RU2751987C1 - Method for physical diversity of data reception and transmission paths in conditions of destructive program impact - Google Patents

Abstract

FIELD: telecommunications.SUBSTANCE: invention relates to the field of telecommunications, namely to methods for data transmission in communication systems. The technical result is achieved by consistent and reasonable physical blocking of the directions of execution of destructive program impact (DPI), upon detection thereof, on correspondents and communication network elements and complete physical blocking of the corresponding communication node of the DPI source upon detection thereof.EFFECT: increased protection of correspondents and communication network elements from destructive program impact.1 cl, 7 dwg

Description

The invention relates to the field of telecommunications, in particular to methods of data transmission in communication systems, and can be used in the design of communication networks and the development of data transmission protocols designed to ensure the transmission of user traffic in conditions of destructive software influences.

The development of digital and information technologies has led to the formation of the most complex system on Earth - the international information and telecommunication system, the resources of which are used by almost the entire world community in almost any sphere of life of the population, states, corporations, etc.

Communication networks and systems (information and telecommunication systems) belong to the class of large systems, the stages of design, implementation, operation and evolution of which are impossible without taking into account the interconnections and mutual influence of their properties, the consequences of various types of destructive influences (Sovetov B.Ya., Yakovlev S.A. “Modeling of systems.” - M .: Higher school, 2009, - 343 p.).

The increasing rates of development of communication networks, accompanied by the processes of globalization, determine the development of forms and methods of illegal processes in communication networks through destructive programmatic influences. The openness and architecture of communication networks, which are fragments of the international information and telecommunication system, contributes to the implementation of these destructive influences.

Often, the consequences of destructive programmatic influences (DPA) adversely affect the activities of consumers (both legal entities and individuals), the consequences for critical infrastructure can be especially significant. Modern, massively applied methods and methods of protecting correspondents (consumers) and elements of communication networks from DPV, related to internal destructive factors, are based on an object-based approach to protection [Klimov S.M., Sychev M.P., Astrakhov A.V. Countering computer attacks. Technological foundations: Electronic educational publication. - M .: MSTU named after N.E. Bauman, 2013.70 p .; Drobotun E.B. Theoretical foundations of building protection systems against computer attacks for automated control systems. Monograph. - SPb .: Science-intensive technologies, 2017. - 120 p., Ill.], Which consists in the implementation of the protection of correspondents and elements of communication networks directly in the place (physical and logical) of their location by software and hardware (firewalls (filters), crypto gateways, antivirus software, etc.). The implementation of this approach is accompanied by a variety of equipment and technologies used in communication networks in a wide range of indicators, which determines the technical complexity and a large list of hardware and software protection tools according to the values of their target indicators. In addition, these means have certain indicators of the protective potential, overcoming which is possible with DPA, which has an attack potential exceeding the defense. Therefore, it is necessary to develop new methods of data transmission in networks and communication systems, the introduction of which will allow timely blocking of destructive software influences and isolate their sources.

One of the promising directions for achieving this goal is the use of two aspects in data transmission methods:

1. Physical blocking of the direction (in the communication line) of destructive program influence.

2. Physical blocking of the corresponding communication center of the source of destructive program influence.

Terms and definitions used in the application.

Communication network (system) is a technological system that includes means and communication lines and is intended for telecommunications (Federal Law of July 7, 2003 N 126-FZ "On Communication").

Communication node - a set of technical means of communication that provide traffic (data) routing, provision of communication services and connection of users to the public network.

Switching node - a communication node where communication lines (channels and paths in it) are switched according to the route of the information direction.

Corresponding communication node - communication node to which the user (sender / receiver) of the information direction is connected.

Communication line - transmission lines, physical circuits and line-cable communication facilities.

A simple communication channel is a system of technical means and a signal propagation medium within a single channelization system for transmitting data from a sender to a receiver.

Composite information channel - two or more sequentially connected simple communication channels that provide data transfer between correspondents of the information direction in the form of physical signals corresponding to the type of communication lines.

Data block is a bit sequence transmitted as a whole between the elements of the information and telecommunication system. For various technologies, this is a package, container, etc.

Bandwidth is the maximum data transmission rate of the communication line (information direction).

Memory is a medium for storing data for a certain period of time. It has indicators of volume, read / write speed, etc.

Information direction - a set of technical means of communication, ensuring the transfer of data between correspondents (users).

Session is the time of continuous functioning of the information direction.

