RU2710284C1 - Method and apparatus for controlling data streams of a distributed information system using identifiers - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: invention relates to information security. Method of controlling data flows consists in the fact that distributed information system uses identifiers of authorized data streams by generating them by cryptographic transformation and checking on analysis units. When generating a transmitted data stream on a specific network node, a current identifier I_cur, for which cryptographic transformation is used, then recorded in IP packet of transmitted data stream formed current identifier I_cur, response identifier I_res is generated, for which cryptographic transformation is used in reverse order. After receiving the data stream, a response identifier I_res and comparing obtained values with previously stored current identifier I_cur, correcting the switching table in case of mismatch values separated from the response and current identifiers, then, using new parameters of network interaction, blocking this data stream, and if match continues its transfer.

EFFECT: technical result is wider range of means.

2 cl, 4 dwg

Description

The inventions are united by a single inventive concept and relate to the field of ensuring information security, namely, methods and means of managing data flows in secure distributed information systems, in order to prevent unauthorized users from accessing network information resources and services through distributed control of established network connections.

A known method of detecting intrusions according to patent US 7424744, G06F 11/00, publ. 09.09.2008 “System and method for detecting intrusions based on signatures”. The method consists in filtering received packets according to filtering rules and comparing their signatures with existing profiles.

The disadvantage of this method is the inability to control data streams, and the implementation of partial filtering of data streams.

Known "Network switch" patent WO 2008077320, H04L 12/28, publ. 07/03/2008, which manages data flows in a computer network by switching network packets. In the network switch, to determine the destination port of the transmitted network packets, a correspondence table is used between the switch ports and the network addresses of network devices connected to them.

A disadvantage of the known device is the switching of data streams without regard to security requirements and access restrictions.

The well-known "Network switch with access control" patent WO 2008128085, H04L 12/28, publ. 10/23/2008, which transmits data streams in a computer network in accordance with network packet security rules.

A disadvantage of the known device is the inability to control data flows and access control to network services and resources at the application level.

The well-known "Method of managing data streams of secure distributed information systems in an encrypted communication network" patent RU No. 2402881, IPC H04L 9/32, publ. 10/27/2010, bull. No. 30. The method consists in the following actions: set the switching table that defines the correspondence between the ports of the connection device and the network addresses of the devices connected to it, control the switching of network connections using a dynamic switching table that determines the allowed routes for the transmission of data streams, identify security events in the transmitted data stream, temporarily block the data flow when security events are detected, analyze the detected event to decide whether edachi associated with this event data stream, a dynamic switching table change depending on the rules further defined security policy block the flow or transfer it to the destination depending on the resolution of the dynamic table switching network communication that is implemented by the data stream.

Closest to the technical nature of the proposed method is the "Method of managing data flows of a distributed information system" patent RU No. 2547628, IPC H04L 9/32, publ. 02/10/2015, bull. No. 4. The prototype method consists in the following actions: set the parameters of a distributed information system, identify security events in the received data stream, analyze them in order to decide on the admissibility of the data stream transmission associated with this event, and if the data stream is permissible, transmit its intended purpose, additionally set the table of reference trace files of a distributed information system in the test mode of its operation, consisting of reference trace files for all sa When accessing information resources and services of certain network nodes of a distributed information system, after permission to transfer the data stream in the switching unit to a specific network node, current trace files are generated on it when the i-th user accesses the information resources and services of the j-th network node of a distributed information system, transmit the received trace files to the access control center, remember the transmitted trace files of the j-th network node edelennoy information system while accessing the i-th user, compares the trace files to reference values, adjust the switching table in case of a mismatch trace files, and then using the new networking settings, block the flow of data, and the coincidence continue its transmission.

The technical problem is the relatively low security of the distributed information system, due to the fact that data flow is controlled by generating trace files when users access information resources and services of the information system only in test mode, and the possibility of occurrence of security events on the network nodes of the distributed information system is not taken into account systems due to undeclared software features.

