RU2760099C1 - Method for selecting and substantiating the tactical and technical characteristics of the protection system against group heterogeneous computer attacks for the medium term - Google Patents

Abstract

FIELD: communication network protection.

SUBSTANCE: invention relates to the field of systems for protecting communication networks for various purposes from information and technical influences and can be used to build protection systems against group heterogeneous computer attacks for the medium term. The expected result is achieved by predicting the development of the quantitative and qualitative composition of computer attacks for the medium term, modeling computer attacks with specified parameters, on the basis of which a list of subsystems of the communication element protection system against computer attacks is determined, then based on the simulation results, the aforementioned protection system is formed, after which the effects of group heterogeneous computer attacks are simulated, the security of the communication element is evaluated and, if necessary, the composition of the protection system is clarified. After selecting the composition of the communication element protection system that meets the requirement, the composition of the mentioned system is clarified, taking into account the funds invested in the composition of this system.

EFFECT: increase in the security of communication network elements from group heterogeneous computer attacks in the medium term due to a reasonable choice of subsystems of the system for protecting communication network elements from computer attacks, taking into account the change in the quantitative and qualitative composition of computer attacks used in the medium term, assessing the ability of subsystems of the computer attack protection system to counteract group computer attacks.

1 cl, 4 dwg

Description

The invention relates to the field of protection systems for communication networks for various purposes from information and technical influences and can be used to build protection systems against group heterogeneous computer attacks for the medium term.

The development of systems for protecting elements of communication networks from computer attacks requires a significant time resource, at the same time, the quantitative and qualitative composition of computer attacks applied to the communication element during the development period of the mentioned system changes, which leads to the fact that the developed system does not meets the requirements for the protection of elements of communication networks from computer attacks.

Also, existing approaches to the formation of the composition of the system for protecting elements of communication networks from computer attacks protect against single computer attacks, however, at present, cybercriminals are increasingly using several computer attacks coordinated in place and time.

To reduce the cost of developing a system for protecting the nodes of a communication system from group heterogeneous computer attacks, standard systems are used, however, as practical experience shows, elements of a communication system that apply different physical principles of information transmission are accordingly exposed to various types of computer attacks.

Terms and Definitions:

1. Medium-term period - a period lasting over one year and up to 57 years (Economics and law: dictionary-reference book. - M .: University and school. 2004. L.P. Kurakov, V.L. Kurakov, A.L. Kurakov ).

2. The system of protection of group heterogeneous computer attacks is understood as a combination of interacting elements organized to ensure the protection of the communication network from various computer attacks (GOST R ISO / IEC 15288-2005 Information technology (IT). System engineering. Processes of the life cycle of systems).

3. An element of the protection system for group heterogeneous computer attacks is understood as a hardware, software or hardware-technical solution that provides protection against these threats.

4. Group heterogeneous computer attacks mean the use of several classes of computer attacks in the course of one impact (Dobryshin MM Model of heterogeneous computer attacks carried out simultaneously on a computer communication network node / Telecommunications No. 12. - 2019, pp. 31-35).

5. Communication network - a technological system that includes means and communication lines and is intended for telecommunications or postal communications (RF Law "On Communications", article 2, paragraph 24).

6. Tactical and technical characteristics of a system - a set of quantitative characteristics of a sample (complex) of military equipment, ordered according to a certain concept, which determine its properties (combat capabilities) (Dictionary of military terms. - Moscow: Military Publishing House. AM Plekhov, S.G. Shapkin. 1988).

The state of the art known "Method and device for selecting the preferred means of protecting information" (RF Patent No. 2558238 G06F 15/16, G06F 17/00, Published: 07/27/2015), based on the use of the estimated sample, consisting of standardized unit quality indicators that allow create two benchmarks with an average quality level and a better quality level. Based on the use of these standards, the preferred object with the greatest complex quality indicator is selected from the entire set of evaluated means.

The known "Method for choosing cost-effective options for building a protection system against computer attacks" (RF Patent No. 2649447 G06F 21/00 (2013.01), G06Q 40/06 (2012.01), G06F 17/30 (2006.01). Published: 03.04.2018 Byul No. 10), which includes the stage of filling in the database describing the functions implemented by each of the available for use by means of protection against computer attacks and the database of characteristics of each of the means of protection against computer attacks available for use; the stage of assessing the cost of the life cycle of each alternative option for building a protection system against computer attacks; the stage of formation of affordable construction options, during which, using the life cycle costs of alternative options for building a protection system against computer attacks recorded at the previous stage, such options for building a protection system are selected, the life cycle cost of which does not exceed the specified one.