Routing is the process of determining the route of data transmission in communication networks.

Destructive software impact - any purposeful software and hardware impact on information and telecommunications facilities, leading to a violation or decrease in the efficiency of technological control cycles in the information system.

Known methods of data transmission, implemented on the basis of technology with circuit switching, which include such network technologies as PDH and SDH [B.S. Goldstein, N.A. Sokolov, G.G. Yanovsky. Communication networks: Textbook for universities. SPb .: BHV-Petersburg, 2014 .-- 400 p., Ill. S. 53-68, 271-284]. When switching channels in a communication network between correspondents, a continuous composite information physical channel is formed from sequentially connected intermediate simple communication channels. The data transfer process includes three stages:

1. Establishment of a duplex (bidirectional) channel. Before the data transfer begins, the channel connecting the source and the recipient of information must be switched, while signaling information is exchanged between the network nodes, as a result, the nodes of the entire route remember information about the new connection.

2. Data transmission. In this case, when transmitting data, each of the transit nodes uses the information stored at the stage of establishing the channel to determine the next node to which it is necessary to transfer information related to this connection.

3. Disconnection. As a rule, it occurs at the initiative of one of the parties. During disconnection, signaling information is transmitted along the entire route - the opposite side is notified of the termination of communication, and transit nodes release the resources allocated for this connection.

The disadvantages of this method are: the ability to implement DPV in any direction of the communication line at the same time; the need to implement object protection of correspondents and elements of the communication network, which does not exclude the implementation of DPA.

A known method of transmitting digital data [RF patent No. 2541838, publ. 02/20/2015]. The method consists in the fact that simultaneously transmitting useful data of many services with different characteristics, in real time build and maintain a communication network with the help of a central modem, using the main and alternative communication routes, to which they switch without losing additional time searching for routes when communication conditions change and communication devices are replaced. The list of addresses of subordinate communication devices is read from the central modem, defining the list of newly appeared and excluded from the communication network of devices; for the newly appeared devices, a selection of a suitable exchange protocol is made. The exchange protocols are adjusted to minimize the time for reading payload data from devices by grouping requests and responses into packets having a length close to the maximum buffer size of the communication network modems, where the types of requested data are marked with flags. The priority for each type of payload is set, parameters common to all devices are transmitted by transmission from the concentrator of broadcast packets, followed by control of the success of the command by reading the confirmation from each device, and the parameters are individually adjusted.

The disadvantage of this method is the lack of the possibility of physical resistance to destructive program influences and their sources in the conditions of the possibility of their action along any route (in the extreme case, along all routes) of the information direction.

Analysis and generalization of the theoretical foundations and practice of data transmission in shortwave (HF) radio communication networks using physical separation of the transmission and reception paths of correspondents in information directions, due to the peculiarities of the construction of HF (LW, VLV) radio lines, [Fundamentals of radio engineering and communication: a tutorial // P.P. Berezovsky. - Yekaterinburg: Ural Publishing House. University, 2017. - 212 p .; Complex of models for the functioning and control of the HF-band packet radio network // Belyaev D.O., Kanaev A.K., Prisyazhnyuk S.P., Sakharova M.A., Sorokin R.P. Proceedings of educational institutions of communication. 2020. T. 6. No. 1. S. 32-42 .; GOST R 55711-2013 Complex of technical means of automated adaptive HF (HF) duplex radio communication. Work algorithms. M .: Standartinform, 2018; Olifer V., Olifer N. Computer networks. Principles, technologies, protocols: Textbook for universities. 5th ed. - SPb .: Peter, 2016. - 992 p .: ill.] Made it possible to distinguish the following sequence of actions used in the proposed method as a prototype: set the composition and structure of the communication network, providing at least two physical routes in the information directions of correspondents, requirements for routes for the transmission of various categories of data, the required speeds for the transmission and reception paths in information directions; the sender generates a session data flow in the information direction, select a session routing algorithm in accordance with the category of transmitted data in the generated stream, determine the existing routes for the transmission and reception paths in the information direction in accordance with the transmission directions of radio links and specified rules, select the appropriate routes, transmit data blocks along selected routes, consisting of unidirectional radio lines, at each transit radio station (radio node) receive data blocks and transmit them over unidirectional lines in accordance with the received route, the receiver receives data blocks and sends a message about their successful reception to the sender.

The disadvantages of the prototype method is that the direction of operation of the radio lines cannot be changed, which excludes the possibility of manipulating them in order to block DPV and their sources.