The closest in technical essence to the claimed device is a "Device for managing data flows of a distributed information system" patent RU No. 2547628, IPC H04L 9/32, publ. 02/10/2015, bull. No. 4. In the closest analogue (prototype) of the data flow control device of protected distributed information systems, there is a switching unit, a switching table storage unit that determines the correspondence between network connection ports and network addresses of network nodes connected to the network, event detection unit, table control unit switching, the first information input of the switching unit is the input of the device data stream, and the first information output of the switching unit is connected to network nodes, the second control the output output of the switching unit is connected to the event detecting unit, the output of which is connected to the control input of the switching table control unit, the output of which is connected to the first control input of the switching table storage unit, and the output of which is connected to the second information input of the switching unit, a network trace control module is additionally introduced , consisting of a trace comparison unit, a trace file storage unit, and a memory unit for a table of trace trace files consisting of a reference x trace files for all authorized users when they access information resources and services of certain network nodes of a distributed information system, trace file generation modules, consisting of a trace file generation unit, trace file transfer unit, information output of the file generation unit in each trace file generation unit the trace is connected to the information input of the trace file transfer unit, the information output of which is connected to the information by the input of the memory block of trace files and with the information input of the memory block of the table of reference trace files, the first information input of the trace comparison block is connected to the information output of the memory block of the reference trace file table, and the second information input is connected to the information output of the trace file memory block, the first and second the control outputs of the trace comparison unit are connected to the control inputs of the switching unit and the table storage unit, respectively switching.

The technical problem is the relatively low security of the distributed information system, due to the fact that data flow is controlled by generating trace files when users access information resources and services of the information system only in test mode, and the possibility of occurrence of security events on the network nodes of the distributed information system is not taken into account systems due to undeclared software features.

The technical problem is solved through the use of identifiers formed by cryptographic conversion over the values of the numbers of network nodes and software.

The technical result is to increase the security of a distributed information system, through the use of identifiers of authorized data streams, by forming them with cryptographic conversion and checking on analysis units.

The technical problem is solved by the fact that in the method of managing data flows of a distributed information system, which consists in the fact that in a distributed information system containing an analysis unit and an access control center, a switching table is preliminarily defined that defines the correspondence between the network connection ports and the network addresses connected to network of network nodes, and also set the parameters of a distributed information system, identify security events in the received data stream, analyze them with the aim of receiving a decision is made on the admissibility of the transmission of the data stream associated with this event, and, if the transmission of the data stream is permissible, transmit it as intended, additionally set the table of arrays of used software K _r corresponding to the array of nodes of the user network N _{i of the} distributed information system. When forming the transmitted data stream at a certain network node, the current I _tech identifier is generated and stored, for which cryptographic conversion is used over the values of the user network node number N _i , software number K _r , and the network node number of the information resource and service S _j . Then, the generated current identifier I _{tech is} written into the IP packet of the transmitted data stream and transmitted, after permission to transmit the data stream in the switching unit at a certain jth network node, the IP packet of the data stream is received and the current I _tech identifier is extracted from it. Then, a response identifier I _holes, which uses a cryptographic transformation in reverse order on the values of the node number of an information resource and service S _j, software number K _r and node number by user N _i network then recorded in IP-packet of the transmitted data stream the generated response identifier I _resp and transmit it. Then, after receiving information data stream recovered therefrom response identifier I _{of holes} and by a cryptographic transformation is formed therefrom value numbers network node N _i, software number K _r, and the node number of an information resource network and the service S _j and storing them, compare obtained network node number value N _i, software number K _r, and the node number of an information resource and a network service S _j from the response identifier i _holes with the previously stored identifier from the transmitted current i _flowed, the armature projected onto a switching table in case of discrepancy between the values extracted from the response and the current ID. Then, using the new parameters of network interaction, they block this data stream, and if they match, continue to transmit it.

