RU2758974C1 - Method for combined control of the state of the process of functioning of automated systems - Google Patents

Abstract

FIELD: computer technology.

SUBSTANCE: expected result is achieved due to the fact that a set of controlled parameters, their reference values, exploits are set during the control process, which consists in measuring the parameter values and comparing them with the reference ones for a given time. If the measured values do not match the reference values, or if the structural element of the AS is unavailable, the corresponding sets of exploits are formed and sequentially launched. If the exploit is executed and the purpose of its execution is achieved, an alarm signal is generated, the operation of the corresponding elements of the AS is blocked. If the exploit is aimed at violating availability, but the result of its execution is not received, the actual and initial state of the system functioning process is compared. If they match, the execution of the exploit is forcibly interrupted. When the specified time comes, a report is generated, which includes information about the blocked elements of the automated system, and based on it, a decision is made about the safety of the AS.

EFFECT: increase in the reliability of the results of monitoring the state of functioning of the automated system (AS).

1 cl, 6 dwg, 3 tbl

Description

The technical field to which the invention relates

The claimed invention relates to the field of computer technology and can be used to analyze the state of security and monitor the safety of automated systems (AS), which are elements of communication and automation systems.

State of the art

a) Description of analogs

A known method for monitoring the state of a distributed AU according to US patent No. 7430598 "Systems and methods for managing notification and status monitoring for network systems", class G06F 15/16, Appl. 30.09.2008. In the known method, the centralized collection, storage, aggregation of information is carried out during monitoring of the state of the distributed automated system and the generation of reports taking into account the dynamics of the state of the system and the ability to identify general trends in the occurrence of malfunctions.

The disadvantages of this method are:

low efficiency of control of the plant in conditions of centralized attacks that do not lead to malfunctions in the functioning of the plant, since only the network activity of the plant components is taken into account when generating reports;

load on the communication channels of the AU in conditions of unstable network interaction with the control facility, since the control facility does not provide for the presence of dynamic structural elements of the AU, the exchange of information with which can be periodically interrupted;

the impossibility of identifying priority NPP components, the disruption of the functioning of which can lead to more significant damage, since during the control the information is processed sequentially, without taking into account the sources of this information;

low reliability of control results in the event of a change in the NPP configuration, which does not lead to an increase in the likelihood of disruption of the NPP functioning process due to the use of compensating measures.

A known method for monitoring the state of security of the AU according to the patent of the Russian Federation No. 178282 "Device for monitoring the state of security of automated control systems for military purposes", class G06F 21/00, Appl. 12/19/2016. In the known method, a reference model of the monitored AS is built, and in the process of operation, a network model is generated at certain intervals and compared with the reference model, the network is monitored for suspicious network activity.

The disadvantages of this method are:

low efficiency of control of the AU in the conditions of centralized attacks that do not lead to malfunctions in the functioning of the AU in conditions of unstable network interaction with the means of control;

the impossibility of identifying priority NPP components, the malfunction of which can lead to more significant damage;

low reliability of the control results in the event of a change in the NPP configuration that does not lead to an increase in the likelihood of disruption of the NPP functioning process due to the use of compensating measures;

high resource consumption of the data collection and analysis process, which does not implement the aggregation of the received data.

A known method for monitoring the safety of nuclear power plants according to RF patent No. 2210112 "Unified Chernyakov / Petrushin method for assessing the effectiveness of large systems", class G06F 17/00, Appl. 07.06.2001. The known method consists in the fact that a set of monitored parameters characterizing NPP safety, reference values of monitored parameters and their importance coefficients are preset, and then an analysis cycle is performed, for which the values of monitored parameters are measured, compared with the reference ones, and a report is generated based on the comparison results. and based on the generated report, a decision is made on the NPP safety.

The disadvantages of this method are:

low efficiency of NPP control in conditions of unstable network interaction with the control facility;

low reliability of the control results in the event of a change in the NPP configuration that does not lead to an increase in the likelihood of disruption of the NPP functioning process due to the use of compensating measures;

high resource consumption of the data collection and analysis process, which does not implement the aggregation of the received data.

