RU2383105C1 - Device for determining network status - Google Patents

Abstract

FIELD: physics; communication.

SUBSTANCE: invention relates to data transmission networks. The device has a parametre selection unit (1), an IP address comparator (2), a SYN/FIN unit (3), an intensity unit (4), a loading unit (5), a loss unit (6), an authenticity unit (7), a standardising unit (8), a control unit (9) and an indicating unit (10). The technical result is achieved by introducing additional intensity units (4), loading unit (5), loss unit (6), authenticity unit (7), standardising unit (8) and by making new connections between units.

EFFECT: more stable functioning of the system under unauthorised action.

11 dwg

Description

The invention relates to the field of telecommunications and can be used to determine the status of the communication network and the operational identification of the communication protocol stack TCP / IP, used in digital communication systems, in particular in a data network such as the Internet.

A device for searching for information according to the patent of the Russian Federation No. 2219577, class G06F 17/40, claimed on 04.24.2002, comprising a frequency divider, two memory units, a subtracting counter, four decryption units, four counters, four address receiving units, two comparison units, two decoders is known and display unit.

This device has a drawback - a narrow scope, therefore it is intended only for the analysis of a relatively small number of parameters of flows passing through it, which leads to unstable functioning of automated systems in the conditions of unauthorized information impact and limits its scope in data transmission networks of the Internet type in the conditions unauthorized exposure (information attacks).

The closest in technical essence (prototype) is an information retrieval device containing two memory units, nine counters, eleven decryption units, functionally combined into a parameter allocation unit, a comparison unit, a control unit and an indication unit, according to the patent No. 2301443, priority of the invention on July 04 2005. The input of the first memory block is the input of the information retrieval device, and its output is connected to the information input of the first decryption unit, the second input of which is connected to the first counter, and the output is decrypt ra - to the input of the second counter, a first output connected to the second input of the second decryption unit, the first input of which is connected to the output of the first memory block. The output of the second decryption unit is connected to the input of the second memory unit, and the output of the second counter is connected to the input of the third counter, the output of which is connected to the first input of the third decryption unit, the second input of which is connected to the output of the first memory unit. The first and second outputs of the third decryption unit are connected to the inputs of the fourth and fifth counters. The counter output is connected to the first input of the fifth decryption unit, the second input of which is connected to the output of the first memory unit, the output of the fifth decryption unit is connected to the second input of the comparison unit, the first input of which is connected through the fourth decryption unit to the output of the fourth counter, the second input of the fourth decryption unit connected to the output of the first memory block. The inputs of the control unit are connected to the second output of the first decryption unit, to the third output of the third decryption unit, to the second output of the comparison unit, to the second output of the sixth decryption unit, to the first output of the seventh decryption unit, to the output of the eighth decryption unit, to the output of the ninth decryption unit, to the first output of the tenth decryption block, to the two outputs of the eleventh decryption block. The eleventh output of the control unit is connected to the input of the first counter and to the first memory unit, the twelfth output of the control unit to the first memory unit, the thirteenth output to the input of the display unit. The output of the second memory unit is connected to the first input of the sixth counter, the second input of which is connected to the output of the first comparison unit, and the output of the counter is connected to the input of the sixth decryption unit, the first output of which is connected to the input of the seventh counter, the output of which is connected to the input of the seventh decryption unit, the second the output of which is connected to the input of the eighth counter, the output of which is connected to the first inputs of the tenth, eighth and ninth decryption units, the second inputs of each of which are connected to the output of the first memory block. The second inputs of the sixth, seventh and eleventh decryption blocks are connected to the output of the first memory block, and the second output of the tenth decryption block is connected to the input of the ninth counter, the output of which is connected to the first input of the eleventh decryption block. The display unit is the output of the device.

This device in comparison with the analogue allows you to expand the scope of its application, in particular, to obtain an unambiguous decision on the use of the TCP protocol and the presence of repeatedly repeated requests to create an arbitrarily large number of logical communication channels by comparing the subsequent data block with the previous one in nine parameters, which necessary to ensure the stable functioning of automated systems under unauthorized exposure), described, for example, in Medvedovsky’s book th I.D. and others. Attack on the Internet. - M.: DMK, 1999, pp. 120-128.

The disadvantages of the prototype device include the analysis of a relatively small number of parameters of flows passing through it, based on the signature method, which leads to unstable functioning of automated systems in the conditions of unauthorized information impact, as well as low reliability of decision making.

