RU2789810C1 - Method for protection of computer networks - Google Patents

Abstract

FIELD: computer technology.

SUBSTANCE: invention relates to computer technology. A method for protecting computer networks, in which, during a specified time, the parameters of network traffic in the protected subnet are read and its self-similarity index is calculated. In case of detection of unauthorized information flows, the lease of previously assigned network parameters of devices in the source subnet is terminated and a device is set to generate and direct false network traffic. Form and assign new parameters in the new subnet to all devices, except for the device for the formation and direction of false network traffic. New parameters are generated and assigned in the new subnet to all devices, except for the device for generating and directing false network traffic. The calculated self-similarity index is compared with the set of its required values. If they do not match, false traffic with random parameters is generated and sent to the source subnet. Otherwise, mathematical models are formed for each of the network traffic parameters, in accordance with which information flows of self-similar network traffic are formed and sent to the source subnet within a specified time. After the specified time has elapsed, the direction of false network traffic to the original subnet is assigned to the device specified for this, new network parameters in the new subnet.

EFFECT: improving the efficiency of protection of computer networks.

7 cl, 3 dwg

Description

The invention relates to telecommunications and can be used in intrusion detection systems for the purpose of prompt detection and counteraction to unauthorized influences in computer networks, in particular, in an Internet-type data transmission network based on the TCP/IP family of communication protocols (Transmission Control Protocol / Internet protocol).

Known "Method and device for anonymous data exchange using a network with dynamically changing address space" according to US patent No. US20120117376A1, class H04L 29/06 (2006.01), publ. 05/04/2012. The known method includes the following sequence of actions. Special software is installed on the network devices of the computer network, they receive incoming message packets, read the values of the service fields of the protocol, and then form their own special protocol. The principle of operation of the generated special protocol is based on changing the network address and protocol fields at specified time intervals. After the formation of a special protocol, the delivery parameters of message packets, such as IP address, for example, are mapped to end nodes in the network. End nodes are network devices that receive/send packets located on the network. The nodes participating in the process have the means to synchronize changes in the parameters being changed, deliver them over the network and are able to fully exchange data with each other. Periodic changes in delivery parameters over time eventually lead to obfuscation of information about active network nodes or network services of a computer network. Thus, an intruder scanning a computer network encounters a multitude of dynamic parameters that are understandable only to the network nodes participating in the information exchange. Configuration of special software can be implemented by one of three types of control: by time (synchronous), by the fact of scanning, constant on all packets/frames without exception.

The disadvantage of this method is the relatively low effectiveness of the protection of computer networks. The low effectiveness of protection is due to the fact that in the analogue the speed of information exchange between the sender and recipient of message packets is reduced due to the installed additional special software that consumes network resources to convert outgoing packets into its own protocol, which in turn reduces the availability of network information resources to clients and can lead to network overload.

There is a known method for protecting computer networks, described in the article Antonatos S., Akritidis P., Markatos E., Anagnostakis K. Defending against Hitlist Worms using Network Address Space Randomization 2005 ACM Workshop on Rapid Malcode, Fairfax, VA, USA, on page 30 -40. The known method includes the following sequence of actions. Connect network devices to a computer network. The DHCP server sets for the network devices of the computer network from which the requests were received, the synchronization parameters of the set time zone, the lease duration time t _ap and the IP address. After that, network connections are established between the network devices of the network. At the end of the IP address lease duration time t _ap , new IP addresses in the current subnet and other network parameters are randomly generated on the DHCP server for each of the network devices of the computer network. For network devices between which a critical connection is not established, new IP addresses are set, to which they switch after the lease time t _ap , and for network devices between which a critical connection is established, the lease of IP addresses is extended for the same time t _ap , up to the end of connection activity, after which network devices move to new IP addresses in the current subnet. The next transition to new IP addresses is carried out after the time t _ap .

The disadvantage of this method is its relatively narrow scope, relatively low efficiency and relatively high resource intensity of protection. The narrow scope is due to the fact that there is a break in critically important active connections between network devices, as well as the fact that the change of the IP addresses of the nodes of the protected computer network occurs within the same subnet, which imposes a restriction on the used range of restructuring the parameters of the protected computer network, consisting of relatively large number of host IP addresses. This can lead to the possibility of the violator calculating the algorithm for restructuring the IP addresses of the nodes of the protected computer network and taking measures to bypass the protection system. Relatively low efficiency is associated with a change in the IP addresses of the nodes of the protected computer network after a fixed period of time t _ap , regardless of the operating conditions and actions of the intruder. This can lead to an untimely transfer of the computer network to a predetermined configuration, resulting in the omission of unauthorized action or a false operation of the protection system. The relatively high resource intensity of the prototype method is associated with the possibility of its false positives, which can lead to an unreasonable increase in the computing resource for changing the configuration of the computer network parameters.

The closest in its technical essence to the claimed, the prototype method is the "Method of protecting computer networks" according to the patent of the Russian Federation No. 2716220 IPC G06F 21/60, H04L 29/06 publ. 03/06/2020 The known method includes the following sequence of actions. Connect network devices to a computer network. The DHCP server for network devices of the computer network generates synchronization parameters of the set time zone and time, assigned IP addresses and their lease time, subnet number. After that, generated response messages are sent from the DHCP server to network devices of the computer network. Further, each network device of the computer network receives messages from the DHCP server and sets the synchronization parameters of the set time zone and time, the assigned IP addresses and their lease time, the subnet number to the network devices of the computer network. Then network connections are established between network devices of the computer network. After receiving a message packet from the communication channel, the identifier of the information flow is extracted from the header of the received message packet. Next, it is compared with the identifiers of the authorized information flows, and if the selected information flow identifier matches the identifiers of the authorized information flows, the message packet is transmitted to the recipient and the next message packet is received from the communication channel. If the allocated identifier does not match the identifiers of the authorized information flows, the IP address of the recipient in the received message packet is compared with the predefined false IP addresses of the computer network subscribers. If the recipient's IP address in the received message packet does not match the predefined false subscriber IP addresses, the message packet is ignored, and if the recipient's IP address in the received message packet matches the predefined false subscriber IP addresses, the packet sender's IP address is compared. messages with each IP address of a network device of a computer network. If they match, block the IP address of the sender of message packets. Otherwise, response messages are generated from the DHCP server containing the new subnet number, the IP addresses of network devices for the new subnet, their lease duration for the new subnet, the next subnet number, the IP address of the DHCP server, the synchronization settings of the set time zone, and time. Further, after sending response messages containing the above network parameters from the DHCP server to the network devices of the computer network, these messages are received by each network device of the computer network. After that, each network device of the computer network is assigned the obtained parameters for functioning in a new subnet.

The disadvantage of the prototype method is its relatively low protection efficiency, due to the high capabilities of the intruder to detect the use of computer network protection tools and identify their characteristics. This is due to the fact that after a synchronous change in the network parameters of the devices of the source subnet to the network parameters in the new subnet, in the source subnet, where network information exchange was previously organized, there will be no such network and there will be no active IP addresses of network devices. This circumstance can lead to the compromise of the protection means used and the identification of their characteristics in the event of interception of network traffic or network scanning of the computer network by the intruder, as well as to the change by the intruder of the malicious impact strategy.