The closest in technical essence and functions performed by the analogue (prototype) to the claimed is "A method of building a protection system against computer attacks for automated control systems" (RF Patent No. 2642374 G06F 21/57 (2013.01). Published: 24.01.2018 Bul. No. 3 ) including the stage of forming a set of all possible options for constructing subsystems of the protection system against computer attacks, during which, using the method of morphological analysis implemented with the help of a computer, a set of possible options for constructing a subsystem for detecting computer attacks, many possible options for constructing a subsystem for countering computer attacks and a set of possible options for constructing a subsystem for eliminating the consequences of the use of computer attacks, while in order to reduce the number of possible options for constructing subsystems for the parameters of elements of subsystems with smoothly varying values, they take the minimum, average and maximum values; the stage of forming a set of all possible options for building a protection system against computer attacks, during which, using a computer-assisted method of morphological analysis, based on the sets of possible options for building subsystems obtained at the previous stage, a set of all possible options for building a system for protecting against computer attacks is formed , which is written into the computer memory; the stage of assessing the cost and required resources of options for building a protection system against computer attacks, the input of which with the help of a computer determines the cost and resources required for the functioning of all options for building a system from the set of options formed at the previous stage, using a computer, select options, cost and consumed resources which do not exceed the specified ones, and then from these selected options form a set of options for building a protection system against computer attacks that meet the requirements for cost and consumed resources, which is recorded in the computer memory; the stage of evaluating the effectiveness of options for building a protection system against computer attacks, the input of which, using testing using a computer, determines the effectiveness of options for building a protection system from the set formed at the previous stage, select options whose effectiveness is equal to or exceeds the required one, and then form many options for building a protection system against computer attacks that meet the requirements for efficiency, while the security factor of the automated control system and the recovery time of the automated control system after the use of computer attacks are used as performance indicators; the stage of assessing the degree of influence of the options for building a protection system on the performance of the protected automated control system, the input of which evaluates the level of decrease in the performance of the protected automated control system when introducing into its composition options for the protection system against computer attacks that meet the efficiency requirements from the set formed at the previous stage, and choose a rational option for constructing a protection system against computer attacks with a minimum level of degradation in the performance of the protected automated control system, while as an indicator of the level of performance degradation, a complex performance degradation factor is used, which includes a degradation factor for the technical component of the protected system and a degradation factor for the service provider of the protected system staff.

Technical problem: low security of communication network elements from group heterogeneous computer attacks in the medium term, caused by an insufficiently substantiated choice of subsystems for protecting communication network elements from computer attacks due to changes in the quantitative and qualitative composition of applied computer attacks in the medium term, lack of assessment of the ability of the system subsystems protection against computer attacks to counteract group computer attacks, as well as an insufficiently justified choice of the composition of the protection system for elements of communication networks with limited funds for the formed protection system.

Solution of a technical problem: on the basis of predicting the development of the quantitative and qualitative composition of computer attacks for the medium term, computer attacks are simulated with refined parameters, on the basis of which a list of subsystems of the system for protecting communication network elements from computer attacks is determined, then, based on the simulation results, the mentioned protection system is formed, after that, simulations of the impact of group heterogeneous computer attacks are carried out, the security of the communication element is assessed and, if necessary, the composition of the protection system is clarified. After choosing the composition of the protection system of the communication element that satisfies the requirement, the composition of the said system is specified, taking into account the funds laid down for the composition of this system.

EFFECT: increased security of communication network elements from heterogeneous group computer attacks for the medium term, due to a reasonable choice of subsystems of the system for protecting communication network elements from computer attacks, taking into account the change in the quantitative and qualitative composition of applied computer attacks in the medium term, assessing the ability of subsystems of the protection system against computer attacks. attacks to counteract group computer attacks.

The technical result is achieved by developing a method for selecting the tactical and technical characteristics of the system of protection against group heterogeneous computer attacks for the medium term, in which the following actions are performed: measure the damage from various types of computer attacks to the elements of the protected communication network and store the measured values of damage in the database; define a variety of options for building a protection system against computer attacks, which include the elements of the protection system necessary to counter the selected types of computer attacks, links between the specified elements of the protection system, certain options for building the protection system are stored in the database; many options for building a protection system against computer attacks are presented as all possible combinations of specified protection means; determine the values of the used resources of the options for constructing the protection system against computer attacks and the influence of the options for constructing the protection system on the performance of the communication network elements, the values of the used resources of the communication network elements are stored in the database; comparing the calculated values of the parameters characterizing the influence of the options for constructing the protection system against computer attacks on the performance of the elements of the communication network with the permissible value; if the calculated values of the parameters of the influence of the options for constructing the protection system against computer attacks on the performance of the communication network elements are greater than the permissible value, then the corresponding option for constructing the system for protecting against computer attacks is excluded from the admissible options; compare the security of all elements of the communication network subjected to various group heterogeneous computer attacks with a threshold value of damage from various types of computer attacks, if the security of all elements of the communication network subjected to various group heterogeneous computer attacks is less than the threshold value of damage from various types of computer attacks, then the corresponding option for building a protection system from computer attacks is excluded from the acceptable options from the database; determine the costs for the development of elements of the protection system against computer attacks, necessary to counter the applied types of computer attacks, the values of these costs are saved in the database; compare the previously calculated costs of developing protection against computer attacks with the amount of funds allocated for the development of a protection system; if the costs of developing protection against computer attacks are less than or equal to the amount of funds allocated for the development of a protection system, then the optimal option for building a protection system against computer attacks is chosen, maximizing the value of the security of the communication network elements with minimal costs for building a protection system acts as an optimization criterion.