The technical problem in the claimed device is achieved by the fact that in the known data stream control device of a distributed information system comprising a switching unit, a switching table memory unit defining a correspondence between network connection ports and network addresses of network nodes connected to the network, the first information input-output of the unit switching is the input-output of the device data stream, and the second information input-output of the switching unit is connected to network nodes, the control input of the switching unit The unit is connected to the output of the storage unit of the switching table, an identifier management module is introduced, consisting of a unit for storing the current identifier, a unit for storing the response identifier, a unit for comparing identifiers, and a cryptographic conversion unit performing cryptographic conversion over the values of the user network node number N _i , software number K _r , and the node numbers of the network of the information resource and service S _j . Modules for generating response identifiers consisting of a unit for extracting the current identifier from packets, a unit for generating a response identifier, a cryptographic conversion unit, and a packet transfer unit with identifiers. In each module for generating the response identifier, the information input of the unit for extracting the current identifier from the packets is an input of the data stream of the module for generating the response identifiers, the output of which is connected to the first information input of the unit for generating the response identifier, and the second information input and the first information output are connected to the cryptographic conversion unit, which from the current identifier is formed a response identifier. The second information output of the response identifier generating unit is connected to the information input of the packet transmitting unit with identifiers, the information output of which is the output of the data stream of the response identifier generating unit. Modules for generating current identifiers, consisting of a block for generating current identifiers, a cryptographic transforming unit, and a packet transmitting unit with identifiers. In each module for generating current identifiers, the information input and the first information output of the current identifier generation unit are connected to the information input and output of the cryptographic conversion unit, respectively, and the second information output of which is connected to the information input of the packet transfer unit with identifiers. The information output of the packet transmission unit with identifiers is connected to the third information input of the switching unit and to the information input of the current identifier storage unit, the information output of which is connected to the first information input of the cryptographic conversion unit, and the second information input is connected to the response identifier storage unit, the information input of which is connected with the third information output of the switching unit. The first and second information outputs of the cryptographic conversion unit are connected to the identifier comparison unit, the control output of the identifier comparison unit is connected to the control input of the memory of the switching table.

The analysis of the prior art allowed us to establish that analogues, characterized by sets of features that are identical to all the features of the claimed method and device, are absent. Therefore, the claimed invention meets the condition of patentability "novelty."

The listed new set of essential features provides the expansion of the capabilities of the method and device of the prototype through the use of identifiers of authorized data streams, by forming them by cryptographic conversion and verification on analysis units.

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed inventions from the prototypes showed that they do not follow explicitly from the prior art. From the prior art determined by the applicant, the influence of the inventions provided for by the essential features on the achievement of the indicated technical result is not known. Therefore, the claimed invention meets the condition of patentability "inventive step".

The "industrial applicability" of the method and device is due to the presence of an element base, on the basis of which devices can be made that implement this method with the achievement of the result specified in the inventions.

The claimed method and device is illustrated by drawings, which show:

in FIG. 1 is a diagram of a distributed information system (RIS);

in FIG. 2 is a flowchart of a method for managing data streams of a distributed information system using identifiers;

in FIG. 3 is a block diagram of a data flow control device;

in FIG. 4 is a block diagram of a module for generating response identifiers.

The implementation of the claimed method can be explained on the diagram of distributed information systems shown in FIG. 1.

Distributed Information System (RIS) 2 is connected to an external network 1 through an analysis unit. In the general case, distributed information system 2 is a collection of network nodes 2.1 ₁ –2.1 _N (routers, hubs, switches, PCs) [V.G. Olifer, N.A. Olifer Computer networks. Principles, technologies, protocols (3rd edition) St. Petersburg - 2009, p. 57], access control center 3, analysis unit 4, additional analysis nodes 2.2 ₁ –2.2 _N , on network nodes 2.1 ₁ –2.1 _N , additional 5.2 nodes ₁ –5.2 _N at the nodes of information resources and services of RIS 5.1 ₁ –5.1 _N connected by physical communication lines. All these elements have identifiers, for which network addresses (IP addresses) are used in the most common TCP / IP protocol stack. An external network is represented by a set of routers that transport information flows from one RIS to another. An information stream, or data stream, is called a continuous sequence of data united by a set of common features that distinguish them from the general network traffic [V. G. Olifer, N. A. Olifer Computer networks. Principles, technologies, protocols (3rd edition) of St. Petersburg - 2009, p. 65].