The purpose of the claimed technical solution is to develop a method for protecting computer networks, providing an increase in the effectiveness of protection by reducing the ability of the intruder to compromise the means of protection and mislead him. This is achieved by generating false network traffic on the original subnet after changing the current settings of network devices to new settings on the new subnet.

, где d - номер подсети DHCP-сервера, d=1, 2 … z, где z - максимальное количество подсетей. Далее для каждого подмножества d задают IP-адреса DHCP-серверов

, где

- IP-адрес DHCP-сервера,

. После этого предварительно задают массив памяти D=[1, 2, …, z] для хранения номеров подсетей DHCP-сервера и t^d _max - максимальное значение времени аренды всех IP-адресов подсети с номером d. Далее задают С={CIP₁, CIP₂ … CIP_m} множество соединений между сетевыми устройствами вычислительной сети, где CIP_m - идентификатор соединения между сетевыми устройствами вычислительной сети, который содержит в себе IP-адрес отправителя с, и получателя b, тип протокола взаимодействия, порты взаимодействия, где m - максимальное допустимое количество соединений между сетевыми устройствами вычислительной сети. После этого предварительно задают массив памяти C_i=[CIP₁, CIP₂ … CIP_m] для хранения идентификаторов CIP_m и множество идентификаторов санкционированных информационных потоков TS≥1. Затем предварительно задают MAC={MAC₁, МАС₂ … MAC_l} множество МАС-адресов сетевых устройств вычислительной сети, где l - максимальное количество сетевых устройств в вычислительной сети. Далее задают массив памяти N_A для хранения матрицы соответствия n-му IP-адресу сетевого устройства из множества IP-адресов l-го МАС-адреса из массива памяти MAC. Затем задают

- множество IP-адресов ложных абонентов подсети d, где ƒ - максимальное допустимое количество IP-адресов сетевых устройств подсети d. После этого подключают сетевые устройства к вычислительной сети. Далее направляют с сетевых устройств вычислительной сети сообщения DHCP-серверу для получения параметров синхронизации установленного часового пояса и времени, номера подсети d, IP-адресов IP^d и времени их аренды, IP-адреса DHCP-сервера

. Затем принимают DHCP-сервером сообщения от сетевых устройств вычислительной сети. После этого формируют для сетевых устройств сообщения, содержащие параметры синхронизации установленного часового пояса и времени, назначенные номер подсети d, IP-адреса IP^d и время их аренды, IP-адрес DHCP-сервера

. Затем направляют сформированные сообщения сетевым устройствам вычислительной сети. Далее принимают каждым сетевым устройством вычислительной сети сообщение от DHCP-сервера. После этого направляют от сетевых устройств вычислительной сети ответные сообщения DHCP-серверу, подтверждающие его выбор. Затем принимают DHCP-сервером сообщения от сетевых устройств вычислительной сети, подтверждающие его выбор. После этого задают сетевым устройством вычислительной сети параметры синхронизации установленного часового пояса и времени, назначенные номер подсети d, IP-адреса IP^d и время их аренды, для DHCP-сервера IP-адрес

. Далее устанавливают соответствие MAC- и IP-адресов. Затем запоминают соответствие MAC- и IP-адресов в массиве памяти N_A. После этого удаляют из массива памяти N_A, те соответствия сетевых устройств вычислительной сети, от которых не получили сообщения, подтверждающие их выбор. Далее устанавливают соединения между сетевыми устройствами вычислительной сети и назначают установленным соединениям между сетевыми устройствами вычислительной сети идентификаторы CIP_m. Затем запоминают идентификаторы CIP_m в массиве памяти C_i и принимают из канала связи пакет сообщения. После этого выделяют из заголовка принятого пакета сообщения идентификатор информационного потока, а затем сравнивают его с идентификаторами санкционированных информационных потоков TS. В случае совпадения выделенного идентификатора информационного потока с идентификаторами санкционированных информационных потоков TS передают пакет сообщений получателю. После этого принимают из канала связи следующий пакет сообщения. В случае несовпадения выделенного идентификатора с идентификаторами санкционированных информационных потоков TS сравнивают IP-адрес получателя в принятом пакете сообщений с предварительно заданными ложными IP-адресами абонентов вычислительной сети FIP. В ином случае, при несовпадении IP-адреса получателя в принятом пакете сообщений с предварительно заданными ложными IP-адресами абонентов FIP, игнорируют пакет сообщений. При совпадении IP-адреса получателя в принятом пакете сообщений с предварительно заданными ложными IP-адресами абонентов FIP, сравнивают IP-адрес отправителя пакетов сообщений с каждым IP-адресом сетевого устройства вычислительной сети из множества IP^d. В случае их совпадения исключают МАС-адрес сетевого устройства из массива N_A DHCP-сервера, а в случае их несовпадения считывают DHCP-сервером из массива D следующий d=d+1 номер подсети. После этого формируют для сетевых устройств сообщения, содержащие новые параметры синхронизации установленного часового пояса и времени, номер подсети d=d+1, IP-адреса IP^(d+1) и время их аренды

, DHCP-серверу IP-адрес

. Затем направляют с DHCP-сервера сетевым устройствам вычислительной сети сформированные сообщения, содержащие новые параметры синхронизации установленного часового пояса и времени, номер подсети d=d+1, IP-адреса IP^(d+1) и время их аренды

. Далее принимают каждым сетевым устройством вычислительной сети сообщения, содержащие новые параметры синхронизации установленного часового пояса и времени, номер подсети d=d+1, IP-адреса IP^(d+1) и время их аренды

. После этого задают сетевым устройствам вычислительной сети параметры синхронизации установленного часового пояса и времени, номер подсети d=d+1, IP-адреса IP^(d+1) и время их аренды

, задают IP-адрес

для DHCP-сервера. Затем вновь формируют массив памяти N_A для хранения матрицы соответствия MAC- и IP-адресов сетевых устройств вычислительной сети. В предварительно заданные исходные данные дополнительно задают значение времени t_z считывания параметров сетевого трафика из подсети d. Затем дополнительно задают массив памяти M_z для хранения параметров считанного сетевого трафика из подсети d. После этого дополнительно задают массив памяти M_H для хранения вычисленного значения коэффициента самоподобия сетевого трафика из подсети d. Далее дополнительно задают множество {H_t} требуемых значений коэффициента самоподобия сетевого трафика из подсети d, время t_d направления ложного сетевого трафика в подсеть. После формирования и назначения параметров сетевым устройствам подсети, установления соответствия MAC- и IP-адресов и запоминания этого соответствия в массиве памяти N_A, а также установления между сетевыми устройствами сетевых соединений и идентификаторов CIP_m этих соединений, считывают в течение времени t_z параметры сетевого трафика между сетевыми устройствами из подсети d. Затем запоминают в массиве памяти M_z считанные параметры сетевого трафика между сетевыми устройствами из подсети d. Далее вычисляют значение Н_с показателя самоподобия сетевого трафика между сетевыми устройствами из подсети d. После этого запоминают в массиве памяти M_H вычисленное значение Н_с показателя самоподобия сетевого трафика между сетевыми устройствами из подсети d. Затем, после приема из канала связи пакета сообщения и выделения идентификатора информационного потока, последующего его сравнения с идентификаторами санкционированных информационных потоков и в случае несовпадения IP-адреса отправителя пакетов сообщений с множеством IP-адресов IP^d подсети d, после формирования для сетевых устройств подсети d сообщений, содержащих новые сетевые параметры и направления этих сообщений сетевым устройствам, задают в подсети d сетевое устройство для формирования и направления информационных потоков ложного сетевого трафика в этой подсети. Далее задают сетевым устройствам подсети d, кроме сетевого устройства для формирования и направления информационных потоков ложного сетевого трафика, параметры синхронизации установленного часового пояса и времени, номер подсети d=d+1, IP-адреса IP^(d+1) и время их аренды

