriber DDoS Assessment one DDoS 1,4,5,7,8,9 DDoS 4.7 Work 1,2 DDoS 1,4,5,6,7 DDoS 4.7.8 Work 1,2,3 DDoS 1,4,5,6,7,8 DDoS 4,7,8,9 Work four Work 1,4,5,6,7,8,9 DDoS 4,5,7 Work 4,5 Work 1,2,4,7 DDoS 4,5,7,8 Work 4,5,6 Work 1,2,4,7,8 DDoS 4,5,7,8,9 Work 7 Work 1,2,4,7,8,9 DDoS 4,5,6,7 Work

Continuation of table 9

7.8 Work 1,2,4,5,7 DDoS 4,5,6,7,8 Work 7,8,9 Work 1,2,4,5,7,8 DDoS 4,5,6,7,8,9 Work 1.4 DDoS 1,2,4,5,7,8,9 DDoS 1,2,3,4,5,7 DDoS 1,4,5 DDoS 1,2,4,5,6,7 DDoS 1,2,3,4,5,7,8 DDoS 1,4,5,6 DDoS 1,2,4,5,6,7,8 DDoS 1,2,3,4,5,7,8,9 DDoS 1,2,4 DDoS 1,2,4,5,6,7,8,9 DDoS 1,2,3,4,5,6,7 DDoS 1,2,4,5 DDoS 1,2,3,4,7 DDoS 1,2,3,4,5,6,7,8 DDoS 1,2,4,5,6 DDoS 1,2,3,4,7,8 DDoS 1,2,3,4,5,6,7,8,9 DDoS 1,2,3,4 DDoS 1,2,3,4,7,8,9 DDoS 1,2,7 DDoS 1,2,3,4,5 DDoS 1,4,7 DDoS 1,2,7,8 DDoS 1,2,3,4,5,6 DDoS 1,4,7,8 DDoS 1,2,7,8,9 DDoS 1.7 DDoS 1,4,7,8,9 DDoS 1,2,3,7 DDoS 1,7,8 DDoS 1,4,5,7 DDoS 1,2,3,7,8 DDoS 1,7,8,9 DDoS 1,4,5,7,8 DDoS 1,2,3,7,8,9 DDoS

The evaluation results show that the communication network node is not able to provide the required number of fixed-line telephones to category 1, 2 subscribers. To ensure the required number of DCs, subscribers are assessed for non-activated methods of counteraction, to weaken the destructive impact. The evaluation results are presented in tables 10-14.

Table 10

Subscriber Service 1,2,3 1,2 1.3 2,3 one 2 one 829.95 834.08 864.17 1404.70 868.65 987.63 1,2 692.05 697.81 740.99 1334.37 747.60 943.18 1,2,3 593.45 599.82 648.55 1270.74 656.16 902.56 1.4 794.55 802.15 859.74 1334.37 - 943.18 1,4,5 762.04 772.58 855.36 1270.74 - 902.56 1,4,5,6 732.10 745.11 851.01 1212.91 - 865.29 1,2,4 667.26 675.33 737.73 1270.74 - 902.56 1,2,4,5 644.19 654.24 734.50 1212.91 - 865.29 1,2,4,5,6 622.65 634.44 731.30 1160.11 - 830.98 1234 575.13 583.13 646.05 1212.91 - 865.29 12345 557.90 567.34 643.57 1160.11 - 830.98 123456 541.68 552.39 641.11 1111.72 - 799.28

Table 11

Subscriber Service 1,2,3 1,2 1.3 2,3 one 2 one DDoS DDoS DDoS Work DDoS Work one DDoS DDoS DDoS Work DDoS Work 1,2 DDoS DDoS DDoS Work DDoS Work 1,2,3 DDoS DDoS DDoS Work DDoS Work 1.4 DDoS DDoS DDoS Work Work 1,4,5 DDoS DDoS DDoS Work Work 1,4,5,6 DDoS DDoS DDoS Work Work 1,2,4 DDoS DDoS DDoS Work Work 1,2,4,5 DDoS DDoS DDoS Work Work 1,2,4,5,6 DDoS DDoS DDoS Work Work 1234 DDoS DDoS DDoS Work Work 12345 DDoS DDoS DDoS Work Work 123456 DDoS DDoS DDoS Work Work

Table 12

Subscriber DDoS onset time Subscriber DDoS onset time Subscriber DDoS onset time one 922.17 17 917.62 1247 738.46 12 768.95 178 913.13 12478 735.55 123 659.39 1789 908.67 124789 732.66 four 1560.78 127 765.79 12457 713.02 45 1482.63 1278 762.65 124578 710.31 456 1411.94 12789 759.54 1245789 707.61 7 2130.43 1237 657.06 124567 689.28 78 2117.42 12378 654.75 1245678 686.74 789 2104.57 123789 652.46 12456789 684.22 fourteen 882.83 147 878.67 12347 636.85 145 846.72 1478 874.54 123478 634.68 1456 813.44 14789 870.46 1234789 632.52 124 741.40 1457 842.88 123457 617.84 1245 715.76 14578 839.09 1234578 615.79 12456 691.84 145789 835.33 12345789 613.76 1234 639.03 14567 809.90 1234567 599.93 12345 619.89 145678 806.40 12345678 598.00 123456 601.87 1456789 802.92 123456789 596.09 47 1551.69 457 1474.43 4567 1404.49 478 1542.71 4578 1466.32 45678 1397.13 4789 1533.83 45789 1458.29 456789 1389.85

