RU2649789C1 - Method of computer networks protection - Google Patents

Abstract

FIELD: information technologies.

SUBSTANCE: invention relates to the attacks detection with the aim of prompt detecting and countering unauthorized influences in computer networks. Remembering the authorized information flows reference identifiers, which allows to detect unauthorized influences on the computer network at the initial stage and block them. If the intruder addresses to the predetermined false addresses of the computer network subscribers, the response messages packets are transmitted with excessive fragmentation and a decrease in the transmission rate, which simulates the poor quality communication channel. Recording the maximum number of received and unprocessed messages packets, which the computer network can process without overload. Keeping in two-way communication order with the messages packets sender while increasing the unauthorized information flows intensity causing overload, and blocking the sender attempts to disconnect. This provides an increase in the destructive impact subject discomfort and advantage in time for the information security service, which is necessary for the implementation of the trace formation mechanisms and response measures.

EFFECT: technical result is increase in the protection effectiveness and misleading the offender with respect to the computer network structure due to the accounting if the maximum number of messages received from the sender and unprocessed messages packets, which the computer network can process without overload, in a two-way keeping connection with the messages packets sender with the increase in the unauthorized information flows intensity and blocking the sender attempts to break the connection.

1 cl, 9 dwg

Description

The invention relates to telecommunications and can be used in attack detection systems for the rapid detection and counteraction of unauthorized influences in computer networks, in particular, in the Internet data transmission network based on the TCP / IP (Transmission Control Protocol / Internet) communication protocol family Protocol) and described in the book Kulgin M. Technology corporate networks. Encyclopedia. - St. Petersburg: Publishing House "Peter", 1999. - 704 p.: Ill.

The well-known "Method for detecting remote attacks in a computer network" according to the patent of the Russian Federation No. 2179738, class G06F 12/14, decl. 04.24.2000. The known method includes the following sequence of actions. Monitoring the information flow of data packets addressed to the subscriber, including continuously renewed counting of the number of packets, performed within a series of packets arriving successively one after another at intervals of no more than a given time. At the same time, the incoming data packets are checked for compliance with the given rules each time the size of the next observed series reaches a critical number of packets.

The disadvantage of this method is the relatively narrow scope, since the known method can only be used to protect against substitution of one of the participants in the connection.

Also known is the "Method for monitoring the security of automated systems" according to the patent of the Russian Federation No. 2261472, class G06F 12/14, 11/00 decl. 03/29/2004.

The known method includes the following sequence of actions. Keeping records of the rules for establishing and maintaining a communication session by increasing the number of memorable message packets and introducing the maximum allowable number of message packets, which is necessary to ensure the stable functioning of automated systems. Moreover, for monitoring, the response threshold (sensitivity) of the security monitoring system of the automated system is preliminarily determined, which is determined by the maximum allowable number of message packets and the number of standards, and the values of indicators can be selected depending on the required reliability of the attack detection.

The disadvantage of this method is the relatively low reliability of detection of unauthorized influences in computer networks, due to the lack of rules for establishing and maintaining a communication session.

The well-known "Method of controlling information flows in digital communication networks" according to the patent of the Russian Federation No. 2267154, class G06F 15/40, decl. 07/13/2004.

The method consists in preliminarily setting N≥1 reference identifiers of authorized information flows (IPs) containing the addresses of senders and recipients of message packets, receiving a message packet from a communication channel, extracting the IP identifier from the header of the received message packet, comparing the selected identifier with predefined with reference identifiers of authorized IPs and, if they coincide, they transmit a message packet to the recipient, and if they do not match, the sender address specified in the identifier is compared the identifier of the received message packet with the addresses of the senders indicated in the reference identifiers of the authorized IP.

The disadvantage of this method is the relatively low security against unauthorized influences, the signs of which are unauthorized IP. This is due to the fact that when determining the presence of unauthorized IP in computer networks, the transmission of a message packet is blocked, which is insufficient to protect computer networks from unauthorized influences. The implementation of this approach to protection forces the attacker to further influence the computer networks and (or) change the strategy of exposure.

The closest in technical essence to the claimed one is the method (options) for protecting computer networks according to the patent of the Russian Federation No. 2307392, class G06F 21/00, publ. 09/27/2007.