, IP-адрес выбранного DHCP-сервера

. После этого вновь формируют массив памяти N_A для новой подсети d=d+1. Затем сравнивают вычисленное значение Н_с показателя самоподобия сетевого трафика между сетевыми устройствами из подсети d со значением требуемого коэффициента самоподобия сетевого трафика из множества {H_t}. В случае их несоответствия формируют для подсети d информационные потоки ложного сетевого трафика со случайными параметрами. После этого направляют с заданного сетевого устройства в подсеть d информационные потоки сформированного ложного сетевого трафика со случайными параметрами до истечения времени t_d. В ином случае, при соответствии вычисленного значения Н_с показателя самоподобия сетевого трафика между сетевыми устройствами из подсети d значению требуемого коэффициента самоподобия сетевого трафика из множества {H_t}, считывают из массива памяти M_z параметры сетевого трафика подсети d. Далее формируют математическую модель для каждого из параметров сетевого трафика подсети d. После этого формируют информационные потоки ложного сетевого трафика между сетевыми устройствами подсети d с параметрами, полученными на основании сформированных математических моделей для каждого из них. Затем направляют с заданного сетевого устройства информационные потоки сформированного ложного самоподобного сетевого трафика в подсеть d до истечения времени t_d. По истечении времени направления ложного сетевого трафика td завершают направление ложного сетевого трафика в подсеть d. Далее задают сетевому устройству, с которого осуществлялось формирование и направление ложного сетевого трафика в подсеть d, новые параметры синхронизации установленного часового пояса и времени, номер подсети d=d+1, IP-адрес IP^(d+1) и время его аренды

, IP-адрес выбранного DHCP-сервера

. Затем вновь формируют массив памяти N_A для хранения матрицы соответствия MAC- и IP-адресов сетевых устройств в подсети d=d+1 с учетом появившегося из подсети d сетевого устройства, с которого осуществлялось формирование и направление ложного сетевого трафика.This goal is achieved by the fact that in the well-known method of protecting computer networks, IP=[IP ₁ , IP ₂ ... IP _n } is pre-set IP addresses of network devices of the computer network that are DHCP clients of the DHCP server, where n is the maximum allowable value of the number IP addresses of network devices of a computer network. Then subsets d are preliminarily set in the set of IP addresses of network devices of the computer network

, where d is the DHCP server subnet number, d=1, 2 … z, where z is the maximum number of subnets. Next, for each subset d, the IP addresses of DHCP servers are set

, Where

- DHCP server IP address,

. After that, a memory array D=[1, 2, …, z] is preliminarily set to store the subnet numbers of the DHCP server and t ^d _max is the maximum value of the lease time for all IP addresses of the subnet with the number d. Next, C={CIP ₁ , CIP ₂ ... CIP _m } is set to a set of connections between network devices of a computer network, where CIP _m is a connection identifier between network devices of a computer network, which contains the IP address of the sender c, and the recipient b, protocol type interactions, interaction ports, where m is the maximum allowable number of connections between network devices of a computer network. After that, a memory array C _i =[CIP ₁ , CIP ₂ ... CIP _m ] is preliminarily set to store identifiers CIP _m and a set of identifiers of authorized information flows TS≥1. Then pre-set MAC={MAC ₁ , MAC ₂ ... MAC _l } a set of MAC addresses of network devices of the computer network, where l is the maximum number of network devices in the computer network. Next, a memory array N _A is set to store the matrix of correspondence to the n-th IP address of the network device from the set of IP addresses of the l-th MAC address from the MAC memory array. Then ask

is the set of IP addresses of false subscribers of subnet d, where ƒ is the maximum allowable number of IP addresses of network devices of subnet d. After that, network devices are connected to the computer network. Next, messages are sent from the network devices of the computer network to the DHCP server to obtain the synchronization parameters of the set time zone and time, subnet number d, IP addresses IP ^d and their lease time, IP address of the DHCP server

. Then the DHCP server receives messages from network devices of the computer network. After that, messages are generated for network devices containing the synchronization parameters of the set time zone and time, assigned subnet number d, IP addresses IP ^d and their lease time, IP address of the DHCP server

. Then the generated messages are sent to the network devices of the computer network. Next, each network device of the computer network receives a message from the DHCP server. After that, response messages are sent from the network devices of the computer network to the DHCP server, confirming its choice. Then the DHCP server receives messages from network devices of the computer network confirming its choice. After that, the network device of the computer network sets the synchronization parameters of the set time zone and time, assigned subnet number d, IP addresses IP ^d and their lease time, for the DHCP server IP address

. Next, match the MAC and IP addresses. Then remember the correspondence of MAC and IP addresses in the memory array N _A . After that, those correspondences of network devices of the computer network are removed from the memory array N _A , from which they did not receive messages confirming their choice. Next, connections are established between the network devices of the computer network and assigned to the established connections between the network devices of the computer network identifiers CIP _m . Then the identifiers CIP _m are stored in the memory array C _i and a message packet is received from the communication channel. After that, the identifier of the information flow is extracted from the header of the received message packet, and then it is compared with the identifiers of the authorized information flows of the TS. If the allocated information flow identifier matches the authorized information flow identifiers, the TS transmits the message packet to the recipient. After that, the next message packet is received from the communication channel. If the allocated identifier does not match the identifiers of the authorized information flows, the TS compares the IP address of the recipient in the received message packet with the predefined false IP addresses of the FIP computer network subscribers. Otherwise, if the recipient's IP address in the received message packet does not match the predefined false IP addresses of FIP subscribers, the message packet is ignored. If the IP address of the recipient in the received message packet matches the predefined false IP addresses of FIP subscribers, the IP address of the sender of the message packets is compared with each IP address of the network device of the computer network from the set of IP ^d . If they match, the MAC address of the network device is excluded from the array N _A of the DHCP server, and if they do not match, the next d=d+1 subnet number is read by the DHCP server from the array D. After that, messages are generated for network devices containing new synchronization parameters of the set time zone and time, subnet number d=d+1, IP addresses ^(d+1) and their lease time