The technical task of the invention is the development of a device for determining the state of a communication network, providing an expanded scope and increasing the reliability of decision making by expanding the set of characteristic parameters, analyzing the TCP protocol, taking into account the rules for establishing and maintaining a communication session, identifying cases of an abnormal increase in the intensity of information exchange, anomalous increase traffic load, changes in the ratio of the number of packets on the establishment and disconnection of the connection neniya, an abnormal increase in the number of packets rejected, determining the validity of the source IP address is used, detection of illicit installation combinations flags improper installation and IP addresses of the sender and recipient of the package.

This goal is achieved by the fact that in the known information retrieval device comprising an indication unit, a control unit, an IP address comparison unit, a SYN / FIN unit and a parameter extraction unit, the input of which is an information input of the device, and the third and fourth outputs are connected respectively to the first and the second inputs of the SYN / FIN block, the first and second outputs are connected respectively to the first and second inputs of the IP address comparison unit, the first and second outputs of the control unit are connected to the first and second inputs of the pair allocation unit trov, in addition, an intensity block, a load block, a loss block, a validity block, a normalization block, the first and second inputs of the intensity blocks, the loads are connected respectively to the fifth, sixth, seventh, eighth outputs of the parameter allocation block, and the first, second, third inputs of the block the reliability is connected respectively to the ninth, tenth and eleventh outputs of the parameter allocation unit, the twelfth output of the parameter allocation unit is connected to the nineteenth input of the display unit, the input of the loss unit is I have statistical information on the ratio of the number of packets that have failed to the total number of packets received, the first output of the SYN / FIN block, the outputs of the intensity block, load block and loss block are connected respectively to the first, second, third and fourth inputs of the normalization block, the first, second , the third and fourth outputs of which are connected respectively to the first, second, third and fourth inputs of the control unit, the output of the reliability unit is connected to the eighteenth input of the display unit, and the outputs of the control unit from the third about eighteenth inclusive are connected respectively to the inputs of the indication unit of the second to seventeenth inclusive, the output IP address comparator unit connected to the first input of the indication unit.

The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features that are identical to all the features of the claimed technical solution are absent, which indicates compliance of the claimed device with the patentability condition “Novelty”. Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed object from the prototype showed that they do not follow explicitly from the prior art. From the modern level of technology, the popularity of the influence of the transformations provided for by the essential features of the claimed invention on the achievement of the specified technical result has not been revealed either. Therefore, the claimed invention meets the condition of patentability "Inventive step".

The claimed device is illustrated by the following drawings:

figure 1 - device for determining the status of the communication network;

figure 2 is a structural diagram of a block selection parameters;

figure 3 is a structural diagram of a block comparing IP addresses;

4 is a block diagram of a SYN / FIN block;

5 is a block diagram of an intensity unit;

6 is a structural diagram of a load block;

7 is a structural diagram of a confidence block;

Fig. 8 is a structural diagram of a normalization block;

Fig.9-10 is a structural diagram of a control unit;

11 is a diagram of a display algorithm.

The device for determining the status of the communication network, shown in Fig. 1, contains a parameter allocation unit 1, an IP 2 address comparison unit, a SYN / FIN 3 unit, an intensity unit 4, a load unit 5, a loss unit 6, a confidence unit 7, a normalization unit 8, control unit 9, display unit 10.

The input of the parameter allocation block 1 is the information input of the device, and the third and fourth outputs are connected respectively to the first and second inputs of the SYN / FIN block 3. The first and second outputs are connected respectively to the first and second inputs of the IP address comparison block 2. The first and second outputs of the block control 9 are connected to the first and second inputs of the block selection parameters 1. The first and second inputs of blocks of intensity 4, load 5 are connected respectively to the fifth, sixth and seventh, eighth outputs of the block selection parameters 1, and the first, second, third inputs of the confidence block 7 are connected respectively to the ninth, tenth and eleventh outputs of the parameter allocation unit 1. The twelfth output of the parameter allocation unit 1 is connected to the nineteenth input of the indication unit 10. The input of the loss unit 6 is statistical information about the ratio of the number of packets received failure, to the total number of packets received. The first output of the SYN / FIN 3 unit, the outputs of the intensity unit 4, the load unit 5 and the loss unit 6 are connected respectively to the first, second, third and fourth inputs of the normalization unit 8, the first, second, third and fourth outputs of which are connected respectively to the first, second , the third and fourth inputs of the control unit 9. The output of the reliability unit 7 is connected to the eighteenth input of the display unit 10, and the outputs of the control unit from the third to eighteenth inclusive are connected respectively to the inputs of the display unit 10 from the second to the seventeenth inclusive. The output of the IP address comparison unit 2 is connected to the first input of the display unit.