The prototype method consists in the following actions: pre-set N≥1 reference identifiers of authorized IPs containing the addresses of senders and recipients of message packets, receive a message packet from the communication channel, extract the IP identifier from the header of the received message packet, compare the selected identifier with the predefined reference identifiers of authorized IPs and, if they coincide, transmit a message packet to the recipient, and if they do not match, the sender address is compared, indicated th in the identifier of the received message packet with the sender addresses indicated in the reference identifiers of the authorized IP, set P≥1 false addresses of the subscribers of the computer network and the delay time for sending message packets t _ass . If the sender address in the received message packet coincides with one of the addresses of the senders of the reference identifiers of authorized IPs, the recipient address in the received message packet is compared with the addresses of the recipients of the reference identifiers of authorized IPs. If the recipient address in the received message packet does not match the recipient addresses of the reference identifiers of the authorized IPs, the recipient address in the received message packet is additionally compared with the pre-set false addresses of the subscribers of the computer network. In case of mismatch of the recipient address in the received message packet with predefined false addresses of the subscribers, the message packet is blocked. And if the sender’s address in the received message packet does not match one of the addresses of the senders of the reference identifiers of authorized IPs or the recipient’s address in the received message packet matches the addresses of the recipients of the reference identifiers of authorized IPs, or if it coincides with the pre-set false addresses of the subscribers of the computer network, they form a response message packet, and then, after a predetermined delay time for sending message packets t _ass reduce the transmission rate of the generated message packet. It is transmitted to the sender, after which another message packet is received from the communication channel. To reduce the transmission speed of the generated message packet, the message packet is fragmented, the message packet is transmitted after a predetermined delay time for sending message packets t _ass .

The known prototype method eliminates some of the disadvantages of analogues and provides higher security of computer networks from unauthorized influences by simulating false subscribers and communication sessions, as well as by simulating a decrease in the quality of the communication channel. Simulations of reducing the quality of the communication channel are achieved by reducing the speed of information exchange with the sender of unauthorized IPs, fragmenting message packets, delaying the sending of message packets and lowering the quality of service by blocking the transmission of some simulated message packets.

The disadvantages of the prototype method are the relatively low efficiency of protection of computer networks and the narrow scope of the protection method. The low effectiveness of protection is due to the fact that in the prototype an increase in the intensity of unauthorized information flows and the preservation of a specified delay time for sending response message packets to the sender will lead to an overload of the computer network. The narrow scope is due to the fact that to implement the protection method in the prototype, the speed of information exchange with the sender of unauthorized information flows is reduced only from the side of the computer network, that is, unilaterally, and they do not take into account the ability of the sender to disconnect.

Decreasing the value of the specified delay time for sending response message packets to the sender is proportional to the increase in the intensity of unauthorized information flows in order to avoid overloading the computer network will lead to an increase in the speed of information exchange with the sender of unauthorized IPs, i.e., to regression (degradation) of the main quality of the prototype method.

The purpose of the claimed technical solution is to develop a method of protecting computer networks that provides increased protection and misleads the attacker regarding the structure of computer networks by taking into account the maximum number of message packets received from the sender and the unprocessed message that can be processed by the computer network without overload, withholding two-way connections with the sender of message packets with increasing intensity of unauthorized information currents and block the sender attempts to break the connection.

