RU2728763C1 - Adaptive information and technical monitoring system - Google Patents

Abstract

FIELD: information security.

SUBSTANCE: reduced time for monitoring by a system of monitoring packets of incoming and outgoing data streams is provided by reducing the number of signatures of computer attacks based on detecting strong correlation links between parameters characterizing the incoming and outgoing data stream.

EFFECT: shorter time for the monitoring system to check the checked packets of the incoming and outgoing data stream to values not exceeding the time of receipt of the next packet.

1 cl, 1 dwg

Description

The invention relates to the field of information technology, in particular to information security, in particular to information security monitoring tools and provides traffic control and prevention of computer attacks.

Currently, the growing needs of subscribers of computer communication networks require the use of high-speed communication channels (more than 1 Gbps), however, existing information security monitoring systems are able to operate stably at these speeds with only a small set of signatures describing computer attacks, which leads to a decrease in the security of nodes computer communication network. An increase in the number of signatures leads to difficulty, and in some cases, complete blocking of data transmission.

Information technology impacts (ITI) are understood as methods of electronic warfare, penetration into computer networks, etc. (Basic principles of information security of computer networks: a textbook for students studying in the specialties 08050565, 21040665, 22050165, 23040165 / AA Gladkikh, VE Dementyev; - Ulyanovsk: UlSTU, 2009. - P. 135).

Network traffic - the amount of information transmitted through a computer network for a certain period of time using IP packets. (A. Vinokurov Principles of organizing IP-traffic accounting. Electronic resource. Access mode: http://habrahabr.ru/post/136844).

Known "System and method for detecting targeted attacks on corporate infrastructure" (RF patent No. 2587426 G06F 21/00, 20.06.2016 Bull. No. 17) containing: a means of detecting suspicious objects, designed to obtain information about an object on a computing device; analyzing information about an object based on a set of heuristic rules used by the suspicious object detection tool and allows you to determine whether the analyzed object is suspicious or not; to collect information about an object, if it has been recognized as potentially malicious, a database of suspicious object descriptions associated with the suspicious object detection tool, which contains the heuristic rules and rules used by the specified tool for collecting information about objects; an object analysis tool associated with a suspicious object detection tool designed to analyze information about an object received from a suspicious object detection tool, while analyzing based on a set of heuristic rules used by the object analysis tool, it is determined whether the object is potentially malicious or not; for analyzing potentially malicious objects received from the suspicious object detection tool, in this case, within the framework of the said analysis, it is determined whether the degree of similarity of a potentially malicious object with an object from the database of malicious objects exceeds a predetermined threshold, and if the degree of similarity of a potentially malicious object if an object from the database of malicious objects exceeds a predetermined threshold, then the said object is considered malicious; in this case, the recognition of a suspicious object as potentially harmful in accordance with heuristic rules is carried out by comparing information about the analyzed object and information about objects stored in the database of malicious objects and the database of safe objects; the set of heuristic rules used for said analysis differs from the set of heuristic rules used by the suspicious object detection tool; a database of malicious objects, which is used to store information about malicious objects.

Known "System and method for detecting signs of a computer attack" (RF patent No. 2661533 G06F 21/55, 07/17/2018 Bull. No. 20) containing: a security tool designed for: collecting information about an object on a computer, transferring a security notification to the detection tool, including , information about the protection tool and collected information about an object, a detection tool connected over a network with an information system and designed to: save security notifications to the object database, search for an object from a security notification in the threat database, add labels to the object database corresponding to the mentioned object in the threat database, searching for signs of suspicious activity contained in the suspicious activity database, based on the received security notification and added labels of the object contained in the said security notification, adding to the database of objects, in particular, to the security notification labels contained in ba from data of suspicious activity when finding a sign of suspicious activity, detecting signs of a computer attack by identifying the signature of computer attacks from the database of computer attacks among the received objects, and security notifications, and labels of the mentioned objects, and labels of security notifications from the database of objects, using protection tools collect information about the behavior of processes, events in the operating system, information about internetworking, indicators of compromise; remedy verdicts; the signs of suspicious behavior depend on: tactics, technologies and procedures of known targeted attacks; information about targeted attacks obtained during penetration tests; when a sign of suspicious activity is found, a tag is added from the database of suspicious activity to the protection tool; when a computer attack is detected, it is additionally based on comparing the set labels to the protection tool with signatures of computer attacks from the targeted attacks database; the detection tool generates a security notification for the detected malicious object, containing information about the object and information about the protection tools on the computers of which the object is contained.