A known method for monitoring the safety of nuclear power plants according to RF patent No. 2355024 "Method for monitoring the safety of an automated system", class G06F 15/00, App. 02/12/2007. The known method consists in the fact that when setting a set of monitored parameters, grouping them and setting the reference values of these parameters, the importance factors and temporal characteristics of the groups under consideration are also determined, such as the minimum and maximum values of the time intervals for measuring the values of the monitored parameters, the time of generation of the safety report AC. In the process of monitoring, if the measured values of the monitored parameters do not coincide with the reference ones, the time interval for measuring the parameter values is corrected, and if the minimum time interval is reached or the moment the report is generated, the monitoring process is interrupted.

The disadvantages of this method are:

low efficiency of NPP control in conditions of unstable network interaction with the control facility;

low reliability of control results in the event of a change in the NPP configuration, which does not lead to an increase in the likelihood of disruption of the NPP functioning process due to the use of compensating measures.

b) Description of the closest analogue (prototype)

максимальное

и минимальное

значения временных интервалов измерений значений контролируемых параметров и момент времени

формирования отчета о безопасности АС. Выполняют цикл анализа, для чего выбирают g-ю группу контролируемых параметров. Устанавливают значение интервала времени ΔT_g измерения значений контролируемых параметров g-й группы равным максимальному

Измеряют значения контролируемых параметров в каждой из G групп. Сравнивают измеренные значения параметров с эталонными, и в случае их несовпадения значения запоминают и переходят к проверке доступности g-го структурного элемента АС для измерения значений контролируемых параметров. При недоступности g-го структурного элемента АС устанавливают признак незавершенности измерения значений контролируемых параметров g-й группы в массиве D. Запоминают в массиве D значение ССП в момент прерывания измерения значений контролируемых параметров. Корректируют значение временного интервала измерений по формуле

Сравнивают откорректированное значение

с минимальным

При

переходят к сравнению времени T_g измерения значений контролируемых параметров с заданным моментом времени

формирования отчета. При

проверяют наличие признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D. В случае отсутствия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D переходят к измерению значений контролируемых параметров в каждой из G групп. При наличии в массиве D признака незавершенности измерения значений контролируемых параметров g-й группы удаляют его из массива D. Считывают запомненное значение ССП из массива D. Измеряют значения контролируемых параметров с момента прерывания их измерения. Переходят к сравнению измеренных значений контролируемых параметров с эталонными. При

формируют отчет и по сформированному отчету принимают решение о безопасности АС, а при

формируют сигнал тревоги о выходе контролируемых параметров в g-й группе за пределы допустимых значений. Блокируют работу элементов АС, параметры которых вышли за пределы допустимых значений. В отчет о состоянии АС включают сведения о заблокированных элементах АС. При доступности g-го структурного элемента АС переходят к корректировке значения временного интервала измерений по формуле

При совпадении измеренных значений контролируемых параметров с эталонными переходят к сравнению времени T_g измерения значений контролируемых параметров с заданным моментом времени

формирования отчета.The closest in technical essence to the claimed is a method for monitoring the safety of nuclear power plants according to RF patent No. 2646388 "Method for monitoring the safety of automated systems", class G06F 15/00, Appl. 04.24.2017 (published 02.03.2018). The prototype method includes the following sequence of actions. A set of N≥2 monitored parameters characterizing the NPP safety is preset, M≥N reference values of monitored parameters, an array D for storing a sign of incomplete measurement of the values of monitored parameters of the g-th group and the value of the monitoring program status word (SSP) at the moment of interruption of the measurement of values controlled parameters. Groups of controlled parameters are formed from the number of predetermined controlled parameters G≥2. Each g-th group of monitored parameters, where g ∈ {1, ..., G}, characterizes the safety of the g-th structural element and / or functional process of the AU. For each g-th group of monitored parameters, the importance coefficients are set

the maximum

and minimal

the values of the time intervals of measurements of the values of the monitored parameters and the moment of time

generating a NPP safety report. An analysis cycle is performed, for which the g-th group of controlled parameters is selected. Set the value of the time interval ΔT _{g for} measuring the values of the monitored parameters of the g-th group equal to the maximum