This goal is achieved by the fact that in the known method of protecting computer networks, N≥1 reference identifiers of authorized information streams containing the addresses of senders and recipients of message packets are pre-set. Then pre-set P≥1 false addresses of the subscribers of the computer network and the delay time of sending message packets t _ass . After that, a message packet is received from the communication channel and information flow identifiers are extracted from the header of the received message packet. They are compared with the reference identifiers, and when the selected identifier matches the predefined reference identifiers of the authorized information flows, a message packet is transmitted to the recipient. Then again receive the next message packet. And if the selected identifier does not coincide with the predefined reference identifiers of authorized information flows, the recipient address in the received message packet is compared with the predefined false addresses of the subscribers of the computer network. If the recipient address in the received message packet with the predefined false addresses of the subscribers does not match, the message packet is blocked, and if the recipient address in the received message packet with the predefined false addresses of the subscribers matches, the response message packet is generated, the transmission speed of the generated message packet is reduced and transmitted after time t _backside formed message packet to the sender with a decrease in transmission speed. In a predetermined initial data, the counter I _{P is} additionally set for the number of message packets received from the sender and the unprocessed message, the maximum number I _{max of} message packets that the computer network can process without overload, the memory arrays M _about and M _beats for storing received message packets, Also, the initial value W of the _{beginning of} the "window size" field for the formation of the TCP-header of the response message packet. After receiving a message packet from the communication channel, the value of the counter I _{P is} compared with the value of I _max . According to the comparison results, when the condition I _P <I _{max is} fulfilled, the received message packets are sequentially stored in the memory array M _about , and otherwise, when the condition I _P ≥I _{max is} met, the received message packets are sequentially stored in the memory array M _beats . The identifiers of the information stream are extracted from the header stored in the memory array M _beats of the message packet and compared with reference identifiers. When the selected identifier coincides with the predefined reference identifiers of authorized information flows, a message packet is transmitted to the recipient. If the selected identifier does not coincide with the predefined reference identifiers of authorized information flows, the recipient address of the message packet stored in the memory array M _{beats is} compared with the predefined false addresses of the subscribers of the computer network. When they match, message packets in the array M _{beats are} processed sequentially. To form this response message packet with the value of the field "window size" in the TCP header of equal to W _nach and transmitting it to the sender. Then, to maintain the connection with the sender of message packets, the window size field in the TCP message header of the message package is set to zero W _beats = 0, response message packets are generated, and message packets with the set window size field in the TCP response header are sent to the sender message packet equal to zero W _beats = 0. To block attempts by the sender of message packets to disconnect, incoming message packets with the FIN or URG flags set in the TCP header are ignored. Consistently delete the processed message packets from the memory array M _about and sequentially move the message packets from the array M _beats to the array M _about .

The value of W _beginning field "window size" for the formation of the TCP header of the response message packet is selected at least 20 bytes.

Thanks to the new set of essential features in the claimed method, along with simulating false communication subscribers, simulating false communication sessions and lowering the quality of the communication channel, the protection efficiency is improved and the intruder is misled regarding the structure of computer networks by taking into account the maximum number of message packets received from the sender and unprocessed which can be processed by a computer network without overload, and expanding the scope of the protection method by keeping it in in a close order of connection with the sender of message packets with increasing intensity of unauthorized information flows and blocking attempts by the sender to disconnect.

The claimed objects of the invention are illustrated by drawings, which show:

FIG. 1 - structure of a computer network;

FIG. 2 shows the structure of the message packet and the header of IP message packets;

FIG. 3 is a block diagram of a sequence of actions that implement the claimed method of protecting computer networks;

FIG. 4 - table of addresses of senders and recipients;

FIG. 5 is an illustration of the principle of fragmentation of an initial generated message packet into new message packets;

FIG. 6 - structure of the TCP-header of the message packet;

FIG. 7 is an illustration of the sequence for establishing a TCP connection and holding a connection with the sender of message packets;

FIG. 8 - a screen copy of the command line with the value of the variable containing the connection timeout time;

FIG. 9 is a screen copy of the interface of the software layout for evaluating the effectiveness of the claimed method of protection.

The implementation of the claimed method is explained as follows. It is known that to ensure the information security of computer networks, it is necessary to determine with high reliability the facts of unauthorized destructive influences and to respond in a timely manner to their appearance. However, in existing methods and means of protection when detecting unauthorized influences, as a rule, they only block message packets coming from the intruder. In these cases, the intruder makes attempts at other influences on the computer network, which in turn requires measures to re-identify and suppress new attempts by the intruder. This can lead, ultimately, to the depletion of the resource of the protection system or to the achievement by the intruder of the possibility of "circumvention" of the protection system.

Adaptation of the protection system, consisting in the restructuring of its parameters and (or) structure in accordance with the identified tactics of the intruder, is practically impossible due to the transience of the processes of destructive influences on the computer network by the intruder.

Thus, a contradiction arises between the need to ensure the functioning of the computer network under the conditions of destructive influences aimed at overloading it and the capabilities of the protection system to control the speed of information exchange processes with the intruder within the standardized rules for establishing and maintaining a communication session. To eliminate this contradiction, the claimed method is directed.