, DHCP server IP address

. Then generated messages are sent from the DHCP server to the network devices of the computer network containing new synchronization parameters of the set time zone and time, subnet number d=d+1, IP addresses ^(d+1) and their lease time

. Next, each network device of the computer network receives messages containing new synchronization parameters for the set time zone and time, subnet number d=d+1, IP addresses ^(d+1) and their lease time

. After that, the network devices of the computer network are set the synchronization parameters of the set time zone and time, the subnet number d=d+1, IP addresses ^(d+1) and their lease time

, set the IP address

for the DHCP server. Then, a memory array N _A is again formed to store the mapping matrix of MAC and IP addresses of network devices of the computer network. The predetermined initial data is additionally set with the time value t _z for reading the network traffic parameters from the subnet d. Then, a memory array M _z is additionally set to store the parameters of the read network traffic from the subnet d. After that, a memory array M _H is additionally set to store the calculated value of the self-similarity coefficient of network traffic from the subnet d. Further, a set {H _t } of required values of the self-similarity coefficient of network traffic from subnet d, time t _d of sending false network traffic to the subnet are additionally set. After the formation and assignment of parameters to the network devices of the subnet, the establishment of a correspondence between MAC and IP addresses and storing this correspondence in the memory array N _A , as well as the establishment of network connections and identifiers CIP _m of these connections between network devices, the network parameters are read during time t _z traffic between network devices on the subnet d. Then the read parameters of network traffic between network devices from subnet d are stored in the memory array M _z . Next, the value of H is calculated _from the self-similarity index of network traffic between network devices from subnet d. After that, the calculated value _H c _of the self-similarity index of network traffic between network devices from the subnet d is stored in the memory array M H. Then, after receiving a message packet from the communication channel and extracting the identifier of the information flow, then comparing it with the identifiers of authorized information flows, and in the event that the IP address of the sender of message packets does not match the set of IP addresses IP ^d of the subnet d, after the formation of subnet d for network devices messages containing new network parameters and the direction of these messages to network devices, specify a network device in subnet d to form and direct information flows of false network traffic in this subnet. Next, the network devices of the subnet d, except for the network device for generating and directing information flows of false network traffic, are set to the synchronization parameters of the set time zone and time, the subnet number d=d+1, IP addresses ^(d+1) and their lease time

, IP address of selected DHCP server

. After that, the memory array N _A is again formed for the new subnet d=d+1. Then, the calculated value H is compared _with the network traffic self-similarity index between network devices from the subnet d with the value of the required network traffic self-similarity coefficient from the set {H _t }. In case of their discrepancy, information flows of false network traffic with random parameters are formed for subnet d. After that, information flows of generated false network traffic with random parameters are sent from a given network device to subnet d until time t _d expires. Otherwise, if the calculated value H corresponds _to the network traffic self-similarity index between network devices from the subnet d to the required network traffic self-similarity coefficient from the set {H _t }, the network traffic parameters of the subnet d are read from the memory array M _z . Next, a mathematical model is formed for each of the network traffic parameters of the subnet d. After that, information flows of false network traffic are formed between network devices of subnet d with parameters obtained on the basis of the generated mathematical models for each of them. Then information flows of generated false self-similar network traffic are sent from a given network device to subnet d until time t _d expires. After the timeout, the directions of the fake network traffic td complete the direction of the fake network traffic to the subnet d. Next, the network device from which the false network traffic was generated and sent to the subnet d is given new synchronization parameters for the set time zone and time, subnet number d=d+1, IP address IP ^(d+1) and its lease time

, IP address of selected DHCP server

. Then, a memory array N _A is again formed to store the mapping matrix of MAC and IP addresses of network devices in subnet d=d+1, taking into account the network device that appeared from subnet d, from which false network traffic was generated and directed.

The value of time t _d for sending false network traffic to subnet d is set to 86400 seconds.

Connection duration, source IP address, source port, destination IP address, destination port, number of packets per session, number of bytes transferred per session are selected as parameters for generating self-similar false network traffic.

The time value t _z for reading network traffic parameters in subnet d is set to 86400 seconds.

As an algorithm for calculating the self-similarity index H _from network traffic, an algorithm for analyzing the corrected changed range is chosen.

The nonlinear van der Pol oscillator is chosen as an attractor of the mathematical model of self-similar false network traffic.

The required values of the coefficient of self-similarity of network traffic Ht is chosen within 0.5<H _t <1.

Due to the new set of essential features in the claimed method, the effectiveness of protection is increased by reducing the ability of the intruder to compromise the means of protection and mislead him. This is achieved by generating false network traffic on the original subnet after changing the current settings of network devices to new settings on the new subnet.

The claimed objects of the invention are illustrated by drawings, which show:

fig. 1 - Scheme of a protected computer network using a device for generating and directing false network traffic to the network;

fig. 2a - Block diagram of the sequence of actions that implement the claimed method of protecting computer networks;

fig. 2b - Block diagram of the sequence of actions that implement the claimed method for protecting computer networks.

The implementation of the claimed method is explained as follows. At present, information protection measures in state information systems include: hiding the architecture and configuration of information systems; creation (emulation) of false information systems or their components; transfer of an information (automated) system to a safe state in the event of failures (failures), which is given, for example, in the Order of the FSTEC of Russia dated December 25, 2017 "On approval of the Requirements for ensuring the security of significant objects of critical information infrastructure of the Russian Federation (as amended by orders FSTEC of Russia dated August 9, 2018 No. 138, dated March 26, 2019 No. 60, dated February 20, 2020 No. 35) ”on page 35.

This is due to the fact that, along with threats to information security associated with the implementation of unauthorized impact on information systems, the components of which are computer networks, a fairly large number of computer attacks are reconnaissance in nature in order to obtain information about the composition, structure and algorithms of functioning, location and ownership of information systems. In particular, the threat of determining the topology of information systems, implemented by the intruder by means of network intelligence through network scanning and network traffic analysis, is aimed at reconstructing the structural and functional characteristics of information systems. The result of network intelligence is the discovery of the topology of information systems distributed in cyberspace and the determination of the importance of its nodes, which can be used by the intruder to implement planned APT attacks (from the English advanced persistent threat - “developed persistent threat”, targeted computer attack), which are known and are described, for example, in the article Levtsov V., Demidov, N. Anatomy of a targeted attack, part 1, Information security, 2016, No. 2, on pp. 36-39.

The task of implementing the above measures to protect information systems from network reconnaissance is solved by generating false network traffic, which is understood as a set of false (masking) message packets formed in order to create stable false stereotypes in the offender about the composition, structure and algorithms of information systems functioning, which is known and described, for example, in the article Sokolovsky S.P., Telenga A.P. Methodology for generating false network traffic of information systems to protect against network intelligence, Bulletin of Computer and Information Technologies, 2022, v. 19, No. 2, on pp. 40-47. However, the solution of this problem is complicated by the following circumstance. After the reconfiguration of the structural and functional characteristics of the information system, there will be no active nodes in the subnet where the information exchange was originally organized and, accordingly, there will be no network traffic. This circumstance will lead to the compromise of the applied means of protection and a change in the strategy of the malicious impact on the information system by the intruder. To eliminate such a revealing feature of the protection system, it is necessary not only to reconfigure the structural and functional characteristics of information systems within several subnets, but also to support false network traffic between nodes, which has the statistical characteristics of a compromised information system, so that the cyber maneuver is not detected by the intruder, which is known and described, for example, in the article Applegate S.D. The principle of maneuver in cyber operations, 4th International Conference on Cyber Conflict (CYCON 2012) on pp. 1-13. In this case, the following options for solving the problem of generating false network traffic of an information system are possible.