Measure the values of the controlled parameters in each of the G groups. The measured values of the parameters are compared with the reference ones, and if they do not coincide, the values are memorized and proceed to checking the availability of the g-th structural element of the AU to measure the values of the monitored parameters. If the g-th structural element of the AU is unavailable, a sign of incomplete measurement of the values of the monitored parameters of the g-th group in array D is established. Correct the value of the measurement time interval according to the formula

Compare the corrected value

with minimal

At

go to the comparison of the time T _{g of} measuring the values of the monitored parameters with a given time

generating a report. At

check for the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in array D. If there is a sign of incompleteness of measurement of the values of the monitored parameters of the g-th group in array D, it is removed from array D. The memorized value of the SSP is read from array D. The values of the monitored parameters are measured from the moment of interruption of their measurement. They proceed to the comparison of the measured values of the controlled parameters with the reference ones. At

form a report and, based on the generated report, make a decision on the NPP safety, and when

form an alarm signal about the exit of the monitored parameters in the g-th group beyond the permissible values. They block the operation of AC elements, the parameters of which are outside the range of permissible values. The report on the state of the AU includes information about the blocked elements of the AU. When the g-th structural element is available, the AU switches to adjusting the value of the measurement time interval according to the formula

When the measured values of the monitored parameters coincide with the reference ones, they go to the comparison of the time T _{g of} measuring the values of the monitored parameters with a given moment in time

generating a report.

Compared to analogs, the prototype method in the process of monitoring the state of the functioning process by collecting and analyzing the values of the monitored parameters takes into account the possibility of a safety violation of the nuclear power plant, which does not imply a violation of the network activity of the nuclear power plant, allows you to highlight the priority structural elements of the nuclear power plant, takes into account the presence of non-stationary (dynamic ) objects of control, which are characterized by a relatively short time interval of operation, as well as the possibility of unstable network interaction of objects of control with the control means, and also allows minimizing the NPP resources used for control purposes by grouping the monitored parameters characterizing the corresponding functions of the AU, and adaptive control of the process characteristics monitoring the state of the process of functioning of the AU.

The disadvantage of the prototype method is the low reliability of the results of monitoring the state of the process of functioning of the AC, due to the fact that there is a possibility of the formation of a false positive signal about the output of the measured values of the controlled parameters characterizing the state of the process of functioning of the structural elements of the AC, beyond their permissible values and blocking the operation of the corresponding structural elements of the AC , while a change in the state of the process of functioning of structural elements is prevented by compensating measures that do not provide for the adjustment of the values of the corresponding controlled parameters.

Disclosure of the invention (its essence)

a) the technical result to which the invention is aimed

The aim of the claimed technical solution is to develop a method for combined monitoring of the state of the process of the functioning of the AU, which ensures an increase in the reliability of the results of monitoring the state of functioning of the AU due to the implementation in the known method of an active method of control and ensuring its interaction with the passive method implemented in the prototype method in the process of monitoring the state of the process of functioning of the AU ...

b) a set of essential features

максимальное

и минимальное

значения временных интервалов измерений значений контролируемых параметров, момент времени

формирования отчета о безопасности автоматизированной системы и массив D для хранения признака незавершенности измерения значений контролируемых параметров g-й группы и значения слова состояния программы контроля в момент прерывания измерения значений контролируемых параметров, а затем выбирают g группу контролируемых параметров, устанавливают значение интервала времени ΔT_g измерения значений контролируемых параметров g-й группы равным максимальному

измеряют значения контролируемых параметров в каждой из G групп, сравнивают измеренные значения контролируемых параметров с эталонными в случае несовпадения запоминают их, проверяют доступность g-го структурного элемента автоматизированной системы для измерения значений контролируемых параметров в случае его недоступности устанавливают признак незавершенности измерения значений контролируемых параметров g-й группы в массиве D, запоминают в массиве D значение слова состояния программы контроля в момент прерывания измерения значений контролируемых параметров, корректируют значение временного интервала измерений значений контролируемых параметров по формуле

сравнивают откорректированное значение

с минимальным

, в случае

сравнивают время T_g измерения значений контролируемых параметров с заданным моментом времени