In addition, the access control center 3 processes a security event when it receives a notification from the analysis unit 4 that there is a security event in the information flow. A security event is understood as an operation or action performed by a user or a program, leading to a change in data flows in a distributed information system. A security event is the identified occurrence of a certain state of a system, service or network, indicating a possible violation of security policy or a failure of protective measures, or the occurrence of a previously unknown situation that may be related to security [GOST R ISO / IEC 18044-2007, Information technology. Security methods and tools. Information Security Incident Management, p. 2]. A security event may be the fact of determining the actions of undeclared software features.

Undeclared features - software functionality that is not described or does not correspond to those described in the documentation, the use of which may violate the confidentiality, availability or integrity of the processed information [Guidance document. Protection against unauthorized access to information. Part 1. Software for information security. Classification by level of control of the absence of undeclared opportunities. Approved by the decision of the Chairman of the State Technical Commission under the President of the Russian Federation of June 4, 1999 No. 114]. Moreover, undeclared capabilities can be realized by an attacker at the stage of testing the RIS, which requires the creation of additional control over the actions of the software. The implementation of this type of control is possible due to the formation of identifiers that, when analyzing them, can identify information data streams accessing network nodes that are not part of the RCA and do not comply with the adopted security policy. In addition, it is possible to generate identifiers using cryptographic transformations, which will allow avoiding the possibility of falsification by an attacker.

Analysis unit 4 performs the change of the switching table in accordance with the system-wide security policy and, using data on the equivalence of current and response identifiers, either block the incoming data stream or transmit them to the corresponding RIS network node.

In FIG. 2 is a flowchart illustrating an algorithm of a method for controlling RIS data flows using identifiers.

Initially form the switching table M (block 1, Fig. 2). In the switching table, the local or global sign (s) of the stream (for example, destination address) is assigned the port number to which the network node must transmit data related to this stream [V.G. Olifer, N.A. Olifer Computer networks. Principles, technologies, protocols: Textbook for universities. 5th ed. St. Petersburg: - 2016, p. 69].

Next, arrays of network nodes L _i and used software K _{R are formed} , corresponding to an array of network nodes of users N _{i of a} distributed information system that form P _k data streams (block 2, Fig. 2).

Further, for the k-th transmitted data stream P from a specific network node L _i (block 3, Fig. 2), the current I I _tech identifier is generated on the additional analysis node by cryptographic conversion over the values of the user network node number N _i , software number K _r , and the network node number of the information resource and service S _j and is stored (block 4 and 5, Fig. 2).

A cryptographic transformation is an information transformation based on some algorithm that depends on a variable parameter (usually called a secret key) and which has the property of impossibility to restore the original information from the converted one without knowing the valid key [GOST 28147-89 Information Processing Systems. Cryptographic protection. Cryptographic conversion algorithm. Moscow. Standartinform. 1996, pp. 16–18]. The main advantage of cryptographic methods is that they provide high security durability.

Next, the generated current identifier I _tech is recorded in the IP packet of the transmitted data stream P _k and its transmission (block 6, Fig. 2). The current identifier can be written into the fields of the IP packet [Stevens U.R. TCP / IP protocols. Practical Guide / Per. from English - St. Petersburg: “Nevsky dialect” - “BHV-Petersburg”, 2003, p. 54].

After permission to transmit the data stream in the switching unit and transfer it to the RIS information resources (block 7, Fig. 2), in the additional analysis node of the corresponding resource, an IP packet of the data stream P _{k is} received and the current identifier I _{tech is} extracted from it (block 8, Figure 2). Identification is performed by reading data from the fields of IP packets.

Then, a response identifier I _{of holes,} which are used for S _j, software number K _r and node number N _i user network (block 9, FIG. 2) the cryptographic transformation in reverse order on the values of the node number of an information resource and service. Changing the sequence of values over which the cryptographic conversion is performed will lead to a change in the value of the result of this conversion and, as a result, the response identifier being generated.