Table 13

Subscriber The ability to provide CSS Subscriber The ability to provide CSS Subscriber The ability to provide CSS one DDoS 17 DDoS 1247 DDoS 12 DDoS 178 DDoS 12478 DDoS 123 DDoS 1789 DDoS 124789 DDoS four Work 127 DDoS 12457 DDoS 45 Work 1278 DDoS 124578 DDoS 456 Work 12789 DDoS 1245789 DDoS 7 Work 1237 DDoS 124567 DDoS 78 Work 12378 DDoS 1245678 DDoS 789 Work 123789 DDoS 12456789 DDoS fourteen DDoS 147 DDoS 12347 DDoS 145 DDoS 1478 DDoS 123478 DDoS 1456 DDoS 14789 DDoS 1234789 DDoS 124 DDoS 1457 DDoS 123457 DDoS 1245 DDoS 14578 DDoS 1234578 DDoS 12456 DDoS 145789 DDoS 12345789 DDoS 1234 DDoS 14567 DDoS 1234567 DDoS 12345 DDoS 145678 DDoS 12345678 DDoS 123456 DDoS 1456789 DDoS 123456789 DDoS 47 Work 457 Work 4567 Work 478 Work 4578 Work 45678 Work 4789 Work 45789 Work 456789 Work

Table 14

Subscriber Service / Denial of Service Time Service / Ability of a node to provide communication services 1,2,3 1,2 1.3 one 1,2,3 1,2 1.3 one one 922.17 926.75 960.19 965.17 DDoS DDoS DDoS DDoS 1,2 768.95 775.35 823.33 830.67 DDoS DDoS DDoS DDoS 1,2,3 659.39 666.47 720.61 729.07 DDoS DDoS DDoS DDoS 1.4 882.83 891.28 955.27 - DDoS DDoS DDoS 1,4,5 846.72 858.42 950.40 - DDoS DDoS DDoS 1,4,5,6 813.44 827.90 945.57 - DDoS DDoS DDoS 1,2,4 741.40 750.36 819.70 - DDoS DDoS DDoS 1,2,4,5 715.76 726.94 816.11 - DDoS DDoS DDoS 1,2,4,5,6 691.84 704.93 812.55 - DDoS DDoS DDoS 1234 639.03 647.92 717.83 - DDoS DDoS DDoS 12345 619.89 630.38 715.08 - DDoS DDoS DDoS 123456 601.87 613.76 712.34 - DDoS DDoS DDoS

Continuation of table 14

1234 639.03 647.92 717.83 - DDoS DDoS DDoS 12345 619.89 630.38 715.08 - DDoS DDoS DDoS 123456 601.87 613.76 712.34 - DDoS DDoS DDoS

Based on the obtained data (Table 10-14), it follows that, due to the use of this subprocess, the time of denial of service caused by DDoS attacks is increased by 12.2-16.1%, the number of communication services provided to subscribers of SS nodes in conditions of DDoS attacks, due to the timely and reasonable use of options and methods to counter DDoS attacks increased by 1.6 times.

Claims (2)