The parameter allocation block is designed to determine the presence of TCP in the information stream, analyze it and supply the extracted characteristic parameters (sender and receiver IP addresses, TTL field value, setting flags in the TCP packet header, total packet size) to the input of the remaining blocks. Its structural diagram is presented in figure 2

The first memory block 1.1 is intended for storage and subsequent reading from it to the first 1.2, eighth 1.15 counters, the second 1.6, the third 1.8, the fourth 1.12, the fifth 1.14 memory blocks, the second 1.10, the third 1.16, the fourth 1.17, the fifth 1.18 blocks of decryption of data packet bytes coming from a demodulating device (channel controller) and issuing a command to end the recording of received packet data to the first counter 1.2.

The first counter 1.2 counts 14 bytes in numerical order to determine the IP packet.

The first decryption unit 1.3 is designed to determine in the sequence of incoming IP protocol data and supply a control signal to the validity unit.

The second counter 1.4 is designed to count 4 bits to detect the field length of the packet header.

The third counter 1.5 is designed to count 12 bits to find the total size of the IP packet and supply a control signal to enable the recording of this value in the second memory block 1.6.

The second block of memory 1.6 is designed to record and store the total size of the IP packet and output this value to the intensity block.

The fourth counter 1.7 is designed to count 6 bytes to find the value of the TTL field of the packet and provide a control signal about the permission of its recording in the third memory block 1.8.

The third block of memory 1.8 is designed to write to it and store the value of the TTL field of the IP packet and issue this value to the confidence block 7.

The fifth counter 1.9 is designed to count 1 byte to find the value of the field indicating the protocol of the higher level, the packet and supply a control signal to enable its recording in the second decryption unit 1.10.

The second decryption unit 1.10 is used to determine the numerical value of “six” in decimal form, i.e. determining the TCP protocol and supplying the control signal “1” to the sixth counter 1.11, to the load and intensity blocks.

The sixth counter 1.11 is designed to count 5 bytes to find the last two bytes of the sender address of the IP packet and provide a control signal to enable the recording of this value in the fourth memory block 1.12.

The fourth memory block 1.12 is designed to record and store the value of the last two bytes of the IP packet sender address and to issue this value to the confidence blocks 7 and compare IP addresses 2.

The seventh counter 1.13 is designed to count 4 bytes to find the last two bytes of the address of the recipient of the IP packet and supply a control signal to enable the recording of this value in the fifth memory block 1.14.

The fifth memory block 1.14 is designed to record and store the value of the last two bytes of the address of the recipient of packet I and to issue this value to the block for comparing IP addresses 2.

The eighth counter 1.15 is designed to find the byte of the TCP header flags and issue this byte to the third 1.16, fourth 1.17, and fifth 1.18 decryption blocks.

The third decryption block 1.16 is intended to determine the case of setting the SYN flag in the TCP header and supplying a control signal to the SYN / FIN 3 block.

The fourth decryption block 1.17 is intended to determine the case of setting the FIN flag in the TCP header and supplying a control signal to the SYN / FIN 3 block.

The fifth decryption block 1.18 is designed to determine the case of abnormal joint setting of the SYN and FIN flags in the TCP header and the supply of a control signal to the control unit 9.

The block comparing IP addresses 2 is designed to detect an abnormal setting of IP addresses in TCP packets and signaling this to the display unit 10. A variant of the block comparing IP addresses 2 is shown in Fig. 3.

The SYN / FIN 3 block is intended for calculating the ratio of the number of TCP packets with the SYN and FIN flags set and outputting this value to the normalization block. An embodiment of the SYN / FIN block diagram is shown in FIG. 4.

Intensity block 4 is intended for calculating the intensity of information exchange of TCP packets and issuing this value to the normalization block 8. A variant of the circuit of this block is presented in Fig. 5.

The load block 5 is designed to calculate the number of TCP packets arriving at a time unit and output this value to the normalization block 8. A variant of the circuit of this block is presented in Fig.6.

Loss block 6 is intended for storing statistical information arriving at it on the ratio of the number of packets that failed, to the total number of packets arriving and issuing this value to the normalization block.

Reliability block 7 is designed to generate a signal about the detection of an invalid IP address of the received packet and to supply this signal to the indication block 10. A variant of the scheme of the reliability block 7 is shown in Fig. 7.