The technical problem to be solved by the proposed invention is the high probability of the implementation of destructive software influences by attackers in modern communication networks included in the international information and telecommunication system, the result of systemic and technical solutions of which is the physical access of correspondents of information directions and sources of DPV to general telecommunication and information resources. In addition, the massively implemented object approach to the protection of a multitude of multi-level and heterogeneous correspondents and elements of communication networks is characterized by a variety of equipment and technologies used in a wide range of indicators, technical complexity and a large list of hardware and software protection means according to the values of their target indicators.

The technical problem is solved by sequential and reasonable physical blocking of the directions of implementation of destructive program influences, upon their detection, on correspondents and elements of the communication network, and complete physical blocking of the corresponding communication node of the source of DPV when it is detected.

The technical result consists in increasing the security of correspondents and elements of the communication network from destructive program influences due to controlled physical separation in the structure of the communication network of the transmission and reception paths of information directions, excluding the presence of a physical way of implementing destructive program influences. Thus, it is possible to implement the transition from the approach of object protection of correspondents and elements of communication networks to the approach of isolating sources of DPV.

The technical result is achieved by the fact that in the known method of data transmission, which consists in setting the composition and structure of the communication network that provide at least two physical routes in the information directions of correspondents, the requirements for the routes for the transmission of various categories of data, the required speeds for the receiving paths and transmissions in informational directions; the sender generates a session data flow in the information direction, select a session routing algorithm in accordance with the category of transmitted data in the generated stream, determine the existing routes for the transmission and reception paths in the information direction in accordance with the specified rules and select those corresponding to the requirements, transmit data blocks along the selected routes consisting of unidirectional communication lines, at each transit node receive data blocks and transmit them in accordance with the received route over unidirectional communication lines, the recipient receives the data blocks and sends a message about their successful reception to the sender; additionally placed on both sides of all communication lines controllable switches of unidirectional data transmission, additionally setting the rules for the separation of the transmission and reception paths, excluding their intersection on the physical elements of the network, remember the direction of data transmission in the communication lines; reveals destructive software influences on correspondents of the information direction and / or elements of the communication network arriving along the receiving and / or transmitting data paths and their sources, if the source of destructive software influences is not identified, then the direction of data flows on the communication lines of the route is changed and remembered, through which destructive software influences are carried out on correspondents of the information direction and / or elements of the communication network, on the opposite, they determine the existing routes in the path of the information direction with the changed direction of operation of the communication lines and select the appropriate one, correct the routes of the channels for receiving and / or transmitting data of other information directions that involved communication lines with changed directions of work; if the source of destructive program influences is identified, then all communication lines of the corresponding node of the source of destructive program influences are switched to the opposite direction, in relation to the node, the changes in the directions of data streams in these communication lines are remembered, the routes of the receiving and / or transmitting data of information directions are corrected, that used the corresponding node of the source of destructive program influences; after the end of the session, for the next session, in accordance with the specified requirements, the session routing algorithm is selected and the routes of the data transmission and reception paths are determined, taking into account the current transmission directions in the communication lines.

From the prior art, no solutions have been identified regarding methods for transmitting data in communication networks characterized by the claimed set of features, therefore, which indicates the compliance of the claimed method with the "novelty" condition of patentability.

The results of the search for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the prototypes of the features of the claimed invention, have shown that they do not follow explicitly from the prior art. From the prior art determined by the applicant, the knowledge of the influence of the essential features of the claimed invention on the achievement of the specified technical result has not been revealed. Therefore, the claimed invention meets the “inventive step” requirement of patentability.

The "industrial applicability" of the method is due to the presence of an element base, on the basis of which devices that implement the method can be made.

The claimed method is illustrated by drawings, which show:

fig. 1 is a block diagram of a method for physical separation of data transmission and reception paths under conditions of destructive software influences;

fig. 2 is a graphical representation of a bidirectional route of information direction AB in a communication network;

fig. 3 is a graphical representation of a bidirectional (duplex) communication line providing data transmission of a multichannel transmission system;

fig. 4 is a graphical representation of a communication line with controllable switches of the direction of data transmission, providing unidirectional data transmission of a multichannel transmission system;

fig. 5 - graphical representation of unidirectional routes of transmission / reception of data routes of information direction A-B of the correspondent A / B in a communication network with controlled unidirectional communication lines;

fig. 6 is a graphical representation of the reconfiguration of the route of the receiving path of the correspondent A in the information direction A-B as a result of DPV from the side of its source and blocking of the DPV by switching the direction of operation of the communication line through which the DPV arrives to the opposite;

fig. 7 is a graphical representation of blocking the source of DPV when it is detected by switching all communication lines of the corresponding node of the source of DPV to the opposite one.