Next is formed by recording the response identifier I _holes in the IP-packet data stream transmitted P _k with its subsequent transmission to a network node L _i (block 9 and 10, FIG. 2). Upon receiving the IP-packet information data stream recovered therefrom response identifier I _{of holes} and by a cryptographic transformation is formed therefrom value numbers network node N _i, software number K _r, and the node number of an information resource network and the service S _j and storing them ( block 11, Fig. 2). Then produce a comparison obtained from the response identifier I _holes network node numbers of values N _i, software K _r, and the node information resource and network service S _j with the previously stored identifier from the transmitted current I _flowed (block 12, FIG. 2). In case of discrepancy between the values extracted from the response and the current identifiers, the switching table M is corrected and the transmitted data stream P _{k is} blocked (block 13 and 15, Fig. 2), and if it matches, continue to transmit it (block 14, Fig. 2).

The above-described method for managing data flows of a distributed information system using identifiers is implemented using a data flow control device of a distributed information system using identifiers.

A device whose structural diagram is shown in FIG. 3 and FIG. 4, consists of interconnected switching unit (BC) 4, a memory unit for switching table (BZTK) 3, which determines the correspondence between the network connection ports and network addresses of network nodes connected to the network, identifier management module (MMI) 1, consisting of a unit storing the current identifier (BZTI) 1.2, the block storing the response identifier (BZOI) 1.1, the unit for comparing identifiers (BSI) 1.4 and the block of cryptographic conversion (BKP) 1.3 performing cryptographic conversion over the values but EPA node network user N _i, software number K _r, and the node number of an information resource network and the service S _j, modules forming response identifiers (IFIP) 5 consisting of block allocation of the current identifier of the packets (BVTI) 5.3 forming unit response identifier ( BFOI) 5.2, cryptographic conversion unit (BCP) 5.4, packet transmission unit with identifiers (BPPI) 5.1, current identifier generation modules (MIPT) 2 consisting of a current identifier generation unit (BIPT) 2.2, a cryptographic block conversion (BKP) 2.3 and the packet transmission unit with identifiers (BPPI) 2.1.

The first information input-output of the BC 4 is the input-output of the data stream of the device, and the second information input-output of the BC 4 is connected to the network nodes, the control input of the BC 4 is connected to the output of the BZTK 3. Information input BVTI 5.3 is the input of the data stream, the output of which is connected with the first information input of the BPOI 5.2, and the second information input and the first information output is connected to the BKP 5.4, the second information output of the BPOI 5.2 is connected to the information input of the BPOI 5.1. The information input and the first information output of the BFTI 2.2 are connected to the information input and output of the BKP 2.3, respectively, and the second information output of which is connected to the information input of the BPPI 2.1. The information output of BPPI 2.1 is connected to the third information input of BKTI 4 and to the information input of BZTI 1.2, the information output of which is connected to the first information input of BKP 1.3, and the second information input is connected to BZOI 1.1, the information input of which is connected to the third information output of BC 4. First and the second information outputs BKP 1.3 connected to BSI 1.4, the control output BSI 1.4 connected to the control input BZTK 3.

MUI 1 is intended for storing and cryptographic conversion, over the values of the user network node number N _i , the software number K _r , and the network node number of the information resource and service S _j , current and response identifiers of information flows and fixing unauthorized actions by comparing the corresponding current and response identifiers. MUI 1 consists of BZOI 1.1, BZTI 1.2, BKP 1.3 and BSI 1.4.

BZOI 1.1 is designed to record response identifier data received from certain RIS network nodes when accessing information resources and services available on them, in the process of its functioning. BZOI 1.1 can be implemented using read-only memory devices described in the literature [Veniaminov VN, Lebedev ON and other microcircuits and their application. Handbook, 3rd ed. M., "Radio and Communications", 1989 - 152, 159 pp.].

BZTI 1.2 is designed to record data of the current identifier of the transmitted data stream formed at MIPT 2 of a particular network node. BZTI 1.2 can be implemented using read-only memory devices described in the literature [Veniaminov VN, Lebedev ON and other microcircuits and their application. Handbook, 3rd ed. M., "Radio and Communications", 1989 - 152, 159 pp.].