The normalization unit 8 is designed to normalize the input values for their equal consideration in the decision-making process and the delivery of the obtained values to the control unit 9. A variant of the normalization unit circuit is shown in Fig. 8.

The control unit 9 is designed to make a decision about the state of the network at a given time based on the analysis of the normalized numerical values of the characteristic parameters arriving at it, determining the state of each of the characteristic parameters, outputting these results to the indicating unit 10, and supplying control signals “erasing” and “recording "To the first memory block 1.1 to enable reading of the next packet of information. A variant of the control unit circuit is shown in Fig.9.

The display unit 10 is designed to visually display the decision made about the state of the network at a particular point in time, the state of each of the studied characteristic parameters, the deviation of the reliability parameter, the anomalous setting of the SYN and FIN flags, and the IP address of the sender. Indicator schemes are known and described, for example, in the book of Veniaminov V.N., Lebedev O.N., Miroshnichenko A.I. Chips and their application: a reference guide. - M.: Radio and Communications, 1989, p. 97, Fig. 7.1.

The first 1.1, second 1.6, third 1.8, fourth 1.12, fifth 1.14 memory blocks can be implemented on RAM chips K185RU4 (Reference on integrated circuits / B.V. Tarabrin, S.V. Yakubovsky, N.A. Baranov and others. Under Edited by B.V. Tarabrin. - 2nd ed., revised and revised - M .: Energy, 1980. - P.215).

Schemes of the first 1.2, second 1.4, third 1.5, fourth 1.7, fifth 1.9, sixth 1.11, seventh 1.13, eighth 1.15 counters are known and described, for example, in FIGS. 6, 7, 8 of RF patent No. 22199577, IPC G06F 17/40 and can be implemented on AND elements, counters and decoders. Schemes of elements And are known and described, for example, in the book Shilo V.L. Popular Digital Chips: A Guide. - M.: Radio and Communications, 1987, p. 40, Fig. 1.23. In particular, such a scheme can be implemented on the K555LI2 chip. Counters can be implemented on chips of the K555 series, see, for example, Shilo V.L. Popular Digital Chips: A Guide. - M.: Radio and Communications, 1987, p. 90, Fig. 1.66. The decoder can be implemented on decoder circuits having four discharges, see, for example, Shilo V.L. Popular Digital Chips: A Guide. - M.: Radio and Communications, 1987, p. 133, Fig. 1.95. In particular, such a scheme can be implemented on the K555IDZ chip.

The schemes of the first 1.3, second 1.10, third 1.16, fourth 1.17, fifth 1.18 decryption units are known (see, for example, FIG. 2 and FIG. 3 of RF patent No. 22199577, IPC G06F 17/40) and can be implemented on elements And, decoders and elements AND NOT. Schemes of elements And are known and described, for example, in the book Shilo V.L. Popular Digital Chips: A Guide. - M.: Radio and Communications, 1987, p. 40, Fig. 1.23. In particular, such a scheme can be implemented on the chip K555LR12. As decoders, 555 series microcircuits can be used, for example, K555ID10 (Shilo V.L. Popular digital microcircuits: A Handbook. - M.: Radio and Communications, 1987, p. 137, Fig. 1.98). As an AND-NOT element, for example, the K155LAZ microcircuit can be used (Shilo V.L. Popular digital microcircuits: Reference book. - M.: Radio and communication, 1987, p. 41, Fig. 1.24).

The IP address comparison block contains comparator 2.1. The scheme of comparators for comparing two N-bit words is known and described in the book by Shilo V.L. Popular Digital Chips: A Guide. M .: Radio and communications, 1987, pp. 183-184, 187, fig. 1.135. It can be implemented on K555SP1 chips.

The SYN / FIN block contains a divider 3.1, which can be implemented on the КР1802ВР2 chip (for example, see N.N. Averyanov, A.I. Berezenko, Yu.I. Borschenko, etc. Microprocessors and microprocessor sets of integrated circuits. Reference: in 2 tons; under the editorship of V.A. Shakhnov. - M .: Radio and communications, 1988.- Vol. 2, p. 61-70).