The claimed method is implemented in the form of a simulation block diagram shown in FIG. one.

In block 1 of FIG. 1set:

- the composition and structure of the communication network, providing at least two physical routes in the information directions of correspondents. In this case, the structure of the network includes structural elements - nodes and communication lines. In this case, the topology and structure of the communication network are taken in accordance with the current telecommunications equipment of a real geographic fragment of the territory, or they are modeled using known methods for modeling fragments of communication networks invariant to real fragments of communication networks, using the methods described in [RF Patent 2546318, IPC G06F 17 / 10 (2006.01), G06F 17/50 (2006.01), H04W 16/22 (2009.01), publ. 04/10/2015; RF patent 2723296, IPC H04W 16/22 (2009.01), G06F 30/27 (2020.01), publ. 06/09/2020; Belikova I.S., Zakalkin P.V., Starodubtsev Yu.I., Sukhorukova E.V. Modeling of communication networks taking into account topological and structural inhomogeneities // Information systems and technologies. 2017. No. 2 (100). S. 93-101; Software. Bentley Fiber. Access mode: www.bentley.com/ru/products/product-line/utilities-and-communications-networks-software/bentley-fiber]. This action can be performed by performing operations on the algorithms developed and specified in the listed sources using a computer.

- R categories of data on various grounds - type of transmitted data, maximum delivery time, priority of data transmission, etc.;

- options for routing algorithms for various categories of data. The variant and criteria for the operation of the algorithms may depend on the category of transmitted data, the time of their relevance for correspondents, the category of protection of the transmitted information, requirements for the stability of the information direction, etc. Routing algorithms can be unique - developed anew for a specific task, or it is possible to use well-known algorithms and their modifications [Fundamentals of network technologies based on switches and routers / N.N. Vasin. Binomial. Knowledge laboratory, 2017 -270 p.]. For example: Dijkstra's algorithm (finds the shortest path from one of the vertices of the graph to all the others in the weighted graph. The weight of the edges must be positive); Bellman - Ford algorithm (finds the shortest paths from one vertex of the graph to all the others in the weighted graph. The weight of the edges can be negative); Search algorithm A * (finds the route with the lowest cost from one vertex (initial) to another (target, final), using the search algorithm by the first best match on the graph); Floyd - Warshall algorithm (finds the shortest paths between all vertices of a weighted directed graph); Johnson's algorithm (finds the shortest paths between all pairs of vertices of a weighted directed graph); Lee's algorithm (wave algorithm, finds a path between the vertices of a planar graph containing the minimum number of intermediate vertices (edges); Kildall's algorithm;

- requirements for routes that establish the procedure for applying the criteria for selecting a routing algorithm (by the type of transmitted data, maximum delivery time, priority of data transmission, etc.) and determining the conditions for selecting a routing algorithm for the current session in the information direction;

- the required speeds for the transmission and reception paths in information directions. The values of the volume of incoming and outgoing traffic of the correspondent differ from each other, and the differences can be significant. This leads to different requirements for the data transmission rate in the transmission and reception paths of the correspondent's information direction. Given the path spacing, there is no need for communication channels that provide two-way data transmission at a rate corresponding to the highest value in the two paths, which will reduce the load on the communication line by providing a path data transmission path with less traffic. The required speeds in the paths of the information direction can be static or dynamic, they are determined by the composition of communication services of each correspondent, the intensity, generated load in the information direction, its category;

- the rules for the separation of the transmission and reception paths of the correspondent of the information direction, excluding the intersection of these paths on the physical elements of the network. These rules apply to transit route elements. Users are connected to the communication network, in this case by duplex lines, so the diversity of the user's receiving and transmitting paths in the binding line and the corresponding node is impossible.

In block 2 of FIG. 1 is placed on both sides of all communication lines on one controllable unidirectional data transfer switch (POPD).