1. The way to use the options for countering network and streaming computer intelligence and network attacks, which consists in the fact that among the parameters of the communication network, network and streaming computer intelligence and network attacks, individual parameters are distinguished that are signs of the technical state of the communication network, network and streaming computer intelligence and network attacks, compare the values of the selected parameters with the reference features of the original alphabet of state classes and determine the group of classes from the results of the comparison possible condition in the conditions of conducting network and streaming computer intelligence and network attacks, reduce the number of monitored parameters of the state of the communication network in the conditions of conducting network and streaming computer intelligence and network attacks by identifying a strong correlation between the parameters of the technical state of the communication network, between the parameters of network and streaming computer intelligence and network attacks, monitor the parameters of the communication network, network and streaming computer intelligence and network attacks, taking into account the dynamics of changes in the selected monitored parameters predict the time of the onset of the critical (pre-failure) state of the communication network, measure the parameters of operational failures and failures on the same functioning communication networks, measure the parameters of network and streaming computer intelligence and network attacks on the same functioning communication networks, store the measured values in the block data storage, enter the measured values into the data processing unit, based on the topology of the created communication network, determine possible locations of monitoring points for monitoring parameters of the communication network, network and streaming computer intelligence and network attacks, form a model of a distributed monitoring system for the technical condition of the communication network, reduce the number of monitoring points of a distributed monitoring system in the conditions of network and streaming computer intelligence and network attacks by identifying a strong correlation between the values of the parameters of the technical state of the communication network at monitoring points under operational conditions ion failures and malfunctions and the parameters of the network and streaming computer intelligence and network attacks, for a given reliability of monitoring the technical condition, monitor the parameters of the communication network, network and streaming computer intelligence and network attacks for cases of normal functioning of the communication network, change the number of monitoring points for normal operation, form physical models of network and streaming computer intelligence and network attacks of the attacker, model the functioning of the communication network and distributed monitoring system in the conditions of operational failures and failures, conducting network and streaming computer intelligence and network attacks, calculate and evaluate the reliability of the measured parameters of the distributed monitoring system, change the number and location of monitoring points, calculate the performance parameters of the distributed monitoring system to detect operational failures and failures , as well as the facts of conducting network and streaming computer intelligence and network attacks, are developing measures for countermeasures network and streaming computer intelligence and network attacks, deploy and operate a communications network, deploy and operate a distributed monitoring system for normal operating conditions of a communications network, establish connections with monitoring systems of a communications service provider, and other independent network attack detection systems, during the operation of the communication network, the parameters of network and streaming computer intelligence and network attacks are monitored, when fixing the fact of conducting network and streaming computer intelligence, they include all monitoring points and increase the number of monitored parameters of network and streaming computer intelligence and network attacks, based on the available statistical data, the parameters of network and streaming computer intelligence and network attacks are predicted, as well as communication network parameters under conducting network attacks, while fixing the fact of conducting network attacks, reconfigure the distributed monitoring system by reducing the monitored parameters and disconnection of some monitoring points, on the basis of data received from a distributed monitoring system, about network attack parameters and forecasted values of the communication network, a set of measures is taken to counteract network attacks, at the end of the impact, the measured network attack parameters and the parameter values obtained from independent third-party monitoring systems are compared , characterized in that after highlighting the parameters that are signs of the technical condition of the communication network, maintaining a network and streaming computer intelligence and network attacks, they form models of a communication network node with a security system that takes into account ways to counteract network attacks, taking into account the different number of subscribers who are provided with a different number of communication services, model network attacks on a communication network node taking into account the protection system, measure the time of activation of countermeasures , measure the attenuating abilities of countermeasures, save the results, after reducing the number of monitoring points of a distributed monitoring system, select the Unified network node telecommunications for tuning, adjusting the node of the communication network, after developing measures to counteract network and streaming computer intelligence and network attacks, develop countermeasures taking into account the activation time and weakening of the network attack by the capabilities of the protection system, while monitoring the parameters of network and streaming computer intelligence and network attacks measure and determine changes in the parameters of the communication network node, optimize the parameters of the communication network node in excess of the specified values, after fixing Network and streaming computer intelligence or network attacks based on available signs identify the attacker, while fixing the fact of network and streaming computer intelligence, they include all monitoring points and increase the number of monitored parameters of network and streaming computer intelligence and network attacks, based on available statistics, calculate network and streaming computer intelligence and network attack parameters, as well as communication network parameters in the context of network attacks, when fixing the fact of conducting a network attack reconfigures the distributed monitoring system by reducing the monitored parameters and disabling some monitoring points, evaluates the capabilities of the enemy, at the end of the impact, compare the actual values of the protection system with the set values, if the set values are exceeded, make changes to the initial data. 2. A system for using options to counteract network and streaming computer intelligence and network attacks, including a visualization device (3) with a data processing control device (14) and a database management device (12), an input-output device for input data (4) connected to a database management device (12), a data processing device (1) including a data processing management device (14) connected to a development ranking device (13) and a communication network parameter comparison device (7), connect connected to the device 14 and the synthesis device of the virtual working version of the system (5), connected to the device for selecting the optimal solution (6), a data storage device (2) including a database management device (12) connected to a data processing control device (14) and a database of examples of solving problems (8), a database of types of problems and mathematical models (9), a database of parameters of the communication network development equation (10), a database of general mathematical methods for solving problems (11), characterized in thatdata processing device (1) a device for modeling (predicting) the state of a communication network node (22) was introduced, consisting of a block for predicting the parameters of information and technical impacts (23) connected to a ranking device for development problems (13) and a device for comparing communication network parameters (7) ) and a unit for predicting the state of the node of the communication network under the conditions of information and technical influences (24) connected to a device for comparing the parameters of the communication network (7) and an optimization unit for controlled parameters (25) connected a device for comparing the parameters of the communication network (7) and a block for modeling the joint application of methods and variants of counteraction (26) connected to a device for comparing the parameters of the communication network (7), a control device for a distributed monitoring system (15), consisting of a group of sensors of a distributed monitoring system ( 16), receiving information flows characterizing the technical condition of the communication network node and network attacks, and connected to the control unit of a distributed monitoring system (17) connected to the device a visualization module (3), a database management device (12) and a unit for identifying and classifying information and technical influences (18), a device for controlling methods and options for counteracting information and technical influences (19) was introduced, consisting of a group of activation blocks for counteracting information and technical influences technical influences (20) connected to the control unit for activation of methods and options of counteraction (21) connected to the control unit for a distributed monitoring system (17) and a device An ora of the optimal solution (6).

Images