According to the invention, additional input data is introduced, including: information on computer attacks: statistical data on the number of different types of computer attacks for an exceeding period of observation of the considered elements of communication networks and analogs in third-party networks; statistical data on the parameters of various types of computer attacks for an exceeding period of observation of the considered elements of communication networks and analogues in third-party networks; statistical data on damage from various types of computer attacks for a period exceeding the observation period for the considered elements of communication networks and analogues in third-party networks; statistical data on the costs of developing a given type of computer attacks; statistical data on the share of computer attacks by type of industry; information about the protected element of the communication network: the values of the parameters of the communication network lines, describing their operational characteristics; the values of the parameters of the nodes of the communication network, describing their operational characteristics; the values of the parameters describing the topology of building the protected communication network; the values of the parameters of the applied protection against computer attacks, describing their operational characteristics; the values of the parameters of the influence of means of protection against computer attacks on the protected element of the communication network; the minimum permissible values of the parameters, operational characteristics of the communication network lines required to perform the tasks as intended; minimum permissible values of parameters, operational characteristics of communication network nodes, necessary to perform tasks as intended; threshold value of damage from various types of computer attacks; the permissible value of the influence of the options, the construction of a protection system against computer attacks on the performance of the elements of the communication network; the amount of funds for the development of a protection system; predict for the medium term the use of computer attacks by cybercriminals using automated tools of the theory of neural networks, based on the forecast of changes in the number of various types of computer attacks in the medium term, the forecast of changes in the values of the parameters of various types of computer attacks in the medium term, and the forecast of changes in damage from various types of computer attacks on medium-term period, forecasting changes in costs for the development of various types of computer attacks for the medium-term period, determining correction factors taking into account the use of various types of computer attacks on the elements of the protected communication network of the selected industry; taking into account the quantitative and qualitative composition of the predicted computer attacks, simulation models of the mentioned computer attacks are formed on the basis of hardware, software and software; form a simulation model of the protected communication network, consisting of formed models of various types of elements included in the protected communication network, based on hardware, software and software, taking into account the model of interaction of open systems, as well as formed models of various types of communication lines that unite elements of the protected communication network taking into account the model of interaction of open systems; simulate various types of computer attacks on models of various types of communication network elements, taking into account the destructive impact of computer attacks on different levels of the model of interaction of open systems; rank the measured values of damage from various types of computer attacks, based on a comparison of the ranked values of damage and threshold values of damage from various types of computer attacks, determine the list of computer attacks that can damage an element of the communication network; form simulation models of a protection system against computer attacks of each of the options for building a protection system for all elements of a communication network based on hardware, software and software; simulate various types of computer attacks based on the use of hardware, software and software on models of various types of elements included in the protected communication network, taking into account the models of previously defined options for building a system for protecting communication network elements from computer attacks; the values of the decrease in productivity from the use of the specified option stored in the database are compared with the measured damage from various types of computer attacks for the elements of the protected communication network; the saved values of the costs necessary for the development of protection elements are compared with the measured damage from various types of computer attacks for the elements of the protected communication network; if, when comparing the costs of developing protection against computer attacks with the amount and available funds for developing a protection system, the condition is not met, then the corresponding option for building a protection system against computer attacks is excluded from the acceptable options; output in a formalized form the values of the parameters characterizing the tactical and technical characteristics of the elements and the scheme of building the protection system for each type of elements of the communication system, as well as information about computer attacks from which a certain version of building the protection system does not provide protection, and save in the database, for generating a report; if, after excluding the options for building protection systems against computer attacks, at least one option is absent in the database, then the tactical and technical characteristics of the corresponding element of the protection system are changed, after which the possible options for building the protection system; if, after excluding options for building protection systems against computer attacks, at least one option is absent in the database, then deviations between the value of the required resources for the functioning of options for building a protection system against computer attacks and the permissible value are determined; based on the ranked damage values and the associated values of the resources used for the selected type of communication network element, when using the considered option for building a protection system, the composition of the communication network protection system from computer attacks is changed, by reducing the elements that provide protection against computer attacks that can cause the least damage, refined options for building the system protection and stored in a database for further processing; information about computer attacks, from which a certain variant of building a protection system does not provide protection, is saved to generate a report; if, after excluding the options for building protection systems against computer attacks, at least one option is missing in the database, then the deviation values between the costs of developing the protection system and the available funds for developing the protection system are determined; on the basis of the ranked values of damage and the values of the costs associated with the development of elements of the protection system against these computer attacks, the elements of the system for protecting the communication network from computer attacks are determined by reducing the elements that provide protection against computer attacks that can cause the least damage.