The intensity block contains an adder 4.2 with the accumulation time DT, a divider by AT 4.3, a switching block 4.1. The adder 4.2 can be built on programmable interval timers and accumulative totalizers such as batteries. Schemes of programmable interval timers are known and described, for example, see Ugryumov EP Digital circuitry. Reference manual. - St. Petersburg: BHV-Petersburg, 2004, p. 348-355, Fig. 6.29. In particular, such a scheme can be implemented on a chip VI series K1821 and K1860. Adders can be implemented on K555IMZ chips, for example, see Ugryumov EP Digital circuitry. Reference manual. - SPb .: BHV-Petersburg, 2004,

p. 77-85, fig. 2.24, 2.28. Schemes of OR elements are known, for example, described in the book Yakubovsky S.V. Digital and analog integrated circuits: a reference. - M.: Radio and Communications, 1990, p. 78, Fig. 167. In particular, such a scheme can be implemented on the K555LP2 chip. The switching unit 4.1 can be implemented on multiplexers and demultiplexers, the schemes of which are known, for example, see Ugryumov EP Digital circuitry: Reference manual. - St. Petersburg: BHV-Petersburg, 2004, p. 54-56, Fig. 2.9 (b). In particular, it is built on NAND elements.

The load unit contains an adder 5.2 with a summation time ΔТ, a divider on ДТ 5.3, a switching unit 5.1. Adder 5.2 can be built on programmable interval timers and accumulative totalizers such as batteries. Schemes of programmable interval timers are known and described, for example, see Ugryumov EP Digital circuitry: Reference manual - St. Petersburg: BHV-Petersburg, 2004, pp. 348-355, Fig. 6.29. In particular, such a scheme can be implemented on a chip VI series K1821 and K1860. Adders can be implemented on K555IMZ chips, for example, see Ugryumov EP Digital circuitry: a reference guide. - SPb .: BHV-Petersburg, 2004,

p. 77-85, fig. 2.24, 2.28. Schemes of OR elements are known, for example, described in the book Yakubovsky S.V. Digital and analog integrated circuits: a reference. - M.: Radio and Communications, 1990, p. 78, Fig. 167. In particular, such a scheme can be implemented on the K555LP2 chip. The switching unit 5.1 can be implemented on multiplexers and demultiplexers, the schemes of which are known, for example, see Ugryumov EP Digital circuitry: Reference manual. - St. Petersburg: BHV-Petersburg, 2004, p. 54-56, Fig. 2.9 (b). In particular, it is built on NAND elements.

The validity block contains a memory block 29.1, an average value calculation block 29.2, a four divider 29.3, an adder 29.4, a subtracter 29.5, comparators 29.6 and 29.7, an OR element 29.8. Schemes of memory blocks are known and described, for example, see Ugryumov EP Digital circuitry: a reference guide. - SPb .: BHV-Petersburg, 2004, pp. 175-190. In particular, such a scheme can be implemented on KN531RU9 microcircuits. The unit for calculating the average value 29.2 can be built on arithmetic-logic devices, the schemes of which are known and described, for example, see Ugryumov EP Digital circuitry: a reference guide. - SPb .: BHV-Petersburg, 2004, pp. 90-92. In particular, such a scheme can be implemented on K555IPZ microcircuits. The divider circuit may be implemented in a shift register. Schemes of shift registers are known and described, for example, see Ugryumov EP Digital circuitry: a reference guide. - SPb .: BHV-Petersburg, 2004, pp. 144-150, pp. 143-146, in particular, can be implemented on the IR13 chip of the KR1533 series. Schemes of adders and subtracters are known and described, for example, see Ugryumov EP Digital circuitry: a reference guide. - SPb .: BHV-Petersburg, 2004,

p. 77-85, fig. 2.24, 2.28. In particular, they are based on KM155IMZ microcircuits. Comparator circuits are known and described, for example, see Ugryumov EP Digital circuitry: a reference guide. - St. Petersburg: BHV-Petersburg, 2004, pp. 64-66. In particular, they are based on KR1533SP1 microcircuits. Schemes of OR elements are known, for example, described in the book Yakubovsky S.V. Digital and analog integrated circuits: a reference. - M.: Radio and Communications, 1990, p. 78, Fig. 167. In particular, such a scheme can be implemented on the K555LP2 chip.

The normalization block contains multipliers by ten 8.1 and 8.4, a divisor by ten 8.2, a divisor by a thousand 8.3. These elements can be implemented on the KR1802 BP2 microcircuits (for example, see N.N. Averyanov, A.I. Berezenko, Yu.I. Borschenko, etc. Microprocessors and microprocessor sets of integrated circuits: Reference: 2 tons; ed. V.A. Shakhnova. - M.: Radio and Communications, 1988. - T. 2., Pp. 61-70).