The claimed method is implemented as follows. In the general case (Fig. 1), a computer network is a combination of a personal computer 1, peripheral and communication equipment 2, connected by physical communication lines 3. All these elements are determined by identifiers, which are used in the most common TCP / IP protocol stack network addresses (IP Addresses) 4.

To transfer information between remote local area networks (for example, local area network 1 and local area network 2 in Fig. 1) using communication protocols establish a communication channel, which is understood as an IP from the sender to the receiver. The structure of message packets is known (Fig. 2 a ), as is the principle of packet transmission in computer networks, which makes it possible to analyze the identifiers of the source and recipient of the IP and the formation of reference identifiers. For example, in FIG. Figure 2b shows the structure of the IP message packet header, where the fields of the addresses of the sender and recipient of the message packet, the set of which are the identifiers of the IP, are shaded.

All components of message packets (Fig. 2) are electromagnetic signals in digital (binary) form. Actions on them consist in the corresponding signal transformations, at which their parameters change.

In FIG. 3 presents a block diagram of a sequence of actions that implement the claimed method of protecting computer networks, in which the following notation:

N≥1 - a base of reference identifiers of authorized IPs containing the addresses of senders and recipients of message packets;

P≥1 - base of false addresses of subscribers of the computer network;

t _ass is the delay time for sending message packets;

ID - identifier of the IP;

{ID _o } - a set of reference identifiers of authorized IP;

IP _n - recipient address specified in the identifier of the received message packet;

{IP _l ) - a set of false addresses of subscribers of a computer network;

I _P - the counter of the number of received from the sender and unprocessed message packets;

I _max - the maximum number of message packets that a computer network can process without overload;

W _beg - the initial value of the window size field for the formation of the TCP header of the response message packet;

W _beats - the set value of the "window size" field in the TCP-header of the message packet to keep the connection with the sender of the message packet;

M _about - an array of memory for storing received for processing message packets when the condition I _P <I _max ;

M _beats - an array of memory for storing message packets when the condition I _P ≥I _max .

To agree on the addresses of the sender and recipient, the corresponding subscribers are pre-set with a base (see block 1 in Fig. 3) from N≥1 reference identifiers of authorized connections, which are taken as identification signs of connections containing the addresses of the sender and recipient of the packets, and remember them. The base of P≥1 false addresses of the subscribers of the computer network is set, the counter I _{P is the} number of message packets received from the sender and the unprocessed message, and the maximum number I _{max of} message packets that the computer network can process without overload.

The need to establish the maximum number of message packets I _max is due to the fact that the computing network per unit of time is capable of processing a limited number of message packets without overflowing the clipboard or reducing the quality of service for applications. An increase in the intensity of incoming unauthorized information flows from one IP address or multiple IP addresses can lead to a Denial of Service (DoS) attack or a distributed denial of service attack. , DDoS), respectively. These types of attacks are described, for example, in the book of Olifer V.G. and Olifer N.A. "Computer networks. Principles, technologies, protocols, uc. For Universities, 4th ed .; - St. Petersburg: Peter, 2015.S. 831-833. If in order to avoid overloading the computer network, we begin to proportionally decrease the value of the specified delay time t _{backside to} send response message packets, then the main quality of the protection method will begin to regress (degrade).

To avoid this, the following is necessary. In addition, specify an array _of M memory, which stores the sequence of messages and packets are processed received from the sender IP when the condition _P I <I _max, when a computer network operates without overloading and fully carry out their functions.

An additional array of memory M _{beats is} also specified for storing message packets when the condition I _P ≥I _max . The onset of this condition means that the computer network has received such a number of message packets, the processing of which will lead to an increase in the speed of information exchange with the sender of the IP, that is, to the regression (degradation) of the main quality of the prototype method and, as a result, will cause the computer network to overload and fail maintenance.

Then further define the initial value W _nach field "window size" for the formation of the TCP packet header of the response message, which indicates the sender of message packets for readiness to conduct an information exchange a certain amount of data. From the existing practice of masking the anti-intruder algorithms used in the security system, the value of W _{beginning of} the window size field must be selected with at least 20 bytes to form the TCP header of the response message packet.