The listed new set of essential features provides an increase in the security of communication network elements from heterogeneous group computer attacks for the medium term, due to the reasonable choice of subsystems of the system for protecting communication network elements from computer attacks, taking into account the change in the quantitative and qualitative composition of the applied computer attacks in the medium term, assessing the ability of the system subsystems protection against computer attacks to counteract group computer attacks, as well as a reasonable choice of the composition of the protection system of the communication element with limited funds for the formed protection system.

The results of the search for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the prototypes of the features of the claimed invention, have shown that they do not follow explicitly from the prior art. From the prior art determined by the applicant, the knowledge of the influence of the essential features of the claimed invention on the achievement of the specified technical result has not been revealed. Therefore, the claimed invention meets the "inventive step" requirement of patentability.

The analysis of the prior art made it possible to establish that there are no analogs characterized by sets of features identical to all features of the claimed method. Therefore, the claimed invention meets the "novelty" requirement of patentability.

The "industrial applicability" of the method is due to the presence of an element base, on the basis of which devices that implement this method can be made to achieve the result specified in the invention.

The claimed method is illustrated by drawings, which show:

fig. 1 - generalized structural and logical sequence of functioning of the method for determining the composition of the protection system of a communication network element against group heterogeneous computer attacks for the medium term;

fig. 2 - sequence of forecasting the quantitative and qualitative composition of computer attacks used in the medium term;

The claimed method is illustrated by the structural and logical sequence (Fig. 1), where in block 1 input data, including:

,

,

- количество видов компьютерных атак), за предшествующий период наблюдения за рассматриваемыми элементами сетей связи и аналогами в сторонних сетях; статистические данные о параметрах различных видов компьютерных атак (

), за период превышающий период прогнозирования (в качестве примера возможно использование статистических данных сформированных компанией Positive Technologies (Актуальные киберугрозы. II квартал 2019)); статистические данные об ущербе от различных видов компьютерных атак (

) за период превышающий период прогнозирования; статистические данные о затратах на разработку i-о вида компьютерных атак (

), за период превышающий период прогнозирования (в качестве примера возможно использование статистических данных сформированных Центральным банком России (Отчет Центра мониторинга и реагирования на компьютерные атаки в кредитно-финансовой сфере Главного управления безопасности и защиты информации Банка России. За период с 01 июня 2015 г. по 31 мая 2016 г.)); статистические данные о доли компьютерных атак по видам отраслей (

) (в качестве примера возможно использование статистических данных сформированных компанией Positive Technologies (Рынок преступных киберуслуг 2018));information on computer attacks: statistics on the number of different types of computer attacks (

,

,

- the number of types of computer attacks), for the previous period of observation of the considered elements of communication networks and analogues in third-party networks; statistical data on the parameters of various types of computer attacks (

), for a period exceeding the forecasting period (as an example, it is possible to use statistical data generated by Positive Technologies (Actual cyber threats. II quarter 2019)); statistical data on damage from various types of computer attacks (

) for a period exceeding the forecasting period; statistical data on the costs of developing the i-type of computer attacks (

), for a period exceeding the forecasting period (as an example, it is possible to use statistical data generated by the Central Bank of Russia (Report of the Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sphere of the Main Directorate for Security and Information Protection of the Bank of Russia. until May 31, 2016)); statistical data on the share of computer attacks by type of industry (

) (as an example, it is possible to use statistical data generated by Positive Technologies (Market of criminal cyber services 2018));

,

,

- количество видов линий сети связи); значения параметров узлов сети связи, описывающие их эксплуатационные характеристики (

,

,

- количество видов узлов сети связи); значения параметров описывающих топологию построения защищаемой сети связи (

,

,

- количество линий сети связи); значения параметров применяемых средств защиты от компьютерных атак, описывающие их эксплуатационные характеристики (

,

,

- количество видов средств защиты от компьютерных атак); значения параметров влияния средств защиты от компьютерных атак на защищаемый элемент сети связи (

); минимально допустимые значения параметров эксплуатационных характеристик линий сети связи, необходимых для выполнения задач по предназначению (

); минимально допустимые значения параметров эксплуатационных характеристик узлов сети связи, необходимых для выполнения задач по предназначению (

); пороговое значение ущерба от различных видов компьютерных атак (

); допустимое значение влияния вариантов построения системы защиты от компьютерных атак на производительность элементов сети связи (

); заданными средствами на разработку систему защиты (

);information about the protected element of the communication network: the values of the parameters of the communication network lines, describing their operational characteristics (

,

,

- the number of types of communication network lines); the values of the parameters of the nodes of the communication network, describing their operational characteristics (