The closest in technical essence and functions performed by the analogue (prototype) to the claimed is "A method of using options for countering network and streaming computer intelligence and network attacks and a system that implements it" (RF patent No. 2682108, G06F 21/60, H04B 17/00 publ. 14.03.2019 Bul. No. 8). The specified system includes a visualization device connected to a data processing control device and a database control device; an input-output device for initial data connected to the database management device; a data processing device including a data processing control device connected to a development problem ranking device and a communication network parameters comparison device connected to a data processing control device and a synthesis device for a virtual working version of the system connected to a device for selecting the optimal solution; a data storage device including a database management device connected to a data processing control device and a database of problem solving examples, a database of problem types and mathematical models, a development equation parameter database, a database of general mathematical problem solving methods, additionally to a processing device data introduced a device for modeling (predicting) the state of communication network nodes, consisting of a unit for predicting the parameters of network attacks connected to the device for ranking development problems; a device for comparing the parameters of a communication network and a unit for predicting the state of nodes of a communication network under conditions of a network attack connected to a device for comparing parameters of a communication network and a unit for optimizing monitored parameters connected to a device for comparing parameters of a communication network and a block for simulating the joint application of methods and countermeasures connected to a device for comparing network parameters communication, introduced a control device for a distributed monitoring system consisting of a group of sensors with a distributed monitoring system that receive information flows characterizing the technical condition of the nodes of a communication network and a network attack and connected to a distributed monitoring system control unit connected to a visualization device, a database management device and an identification and classification unit network attacks, a device for controlling methods and options for countering a network attack consisting of a group of blocks for activating methods of countering The actions of a network attack, connected with the methods of countering a network attack and the control unit for activating the methods and variants of counteraction, connected with the control unit of the distributed monitoring system and the device for choosing the optimal solution.

Technical problem: the time it takes for the monitoring system to check the incoming and outgoing packets of data is longer than the arrival time of the next packet, due to the large number of computer attack signatures used by this system, which leads to the appearance and accumulation of data flow delays, as a result of which deterioration (or break) occurs communication quality.

Solution of a technical problem: reducing the time of checking by the monitoring system of checked packets of incoming and outgoing data flow by reducing the number of signatures of computer attacks based on the identification of strong correlations between the parameters characterizing the incoming and outgoing data flow.

EFFECT: reducing the time of checking by the monitoring system of the checked packets of the incoming and outgoing data flow to values that do not exceed the time of arrival of the next packet, by reducing the number of signatures of computer attacks based on the identification of strong correlations between the parameters, which prevents the appearance and accumulation of data flow delays , which provides the required quality of communication.

The technical result is achieved through the development of an adaptive system for monitoring information and technical impacts, consisting of a network traffic analyzer [software complex SKAT DPI. ITGLOBAL.COM]; a device for controlling the functioning of a monitoring system consisting of a block for entering normalized values and signatures [classification of information input devices / https://spravochnick.ru/informatika/arhitektura_personalnogo_kompyutera/ustroystva_vvoda_informacii /] the first output, which is connected to the database input [Microsoft - SQL Server] , the second output of the database is connected to the input of the visualization unit [formation of images and graphic information using computer monitors]; devices for data processing and control of the monitoring system consisting of a block for evaluating the parameters of the monitoring system [Attack detection system FORPOST version 2.0 / https://www.rnt.ru/ru/production/detail.php?ID=19] the second input, which is connected to the first output of the database, the first output is connected to the first input of the visualization unit, the third output is connected to the synthesis and configuration block of the attack detection system [Attack detection system "FORPOST" version 2.0 / https://www.rnt.ru/ru/ production /detail.php?ID=19]; a computer attack detection device consisting of a signature switching unit [Initialization and connection of an attack detector. Encryption hardware and software Continent Version 3.7 / https://www.securitycode.ru/upload/ documentation / detektor_atak / IDS_Admin_Guide.pdf] input connected to the output of the synthesis and configuration block of attack detection systems [Working with rules. Encryption hardware-software complex Continent Version 3.7 /https://www.securitycode.ru/upload/documentation/detektor_atak/ IDS_Admin_ Guide.pdf], block for identification and classification of attacks [Intrusion detection system management tools. Encryption hardware and software Continent Version 3.7 / https://www.securitycode.ru/upload/documentation/detektor_atak / IDS_Admin_ Guide.pdf] the first output, which is connected to the second input of the visualization unit.