BKP 1.3 is intended for cryptographic conversion as a result of which the values of the user network node number N _i , the software number K _r , and the network node number of the information resource and service S _{j of the} response and current identifiers are generated. BKP 1.3 can be implemented using the cryptographic information protection device described in the literature ["Cryptographic information protection device" patent RU 82 974 U1, IPC H04L 9/00, publ. 05/10/2009, bull. No. 13].

BSI 1.4 is designed to compare the values extracted from the response and current identifiers of the information data stream generated during the operation of the RIS. BSI 1.4 can be implemented on comparison devices known and widely covered in the literature [Veniaminov VN, Lebedev ON and other microcircuits and their application. Handbook, 3rd ed. M., "Radio and Communications", 1989 - 235 p.].

MIPT 2 is intended for generating and transmitting current identifiers of the information data stream from certain RIS network nodes during its operation using the values of the user network node number N _i , software number K _r , and the network node number of the information resource and service S _j . MIPT 2 consists of BPPI 2.1, BFTI 2.2 and BKP 2.3.

BPPI 2.1 is intended for data transmission of generated current identifiers when accessing information resources and services of a specific network node of a distributed information system. BPPI 2.1 can be implemented as a digital-to-analog converter described in the literature [Veniaminov VN, Lebedev ON and other microcircuits and their application. Handbook, 3rd ed. M., "Radio and Communications", 1989 - 167].

BIPT 2.2 is intended to form the current identifier of the information data stream from certain RIS network nodes during its operation, using the values of the user network node number N _i , software number K _r , and the network node number of the information resource and service S _j . This identifier allows you to determine the implemented actions of a particular application (software) on a specific network node during the operation of the RIS. BIPT 2.2 can be implemented in the form of microprocessors (memory management devices), known and widely covered in the literature [Veniaminov V.N. and other microcircuits and their application. Handbook, 3rd ed. M., "Radio and Communications", 1989 - 161-165 p.].

BKP 2.3 is intended for cryptographic conversion over the values of the user network node number N _i , the software number K _r , and the network node number of the information resource and service S _j, as a result of which the cryptographic message is used as the current identifier. BKP 2.3 can be implemented using the cryptographic information protection device described in the literature ["Cryptographic information protection device" patent RU 82 974 U1, IPC H04L 9/00, publ. 05/10/2009, bull. No. 13].

BZTK 3 is intended for recording correspondence data between ports connecting to an external network and network addresses of network nodes connected to the network. BZTK 3 can be implemented using read-only memory devices described in the literature [Veniaminov V.N., Lebedev O.N. and other microcircuits and their application. Handbook, 3rd ed. M., "Radio and Communications", 1989 - 152, 159 pp.].

BC 4 is designed to control information flows in accordance with the switching table, which determines the correspondence between the ports of connection to the external network and the network addresses of network nodes connected to the network, and the inconsistency of the current trace files generated during the operation of the FIG. BC 4 can be implemented as a selection block described in patent RU No. 2313128, IPC G06F 17/30, publ. December 20, 2007, bull. Number 35.

MFOI 5 is designed to generate and transmit response identifiers of the data information stream from certain RIS network nodes when accessing the information resources and services available on them, during its operation, using the values of the user network node number N _i , software number K _r , and numbers network node information resource and service S _j . MFOI 5 consists of BPPI 5.1, BFII 5.2, BVTI 5.3 and BKP 5.4.

BPPI 5.1 is intended for data transmission of generated response identifiers when accessing information resources and services of a specific network node of a distributed information system. BPPI 5.1 can be implemented as a digital-to-analog converter described in the literature [Veniaminov V.N., Lebedev O.N. and other microcircuits and their application. Handbook, 3rd ed. M., "Radio and Communications", 1989 - 167 p.].

BFOI 5.2 is designed to generate a response identifier of the information data stream from certain network nodes when accessing information resources and services during its operation, using the values of the user network node number N _i , software number K _r , and the network node number of the information resource and service S _j . This identifier is formed from the values of N _i , K _r and S _{j of the} received current identifier, by cryptographic conversion in the reverse order, that is, S _j , K _r , N _i . BFOI 5.2 can be implemented in the form of microprocessors (memory management devices), known and widely covered in the literature [Veniaminov V.N. and other microcircuits and their application. Handbook, 3rd ed. M., "Radio and Communications", 1989 - 161-165 p.].