The first option is to pre-record the network traffic of the information system and then send the saved packets to the network. In this case, the time interval between packets is taken from a previously recorded dump of the network traffic of the information system. The disadvantage of this approach, associated with the need to store large amounts of data, is obvious. In addition, with a relatively small number of subscribers in the information system, it is possible to detect the fact of reuse (cloning) of network traffic.

The second, and more preferable, option is the generation of false network traffic based on the characteristics of real network traffic, which is performed by a specially designated computer network node. To ensure the maximum likelihood of false network traffic, its statistical properties must correspond to the statistical properties of the information traffic of the protection object. Otherwise, the application of such protection measures may be compromised, and the objectives of the simulation will not be achieved.

The claimed method is implemented as follows. In the general case (see Fig. 1), a subnet is a collection of correspondents 100, a DHCP server 101 that are sources and recipients of network traffic, a packet analyzer (102) for reporting, peripheral and communication equipment 103, a device for generating and sending to fake network traffic subnet 104.

To protect the computer network and mislead the intruder 105 regarding the structure of the computer network, they periodically change the IP addresses and other network parameters of its network devices within several subnets, and to mislead the intruder regarding the use of protection tools, they form and send to the original subnet fake network traffic.

In FIG. 2a, 2b shows a block diagram of the sequence of actions that implement the claimed method of protecting computer networks, in which the following designations are accepted:

, где d - номер подсети DHCP-сервера d=1, 2 … z, a z - максимальное количество подсетей;{IP ^d } - the set of all IP addresses of network devices of the computer network that are clients of the DHCP server with the IP address

, where d - DHCP server subnet number d=1, 2 … z, az - maximum number of subnets;

- IP-адрес доверенного DHCP-сервера, где

;

- IP address of a trusted DHCP server, where

;

[D] - memory array for storing the subnet number of the DHCP server;

t ^d _max - the maximum value of the lease time for all IP addresses of subnet d;

{С} - set of connections between network devices of a computer network;

CIP _m - connection identifier between network devices of the computer network;

m - the maximum allowable number of connections between network devices of a computer network;

[C _i ] - memory array for storing identifiers CIP _m ;

{TS} - set of identifiers of authorized information flows;

{MAC} - set of MAC addresses of network devices of a computer network;

l - the maximum number of network devices in the computer network;

[N _A ] - a memory array for storing a matrix of correspondence to the n-th IP address of the network device from the set of IP addresses of the l-th MAC address from the MAC memory array;

{FIP ^d } - set of IP addresses of false subscribers of subnet d, FIP ^d ={FIP ^d ₁ , FIP ^d ₂ ... FIP ^d _n }, where n - the maximum allowable number of IP addresses of network devices of the computer network.

To improve the effectiveness of protection, by reducing the ability of the intruder to compromise the means of protection and misleading the intruder, the predefined initial data is additionally set (see block 1 in Fig. 2a) with the time value t _z for reading network traffic parameters from subnet d, which allows get a representative sample of network traffic.

Then, in the predefined initial data, an additional memory array M _z is specified (see block 1 in Fig. 2a) to store the parameters of the read network traffic from subnet d, necessary to calculate the coefficient of self-similarity of network traffic from subnet d.

After that, in order to form the parameters for generating false network traffic, a memory array M _H is additionally specified in the predefined initial data (see block 1 in Fig. 2a) to store the calculated value of the self-similarity coefficient of network traffic from the subnet d.

Further, to calculate the parameters of mathematical models of false network traffic, the set of required values of the self-similarity coefficient of network traffic from the subnet d is additionally specified (see block 1 in Fig. 2a) in the predefined initial data (see block ₁ in Fig. 2a).

After that, in order to perform an uncompromising cyber maneuver, the predetermined initial data is additionally set (see block 1 in Fig. 2a) with the time t _d of sending false network traffic to the subnet d.

для получения параметров синхронизации установленного часового пояса, IP-адресов и времени продолжительности их аренды t_ap, номера подсети d и IP-адреса DHCP-сервера

. Схема протокольного обмена сообщениями между сетевыми устройствами и DHCP-сервером известна и описана, например, в технических спецификациях (RFC, Request for Comments) сети Интернет (см., например, https://tools.ietf.org/html/rfc2131).Then the network devices are connected (see block 2 in Fig. 2a) to the computer network and after their initialization they are sent (see block 3 in Fig. 2a) from the network devices of the computer network messages to the DHCP server with the IP address

to get the synchronization parameters of the set time zone, IP addresses and their lease duration t _ap , subnet number d and IP address of the DHCP server

. The scheme of protocol messaging between network devices and a DHCP server is known and described, for example, in the technical specifications (RFC, Request for Comments) of the Internet (see, for example, https://tools.ietf.org/html/rfc2131).

сообщения от сетевых устройств вычислительной сети.After that, they are accepted (see block 4 in Fig. 2a) by a DHCP server with an IP address

messages from network devices of a computer network.

. Необходимость синхронизации установленного часового пояса и времени возникает в случае, когда время сервера и сетевых устройств вычислительной сети различается, при этом сервер может счесть аренду завершившейся раньше, чем это сделает сетевое устройство. Синхронизация осуществляется путем установки общего часового пояса и времени DHCP-сервера и сетевых устройств вычислительной сети.Then messages are generated (see block 5 in Fig. 2a) for network devices containing synchronization parameters of the set time zone and time, assigned subnet number d, IP addresses IP ^d and their lease time, IP address of the DHCP server

. The need to synchronize the set time zone and time arises when the time of the server and network devices of the computer network differs, while the server may consider the lease to be completed earlier than the network device does. Synchronization is carried out by setting a common time zone and time of the DHCP server and network devices of the computer network.

, для обратившихся с запросом сетевых устройств вычислительной сети.Next, (see block 6 in Fig. 2a) the DHCP server sends response messages containing the synchronization parameters of the set time zone and time, the assigned subnet number d, IP addresses IP ^d and their lease time, IP address of the DHCP server

, for the network devices of the computer network that made the request.

Each network device receives (see block 7 in Fig. 2a) messages from the DHCP server and sends (see block 8 in Fig. 2a) response messages to the DHCP server confirming their choice of this DHCP server.

выбранного DHCP-сервера.After that, messages are received (see block 9 in Fig. 2a) by the DHCP server from network devices of the computer network confirming their choice and set (see block 10 in Fig. 2a) to the network devices of the computer network the synchronization parameters of the set time zone and time, assigned subnet number d, IP addresses ^d and their lease time, DHCP server IP address

selected DHCP server.