- линия привязки корреспондента к сети связи, сплошной утолщенной линией с указанием стрелками направления передачи

- двунаправленная линия связи маршрута информационного направления На фиг. 2 маршрут тракта приема данных корреспондента А от корреспондента Б обеспечивается одними и теми же узлами (40, 39, 36, 37) и линиями связи, что и маршрут тракта передачи данных от корреспондента А корреспонденту Б.Traditionally, transmission of signals (data streams) in the lines of a communication network is carried out in both directions (bi-directional transmission). A graphical representation of a bidirectional route of information direction A-B in a communication network is shown in FIG. 2, where A and B are the correspondents of the information direction, 31 - 47 are the nodes of the communication network, with a dotted line with arrows indicating the direction of transmission

- the line of the correspondent's binding to the communication network, a thick thick line with arrows indicating the direction of transmission

- bi-directional data link route In FIG. 2, the route of the data transmission path of correspondent A from correspondent B is provided by the same nodes (40, 39, 36, 37) and communication lines as the route of the data transmission path from correspondent A to correspondent B.

In such networks, transmission systems operate over communication lines with bi-directional transmission of signals in the medium. FIG. 3 shows a generalized diagram of a bidirectional (duplex) communication line providing data transmission of a multichannel transmission system in which:

24 - signal transmission medium,

25 - channel equipment (KO),

26 - linear equipment (LO),

27 - equipment of the linear transmission path (lane),

28 - equipment of the linear receiving path (pr).

Placing controllable switches for unidirectional data transmission at the ends of communication lines allows realizing unidirectional data transmission in communication lines.

Unidirectional data transmission, for example, can be achieved by using diodes [Diodes and thyristors. Under. Common Ed. A.A. Chernysheva. M .: Energiya, 1976. - 200 p., Ill.] In electrically conductive systems, or optical insulators [Yu. Yurchuk. Optical isolators // Photonics, no. 5/59. 2016. - P. 34-41] in optical systems that transmit optical radiation in one direction.

. Маршрут тракта передачи корреспондента А в информационном направлении А-Б обеспечивается узлами связи №№ 40, 41, 42, 37 фиг. 5 и обозначен утолщенной линией со стрелкой, указывающей направление передачи

. Маршрут тракта приема корреспондента А в информационном направлении А-Б обеспечивается узлами связи №№ 37, 36, 39, 40, фиг. 5). Таким образом, обеспечивается разнесение трактов приема и передачи данных систем передачи данных при их прохождении через транзитные узлы связи.The switch for unidirectional data transmission can be represented in the form of a diode circuit consisting of two diodes and a switch that switches the communication line to one of the diodes (unit 29, Fig. 4). The first diode is open for the receive path (unit 26, Fig. 4) of the linear equipment (LO) (unit 28, Fig. 4) of the station semi-set of the data transmission system, and the second is open for the transmission path (Unit 27, Fig. 4) (has the opposite direction with respect to the first diode). The presence of the key does not allow connecting both diodes at the same time, and the unidirectionality of the diode does not allow connecting simultaneously opposite paths of the transmission system through the key in one of the positions. The station semi-set from the opposite side of the communication line is connected to the line by the opposite path (i.e., if one semi-set is connected to the line by the transmitting path, then the second semi-set is connected to the receiving path). Semi-sets of other transmission systems, to this communication line, are connected through the same POPD. Thus, the communication line (including the transmission medium (block 24, Fig. 4)) becomes unidirectional, formed by the channel-forming equipment (CC) (block 25, Fig. 4) of the transmission system N communication channels (cs) also, within the stream data (line spectrum) have only one path in the communication line. The second path of communication channels and transmission systems is connected to another communication line. FIG. 5 shows a graphical representation of unidirectional routes of transmission / reception of data routes of information direction A-B of correspondents A and B in a communication network with controlled unidirectional communication lines, where 31 - 47 are the nodes of the communication network. All communication lines between nodes of a given communication network are unidirectional, the transmission direction of which in FIG. 5 shown by symbol

... The route of the transmission path of the correspondent A in the information direction AB is provided by communication nodes No. 40, 41, 42, 37 of FIG. 5 and indicated by a thickened line with an arrow indicating the direction of transmission

... The route of the receiving path of the correspondent A in the information direction AB is provided by communication nodes No. 37, 36, 39, 40, FIG. five). Thus, the separation of the data transmission and reception paths of the data transmission systems is ensured as they pass through the transit communication nodes.

In block 3, the sender forms a session data flow in the information direction, the characteristics of which (the type of transmitted data, the maximum delivery time, the priority of data transmission, etc.) determine the conditions for selecting the routing algorithm for the current session in the information direction.