BVTI 5.3 is intended for extracting current identifiers from an IP packet of a received data stream when accessing information resources and services of a specific network node of a distributed information system. BVTI 5.3 can be implemented as a digital-to-analog converter described in the literature [Veniaminov V.N., Lebedev O.N. and other microcircuits and their application. Handbook, 3rd ed. M., "Radio and Communications", 1989 - 167].

BKP 5.4 is intended for cryptographic conversion over the values of the node number of the network of the information resource and service S _j , the software number K _r and the node number of the user network N _i , as a result of which the cryptographic message is used as a response identifier. BKP 5.4 can be implemented using the cryptographic information protection device described in the literature ["Cryptographic information protection device" patent RU 82 974 U1, IPC H04L 9/00, publ. 05/10/2009, bull. No. 13].

The claimed device operates as follows, from the table of arrays of used software K _r corresponding to the array of nodes of the network of users N _i RIS, when forming the transmitted data stream on a specific node of the RIS network, the current I _tech identifier is formed in BIPT 2.2. For this, the information input and the first information output of the BFTI 2.2 are connected to the information input and output, respectively, of the BCP 2.3 on which cryptographic conversion is performed over the values of the user network node number N _i , software number K _r , and the network node number of the information resource and service S _j in As a result, a crypto message is used that is used as the current identifier. The second information output of the BIPT 2.2 is connected to the information input of the BPPI 2.1, the information output of which is connected to the third information input of the BC 4 and with the information input of the BIPT 1.3, which records the data of the current identifier of the transmitted data stream generated at MIPT 2. The IP packet of the data stream with the current identifier is sent to the second information input-output of BC 4, in which a decision is made on the admissibility of transmitting the data stream, and, if the transmission of the data stream is permissible, it is sent to the corresponding network node of the information resource and service S _j . From the external network, the IP packet of the data stream with the current identifier receives the input of the BVTI 5.3, which is the input of the data stream of the MFOI 5, the output of which is connected to the first information input of the BFOI 5.2. The second information input and the first information output of BFFI 5.2 is connected to BKP 5. 4, on which a response identifier is generated from the current identifier, for which cryptographic conversion is performed in BKP 5.4 in the reverse order over the values of the network node number of the information resource and service S _j , program number providing K _r and the node number of the user network N _i . After that, the generated response identifier coming from the second information output of the BFID 5.2 is fed to the information input of the BPOI 5.1, the information output of which is the output of the MFOI 5 data stream, on which the generated response identifier is recorded in the IP packet of the transmitted data stream and transmitted to the external network. From an external network, an IP packet of a transmitted data stream with a response identifier is fed to the first information input-output of the BC 4, and the third information output is fed to BZOI 1.1, which records the data of the response identifiers received from certain RIS network nodes when accessing information resources and services on them available, in the process of its functioning. Further, from the information outputs of BZOI 1.1 and BZTI 1.3, the response and current identifiers are sent to BKP 1.3, where by cryptographic conversion the values of the user network node number N _i , software number K _r , and the network node number of the information resource and service S _{j of the} response and current are generated identifiers for subsequent comparison in BSI 1.4. After comparison on BSI 1.4 of the available response and current identifiers generated during the operation of the RIS, control actions are issued to the input of the BZTK 3. By the control action, the BZTK 3 changes the switching table for managing information flows and from the output of the BZTK 3 the control actions go to the input of the BK 4 , while the mismatch of the current and response identifiers leads to the blocking of this data stream, and if it matches, its transmission continues.

The achievement of the technical result is illustrated as follows. For the proposed method, in contrast to the prototype method, the condition for blocking data streams will be a security event detected by checking the equivalence of the received and expected identifiers of data streams, and not based on the results of the analysis of trace files when performing actions to access users to information resources received only when system functioning in test mode. This allows us to conclude that, unlike the prototype method, the effectiveness of the protection system will increase by determining the actions of the undeclared software capabilities and blocking the information data flows associated with them, which can be unambiguously detected only during the operation of the RIS and their implementation can be carried out and in test mode, this makes it impossible to identify undeclared features in the software.