Then set (see block 11 in Fig. 2a) the correspondence of MAC and IP addresses and remember (see block 12 in Fig. 2a) this correspondence of MAC and IP addresses in the memory array N _A .

Next, remove (see block 13 in Fig. 2a) from the memory array N _A , those correspondences of network devices of the computer network from which they did not receive messages confirming their choice, thereby excluding the issuance of IP addresses to inactive network devices.

After that, connections are established between the network devices of the computer network (see block 14 in Fig. 2a) and assigned (see block 15 in Fig. 2a) to the established connections between the network devices of the computer network identifiers CIP _m .

Further, the set identifiers CIP _m are stored (see block 16 in Fig. 2a) in the memory array C _i .

Then read (see block 17 in Fig. 2a) during the time t _z network traffic parameters between network devices from the subnet d. There are several approaches to describing the network traffic of a computer network: in the form of streams and in the form of a sequence of packets ("raw" traffic).

Streams contain header information about network connections between two end devices, such as servers or workstations. Each stream is a collection of transmitted network packets that share some common properties. As a rule, all transmitted network packets with the same source IP address, source port, destination IP address, destination port and transport protocol within the time window are combined into one stream, as described, for example, in the article Choudhary S., Usage of Netflow in Security and Monitoring of Computer Networks, International Journal of Computer Applications, 2013, vol. 68, no. 24, on pp. 17-24.

"Raw" traffic is a sequence of packets, each of which contains the time the packet was sent, the source IP address, source port, destination IP address, destination port, protocol, packet size, flags set, and the data field in which the payload is written, as described, for example, in Alothman B. Raw Network Traffic Data Preprocessing and Preparation for Automatic Analysis, 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 2019, on pages 1-5. Thus, the parameters that determine the network interaction of two nodes of the data transmission network of a computer network are the source IP address, source port, destination IP address, destination port, protocol, packet size, connection duration.

After that, the read parameters of network traffic between network devices from subnet d are stored (see block 18 in Fig. 2a) in the memory array M _z .

Next, calculate (see block 19 in Fig. 2a) the value H _with the index of self-similarity of network traffic between network devices from the subnet d. The generally accepted indicator of the self-similarity of the process is the Hurst exponent H, which is known and described, for example, in the book Hurst H.E., Black P., Simaika RY. M. Long-Term Storage: An Experimental Study, London: Constable, 1965. 145 p. Depending on the calculated values of which, the following conclusions are made about the processes under study: at 0≤H≤0.5 - a random process that does not have self-similarity; at 0.5<H<1 - the process has a long memory and is self-similar.

To calculate the Hurst exponent, for example, the algorithm for analyzing the adjusted rescaled range is used, which is known and described, for example, in the article by Anis A.A., Lloyd E.N. The expected value of the adjusted rescaled Hurst range of independent normal summands, Biometrica, 1976, no 63, at pp. 283-298.

Then store (see block 20 in Fig. 2a) in the memory array M _H the calculated value Hc of the index of self-similarity of network traffic between network devices from the subnet d.

Receive (see block 21 in Fig. 2a) a message packet from the communication channel and extract (see block 22 in Fig. 2a) from the header of the received message packet the identifier of the information flow CIP _m .

After that, it is compared (see block 23 in Fig. 2a) with the identifiers of authorized TS information flows to determine the possibility of further transmission of the packet to the destination.

If the allocated information flow identifier CIP _m matches the authorized information flow identifier TS, a message packet is transmitted (see block 24 in Fig. 2a) to the recipient, and then the next message packet is received (see block 21 in Fig. 2a) from the communication channel.

If the allocated CIP identifier _m does not match the identifiers of the authorized information flows TS, the recipient's IP address in the received message packet is compared (see block 25 in Fig. 2b) with predefined false IP addresses of FIP computer network subscribers.

If the IP address of the recipient in the received message packet does not match the predefined false IP addresses of FIP subscribers, the message packet is ignored (see block 26 in Fig. 2b).

Otherwise, if the IP address of the recipient in the received message packet matches the predefined false IP addresses of the FIP subscribers, it is determined whether the sender of the message packet is an authorized subscriber or an intruder, for this they compare (see block 27 in Fig. 2b) IP- the address of the sender of message packets with each IP address of the network device of the computer network from the set of IP ^d .

If they match, the IP address of the sender of message packets is blocked, considering it a potential intruder, for which they exclude (see block 28 in Fig. 2b) the MAC address of this network device from the memory array N _{A of} the DHCP server, thereby isolating the intruder from further information exchange in the computer network during the subsequent reconfiguration of the network parameters of devices and communication equipment of the computer network.

In the case of their mismatch, that is, when the sender of the message packets has an illegitimate IP address, the structural and functional characteristics of the network devices of the computer network are reconfigured. To do this, read (see block 29 in Fig. 2b) by the DHCP server from the array D the next d=d+1 subnet number to form the parameters of network devices in the new subnet by increasing the current network number d by one.

, значения

, следующий номер подсети d=d+1 и IP-адрес выбранного DHCP-сервера

для каждого из сетевых устройств вычислительной сети. Формирование нового значения времени аренды IP-адресов сетевых устройств вычислительной сети

осуществляют для исключения возможности нарушителя вычислить алгоритм перестройки IP-адресов.Then, DHCP server response messages are generated (see block 30 in Fig. 2b), containing the parameters of the set time zone and time, as well as new IP addresses.

, values

, the next subnet number d=d+1 and the IP address of the selected DHCP server

for each of the network devices of the computer network. Formation of a new lease time value for IP addresses of network devices of a computer network

are carried out to eliminate the possibility of the intruder to calculate the algorithm for rebuilding IP addresses.

значения

, следующий номер подсети d=d+1 и IP-адрес выбранного DHCP-сервера

сетевым устройствам вычислительной сети.Next, send (see block 31 in Fig. 2b) DHCP server response messages containing the parameters of the set time zone and time, as well as new IP addresses

values

, the next subnet number d=d+1 and the IP address of the selected DHCP server

network devices of a computer network.

, номер подсети d=d+1 и IP-адрес выбранного DHCP-сервера

.Then they receive (see block 32 in Fig. 2b) each network device of the computer network messages containing the synchronization parameters of the set time zone and time, new IP addresses and the duration of their lease

, subnet number d=d+1 and IP address of the selected DHCP server

.

Further, in order to hide the fact of using protection means and mislead the intruder, a network device is set (see block 33 in Fig. 2b) in subnet d to form and direct information flows of false network traffic in this subnet.

и время их аренды

, IP-адрес выбранного DHCP-сервера

.After that, set (see block 34 in Fig. 2b) to network devices of subnet d, except for a network device for the formation and direction of information flows of false network traffic, synchronization parameters of the set time zone and time, subnet number d=d+1, IP addresses

and rental time

, IP address of selected DHCP server

.

DHCP-серверу.Then set (see block 35 in Fig. 2b) IP address

DHCP server.