The control unit is designed to generate control signals in order to implement the required decision-making algorithm and can be implemented on the microprocessor TMS32010 (Lanne A.A. Digital processor TMS32010 and its application - L .: VAS, 1990. - 296 s). Typically, a control unit is a sequential logic circuit and can be synthesized according to well-known rules (Gutnikov BC, Lopatin V.V. et al. Electronic Devices of Information and Measuring Equipment: Textbook. - L .: LPI named after Kalinin, 1980, p. 73-76, Fig. 42; Gutnikov BC Integrated Electronics in Measuring Devices - L .: Energia, 1980.- 248 s).

The device operates as follows. The first memory block 1.1 of the parameter allocation block is designed to store and then read from it bytes of packet data. When 8 control signals “erase” and “write” (logical “1”) are received from the control unit output, the RAM cells of the first memory block are filled with 1.1 bytes of packet received from the demodulating device (channel controller). After all the bytes of the next packet of the analyzed protocol are written down, the permission for reading the information byte by byte (logical “1”) is generated on the second output of the memory block 1.1. From the first output of the first memory block 1.1, bytes of packets are sequentially delivered to the first inputs of the first 1.3, second 1.10, third 1.16, fourth 1.17 and fifth 1.18 decryption blocks, as well as to the first inputs of the second 1.6, third 1.8, fourth 1.12, fifth 1.14 memory blocks, as well as the first inputs of the first 1.2 and eighth counters.

When the first counter 1.2 receives a signal from the memory unit 1.1 (logical “1”), 14 bytes are read to determine the value “six” (06) in decimal form in the signal digital sequence, which corresponds to the IP protocol in the packet.

This description describes the Ethernet 802.3 / LLC frame format. In the case of other types of frames, for example Ethernet DIX (Ethernet II), the length of this field is 2 bytes and its value is in decimal the number "eight" (0800).

If the value of “six” is found, a logical “1” signal is generated at the second output of the first decryption unit 1.3, which arrives at blocks of reliability 7 and load 5.

At the first output of the first decoder 1.3, a control signal is generated that arrives at the second counter 1.4, which counts 4 bits to detect the header length field and generates a control signal that arrives at the third counter 1.5, which serves to count 12 bits to find the total size of the IP packet in the signal digital sequence and the supply of a control signal for recording this value to the second memory block 1.6.

The second memory block 1.6 stores the value of the total packet size and transfers it to the intensity unit 4 on the first output, while at the second output it generates a signal to start the fourth counter 1.7, which counts 6 bytes to find the TTL field value of the TCP packet and sends a control signal for permission writing it to the third memory block 1.8.

The third memory block 1.8 stores the value of the TTL field of the packet and transfers it to the confidence block 7 on the first output, while at the second output it generates a signal to start the fifth counter 1.9, which counts 1 byte to find the value of the field indicating the protocol of the higher level of the packet, and feed control signal about the permission of its recording in the second decryption unit 1.10.

The second decryption unit 1.10 is intended for determining in this byte the numerical value “six” (06) in decimal form. In case (06), the protocol used is TCP and a signal is generated at its output to start the sixth counter 1.11, as well as to the input of load blocks 5 and intensity 4.

The sixth counter 1.11 counts 5 bytes to find the last two bytes of the address of the sender of the IP packet and provides a control signal to enable the recording of this value in the fourth memory block 1.12.

The fourth memory block 1.12 stores the value of the last two bytes of the address of the sender of the IP packet and transfers it to the validity block 7 and to the IP address comparison block 2 on the first output, while at the second output it generates a signal to start the seventh counter 1.13, which counts 4 bytes to find the last two bytes of the address of the recipient of the IP packet and the supply of this value to the unit for comparing IP addresses 2, as well as a control signal for enabling this value to be written to the fifth memory block 1.14.

The fifth memory block 1.14 stores the value of the last two bytes of the address of the recipient of the IP packet and transfers it to the IP comparison block on the first output, while at the second output it generates a signal to start the eighth counter 1.15, which searches for the byte of the flags of the TCP packet header and provides a write enable control signal of this byte in the third 1.16, fourth 1.17, fifth 1.18 decryption blocks.

The third decryption block 1.16 determines the case when the SYN flag is set in the TCP packet header and sends a control signal in the form of a logical “1” about its installation to the SYN / FIN 3 block.

The fourth decryption block 1.17 defines the case of setting the FIN flag in the TCP packet header and sends a control signal in the form of a logical “1” about its installation to the SYN / FIN 3 block.

