RU2791071C1 - Method for assessment of importance of nodes of information and communication networks - Google Patents

Abstract

FIELD: computer technology.

SUBSTANCE: invention relates to the field of computer technology for provision of security of information and communication networks for data transmission. A database of weight factors of network nodes is formed, a network traffic is monitored, during which attack sources – the latest node, from which IP packets come, defined with an attack detection system as dangerous and threatening for network functioning, are determined, a network graph is built, all possible network paths for all “attack source – protection object” pairs are determined, importance of nodes belonging to paths determined for all “attack source – protection object” pairs is assessed by calculating a node centrality value, taking into account weight factors of nodes: an attack source and a protection object, nodes are ranked by an importance degree, impossibility of reception and transmission of IP packets with nodes with the highest rank from attack sources is provided with available means, and the end of an attack to each protection object is checked, and, if the attack continues, actions, according to the method, are repeated, starting from calculation of node centrality.

EFFECT: increase in the reliability of assessment of importance of network nodes to provide network security.

1 cl, 2 dwg

Description

The field of technology to which the invention belongs

The invention relates to the field of security of data transmission networks and can be used to protect communication network service servers from computer attacks using graph theory.

State of the art

Any information and communication networks, the nodes of which are interconnected by some type of relationship, can be represented in the form of graphs. Representing a network in the form of a graph and calculating its main characteristics allows assessing the importance of nodes, their role and influence in the network, as well as conducting research to ensure the protection of communication networks from computer attacks and unauthorized access. Computer attacks, in addition to directly affecting specific network objects, can affect other parts of the information and communication network, infecting it with virus traffic, which leads to blocking the functioning of the network. The source of an attack is understood as the source of a computer attack, where a computer attack is a targeted software and hardware impact on information and telecommunication means, leading to a violation or reduction in the efficiency of the execution of technological control cycles in an information system. [Klimov S.M., Sychev M.P., Astrakhov A.V. "Experimental evaluation of counteraction to computer attacks on the test site"].

As part of information security measures, one of the approaches to assessing the importance of network nodes, that is, the degree of potential danger in facilitating the spread of network traffic through the network from attack sources (hereinafter referred to as important nodes), is to calculate the centrality value of nodes by the degree of mediation. The centrality of a network node is an index (scalar value), which is calculated according to a predetermined algorithm, and characterizes the significance of the node in the formation of the network topology, the integration of relatively separated network clusters, participation in the most important information flows [Nodes in social networks: measures of centrality and role in network processes Electronic resource. Access mode: https://cyberleninka.ru/article/v/uzly-v-sotsialnyh-setyah-mery-tsentralnosti-i-rol-v-setevyh-protsessah]. To increase the reliability of calculating the centrality of nodes, in the process of researching the shortest paths, the role and degree (weight) of the terminal nodes of these routes, that is, the source of attack and the object of protection, can be taken into account.

The weight (weight coefficients) of a node is a qualitative characteristic that takes into account the role, degree of influence and other individual characteristics of a network node, which can be calculated on the basis of assessments and calculations by relevant specialists and experts.

A known method of managing networks using connectivity analysis [Russia, patent No. 2394382 H04L 12/24, published: 10.07.2010 Bull. No. 19], which consists in the fact that the identification of networks, consisting of a plurality of nodes, is carried out on the basis of a comparison of the network topology map and the calculation of the value of the strength of the connection between the nodes and the centrality index of the eigenvector for all nodes. After identifying and measuring values, a role is assigned to each node depending on its position and membership, then the central node is determined.

This method provides the calculation of the centrality of the node, while not taking into account the values of the weight coefficients of the network nodes. In this regard, the determination of the value of the centrality of the node is less reliable.

The closest in technical essence to the proposed one is a method for protecting communication network service servers from computer attacks [Russia, patent No. No. 10], based on the search for the most central nodes in the network and preventing them from receiving information packets from nodes that have been attacked.

The disadvantage of this method is the lack of consideration of the weights of the nodes that belong to the studied shortest routes in the network, when calculating the centrality value of the node of interest. This shortcoming leads to less reliable results of calculating the centrality of nodes.

The purpose of the invention is to increase the reliability of estimating the importance of nodes by taking into account the weight coefficients of the attack source and the object of protection when calculating their centrality in the interests of increasing the security of the network.

The essence of the invention.

The technical result of the invention is to increase the reliability of estimating the importance of nodes based on taking into account a priori information about the weight coefficients of the attack source and the object of protection when calculating the centrality values of the evaluated nodes.

The essence of the method is to determine the most important network nodes based on the calculation of their centrality, taking into account the weight coefficients of the nodes, such as the source of attack and the object of protection.

The technical result is achieved by taking into account the weighting coefficients of nodes, such as the source of attack and the object of protection, when calculating the centrality of network nodes in order to assess their importance.

The technical result of this technical solution is manifested in the following possibilities:

reliable assessment of the importance of information and communication network nodes based on the calculation of their centrality, taking into account the weight coefficients of the attack source and the object of protection;

forming a ranked set of nodes according to their degree of importance based on the value of their centrality;

timely adoption of measures to protect information and communication networks by preventing the most important nodes from receiving and transmitting information packets from network nodes that have been attacked.