Further, since the network parameters of the computer network devices have changed, they form again (see block 36 in Fig. 2b) a memory array N _A for the new subnet d=d+1.

Then compare (see block 37 in Fig. 2b) the calculated value Hc _of the network traffic self-similarity index between network devices from the subnet d with the values of the required network traffic self-similarity coefficient from the set {H _t }.

In case of their discrepancy, based on the definition of the self-similarity index, information flows of false network traffic with random parameters are formed (see block 42 in Fig. 2b) for subnet d, as described, for example, in the article Budko P.A., Budko N. P., Litvinov A.I., Nikolaev V.A. Network traffic simulation method, Science-intensive technologies in space exploration of the Earth, vol. 5, no. 2, 2013, on pp. 30-37.

Then send (see block 43 in Fig. 2b) from the network device for the formation and direction of information flows of false network traffic to the subnet d information flows of the generated false network traffic with random parameters before the expiration of time t _d .

Otherwise, when the calculated value H corresponds _to the self-similarity index of network traffic between network devices from the subnet d to the value of the required self-similarity coefficient of network traffic from the set {H _t }, read (see block 38 in Fig. 2b) from the memory array M _z parameters subnet network traffic d.

Next, a mathematical model is formed (see block 39 in Fig. 2b) for each of the network traffic parameters of the subnet d.

, описанного, например, в статье J. Не, J. Cai, Design of a New Chaotic System Based on Van Der Pol Oscillator and Its Encryption Application, Mathematics, 2019, 7, 743 таким образом, чтобы показатель Хёрста H_s синтезированного временного ряда совпадал с заданной точностью с Н_с.For the synthesis of a mathematical model, a method is used that is known and described, for example, in the book by A.E. Davydov. Protection and security of departmental integrated infocommunication systems, Moscow: Voentelecom, 2015, 520 p. In accordance with this method, for each of the selected network traffic parameters, the coefficients a and b of the equation of the nonlinear van der Pol oscillator are selected

, described, for example, in the article J. Ne, J. Cai, Design of a New Chaotic System Based on Van Der Pol Oscillator and Its Encryption Application, Mathematics, 2019, 7, 743 so that the Hurst exponent H _{s of} the synthesized time series coincided with the specified accuracy with H _with .

After that, information flows of false network traffic are formed (see block 40 in Fig. 2b) between network devices of subnet d with parameters obtained on the basis of synthesized mathematical models for each of them. To do this, calculate the values of the time series specified by the corresponding mathematical model for each of the network traffic parameters, changing the value of the variable t from 0 to t _d .

Next, information flows of the generated false self-similar network traffic are sent (see block 41 in Fig. 2b) from a given network device to subnet d until the time t _d expires (see block 44 in Fig. 2b).

Then, after the time t _d has elapsed (see block 45 in Fig. 2b), the direction of false network traffic to the source subnet d is completed. During this time, all available protection measures will be implemented, the cyber maneuver will be guaranteed to be completed, and computer intelligence tools that perform low-intensity scanning will not be able to compromise it.

и время его аренды

, IP-адрес выбранного DHCP-сервера

.After that, the network device from which the false network traffic was generated and sent to the subnet d is given new synchronization parameters for the set time zone and time, the subnet number d=d+1, the IP address

and rental time

, IP address of selected DHCP server

.

Next, a memory array N _A is again formed to store the matrix of matching MAC and IP addresses of network devices in subnet d=d+1, taking into account the network device that appeared from subnet d, from which false network traffic was generated and directed.

The value of time t _d for sending false network traffic to subnet d is set to 86400 seconds. This is due to the need to protect against low-intensity network scanning by means of computer intelligence, as well as to implement additional comprehensive protection measures.

As parameters for generating self-similar false network traffic, the connection duration, source IP address, source port, destination IP address, destination port, number of packets in a session, number of bytes transferred per session are selected. The combination of these parameters makes it possible to obtain the most adequate models for generating self-similar traffic in a computer network.

The time value t _z for reading network traffic parameters in subnet d is set to 86400 seconds. This is due to the need to form a sufficient time series to accurately determine the traffic self-similarity coefficient, which is more clearly manifested over long periods of time.

As an algorithm for calculating the self-similarity index H _from network traffic, the corrected changed range analysis algorithm is chosen, which is known and described, for example, in the book of Peters E.E. Fractal Market Analysis: Applying Chaos Theory to Investment and Economics, New York: Wiley, 1994, 336 p., which is due to its significant speed and accuracy of the results obtained compared to traditional R/S analysis.

. Это обусловлено меньшим количеством вычисляемых коэффициентов модели по сравнению с другими известными динамическими системами, обладающими свойством самоподобия (аттракторами Лоренца и Мэки-Гласса).As an attractor of the mathematical model of network traffic parameters, a nonlinear Van der Pol generator is chosen, which has the form

. This is due to a smaller number of calculated coefficients of the model compared to other known dynamical systems with the self-similarity property (Lorentz and Mackey-Glass attractors).

The required values of the network traffic self-similarity coefficient H _t are selected within 0.5<H _t <1 based on the definition of the Hurst exponent described, for example, in Hurst H.E., Black P., Simaika RY. M. Long-Term Storage: An Experimental Study, London: Constable, 1965. 145 p.

A computer with installed software for generating network traffic, for example, PacketSender (http://packetsender.com), is chosen as a device for generating and directing false network traffic to the subnet.

Thus, the claimed method provides an increase in the effectiveness of protection by reducing the ability of the intruder to compromise the means of protection and mislead him. This is achieved by generating false network traffic on the original subnet after changing the current settings of network devices to new settings on the new subnet.

Claims (7)

A method for protecting computer networks, which consists in pre-setting IP={IP ₁ , IP ₂ ... IP _n } a set of IP addresses of network devices of a computer network that are DHCP clients of a DHCP server, where n is the maximum allowable value of the number of IP addresses of network devices of a computer network, also define subsets d in the set of IP addresses of network devices of a computer network

, where d is the DHCP server subnet number, d=1.2…z, where z is the maximum number of subnets, for each subset d, IP addresses of DHCP servers are specified

, Where

- DHCP server IP address,

, then preliminarily set the memory array D=[1, 2, ..., z] to store the subnet numbers of the DHCP server and t ^d _max - the maximum value of the lease time for all IP addresses of the subnet with number d, then set C={CIP ₁ , CIP ₂ ... CIP _m } set of connections between network devices of a computer network, where CIP _m is a connection identifier between network devices of a computer network, which contains the IP address of the sender c and recipient b, type of interaction protocol, interaction ports, where m - the maximum allowable number of connections between network devices of the computer network, and also pre-set the memory array C _i =[CIP ₁ , CIP ₂ ... CIP _m ] for storing identifiers CIP _m and a set of identifiers of authorized information flows TS≥1, then pre-set MAC= {MAC ₁ , MAC ₂ ... MAC _l } set of MAC addresses of network devices of a computer network, where l is the maximum number of network devices in a computer network, memory array N _A to store the mapping matrix to the n-th IP address of the network device from the set of IP addresses of the l-th MAC address from the MAC memory array, then set