формирования отчета и при

проверяют наличие признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D, в случае его отсутствия переходят к измерению значений контролируемых параметров в каждой из G групп, а при наличии в массиве D признака незавершенности измерения значений контролируемых параметров g-й группы удаляют его из массива D, считывают запомненное значение слова состояния программы контроля из массива D, измеряют значения контролируемых параметров с момента прерывания их измерения и переходят к сравнению измеренных значений контролируемых параметров с эталонными, в случае

формируют отчет и по сформированному отчету принимают решение о состоянии процесса функционирования автоматизированной системы, а при

формируют сигнал тревоги о выходе контролируемых параметров в g-й группе за пределы допустимых значений, блокируют работу элементов автоматизированной системы, параметры которых вышли за пределы допустимых значений, включают в отчет о состоянии процесса функционирования автоматизированной системы сведения о ее заблокированных элементах, в случае доступности g-го структурного элемента автоматизированной системы для измерения значений контролируемых параметров переходят к корректировке значения временного интервала измерений значений контролируемых параметров по формуле

а при совпадении измеренных значений контролируемых параметров с эталонными переходят к сравнению время измерения значений контролируемых параметров с заданным моментом времени

формирования отчета.The method of combined control of the state of the process of functioning of an automated system consists in the fact that a set of N≥2 monitored parameters characterizing the safety of the automated system, M≥N reference values of monitored parameters, are preset, formed from the number of preset monitored parameters G≥2 groups of monitored parameters, moreover, each g-th group of monitored parameters, where g ∈ {1, 2, ..., G}, characterizes the safety of the g-th structural element of the AU, for each g-th group of monitored parameters, the importance coefficients are set

the maximum

and minimal

values of time intervals of measurements of values of monitored parameters, time point

generating a report on the safety of the automated system and array D for storing the sign of incomplete measurement of the values of the monitored parameters of the g-th group and the value of the state word of the control program at the moment of interruption of the measurement of the values of the monitored parameters, and then select the group of monitored parameters g, set the value of the time interval ΔT _{g of the} measurement values of the monitored parameters of the g-th group equal to the maximum

the values of the monitored parameters in each of the G groups are measured, the measured values of the monitored parameters are compared with the reference ones in case of mismatch, they are stored, the availability of the g-th structural element of the automated system is checked to measure the values of the monitored parameters in case of its inaccessibility, a sign of incomplete measurement of the values of the monitored parameters is set g- of the first group in array D, store in array D the value of the state word of the control program at the moment of interruption of the measurement of the values of the monitored parameters, correct the value of the time interval of measurements of the values of the monitored parameters according to the formula

compare the corrected value

with minimal

, when

compare the time T _{g of} measuring the values of the monitored parameters with a given moment in time

generating a report and

check for the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D, if it is absent, proceed to measuring the values of the monitored parameters in each of the G groups, and if there is a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D, delete it from array D, read the memorized value of the status word of the control program from array D, measure the values of the monitored parameters from the moment of interruption of their measurement and proceed to comparing the measured values of the monitored parameters with the reference ones, in the case of

generate a report and, based on the generated report, make a decision on the state of the process of functioning of the automated system, and when

generate an alarm signal about the exit of the monitored parameters in the g-th group beyond the permissible values, block the operation of the elements of the automated system, the parameters of which have gone beyond the permissible values, include in the report on the state of the process of functioning of the automated system information about its blocked elements, if g is available -th structural element of the automated system for measuring the values of monitored parameters, proceed to adjusting the value of the time interval for measuring the values of monitored parameters according to the formula

and when the measured values of the monitored parameters coincide with the reference ones, the measurement time of the values of the monitored parameters with a given moment of time is compared

generating a report.