,

,

- the number of types of communication network nodes); the values of the parameters describing the topology of building the protected communication network (

,

,

- the number of lines of the communication network); the values of the parameters of the applied protection against computer attacks, describing their operational characteristics (

,

,

- the number of types of protection against computer attacks); the values of the parameters of the influence of means of protection against computer attacks on the protected element of the communication network (

); the minimum permissible values of the parameters of the operational characteristics of the communication network lines required to perform the tasks as intended (

); the minimum permissible values of the parameters of the operational characteristics of the communication network nodes required to perform the tasks as intended (

); threshold value of damage from various types of computer attacks (

); the permissible value of the influence of options for building a protection system against computer attacks on the performance of communication network elements (

); given funds for the development of a protection system (

);

In block 2, the use of computer attacks by cybercriminals is predicted for the medium term (Fig. 2).

Block 2.1 predicts the change in the number of different types of computer attacks in the medium term. Taking into account the fact that the change in the number of types of attacks is nonlinear, for forecasting it is advisable to use automated tools of the theory of neural networks (As an example, it is possible to use the software "STATISTICA-10.0.228.8 Portable").

In block 2.2, changes in the values of the parameters of various types of computer attacks are predicted for the medium term. Taking into account the fact that the change in the values of the parameters of various types of computer attacks is nonlinear, for forecasting it is advisable to use automated tools of the theory of neural networks (As an example, it is possible to use the software "STATISTICA-10.0.228.8 Portable").

In block 2.3, changes in damage from various types of computer attacks are predicted for the medium term. Taking into account the fact that the change in damage from various types of computer attacks is nonlinear, for forecasting it is advisable to use automated tools of the theory of neural networks (As an example, it is possible to use the software "STATISTICA-10.0.228.8 Portable").

Block 2.4 predicts changes in the costs of developing various types of computer attacks in the medium term. Considering the fact that the costs of developing various types of computer attacks are non-linear, it is advisable to use automated tools of the theory of neural networks for forecasting (As an example, it is possible to use the software "STATISTICA-10.0.228.8 Portable").

In block 2.5, correction factors are determined that take into account the use of various types of computer attacks on the elements of the protected communication network of the selected industry. Correction factors are determined by forming the share of various types of computer attacks applied to the selected industry from the total number of attacks of the considered type:

. (1)

... (1)

Block 2.6 predicts the use of computer attacks on the protected node of the communication network for the medium term, depending on the chosen industry. Forecasting is carried out on the basis of generalization of the forecasting results carried out in blocks 2.1-2.5. Proceeding from the fact that the generalized processes are not linear, it is advisable to construct a forecast based on the generalization of results using specialized software (As an example, it is possible to use the software "STATISTICA-10.0.228.8 Portable").

In block 3, taking into account the quantitative and qualitative composition of the predicted computer attacks, models of the mentioned computer attacks are formed (Dobryshin M.M., Gutsyn R.V. Model of heterogeneous group computer attacks carried out simultaneously on different levels of the EMVOS of a computer communication network node. Bulletin of the Tula State University. Technical sciences. 2019. No. 10. - P. 371-384.). The models of the mentioned computer attacks are formed on the basis of hardware, software and software (for example, computer intelligence using the Wireshark software; SQL injection using the SQLMAP software; exploitation of vulnerabilities using the METASPLOIT software; selection of credentials using the JOHN THE software RIPPER).

In block 4, a model of the protected communication network is formed.

In block 4.1, models of various types of nodes included in the protected communication network are formed, taking into account the MVOS model (Simulation of means and complexes of communication and automation. Ivanov E.V. SPb .: VAS, 1992. - 206 p. O. Zamyatina: Tomsk Polytechnic University - Tomsk: Tomsk Polytechnic University Publishing House, 2011. - 168 pp. Basic router configuration Using Cisco Configuration Professional Electronic resource: http://www.cisco.com/cisco/web/ support / RU / 108/1089 / 1089854_basic-router-config-ccp-00.pdf).

In block 4.2, models of various types of communication lines are formed that unite communication nodes, the protected communication network, taking into account the MVOS model (Galkin A.P. et al. Modeling of communication systems channels. Moscow: Svyaz 1979. 94 p.).

In block 5, various types of computer attacks on various elements of the communication network are simulated, taking into account the destructive impact of computer attacks on various levels of the MSS (Dobryshin M.M., Gutsyn R.V. The model of heterogeneous group computer attacks carried out simultaneously on different levels of the EMC of a computer network node . Bulletin of the Tula State University. Technical Sciences. 2019. No. 10. - P. 371-384.).