In block 4, a session routing algorithm is selected in accordance with the category of transmitted data in the generated stream. Routing, as a rule, is a multicriteria task, therefore the conditions for choosing an algorithm should rank these criteria - determine the sequence of application of the selection criteria.

In block 5, the existing routes for the transmission and reception paths in the information direction are determined in accordance with the specified rules. Determination of routes can be carried out using a computer according to well-known algorithms [Starodubtsev P.Yu., Sukhorukova E.V., Zakalkin P.V. Method of managing data flows of distributed information systems // Problems of Economics and Management in Trade and Industry. 2015. No. 3 (11). S. 73-78; Fundamentals of network technologies based on switches and routers / N.N. Vasin. Binomial. Knowledge laboratory, 2017 -270 p .; Patent 2690213 Russian Federation, G06N 5/00 (2018.08); H04W 16/22 (2018.08). A method for modeling the optimal variant of the topological placement of a set of informationally interconnected subscribers on a given fragment of a public communication network / A.A. Vershennik, E.V. Vershennik, N.A. Latushko, Yu.I. Starodubtsev, applicant N.A. Latushko, Starodubtsev Yu.I. - 2018118104; app. 05/16/2018; publ. 05/31/2019. bull. No. 16 - 17 p.]. Routes are determined in pairs for the transmission and reception path of the correspondent, in accordance with their rules for spacing, between the corresponding nodes of the information direction.

In block 6, the routes corresponding to the requirements in the data transmission and reception paths are selected, taking into account the rules for their spacing specified in the initial data.

In block 7, the direction of data transmission in the communication lines is stored.

In block 8, data blocks are transmitted along selected routes consisting of unidirectional communication lines.

In block 9, data blocks are received at each transit node. The transmission and reception of data blocks is carried out by means of transmission systems (for example, the Volga DWDM system of the T8 company; access mode: "http://t8.ru/?page_id=3600", date of treatment 10/08/2020)

In block 10, data blocks are transmitted in accordance with the received route over unidirectional communication lines. Routing can be done by various means (router [for example, Cisco NCS 5500 series routers; access mode: https://www.cisco.com/c/en/us/products/routers/network-convergence-system-5500- series / index.html, access date 10/08/2020], a switch with routing function [for example, ML-IPSW2516-4SFP-IND switch of Mikrolink-Svyaz company; access mode: http://microlink.ru/ml-ipsw/ , date of treatment 09/19/2020]).

In block 11, destructive software influences on correspondents of the information direction and / or elements of the communication network arriving through the channels of receiving and / or transmitting data and their sources are detected

Destructive software influences - any purposeful software and hardware impact on information and telecommunication means, leading to a violation or decrease in the efficiency of technological control cycles in the information system [Klimov S.M., Sychev M.P., Astrakhov A.V. "Experimental assessment of countering computer attacks at the test site"]. Identification of destructive program influences (DPA) is possible on the basis of establishing deviations of the characteristics of the indicators of the network elements from their standard ranges of values in the current operating modes and at the current load [Evaluation of the effectiveness of destructive program influences on communication networks / E. V. Grechishnikov, M. M. Dobryshin. Control, communication and security systems, No. 2, 2015. - P. 135-146].

Detection of WPVs and their sources is possible, for example, by means of the FORPOST intrusion detection system (SOA) [FORPOST intrusion detection system version 2.0 Electronic resource of access: http://www.rnt.ru/ru/production/detail.php ? ID = 19 ". In the case of detection of SOA DPV for all pairs "source of DPV - object of influence" determine the extreme node from which the IP packets were received, defined by the SOA as DPV. The route is determined using the tracert utility. [Using the TRACERT command to troubleshoot TCP / IP problems on Windows. Electronic resource. Access mode: https://support.microsoft.com/en-us/help/314868.] This utility is one of the most commonly used network diagnostic tools. Its main purpose is to obtain a chain of nodes through which an IP packet passes, addressed to an end node, the name or IP address of which is specified by a command line parameter. The result of the utility operation will be the route along which the packets determined by the SOA passed as DPV, where the last router will be the router from which these packets were received.

In block 12 of Fig. 1, the fact of identifying the source of destructive program influences is monitored.