The proposed method for protecting information and communication networks based on the calculation of the centrality of nodes, taking into account weight coefficients in order to determine the most dangerous nodes, is as follows (Fig. 1).

In block 1, to increase the reliability of estimating the importance of nodes, a database of weight coefficients of network nodes is formed.

In block 2, network traffic is monitored [Network monitoring. Wireshark sniffer. Electronic resource. Access mode: http://www.4stud.info/networking/work2.html]. Further, when an attack is detected in block 4, the source of the attack is determined based on the definition of the extreme network node from which the IP packets were received, determined by the attack detection system as dangerous and posing a threat to the functioning of the network.

In block 5, a network graph is built [A.A. Zykov Theory of Finite Graphs Publishing house "Nauka" Novosibirsk 1969, p. 543], in block 6 all possible network paths for all pairs "source of attack - object of attack" are determined, in block 7 the importance of nodes is estimated based on the calculation of the centrality values of the evaluated nodes, included in these network paths, taking into account the weight coefficients of the nodes: the source of the attack and the object of protection.

The calculation of the centrality of nodes, taking into account weight coefficients in the interests of estimating the importance of nodes, is carried out according to the following formula:

where N is the number of nodes, σ _{and w} is the number of shortest paths in the graph connecting any pairs of “attack source (s) - attack object (w)”, σ _{and w} (v) is the number of shortest paths passing through the node ν under study, Р( i) - the value of the weight coefficient of the node - the source of the attack, P(w) - the value of the weight coefficient of the node - the object of protection.

After calculating the centrality value of each node (2), which acts as an indicator of importance, the plurality of nodes is ranked by importance values (block 8).

By identifying the nodes that are most important, i.e. having the highest value of calculated centrality, in block 9, the security system operator ensures by available means a ban on the reception and transmission of information packets by these nodes from attack sources.

In block 10, the end of the attack is checked for each network object. If the attack continues, then the actions according to the method are repeated, starting from the sixth block.

To assess the increase in the reliability of determining the centrality of the node, simulation modeling was carried out using specialized software "Opnet" [Brief description of the Opnet software package. Electronic resource. Access mode: http://www.helpiks.org/3-2303.html]. By means of this software, a data transmission network was simulated, where one of the random nodes was the “source of attack”, and the other was the “object of protection”. For this network model, importance calculations were made based on the centrality of nodes, taking into account the weight coefficients of the remaining nodes and without (Fig. 2). The sets of nodes obtained by both methods were ranked (sorted in decreasing order of importance) and compared with the sorted list using the simulation software Opnet. As a result of the calculations, it was found that the average value of the node ranking error by the importance value calculated by the proposed method, i.e. taking into account the weight coefficients of nodes, such as the source of attack and the object of protection, decreased by 23.37% (accordingly, the reliability increased by 23.7%). The ranking error was determined according to formula (1).

Brief description of the drawings.

The essence of the invention is illustrated by graphic materials, where: in Fig. 1 schematically shows the sequence of blocks in accordance with the claimed method; in fig. Figure 2 shows the results of simulation modeling for calculating the errors of ranking a set of nodes according to their degree of importance under two conditions: without taking into account the weight coefficients of the remaining nodes (filled marks on the graph) and taking into account the weight coefficients (unfilled marks on the graph).

Comparing the proposed method with the prototype and analogues, as well as with the results of the search for known technical solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed method, showed that they are absent in publicly available sources of information. Therefore, the claimed invention meets the criteria of "novelty" and "inventive step".

The presence of an appropriate element base, on the basis of which devices that implement this method can be made with the achievement of the specified result, determine the "Industrial applicability" of this method.

The proposed method for assessing the importance of nodes of information and communication networks, based on the assessment of the centrality of nodes, taking into account the values of the weight coefficients of the nodes: the source of attack and the object of protection, allows you to reliably evaluate the importance of the nodes and rank the resulting set of nodes according to the calculated importance values, determining the most important nodes, in order to ensuring the security of information and communication networks.

Claims (1)

A method for assessing the importance of nodes of information and communication networks for protecting networks from computer attacks, which consists in monitoring the network traffic of the network, during which the sources of attack are determined, the network graph is built, all possible network paths are determined for all pairs of "attack source - object protection”, evaluate the importance of all nodes of these paths, representing the degree of potential danger of nodes to facilitate the propagation of network traffic over the network from attack sources and determined through the centrality value of the node, rank the nodes in order of importance, ensure that the nodes with the highest rank cannot receive and transmit IP- packets from attack sources and check the end of the attack on each protected object, characterized in that at the stage of calculating the centrality values of the nodes belonging to the paths "source of attack - object of protection", as the main indicator of their importance, additionally take into account information about the weight coefficients of the data nodes of the path th, such as the source of attack and the object of protection, also before the implementation of the stage of monitoring network traffic, a database of node weights is formed.

Images