The fifth decryption block 1.18 determines the case of the joint installation of the SYN and FIN flags in the TCP packet header and sends a control signal in the form of a logical “1” about their installation to the display unit 10.

When a signal is received from the first output of the second decryption unit 1.10 to the first input of load block 5 that the TCP protocol is in the IP packet, the key 5.1 is turned on and the value “1” coming from the first output of the first decoder 1.3 to the second input of load block 5 passes to the adder 5.2. The unit counts over the time ΔT. After the set time ΔT has elapsed, adder 5.2 outputs its value to the divisor 5.3, which divides the number of TCP packets calculated as ΔТ by the interval value ΔТ, thereby obtaining the average value of the number of incoming TCP packets for the time interval ΔТ. Further, this value is transmitted to the normalization unit 8.

When a signal is received from the first output of the second decryption unit 1.10 to the first input of intensity unit 4 that the TCP protocol is in the IP packet, the key 4.1 is turned on and the TCP packet size value coming from the first output of the second decoder 1.10 to the second input of intensity unit 4 passes to the adder 4.2. The block counts over the time ΔТ. After the set time ΔT has elapsed, adder 4.2 gives its value to the divisor 4.3, which divides the amount of TCP traffic calculated as ΔТ by the value of the interval ΔТ, thereby obtaining the average value of the amount of TCP traffic for the time interval ΔТ. Further, this value is transmitted to the normalization unit 8.

The signals about setting the SYN and FIN flags from the third 1.16 and fourth 1.17 decryption blocks come to the first two inputs of the SYN / FIN 3 block and arrive at the counters 3.1 and 3.2, which count over time ΔТ. After this time, they give the calculated values to the first and second inputs of the divider 3.3, which divides the value coming from counter 3.1 by the value coming from counter 3.2, and transfers the resulting value to normalization block 8.

The signal of the presence of IP protocol in the Ethernet frame, which came from the first decryption unit 1.3 and arrived at the first input of the confidence block 7, generates a read enable command (R) from the 7.1 memory block at the address corresponding to the number received from the fifth memory block 1.12 and received at the second input credibility block 7. The number read from the memory block 7.1, goes to the first input of the block 7.2, the second input of which receives the value received from the third input of the credibility block 7, where it came from the third memory block 1.8. Block 7.2 calculates the average between two numbers, and if one of the numbers is zero, then the result is not a zero number. Having calculated the average value, block 7.2 issues the write permission command (W) to the control inputs of the memory block 7.1, and the result is received at the data input, which is recorded at the same address from which it was read. At the same time, the average value calculated in block 7.2 is transmitted to the input of the divider 7.3, which at the output gives the settable part of the received value (for example, a quarter) to the adders 7.4 and 7.5. The values that arrived at the inputs of adders 7.4 and 7.5 from block 7.2 and the divider 7.3 are summed and subtracted, respectively, and the obtained values from the outputs of adders 7.4 and 7.5 are fed to the second inputs of comparators 7.6 and 7.7. Comparators 7.6 and 7.7 compare the numbers that came to the first inputs from the adders 7.4 and 7.5 with the value of the number that came to the second inputs from the third input of the confidence block. Comparator 7.6 is configured to exceed the value from the first input over the second, and comparator 7.7 is configured to a lower value from the first input compared to the second. The outputs of comparators 7.6 and 7.7 go to the inputs of the OR element 7.8, which outputs a logical “1” signal when at least one of the comparators is triggered, which indicates an anomalous value of the TTL field for a given IP address.

The values of the last two bytes of the IP addresses of the sender and receiver from the fourth 1.12 and fifth 1.13 memory blocks go to the first two inputs of the IP 2 address comparison unit and go to the inputs of the comparator, which, if they match, gives a logical “1” value to the first input of the display unit.

From the outputs of blocks SYN / FIN 3, intensity 4, load 5 and loss block 6 and block values are respectively supplied to the inputs of the first multiplier 8.1, the first divider 8.2, the second multiplier 8.3 and the second divider 8.4. These elements multiply or divide these values to perform their normalization. From the outputs of these elements, the values are transmitted to the control unit 9.

When signals are received at the inputs of the control unit 9, the decision-making algorithm starts. First, the algorithm for indicating characteristic parameters works.

If the value at the fourth input is less than 10, then the logical “1” value is output to the third output of the control unit. Next, the condition “the value at the fourth input is less than 30” is checked, when this condition is met, the logical “1” value is issued to the fourth output of the control unit, and if not fulfilled, to the fifth.