Block 6 measures the damage from various types of computer attacks for elements (Methodology for assessing damage from the impact of computer attacks on critical information segments. Pp. 60-69. Klimov S.M., Sychev M.P., Astrakhov A.V. " Experimental assessment of counteraction to computer attacks at the test site. "Electronic educational publication. - M .: MSTU named after N.E.Bauman, 2013. - 114 p.), The protected communication network and store the measured values of damage in the database (block 7) ( ch. 5.4 pp. 133-146, ch. 7 pp. 168-233, Galitsina OL and others. Databases: Textbook. Forum-Infra-M Moscow 2006. 352 p.).

In block 8, the measured values of damage from various types of computer attacks are ranked.

) определяют перечень компьютерных атак способных нанести ущерб элементу сети связи.In block 9, based on a comparison of the ranked values of damage and the threshold value of damage from various types of computer attacks (

) determine the list of computer attacks capable of damaging an element of a communication network.

In block 10, a set of options for building a protection system against computer attacks is determined, including elements of the protection system and communication between them, necessary to counter the selected types of computer attacks (Method of building a protection system against computer attacks for automated control systems. RF Patent No. 2642374 G06F 21/57 (2013.01). Published: 24.01.2018 Bul. No. 3). The set of options for building a system of protection against computer attacks is presented as all possible combinations of specified protection means. Many options for building a protection system against computer attacks are stored in the database (block 7).

In block 11, models of a protection system against computer attacks are formed for each of the options for building a protection system for all elements of a communication network (Method of full-scale and simulation modeling of the processes of countering computer attacks on critical information systems. Pp. 5-27. Klimov S.M., Sychev MP, Astrakhov AV "Experimental assessment of counteraction to computer attacks at the test site." Electronic educational publication. - M .: MSTU named after NE Bauman, 2013. - 114 p.).

In block 12, various types of computer attacks on each element of the communication network are modeled, taking into account the models of certain options for building a system for protecting the elements of the communication network from computer attacks (Technology for countering computer attacks on critical information systems. Pp. 40-48. Sychev MP, Astrakhov AV "Countering computer attacks. Technological foundations." Electronic educational publication. - Moscow: Bauman Moscow State Technical University, 2013. - 70 p.

Block 13 measures the damage caused to various elements of the communication network from various computer attacks during the functioning of the selected options for building a protection system against these threats (Methodology for assessing damage from the impact of computer attacks on critical information segments. Pp. 60-69. Klimov S.M. , Sychev MP, Astrakhov AV "Experimental assessment of counteraction to computer attacks at the test site." Electronic educational publication. - M .: MSTU named after NE Bauman, 2013. - 114 p.).

, где i-вид компьютерной атаки, j-элемент сети связи) с пороговых значение ущерба от различных видов компьютерных атак (

):Block 14 compares the security of all elements of the communication network subjected to various group heterogeneous computer attacks (

, where i is the type of computer attack, j is the element of the communication network) with the threshold values of damage from various types of computer attacks (

):

. (2)

... (2)

If condition (2) is not met, then in block 7 the corresponding option for building a protection system against computer attacks is excluded from the admissible options from the database.

If condition (2) is met, then in block 15 the values of the resources used for the communication network elements are determined for the options for constructing a protection system against computer attacks on the performance of communication network elements (Method for constructing a protection system against computer attacks for automated control systems. RF Patent No. 2642374 G06F 21 / 57 (2013.01). Published: 24.01.2018 Bul. No. 3). The values of the resources used by the elements of the communication network are stored in the database (block 7), where they are compared with the measured damage from various types of computer attacks for the elements of the protected communication network (measured in block 6).

Block 16 compares the calculated impact of the options for constructing a protection system against computer attacks on the performance of communication network elements with an admissible value:

. (3)

... (3)

If condition (3) is not met, then in block 7 the corresponding option for building a protection system against computer attacks is excluded from the admissible options.

If condition (3) is fulfilled, then in block 17 the costs of developing elements of the protection system against computer attacks necessary to counter the types of computer attacks used are determined (Method of building a protection system against computer attacks for automated control systems. RF Patent No. 2642374 G06F 21/57 (2013.01). Published: 24.01.2018 Bul. No. 3). The values of these costs are stored in the database (block 7), where they are compared with the measured damage from various types of computer attacks for the elements of the protected communication network (measured in block 6).

Block 18 compares the previously calculated (block 17) costs of developing protection against computer attacks with the specified means for developing a protection system:

. (4)

... (4)

If condition (4) is not met, then in block 7 the corresponding option for constructing a protection system against computer attacks is excluded from the admissible options.

If condition (4) is satisfied, then in block 19 the optimal variant of building a system of protection against computer attacks is selected. The optimization criterion is the maximization of the values of the security of the elements of the communication network at the minimum cost of building the protection system.

In block 20, the tactical and technical characteristics of the elements and the scheme for constructing the protection system of the elements of the communication system are displayed in a formalized form, as well as information about computer attacks from which a certain version of the construction of the protection system does not provide protection is stored in block 7 for generating a report in block 20.