Additionally introduced: the output of the network traffic analyzer is connected to the input of the switching and matching device [Switching equipment and its features / http://www.aitek-d.ru/articles9851.html]; the first output of the switching and matching device is connected to the first input and the second inputs of the intermediate calculations device, namely, to the first input of the block for calculating the performance parameters of the monitoring system [Dobryshin M.M. and others. The program for calculating the speed of the system for monitoring the technical condition of communication facilities / Certificate of state registration of the computer program No. 2018618661 of 17.07.2018 Byul. No. 7.] and the first input of the block for calculating the correlation coefficients [Dobryshin M.M. and others. Calculation of correlations between the values of the parameters of the technical condition of communication facilities / Certificate of state registration of a computer program No. 2018615232 dated 05/03/2018 byul. No. 5.], the second input of the block for calculating the correlation coefficients is connected to the first output of the database, the third input of the block for calculating the correlation coefficients is connected to the second output of the block for evaluating the parameters of the monitoring system, the output of the block is connected to the input of the signature reduction block [Working with rules. Encryption hardware and software complex Continent Version 3.7 / https://www.securitycode.ru/upload/documentation/ detektor_ atak / IDS_Admin_Guide.pdf]; output of the signature reduction block [Working with rules. The hardware-software encryption complex Continent Version 3.7 / https://www.securitycode.ru/ upload / documentation / detektor_atak / IDS_Admin_Guide.pdf] is connected to the second input of the block for calculating the performance parameters of the monitoring system; the control device for the monitoring system functioning is supplemented with a manual control unit [classification of information input devices / https://spravochnick.ru/informatika/arhitektura_personalnogo_kompyutera/ustroystva_vvoda_informacii /], the first input of which is connected to the output of the visualization unit, the first output is connected to the second input of the switching device and coordination; the device for data processing and control of the monitoring system is supplemented with a block for selecting additional signatures [Working with rules. Hardware and software encryption complex Continent Version 3.7 / https://www.securitycode.ru/upload/ documentation / detektor_atak / IDS_Admin_Guide.pdf] the first input of which is connected to the output of the manual control unit, the output is connected to the visualization unit; The computer attack detection device has been supplemented with a signature block [Viewing rules assigned to an attack detector. Hardware and software encryption complex Continent Version 3.7 / https://www.securitycode.ru/upload/documentation/ detektor_atak / IDS_Admin_ Guide.pdf], the first input of which is connected to the second output of the unit for entering normalized values and signatures, the second input is connected to the output the signature switching unit, the output is connected to the second input of the attack identification and classification unit.

The enumerated new set of essential features reduces the time of checking by the monitoring system of checked packets of the incoming and outgoing data stream to values that do not exceed the time of arrival of the next packet.

The analysis of the state of the art made it possible to establish that there are no analogs characterized by sets of features identical to all features of the claimed system. Therefore, the claimed invention meets the "novelty" requirement of patentability.

The "industrial applicability" of the developed adaptive system is due to the presence of an element base, on the basis of which devices that implement this system can be made with the achievement of the result specified in the invention.

The results of the search for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the prototypes of the features of the claimed invention, have shown that they do not follow explicitly from the prior art. The prior art determined by the applicant has not revealed the influence of the essential features of the claimed invention on the achievement of the specified technical result. Therefore, the claimed invention meets the "inventive step" requirement of patentability.

The declared objects of the system are illustrated by drawings, which show:

Figure 1 is a block diagram of an adaptive system for monitoring information technology impacts.

The adaptive system for monitoring information and technical influences (Fig. 1), operates as follows: using the block for entering normalized values and signatures (block 3.4), a device for controlling the operation of the monitoring system (block 3), the operator enters the normalized values of the parameters that are stored in the database data (block 3.3) and signatures characterizing various computer attacks, which are stored in signature blocks (block 6.2), computer attack detection devices (block 6).

The n inputs of the network traffic analyzer (block 1) receive the incoming and outgoing information flow of the protected communication node.

In block 1, statistical values of the analyzed information flow are selected and fed to the output of block 1 connected to the first input of the switching and matching device (block 2). The second input of block 2 receives a control signal from the manual control unit (block 3.1), the monitoring system operation control device (block 3) about the direction of the selected statistical values, or to the block for calculating the performance parameters of the monitoring system (block 4.1), an intermediate calculation device (block 4 ) or into the block for identification and classification of computer attacks (block 6.3), a computer attack detection device (block 6).

If the signal “monitoring system settings” is received from block 3.1, then from the first output of block 2 the statistical values of the analyzed information flow are sent to the first input of block 4.1, where the values of the monitoring system performance parameters are calculated.