An example of the address base, presented in tabular form, is shown in FIG. 4. The first column in the table indicates the sequence number of the address of the sender or recipient in the address database. The second and fourth columns show the corresponding values of the sender and receiver addresses. An IP address having a length of 4 bytes (32 bits) is displayed in the table in the most used form of representation of the IP address - in decimal form. The third and fifth columns provide additional address information. For example, they indicate the designation of false addresses of subscribers of a computer network.

A message packet is received from the communication channel (see block 2 in Fig. 3) from the sender, and after receiving a message packet from the communication channel, the value of the counter I _{P is} compared with the value I _max (see block 3 in Fig. 3). According to the results of the comparison, when the condition I _P <I _{max is} fulfilled, the received message packets are sequentially stored in the memory array M _about (see block 4 in Fig. 3).

From the header stored in the memory array M _beats (when the condition I _P ≥I _{max is} met) of the message packet and M _about (otherwise) identifiers of the information flow IP ID (see blocks 11 and 5 in Fig. 3). Then, the selected IP identifier is compared (for example, bitwise) with the predefined reference identifiers of the authorized IP {ID _o } for coincidence (see blocks 12 and 6 in Fig. 3). The coincidence of this check (ID∈ {ID ₀ )) means that the received message packet refers to an authorized IP. In this case, the received message packet is transmitted to the recipient (see blocks 13 and 7 in Fig. 3), after which the message packet is received again (see block 2 in Fig. 3).

If they do not coincide (ID∉ {ID ₀ }), which means that the received message packet belongs to an unauthorized IP, they proceed to compare the recipient address of the message packet IP _n stored in the memory arrays M _o and M _ud with the pre-set false addresses of the computing subscribers network {IP _l } (see blocks 14 and 8 in Fig. 3).

In the event of a mismatch (IP _П ∉ {IP _Л }) of the recipient address in the received message packet with predefined false addresses of subscribers, which means the intruder addresses the nonexistent subscriber address of the computer network, the message packet is blocked (see blocks 15 and 9 in FIG. 3).

In case of coincidence (IP _n ∈ {IP} _L) the recipient address accepted and stored in the memory array M _of packet messages at predetermined addresses of subscribers false return message packet is formed (see. The block 24 in FIG. 3). Then, the transmission rate of the generated message packet is reduced (see block 25 in FIG. 3), for which the message packet is fragmented. The fragmentation process consists in breaking and packing the original generated message packet into new packets. In FIG. 5 illustrates the principle of fragmentation of an initial generated message packet into new message packets. Each new packet is a separate packet with its own IP header, the field values of which are copied from the original generated message packet. Then, after time t _{ass, the} generated message packet is transmitted to the sender with a decrease in the transmission rate (see block 26 in Fig. 3). The transmission speed of the generated message packet is reduced on the network interface. This is done in order to simulate a communication channel with poor quality and allows you to control the speed of information exchange processes with the intruder within the standardized rules for establishing and maintaining a communication session.

When the condition I _n ≥I _{max is} fulfilled, which means that the computer network is overloaded, and the decrease in the time t _ass will lead to an increase in the rate of information exchange with the sender of the IP, that is, to the regression (degradation) of the main quality of the prototype method, the received message packets are sequentially stored in the memory array M _beats (see block 10 in Fig. 3).

If (IP _П ∈ {IP _Л }) matches the recipient address of the IP _n message packet stored in the memory array M _beats with predefined false addresses of the subscribers of the computer network {IP _l } (see block 14 in Fig. 3), the message packets are processed sequentially in the array M _beats . To do this, form a response message packet with the set value of the window size field in the TCP-header (the TCP-header format is shown in Fig. 6) W _starting at least 20 bytes (see block 16 in Fig. 3) and transmit it to the sender ( block 17 in Fig. 3).

The setting of the "window size" field in the TCP header is implemented as follows. The procedure for establishing a TCP connection between the sender and recipient of message packets is known and described, for example, in the book of Olifer V.G. and Olifer N.A. "Computer networks. Principles, technologies, protocols, uc. For Universities, 4th ed .; - St. Petersburg: Peter, 2015.S. 561-562. The connection is initiated by the sender of the message packages. If necessary, to exchange data with the recipient of message packets, the client application accesses the underlying TCP protocol, which sends a connection request by setting the SYN flag to SYN = 1.