- a set of IP addresses of false subscribers of subnet d, where ƒ is the maximum allowable number of IP addresses of network devices of subnet d, connect network devices to the computer network, send messages from the network devices of the computer network to the DHCP server to obtain synchronization parameters for the set time zone and time , subnet numbers d, IP addresses IP ^d and their lease time, IP addresses of the DHCP server IP ^d _dhcp , receive messages from network devices of the computer network by the DHCP server, generate messages for network devices containing the synchronization parameters of the set time zone and time , assigned subnet number d, IP addresses IP ^d and their lease time, IP address of the DHCP server IP ^d _dhcp , send generated messages to network devices of the computer network, receive a message from the DHCP server by each network device of the computer network, send from network devices computer network, response messages to the DHCP server confirming its choice are received receive by the DHCP server messages from network devices of the computer network confirming its choice, set by the network device of the computer network the synchronization parameters of the set time zone and time, assigned subnet number d, IP addresses IP ^d and their lease time, for the DHCP server IP address IP ^d _dhcp , then match MAC and IP addresses, remember the match of MAC and IP addresses in the memory array N _A , delete from the memory array N _A those matches of network devices of the computer network from which they did not receive messages confirming them selection, establishing connections between network devices of a computer network and assigning CIP _m identifiers to established connections between network devices of a computer network, then storing CIP _m identifiers in memory array C, and receiving a message packet from the communication channel, then extracting the information flow identifier from the header of the received message packet , then compare it with the sanctions identifiers of authorized TS information flows and if the allocated information flow identifier matches the identifiers of the authorized TS information flows, the message packet is transmitted to the recipient, then the next message packet is received from the communication channel, and if the allocated identifier does not match the identifiers of the authorized TS information flows, the IP address is compared recipient in the received message packet with predefined false IP addresses of FIP computer network subscribers and if the recipient's IP address in the received message packet does not match with the predefined false IP addresses of FIP subscribers, the message packet is ignored, and if the recipient's IP address in the received packet of messages with predefined false IP addresses of RUR subscribers, the IP address of the sender of the message packets is compared with each IP address of the network device of the computer network from the set of IP ^d , if they match, the MAC address of the network devices is excluded and from the array N _A of the DHCP server, and if they do not match, the next d=d+1 subnet number is read by the DHCP server from the array D, then messages are generated for network devices containing new synchronization parameters of the set time zone and time, the subnet number d=d+1, IP addresses ^(d+1) and their lease time

, to the DHCP server IP address IP ^(d+1) _dhcp , then generated messages are sent from the DHCP server to network devices of the computer network containing new synchronization parameters of the set time zone and time, subnet number d=d+1, IP addresses ^(d+1) and their lease time

, then each network device of the computer network receives messages containing new synchronization parameters of the set time zone and time, subnet number d=d+1, IP addresses ^(d+1) and their lease time

, after that, the network devices of the computer network are set the synchronization parameters of the set time zone and time, the subnet number d=d+1, IP addresses ^(d+1) and their lease time

, set the IP address IP ^(d+1) _dhcp for the DHCP server, then re-form the memory array N _A to store the matrix of matching MAC and IP addresses of network devices of the computer network, characterized in that the pre-specified source data is additionally set time value t _z of reading network traffic parameters from subnet d, memory array M _z for storing parameters of the read network traffic from subnet d, memory array M _H for storing the calculated value of the self-similarity coefficient of network traffic from subnet d, set {H _t } of required coefficient values self-similarity of network traffic from subnet d, time t _d of sending false network traffic to the subnet, then after the formation and assignment of parameters to the network devices of the subnet, establishing the correspondence between MAC and IP addresses and storing this correspondence in the memory array N _A , as well as establishing between network devices of network connections and CIP identifiers _m of these connections are read during time t _z parameters of network traffic between network devices from subnet d, store in the memory array M _z read parameters of network traffic between network devices from subnet d, calculate the value H _from the self-similarity index of network traffic between network devices from subnet d, store in the memory array M _H the calculated value Hc _of the self-similarity index of network traffic between network devices from subnet d, then, after receiving a message packet from the communication channel and extracting the information flow identifier, then comparing it with the identifiers of authorized information flows and in case of a mismatch between the IP address of the message packet sender and the set of IP - IP addresses ^d of subnet d, after generating messages for network devices of subnet d containing new network parameters and sending these messages to network devices, a network device is set in subnet d to form and direct information flows of false network traffic in this subnet, set network devices of subnet d, except for a network device for generating and directing information flows of false network traffic, synchronization parameters of the set time zone and time, subnet number d=d+1, IP addresses IP ^(d+1) and their lease time

, IP address of the selected DHCP server IP ^(d+1) _dhcp , re-form the memory array N _A for the new subnet d=d+1, compare the calculated value H _with the self-similarity index of network traffic between network devices from the subnet d with the value of the required coefficient self-similarity of network traffic from the set {H _t }, in case of its inconsistency, information flows of false network traffic with random parameters are formed for subnet d, information flows of generated false network traffic with random parameters are sent from a given network device to subnet d before the expiration of time t _d , otherwise, if the calculated value H corresponds _to the self-similarity index of network traffic between network devices from the subnet d to the value of the required self-similarity coefficient of network traffic from the set {H _t }, the network traffic parameters of subnet d are read from the memory array M _z , a mathematical model is formed for each from the network traffic parameters of subnet d, form and information flows of false network traffic between network devices of subnet d with parameters obtained on the basis of the generated mathematical models for each of them send from a given network device information flows of generated false self-similar network traffic to subnet d before the expiration of time t _d , after the time of sending the false network traffic t _d complete the direction of false network traffic to subnet d, set the network device from which the formation and direction of false network traffic to subnet d, new synchronization parameters of the set time zone and time, subnet number d=d+1, IP address IP ^(d+1) and its lease time

, the IP address of the selected DHCP server IP ^(d+1) _dhcp , again form a memory array N _A to store the matrix of matching MAC and IP addresses of network devices in subnet d=d+1, taking into account the network device that appeared from subnet d, from which the formation and direction of false network traffic was carried out. 2. The method according to claim 1, characterized in that the time value t _d for sending false network traffic to subnet d is set to 86400 seconds. 3. The method according to claim 1, characterized in that the duration of the connection, the source IP address, the source port, the destination IP address, the destination port, the number of packets in the session, the number of bytes transmitted are selected as parameters for generating self-similar false network traffic. per session. 4. The method according to claim. 1, characterized in that the value of the time t _z reading network traffic parameters in subnet d is set equal to 86400 seconds. 5. The method according to claim 1, characterized in that as an algorithm for calculating the self-similarity index H _from network traffic, an algorithm for analyzing the corrected changed range is selected. 6. The method according to claim 1, characterized in that the non-linear van der Pol oscillator is chosen as the attractor of the mathematical model of self-similar false network traffic. 7. The method according to p. 1, characterized in that the required values of the coefficient of self-similarity of network traffic H _t is selected within 0.5<H _t <1.

Images