, направление деструктивного программного воздействия в сети связи обозначено стрелкой с соответствующей надписью ДПВ

. Изменение направления потоков данных в линиях осуществляется посредством управляемых переключателей однонаправленной передачи данных (блок 2, фиг. 1), размещенных по обеим сторонам линий связи (бл. 29, фиг. 4). Изменение направления потоков данных в линии между узлами 39 и 40 фиг. 6 обозначено при помощи условного обозначения

. Выполнение данного действия исключает осуществление деструктивных программных воздействий на корреспондентов информационного направления и/или элементы сети связи по сформированному маршруту проведения ДПВ.If the source of WPV is not detected, then in block 13 of FIG. 1 change the direction of data streams in the communication lines of the route, by means of which destructive program actions are carried out on the correspondents of the information direction and / or elements of the communication network, to the opposite. For example, in the implementation of DPD through the communication line between the nodes 39, 40 (Fig. 6), the direction of data flows in it is reversed. FIG. 6 Correspondent A of information direction AB, subjected to destructive program influence, is indicated by a gray circle, the source of destructive program effects (IDPV) is indicated by a gray triangle, the IDPV reference line is indicated by a dashed line with an arrow indicating the direction of DPV transmission

, the direction of destructive program action in the communication network is indicated by an arrow with the corresponding inscription ДПВ

... Changing the direction of data streams in the lines is carried out by means of controlled switches of unidirectional data transmission (block 2, Fig. 1), located on both sides of the communication lines (block 29, Fig. 4). Changing the direction of the data streams on the link between nodes 39 and 40 of FIG. 6 indicated by the symbol

... The implementation of this action excludes the implementation of destructive programmatic influences on the correspondents of the information direction and / or elements of the communication network along the formed route of the DPA.

At block 14 of FIG. 1 store changes in the directions of data transmission in communication lines.

At block 15 of FIG. 1 define the existing routes in the path of the information direction with the changed direction of the communication lines. Determination of routes can be carried out using a computer according to well-known algorithms [Starodubtsev P.Yu., Sukhorukova E.V., Zakalkin P.V. Method of managing data flows of distributed information systems // Problems of Economics and Management in Trade and Industry. 2015. No. 3 (11). S. 73-78; Fundamentals of network technologies based on switches and routers / N.N. Vasin. Binomial. Knowledge laboratory, 2017 -270 p .; Patent 2690213 Russian Federation, G06N 5/00 (2018.08); H04W 16/22 (2018.08). A method for modeling the optimal variant of the topological placement of a set of informationally interconnected subscribers on a given fragment of a public communication network / A.A. Vershennik, E.V. Vershennik, N.A. Latushko, Yu.I. Starodubtsev, applicant N.A. Latushko, Starodubtsev Yu.I. - 2018118104; app. 05/16/2018; publ. 05/31/2019. bull. No. 16 - 17 p.]. Routes are determined in pairs for the transmission and reception path of the correspondent, in accordance with their separation rules, between the corresponding nodes of the information direction (for example, the route of the transmission path of the correspondent A in the information direction A-B remains unchanged (provided by communication nodes No. 40, 41, 42, 37, Fig. 6), since no DPVs were detected in it; the route of the receiving path of the correspondent A in the information direction A-B was changed taking into account the rules for the separation of paths (provided by communication nodes No. 37, 36, 35, 34, 38, 40, Fig. 6), bypassing the communication center (No. 39, Fig. 6) from the side of which, along the above line, DPV was carried out).

In block 16, the routes corresponding to the requirements are selected taking into account the rules for their spacing specified in the initial data.

In block 17, the routes of the channels for receiving and / or transmitting data of other information directions, which used communication lines with changed directions of operation, are corrected. Correction of routes is carried out on the basis of actions carried out in blocks 15-16.

The use of resources of permanent memory of telecommunication equipment of communication centers will ensure the integrity of data streams, the violation of which arises as a result of time delays [RF patent No. 2734021 C1, H04L 12/54, publ. from 10/12/2020], appearing when performing actions of blocks 13-17, 18-20.