If the value at the third input is less than 20, then the logical “1” value is output to the sixth output of the control unit. Next, the condition “the value at the third input is less than 40” is checked, when this condition is fulfilled, the logical value “1” is issued to the seventh output of the control unit, and if not fulfilled, to the eighth.

If the value at the second input is less than 30, then the ninth output of the control unit gives a logical value of “1”. Next, the condition “the value at the second input is less than 50” is checked, when this condition is fulfilled, the logical value “1” is issued to the tenth output of the control unit, and if not fulfilled, to the eleventh.

If the value at the first input is less than 10, then the logical “1” value is output to the twelfth output of the control unit. Next, the condition “the value at the first input is less than 30” is checked, when this condition is met, the logical “1” value is issued to the thirteenth output of the control unit, and if it is not fulfilled, to the fourteenth.

Next, the simultaneous fulfillment of the conditions is checked.

Input 4 Input 3 Input 2 Input 1 Decision <10 <20 <50 Issue a “1” on exit 16 <10 <20 ≥50 <10 Issue a “1” on exit 16 <10 <20 ≥50 ≥10 Issue “1” on out.17 <10 ≥20 Issue “1” on out.17 ≥10 AND <30 <20 Issue “1” on out.17 ≥10 AND <30 ≥20 AND <40 <50 Issue “1” on out.17 ≥10 AND <30 ≥20 AND <40 ≥50 <10 Issue “1” on out.17 ≥10 AND <30 ≥20 AND <40 ≥50 ≥10 Issue “1” on out. 18 ≥10 AND <30 ≥40 Issue “1” on out. 18 ≥30 <40 Issue “1” on out. 18 ≥30 ≥40 <30 <10 Issue “1” on out. 18 ≥30 ≥40 <30 ≥10 Issue “1” on exit 19 ≥30 ≥40 ≥30 Issue “1” on exit 19

After verifying the fulfillment of these conditions by the algorithm, the control unit for the first and second output sequentially gives a logical “1” (“erase” and “record” signals), which are fed to the parameter allocation unit.

The device is ready for analysis of the newly incoming digital input sequence.

Thus, it can be seen from the principle of operation of the device that it provides the ability to analyze protocols, determine the use of the TCP protocol and analyze it, take into account the rules for establishing and maintaining a communication session, identifying cases of an abnormal increase in the intensity of information exchange, an abnormal increase in the load of incoming traffic, changing the ratio packets for establishing and disconnecting the connection, an abnormal increase in the number of packets that failed, determining the reliability of the source used th IP address and identification number of installations of banned combinations of flags that you need to ensure sustainable operation of the automated systems in terms of tampering (phishing attacks). This achieves the stated goal - increasing the reliability of decision-making, expanding the scope of the claimed device, which allows not only to determine the type of protocol, take into account the rules for establishing and maintaining a communication session, but also to analyze the flows passing through it to identify network traffic anomalies.

Claims (1)

A device for determining the status of a communication network comprising an indication unit, a control unit, an IP address comparison unit, a SYN / FIN unit and a parameter allocation unit, the input of which is the information input of the device, and the third and fourth outputs are connected respectively to the first and second inputs of the SYN / FIN unit , the first and second outputs are connected respectively to the first and second inputs of the IP address comparison unit, the first and second outputs of the control unit are connected to the first and second inputs of the parameter allocation unit, characterized in that the intensity block, the load block, the loss block, the reliability block, the normalization block, the first and second inputs of the intensity blocks, the loads are connected respectively to the fifth, sixth, seventh, eighth outputs of the parameter selection block, and the first, second, third inputs of the reliability block are connected respectively, to the ninth, tenth and eleventh outputs of the parameter allocation unit, the twelfth output of the parameter allocation unit is connected to the nineteenth input of the display unit, the input of the loss unit is Information on the ratio of the number of packets that failed to the total number of packets arrived, the first output of the SYN / FIN block, the outputs of the intensity block, load block, and loss block are connected respectively to the first, second, third, and fourth inputs of the normalization block, the first, second, third and the fourth outputs of which are connected respectively to the first, second, third and fourth inputs of the control unit, the output of the reliability unit is connected to the eighteenth input of the display unit, and the outputs of the control unit from third to eight adtsaty inclusive are connected respectively to the inputs of the indication unit of the second to seventeenth inclusive, the output IP address comparator unit connected to the first input of the indication unit.

Images