From the output of block 4.1, the values of the performance parameters of the monitoring system are fed to the first input of the block for evaluating the parameters of the monitoring system (block 5.1), the data processing and monitoring system control device (block 5).

The second input of block 5.1 from block 3.3 receives the normalized speed of the monitoring system. In block 5.1, the system performance values received at the first and second inputs are compared. If the speed value at the first input is less than the same value at the second input, block 5.1 from the first output sends a control command to the block for calculating the correlation coefficients (block 4.3).

The first input of block 4.3 from the output of block 2 receives the statistical values of the incoming and outgoing information flows. If the second input of block 4.3 receives a control signal from block 5.1, then the values of the correlation coefficients are calculated between all the received statistical values of the parameters of the incoming and outgoing information flows.

The calculated values of the correlation coefficients are transmitted from the output of block 4.3 to the first input of the signature reduction block (block 4.2). In block 4.2, based on a given threshold value of the correlation coefficient (supplied to the second input of block 4.2 from block 3.3), the signatures of the corresponding computer attacks are extracted and reduced. When choosing signatures to be abbreviated, the signatures of the underlying level of the reference model of open systems interaction are retained. After reducing the signatures, the number of remaining signatures is counted.

From the output of block 4.2 to the input of block 4.1, the values of the number of the reduced list of signatures are received. In block 4.1, the performance of the monitoring system is calculated taking into account the reduced number of signatures. From the output of block 4.1, the performance values of the monitoring system are fed to the input of block 5.1.

If repeatedly the values at the first input of block 5.1 are less than the values at the second input of block 5.1, at the second output of block 5.1, a command is generated about the need to reduce the threshold value of the correlation coefficient and transmitted to the input of the visualization unit (block 3.2).

Based on the command received in block 3.2 about the need to reduce the threshold value of the correlation coefficient, the operator decreases the specified value by making changes using block 3.4.

Actions in blocks 4.1-5.1-4.3-4.2 continue until the condition in block 5.1 is met.

If the condition in block 5.1 is satisfied, then from the third output of block 5.1 the signature numbers are transmitted, which must be used during the operation of the monitoring system to the first input of the synthesis and configuration block of the monitoring system (block 5.2).

In block 5.2, the control commands necessary for connecting the specified signatures for detecting computer attacks are formed. From the first output of block 5.2, the command to connect the required signatures is transmitted to the first input of the signature switching unit (block 6.1).

From the first output of block 6.1 to the inputs of the signature blocks (block 6.2), control commands are transmitted for switching signatures with the first input of the attack identification and classification block (block 6.3).

After switching the required signatures (block 6.2) with block 6.3, a message is received from the second output of block 6.1 to the first input of the manual control block (block 3.1) that the computer attack detection device is ready for operation.

After a message about the readiness of the computer attack detection device for operation is received at the input of block 3.1, the operator makes a decision to switch incoming and outgoing information flows from the first input of block 4.1 to the second input of block 6.3.

From the first output of block 3.1 to the second input of block 2, a command is transmitted to switch incoming and outgoing information flows from the first input of block 4.1 to the second input of block 6.3.

When incoming and outgoing information flows arrive at the second input of block 6.3, the selection and analysis of the statistical data of these flows is carried out and compared with the connected signatures of block 6.2 in order to detect computer attacks.

The results of identification and classification of attacks are transmitted from the first output of block 6.3 to the second input of block 3.2.

If, based on the results of identification and classification of attacks, the computer attack detection device could not classify the attack with the required reliability, a corresponding one is generated and transmitted from the second output of block 6.3 to the third input of block 3.1.

When a message arrives at the second input of block 3.1, the operator generates a control command for additional activation of signatures and transmits from the second output of block 3.1 to the first input of the block for selecting additional signatures (block 5.3), and also transmits the statistical values of the incoming and outgoing traffic that the detection device computer attacks failed to classify.

In block 5.3, the attack is classified based on the received control command and the values of the incoming and outgoing traffic and the signatures not connected to the device 6 arriving at the second input of block 5.3.

After the classification of the attack, a message about the classified attack is transmitted from the output of block 5.3 to the input of block 3.2.

The received message on the classification of the attack from block 3.2 is transmitted to block 3.1, where the operator decides to disable the non-activated signature selected in block 5.3.