. Изменение направления потоков данных в линиях осуществляется посредством управляемых переключателей однонаправленной передачи данных (бл. 2, фиг. 1), размещенных по обеим сторонам линий связи (бл. 29, фиг. 4). Выполнение данного действия исключает возможность целевого функционирования источника ДПВ по отношению к любому объекту сети кроме его корреспондирующего узла связи. Так как корреспондирующий узел связи не будет иметь ни одной исходящей линии связи, то все информационные направления, использующие его как транзитный узел, изменят свои маршруты с исключением данного узла.If in block 12 of FIG. 1 revealed the fact of establishing the source of destructive program influences, then in block 18 of FIG. 1 switch all communication lines of the corresponding node of the source of destructive software influences to the opposite direction, in relation to the node, which allows physically blocking the data transmission from this node (for example, changing the direction of the data flow in the communication lines between nodes 34, 39 and 40, 39 leads to the fact that node 39 has no transmission lines - therefore, this node is blocked for transmission until the threat of DPV is eliminated (39, Fig. 7). In Fig. 7, the blocked corresponding communication node of the source of destructive program influences 39 is shaded

... Changing the direction of data streams in the lines is carried out by means of controllable switches for unidirectional data transmission (unit 2, Fig. 1), located on both sides of the communication lines (unit 29, Fig. 4). The implementation of this action excludes the possibility of the target functioning of the source of DPV in relation to any network object except for its corresponding communication node. Since the corresponding communication node will not have a single outgoing communication line, all information directions using it as a transit node will change their routes with the exception of this node.

Thus, it is possible to implement the transition from the approach of object protection of correspondents and elements of communication networks to the approach of isolating sources of DPV.

In block 19, changes in the directions of data transmission in communication lines are stored.

In block 20, the routes of the channels for receiving and / or transmitting data of information directions are adjusted, which involved the corresponding node of the source of destructive program influences. Correction of routes is carried out on the basis of actions carried out in blocks 15-16.

In block 21, the recipient receives the data blocks and in block 22 sends a message to the sender about the successful reception of the data blocks. The frequency of the check can be set for the worst case [RF patent No. 2623791 C1, G06F 19/00, G05B 23/00, publ. 06/29/2017], or optimized in accordance with the intensity of changes in the indicators of the state of the system elements [RF patent No. 2718152 C1, G06F 17/10, G05B 23/00, publ. 03/30/2020].

In block 23, the degree of completion of the session is checked at a predetermined frequency.

If the current session of the information direction is not completed (not all data blocks are received), then go to block 11.

If all data blocks have been received, then the current traffic session ends. After the end of the session, for the next session, in accordance with the specified requirements, the session routing algorithm is selected and the routes of the data transmission and reception paths are determined, taking into account the current transmission directions in the communication lines.

Thus, due to the controlled physical diversity in the structure of the communication network of the transmission and reception paths of information directions, excluding the presence of a physical path for the implementation of destructive program influences, the protection of correspondents and elements of the communication network from destructive program influences is increased.

Claims (1)

The method of distributed data transmission in conditions of destructive software influences, which consists in the fact that the composition and structure of the communication network that provide at least two physical routes in the information directions of correspondents, the requirements for routes for the transmission of various categories of data, the required speeds for the transmission and reception paths in directions, the sender generates a session data flow in the information direction, select a session routing algorithm in accordance with the category of transmitted data in the generated stream, determine the existing routes for the transmission and reception paths in the information direction in accordance with the specified rules and select those corresponding to the requirements, transmit data blocks along the selected routes, consisting of unidirectional communication lines, at each transit node receive data blocks and transmit them in accordance with the accepted route along unidirectional communication lines, the receiver receives data blocks and transmits to the sender a message about their successful reception, characterized in that they place controllable switches for unidirectional data transmission on both sides of all communication lines, additionally set the rules for the separation of the transmission and reception paths, excluding their intersection on the physical elements of the network, remember the direction of data transmission in the lines communications, reveal destructive software influences on correspondents of the information direction and / or elements of the communication network arriving through the receiving and / or transmitting data paths and their sources, if the source of destructive software influences is not identified, then the direction of the data flows on the communication lines of the route is changed and remembered, by means of which destructive software influences are carried out on the correspondents of the information direction and / or elements of the communication network, on the opposite, they determine the existing routes in the path of the information direction with the changed direction of the communication lines and choose the corresponding according to the requirements, they correct the routes of the receiving and / or transmitting paths of other information directions that used communication lines with changed directions of work, if the source of destructive program influences is identified, then they switch all communication lines of the corresponding node of the source of destructive program influences to the direction opposite to the node, memorize changes in the directions of data streams in these communication lines, correct the routes of the channels for receiving and / or transmitting data of information directions that involved the corresponding node of the source of destructive program influences, after the end of the session, for the next session again, in accordance with the specified requirements, select the session routing algorithm and determine the routes paths for receiving and transmitting data, taking into account the current transmission directions in communication lines.

Images