Having received such a request, the recipient of message packets allocates system resources for information exchange and notifies the sender of the readiness to receive data in limited blocks. To do this, the recipient of message packets and sets the initial value of W _{the beginning} of the field "window size" in the formation of the TCP header of the response message packet, declared by the shipper packages its readiness messages get a small, but adequate for the subsequent exchange of information volume of data, as well as other variables Connection . Connection variables, for example, are described in RFC-793, Transmission Control Protocol, September 1981, for example, such as Maximum Segment Size (MSS) or TCP Header (Padding). Once at the receiving message packets all the required resources have been received and all the necessary actions have been performed, TCP sender module sends the message packet to the ACK flags set and SYN, and W _nach established (see. The block 17 in FIG. 3). In response, the sender of the message packets sends a segment with the ACK flag and enters the established logical connection state. An illustration of the TCP connection setup sequence is shown in FIG. 7.

To keep (in two-way) connection with the sender of message packets, the receiver, after receiving a segment with the ACK flag from the sender of message packets (see Fig. 7), sets the window size field in the TCP-header of the message packet to zero W _beats = 0 ( see block 18 in Fig. 3). Next, response message packets are generated (see block 19 in Fig. 3) and the message packets are sent to the sender with the set window size field in the TCP-header of the response message packet equal to zero W _beats = 0 (see block 20 in Fig. 3 )

Having received a message packet with W _beats = 0, in accordance with the specification of the TCP protocol (see RFC-793), the sender of message packets will periodically send trial single-byte segments (see “zero window probe” in Fig. 7), requesting the recipient of message packets repeat window size information to determine when it will be able to resume sending data. The recipient of message packets, implementing a mechanism for holding in a two-way connection with the sender of message packets, does not enlarge the window, leaving it equal to zero, thereby keeping the sender of message packets blocked for a long time until the timeout expires (FIN-WAIT- 1), determined by the presets of the operating system of the sender of message packets. A screen copy of the command line with the value of the variable containing the connection timeout time for the Linux operating system is illustrated in FIG. 8, where the timeout (“tcp_fin_timeout”) is 60 seconds.

If the sender of message packets attempts to break the held connection (by sending a message packet with the flag FIN = 1 in the TCP-header) or send urgent data (sending a message packet with the flag URG = 1 in the TCP-header), the receiver of the message packets will ignore these incoming packets messages (see block 21 in Fig. 3).

In the process of holding the connection, the resources of the sender of message packets are spent to maintain the state of the connection, which imposes a limitation on the computing resource used by the sender of unauthorized IPs. In most practical cases, the "depletion" of resources at the sender leads to the inability of the sender to send message packets network information exchange.

At the same time, the recipient of message packets does not support the connection state for his part and does not consume his computing resource, which gives him a time gain for adapting the security system, which consists in rebuilding its parameters and (or) structure, and makes it possible to continue to process message packets, stored in the array M _about without clipboard overflow and loss of quality of service.

In the process of processing, message packets from the memory array M _ob (see block 22 in Fig. 3) sequentially delete and sequentially move the message packets from the array M _beats into the array M _ob (see block 23 in Fig. 3), realizing pipeline processing of received message packets (stack).

The effectiveness of the formulated technical result was verified by creating a software layout in the Python 3.3 programming language and conducting an experiment. The developed layout uses the low-level Scapy utility, which allows you to organize interworking over the TCP / IP stack of the operating system to manipulate network packets. The layout user interface (see Fig. 9) is developed using the Qt4 cross-platform library and displays the following group of parameters:

“Number” is the index (numeric identifier) of the network connection.

“Sender” - IP address of the sender.

“Recipient” - IP address of the recipient.

“Status” - the status of the network connection of the information stream.