If, after excluding the options for constructing protection systems against computer attacks (block 14), at least one option is absent in the database, in block 21 the tactical and technical characteristics of the corresponding element of the protection system are changed. After that, in block 10, the structure and relationships between the elements of the options for constructing the protection system are changed.

If, after excluding the options for building protection systems against computer attacks (block 16), at least one option is absent in the database, then in block 22 the difference between the required resources for the functioning of the options for building a protection system against computer attacks and the permissible value is determined

. (5)

... (5)

In block 23, based on the ranked damage values and the associated values of the used resources of the communication network element, when using the considered option for constructing the protection system, the composition of the communication network protection system from computer attacks is changed by reducing the elements that provide protection against computer attacks that can cause the least damage. Refined options for building a protection system are stored in block 7 for further processing in block 17. Information about computer attacks, from which a certain version of building a protection system does not provide protection, is stored in block 7 to generate a report in block 20.

If, after excluding the options for building protection systems against computer attacks (block 18), at least one option is missing in the database, in block 24 the difference between the costs of developing the protection system is determined.

. (6)

... (6)

In block 25, on the basis of the ranged damage values and the associated cost values for the development of elements of the protection system against these computer attacks, the elements of the communication network protection system from computer attacks are determined, by reducing the elements that provide protection against computer attacks that can cause the least damage. Information about computer attacks, against which a certain variant of building a protection system does not provide protection, is stored in block 7, for generating a report in block 20.

The calculation of the effectiveness of the claimed method is carried out as follows:

Practical experience in the development of protection systems against group computer attacks shows that it takes from two to five years (2-3 months for the approval of tactical and technical specifications, from 1 to 2 years for scientific research, from 6 months to 1 year for hardware and software implementation, from 6 months to 1 year debugging of the developed protection system).

Based on the statistical data provided by leading organizations in the field of information security (Fig. 3) (Positive Research 2018 / Collection of Practical Security Research), it can be seen that the current information security threats in 2017 change their distribution in 2019 (Current cyber threats. Q2 2019), the share of the distribution of threats has also changed (Fig. 4).

Figure 4 also shows the results of predicting the development of computer attacks using the software "STATISTICA-10.0.228.8 Portable". Based on the analysis of the presented data, it can be seen that the share of the distribution of threats and the predicted values largely coincide, which allows us to design a protection system that is more effective than the prototype in protecting against computer attacks at the time of its commissioning.

Research in the field of information security shows that at present, several computer attacks are used simultaneously to increase the effectiveness or concealment of computer attacks (Dobryshin M.M. Model of heterogeneous computer attacks carried out simultaneously on a computer communication network node / Scientific journal: Telecommunications. - 2019. - No. 12. - P. 31-35). Thus, taking into account new factors affecting the formation of a system of protection against group computer attacks, makes it possible to increase the security of the elements of the communication network.

Based on this, it follows that the claimed method of selecting and substantiating the tactical and technical characteristics of the protection system against group heterogeneous computer attacks for the medium term allows increasing the security of communication network elements from group heterogeneous computer attacks for the medium term, due to the reasonable choice of subsystems of the system for protecting the elements communication networks from computer attacks, taking into account the change in the quantitative and qualitative composition of the applied computer attacks in the medium term, assessing the ability of subsystems of the protection system against computer attacks to resist group computer attacks.

Claims (1)