Thus, the claimed method of managing data flows of a distributed information system by checking identifiers generated by cryptographic transformations over the parameters of information flows in which there are actions of undeclared software features allows to increase the security of distributed information systems.

Claims (2)

1. A method of managing data flows of a distributed information system, which consists in the fact that in a distributed information system containing an analysis unit and an access control center, a switching table is preliminarily defined that determines the correspondence between the network connection ports and the network addresses of network nodes connected to the network, and they also set the parameters of the distributed information system, identify security events in the received data stream, analyze them in order to decide on the admissibility of transmission over eye data associated with the event, and, if allowable transmission data stream, transmitting it to the destination, characterized in that it further set table arrays used software K _r, corresponding to array N _i nodes of users of the distributed information system during the formation of the transmitted stream data at a specific node of the network form the current identifier I _tech and remember it, for which they use cryptographic conversion over the values of the node number of the user network N _i , software numbers K _r and network node numbers of the information resource and service S _j , then write the generated current identifier I _tech into the IP packet of the transmitted data stream and transmit it, after permission to transmit the data stream in the switching unit on the specific j-th network node receiving IP-packet data stream and isolating from it a current _flowed identifier I, and then return the identifier I is formed _{of holes,} which uses a cryptographic transformation in reverse order on the values of the node number information of the resource and the service S _j, software number K _r and node number by user N _i network then recorded in IP-packet transmitted by the data stream generated response identifier I _holes and transmitting it, then after reception of the information data stream is recovered from it return identifier i _holes, and is formed by a cryptographic transformation values therefrom numbers network node N _i, software number K _r and node number of an information resource and a network service S _j and storing them, but comparing the values obtained EPA network node N _i, software number K _r and node number of an information resource network and the service S _j from the response identifier I _holes previously stored from the transmitted current identifier I _tech, corrected commutation table in case of a mismatch values extracted from the response and the current identifiers , after which, using the new parameters of network interaction, they block this data stream, and if they match, continue to transmit it. 2. A data flow control device of a distributed information system comprising a switching unit, a memory unit for switching tables, determining the correspondence between network connection ports and network addresses of network nodes connected to the network, the first information input / output of the switching unit is the input / output of the device data stream, and the second information input-output of the switching unit is connected to network nodes, the control input of the switching unit is connected to the output of the storage unit of the switching table, in addition an identifier management module was introduced, consisting of a unit for storing the current identifier, a unit for storing a response identifier, a unit for comparing identifiers and a cryptographic conversion unit that performs cryptographic conversion over the values of the user network node number N _i , software number K _r, and network node number of the information resource and service S _j , modules for generating response identifiers, consisting of a block for extracting the current identifier from packets, a block for generating of the response identifier, cryptographic conversion unit, packet transmission unit with identifiers, in each response identifier generation module, the information input of the current identifier extraction unit from the packets is an input of the data stream of the response identifier generation module, the output of which is connected to the first information input of the response identifier generation unit, and the second information input and the first information output is connected to the cryptographic conversion unit, on which the response identifier is formed from the current identifier, the second information output of the response identifier generation unit is connected to the information input of the packet transmitting unit with identifiers, the information output of which is the output of the data stream of the response identifier generation module, the current identifier generation modules, consisting of the current identifier generation unit, block cryptographic conversion and packet transfer unit with identifiers in each module the current identifiers are formed, the information input and the first information output of the current identifier generation unit are connected to the information input and output of the cryptographic conversion unit, respectively, and the second information output of which is connected to the information input of the packet transfer unit with identifiers, the information output of the packet transfer unit with identifiers is connected to the third information the input of the switching unit and with the information input of the storage unit of the current identifier a, the information output of which is connected to the first information input of the cryptographic conversion unit, and the second information input is connected to the response identifier storage unit, the information input of which is connected to the third information output of the switching unit, the first and second information outputs of the cryptographic conversion unit, are connected to the identifier comparison unit, the control output of the identifier comparison unit is connected to the control input of the switching table memory unit.

Images