Depending on the type of IP identifier (IP address), the network connection status can take the following values:

“Allowed” - the allocated identifiers of the IP coincide with the predefined reference identifiers of the authorized IP;

“Blocked” - allocated IP identifiers do not coincide with both predefined reference identifiers of authorized IPs and predefined false addresses of subscribers of a computer network;

“Fragmented” —the allocated IP identifiers coincide with the pre-set false addresses of the subscribers of the computer network (splitting and packing the original generated message packet into new packets with its own IP header, the field values of which are copied from the original generated message packet and transmitted with a specified delay);

“TCP window size resizing” - if the maximum number of unprocessed packets is exceeded for each new message received, a response message packet is generated with the “window size” field set in the TCP header, then this field is set to zero to hold the connection with the message packet sender and in order to block attempts by senders of message packets to disconnect, incoming message packets with the FIN and URG flags set in the TCP header are ignored.

As a result of the experiment, all types of information flows were identified in accordance with the network connection statuses described above. Along with simulating false communication subscribers, false communication sessions and reducing the quality of the communication channel by taking into account the maximum number of message packets received from the sender and unprocessed messages, maintaining two-way communication with the sender of message packets while increasing the intensity of unauthorized information flows and blocking attempts by the sender to disconnect computer network operation without overload.

Thus, in the claimed method, the achievement of the stated goal is achieved, which is to increase the effectiveness of protection and mislead the intruder regarding the structure of computer networks by taking into account the maximum number of message packets received from the sender and unprocessed that can be processed by the computer network without overload, withholding in a two-way the procedure for connecting to the sender of message packets with increasing intensity of unauthorized information flows s and block the sender attempts to break the connection.

Claims (2)

1. The method of protecting computer networks, which consists in pre-setting N≥1 reference identifiers of authorized information flows containing the addresses of senders and recipients of message packets, P≥1 of false addresses of subscribers of the computer network, the delay time for sending message packets t _ass , taken from communication channel message packet, identifiers of the information stream are extracted from the header of the received message packet, compare them with the reference identifiers, if the selected identifier matches by predefined reference identifiers of authorized information flows, a message packet is transmitted to the recipient and the next message packet is received again, and if the selected identifier does not coincide with predefined reference identifiers of authorized information flows, the recipient address in the received message packet is compared with the pre-set false addresses of subscribers of the computer network and if the address does not match the recipient in the received message packet with pre nnym false subscriber addresses block the transmission of message packets, and the coincidence of the recipient address in the received message packet with a predetermined false addresses of subscribers form a response message packet, reduce the generated message packet transmission rate and transmitted after a time t _backside generated message packet to the sender with a decrease in the transmission rate, characterized in that the pre-set source data additionally sets the counter I _{P the} number received from the sender and raw message packets, the maximum number of I _max message packets that can be processed by the computer network without overload, memory arrays M _about and M _beats for storing message packets received for processing, and the initial value W _{beginning of} the window size field to form the TCP-header of the response message packet and after receiving a message packet from the communication channel, the value of the counter I _{P is} compared with the value I _max , according to the results of comparison, when the condition I _P <I _{max is} fulfilled, the received message packets are sequentially stored in the memory array M _about , and otherwise, when the condition I _P ≥I _{max is} fulfilled, the received message packets are sequentially stored in the memory array M _beats , the identifiers of the information stream are extracted from the header of the message packet stored in the memory array M _beats , compare them with the reference identifiers, if the selected identifier matches the predefined the reference identifiers of authorized information flows transmit a message packet to the recipient, and if the selected identifier does not match the predefined supports with the identifiers of authorized information flows, the recipient address of the message packet stored in the memory array M _{beats is} compared with the pre-set false addresses of subscribers of the computer network and, if they match, the message packets in the M _beats array are sequentially processed, for which a response message packet with the set value of the window size field is generated "In the TCP header equal to W _beg and transmit it to the sender, then to keep the connection with the sender of the message packets set the value of the field I have the “window size” in the TCP-header of the message packet equal to zero W _beats = 0, generate response message packets and send message packets with the set value of the “window size” field in the TCP-header of the response message packet to zero W _beats = 0, and attempts to block messages packets sender disconnect ignore incoming message packets with the established FIN flags URG or in the TCP header is removed sequentially processed message packets from the memory array M _of packets and sequentially transferred announce s from an array of M _beats an array _of M. 2. The method according to p. 1, characterized in that the value of W _start field "window size" for the formation of the TCP header of the response message packet is selected at least 20 bytes.

Images