A method for choosing the tactical and technical characteristics of a defense system against heterogeneous group attacks for the medium term, which consists in measuring the damage from various types of computer attacks to the elements of the protected communication network and storing the measured values of damage in the database; define a variety of options for building a protection system against computer attacks, which include the elements of the protection system necessary to counter the selected types of computer attacks, links between the specified elements of the protection system, certain options for building the protection system are stored in the database; many options for building a protection system against computer attacks are presented as all possible combinations of specified protection means; determine the values of the used resources of the options for constructing the protection system against computer attacks and the influence of the options for constructing the protection system on the performance of the communication network elements, the values of the used resources of the communication network elements are stored in the database; comparing the calculated values of the parameters characterizing the influence of the options for constructing the protection system against computer attacks on the performance of the elements of the communication network, with the permissible value; if the calculated values of the parameters of the influence of the options for constructing the protection system against computer attacks on the performance of the communication network elements are greater than the permissible value, then the corresponding option for constructing the system for protecting against computer attacks is excluded from the admissible options; compare the security of all elements of the communication network subjected to various group heterogeneous computer attacks with the threshold value of damage from various types of computer attacks, if the security of all elements of the communication network subjected to various group heterogeneous computer attacks is less than the threshold value of damage from various types of computer attacks, then the corresponding the option of building a protection system against computer attacks is excluded from the acceptable options from the database; determine the costs for the development of elements of the protection system against computer attacks, necessary to counter the applied types of computer attacks, the values of these costs are saved in the database; compare the previously calculated costs of developing protection against computer attacks with the amount of funds allocated for the development of a protection system; if the costs of developing protection against computer attacks are less than or equal to the amount of funds allocated for the development of a protection system, then the optimal option for building a protection system against computer attacks is chosen, maximizing the value of the security of communication network elements with minimal costs for building a protection system acts as an optimization criterion, characterized in that they enter the initial data, including information about computer attacks: statistical data on the number of different types of computer attacks for an exceeding period of observation of the considered elements of communication networks and analogues in third-party networks; statistical data on the parameters of various types of computer attacks for an exceeding period of observation of the considered elements of communication networks and analogues in third-party networks; statistical data on damage from various types of computer attacks for a period exceeding the observation period for the considered elements of communication networks and analogues in third-party networks; statistical data on the costs of developing a given type of computer attacks; statistical data on the share of computer attacks by type of industry; information about the protected element of the communication network:the values of the parameters of the communication network lines, describing their operational characteristics; the values of the parameters of the nodes of the communication network, describing their operational characteristics; the values of the parameters describing the topology of building the protected communication network; the values of the parameters of the applied protection against computer attacks, describing their operational characteristics; the values of the parameters of the influence of means of protection against computer attacks on the protected element of the communication network; the minimum permissible values of the parameters of the operational characteristics of the communication network lines required to perform the tasks as intended; the minimum permissible values of the parameters of the operational characteristics of the communication network nodes required to perform the tasks as intended; threshold value of damage from various types of computer attacks; the permissible value of the influence of the options, the construction of a protection system against computer attacks on the performance of the elements of the communication network; the amount of funds for the development of a protection system; predict for the medium term the use of computer attacks by cybercriminals using automated tools of the theory of neural networks based on the forecast of changes in the number of different types of computer attacks in the medium term, the forecast of changes in the values of the parameters of various types of computer attacks in the medium term, and the forecast of changes in damage from various types of computer attacks in the medium term period, forecasting changes in costs for the development of various types of computer attacks for the medium term, determining correction factors that take into account the use of various types of computer attacks on the elements of the protected communication network of the selected industry; taking into account the quantitative and qualitative composition of the predicted computer attacks, simulation models of the mentioned computer attacks are formed on the basis of hardware, software and software; form a simulation model of the protected communication network, consisting of formed models of various types of elements included in the protected communication network, based on hardware, software and software, taking into account the model of interaction of open systems, as well as formed models of various types of communication lines that unite elements of the protected network communication, taking into account the model of interaction of open systems; simulate various types of computer attacks on models of various types of communication network elements, taking into account the destructive impact of computer attacks on different levels of the model of interaction of open systems; rank the measured values of damage from various types of computer attacks, based on a comparison of the ranked values of damage and threshold values of damage from various types of computer attacks, determine a list of computer attacks that can damage an element of the communication network; form simulation models of a protection system against computer attacks of each of the options for building a protection system for all elements of a communication network based on hardware, software and software; simulate various types of computer attacks based on the use of hardware, software and software on models of various types of elements included in the protected communication network, taking into account the models of previously defined options for constructing a system for protecting communication network elements from computer attacks; the values of the decrease in productivity from the use of the specified option stored in the database are compared with the measured damage from various types of computer attacks for the elements of the protected communication network; the saved values of the costs required for the development of protection elements are compared with the measured damage from various types of computer attacks for the elements of the protected communication network; if, when comparing the costs of developing protection against computer attacks with the amount and available funds for developing a protection system, the condition is not met, then the corresponding option for building a protection system against computer attacks is excluded from the acceptable options; the values of the parameters characterizing the tactical and technical characteristics of the elements and the scheme for constructing the protection system for each type of elements of the communication system are displayed in a formalized form, as well as information about computer attacks from which a certain version of the construction of the protection system does not provide protection, and are stored in the database to form report; if, after excluding the options for building protection systems against computer attacks, at least one option is missing in the database, then the tactical and technical characteristics of the corresponding element of the protection system are changed, after which the possible options for building the protection system; if, after excluding options for building a protection system against computer attacks, at least one option is missing in the database, then deviations between the value of the required resources for the functioning of options for building a protection system against computer attacks and the permissible value are determined; on the basis of the ranked values of damage and the values of the used resources of the selected type of communication network element compared with them, when applying the considered variant of building a protection system, the composition of the network protection system is changed connections from computer attacks by reducing the elements that provide protection against computer attacks that can cause the least damage, the refined options for building the protection system are stored in the database for further processing; information about computer attacks, against which a certain variant of building a protection system does not provide protection, is saved for the formation of a report; if, after excluding the options for building protection systems against computer attacks, at least one option is absent in the database, then the values of the deviation between the costs of developing the protection system and the available funds for developing the protection system are determined; on the basis of the ranked values of damage and the values of the costs associated with them for the development of elements of the protection system against these computer attacks, the elements of the network protection system are determined communications from computer attacks by reducing the elements that provide protection against computer attacks that can cause the least damage.

Images