The calculation of the efficiency of the declared system was carried out as follows:

Determination of the verification time of the received package for the prototype method was carried out according to the well-known expression (Grechishnikov E.V., Dobryshin M.M., Berlizev A.V.Proposal for improving the system for monitoring information security incidents / Proceedings of the II Interuniversity Scientific and Practical Conference Problems of technical support troops in modern conditions: Military Academy of Communications. - St. Petersburg. –2017. - pp. 31-35.).

, (1)

, (1)

- время проверки одного пакета;

- количество операций для проверки пакета (сопоставимо с количеством сигнатур);

- частота процессора.Where

- time to check one package;

- the number of operations to check the package (comparable to the number of signatures);

- CPU frequency.

From the analysis of expression 1, it follows that for a constant processor frequency with a reduction in the number of signatures, the verification time decreases.

Based on this, it follows that the declared adaptive system for monitoring information and technical impacts provides a reduction in the time for checking the checked packets by the monitoring system of the incoming and outgoing data flow.

By identifying strong correlations between the parameters of network traffic [Grechishnikov E. V., Dobryshin M. M., et al. Proposals to improve the performance of a distributed monitoring system of computer networks integrated into a single telecommunication network / Questions of defense technology. Series 16. Technical means of countering terrorism. No. 3-4 (105-106), Moscow 2017 - pp. 24-29.] It is possible to determine the number of signatures at which the required performance is provided and the required delay of the data flow, which ensures the required quality of communication.

Reducing the number of signatures does not affect the security of the communication site due to the fact that when the facts of information and technical impacts are detected, the identified packets are separated from the processed information flow and analyzed separately from the main traffic.

Claims (1)

An adaptive system for monitoring information and technical impacts consists of a network traffic analyzer, a device for controlling the operation of the monitoring system, which consists of a block for entering normalized values of system performance parameters and signatures of computer attacks, the first output of which is connected to the input of a database of normalized values of system performance parameters, signatures of computer attacks and a threshold value of the correlation coefficient, the second output of the database of normalized values of the system performance parameters, signatures of computer attacks and the threshold value of the correlation coefficient is connected to the input of the visualization unit; a data processing and control device for a monitoring system, consisting of a monitoring system parameter evaluation unit, the second input of which is connected to the first output of the database of normalized system performance parameters, computer attack signatures and the threshold value of the correlation coefficient, the first output is connected to the first input of the visualization unit, the third the output is connected to the synthesis and configuration unit of the attack detection system; a computer attack detection device consisting of a signature switching unit, the input of which is connected to the output of the synthesis and configuration unit of attack detection systems, an attack identification and classification unit, the first output of which is connected to the second input of the visualization unit, characterized in that the output of the network traffic analyzer is connected to the input of the switching and matching device; the first output of the switching and matching device is connected to the first and second inputs of the intermediate calculations device, namely, to the first input of the unit for calculating the performance parameters of the monitoring system and the first input of the unit for calculating the correlation coefficients of the parameter values of the incoming and outgoing information flows; the second output of the matching and switching device is connected to the first input of the attack identification and classification unit; the output of the block for calculating the performance parameters of the monitoring system is connected to the first input of the block for evaluating the parameters of the monitoring system; the second input of the block for calculating the correlation coefficients of the parameter values of the incoming and outgoing information flows is connected to the first output of the database of the normalized values of the system performance parameters, signatures of computer attacks and the threshold value of the correlation coefficient, the third input of the block for calculating the correlation coefficients of the parameter values of the incoming and outgoing information flows is connected to the second the output of the unit for evaluating the parameters of the monitoring system, the output of the unit is connected to the first input of the signature reduction unit; the second input of the signature reduction unit is connected to the third output of the database of normalized system performance parameters, computer attack signatures and the threshold value of the correlation coefficient; the first output of the signature reduction unit is connected to the second input of the unit for calculating the performance parameters of the monitoring system; the control device for the operation of the monitoring system is supplemented with a manual control unit, the first input of which is connected to the output of the visualization unit, the first output is connected to the second input of the switching and matching device; the device for data processing and control of the monitoring system is supplemented with a block for selecting additional signatures, the first input of which is connected to the output of the manual control unit, the first output is connected to the visualization unit; the computer attack detection device is supplemented with a signature block, the first input of which is connected to the second output of the unit for inputting normalized values of the system performance parameters and computer attack signatures, the second input is connected to the first output of the signature switching unit, the first output is connected to the second input of the attack identification and classification unit, the second the output is connected to the second input of the additional signatures selection unit; the second output of the signature switching unit is connected to the second input of the manual control unit; the second output of the attack identification and classification unit is connected to the third input of the manual control unit.

Images