эксплойтов, причем направленность j-го эксплойта

где j ∈ {1, 2, …, m}, на g-й структурный элемент соответствует значению контролируемого параметра, не совпавшего с эталонным, массив S для хранения контрольной информации о ходе выполнения задач контроля состояния процесса функционирования автоматизированной системы, включающей исходное s₀ и фактическое s₁ состояния процесса функционирования g-го структурного элемента автоматизированной системы, а после сравнения времени T_g измерения значений контролируемых параметров с заданным моментом времени

формирования отчета и при

проверяют наличие признаков выполнения

эксплойта, в случае их отсутствия проверяют наличие результата выполнения

эксплойта и при его отсутствии проверяют сформированность набора E_i эксплойтов, а в случае его отсутствия переходят к проверке наличия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D, в случае сформированности набора E_i эксплойтов считывают

эксплойт из массива W, запускают

эксплойт и переходят к проверке наличия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D, а при наличии результата выполнения

эксплойта проверяют достижение цели его выполнения, в случае не достижения цели выполнения

эксплойта сравнивают значение индекса

эксплойта со значением индекса

эксплойта, принадлежащих i-му упорядоченному набору E_i эксплойтов и при j<m увеличивают значение индекса j на 1, переходят к считыванию

эксплойта из массива W, а при j≥m удаляют i-й упорядоченный набор E_i эксплойтов из массива W, сравнивают значение индекса i-го упорядоченного набора E_i эксплойтов с значением индекса р-го упорядоченного набора Е_р эксплойтов, входящих в массив W, в случае i<р увеличивают значение индекса i на 1, переходят к считыванию

эксплойта из массива W, а при i≥р переходят к проверке наличия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D, а в случае достижения цели очищают массив W и переходят к формированию сигнала тревоги о выходе контролируемых параметров в g-й группе за пределы допустимых значений, а после блокирования работы элементов автоматизированной системы, параметры которых вышли за пределы допустимых значений, переходят к формированию отчета, а при наличии признаков выполнения

эксплойта проверяют наличие признаков направленности

эксплойта на нарушение доступности g-го структурного элемента автоматизированной системы, в случае отсутствия признаков направленности переходят к проверке наличия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D, а при наличии признаков направленности

эксплойта на нарушение доступности g-го структурного элемента автоматизированной системы определяют фактическое s₁ состояние процесса функционирования g-го структурного элемента автоматизированной системы, считывают исходное s₀ состояния процесса функционирования g-го структурного элемента автоматизированной системы из массива S, сравнивают фактическое s₁ состояние процесса функционирования g-го структурного элемента автоматизированной системы с исходным s₀ в случае s₁≠s₀ присваивают значению исходного s₀ состояния значение фактического s₁ состояния процесса функционирования g-го структурного элемента автоматизированной системы), запоминают исходное s₀ состояние процесса функционирования g-го структурного элемента автоматизированной системы в массиве S и переходят к проверке наличия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D, а при s₁=s₀ останавливают выполнение

эксплойта, очищают массив S и переходят к проверке достижения цели выполнения

эксплойта, а после проверки доступности g-го структурного элемента автоматизированной системы для измерения значений контролируемых параметров и в случае его доступности считывают множество {e₁, e₂, …, e_n} эксплойтов из массива Е_ехр, формируют i-й набор E_i эксплойтов, запоминают i-й набор E_i эксплойтов в массиве W, конфигурируют массив W и переходят к корректировке значения временного интервала измерений значений контролируемых параметров по формуле

Additionally, an array E _{exp is} specified, which is a set of E _exp = {e ₁ , e ₂ , ..., e _n } of exploits, and the rth exploit e _r ∈ E _exp , where r ∈ {1, 2, ..., n}, is a computer program, a piece of program code and / or a sequence of commands used to carry out a computer attack on an automated system, an array W for storing a set of ordered sets W = {E ₁ , E ₂ , ..., E _p } exploits, and the i-th an ordered set E _i ∈ W of exploits, where i ∈ {1, 2, ..., p}, is a set

exploits, and the focus of the j-th exploit

where j ∈ {1, 2, ..., m}, on the g-th structural element corresponds to the value of the monitored parameter that does not coincide with the reference one, the array S for storing control information on the progress of monitoring the state of the process of functioning of the automated system, including the original s ₀ and the actual s ₁ state of the process of functioning of the g-th structural element of the automated system, and after comparing the time T _{g of} measuring the values of the monitored parameters with a given moment in time

generating a report and

check for signs of progress

exploit, if they are absent, the presence of the result of the execution is checked

exploit and in its absence, the formation of the set of E _i exploits is checked, and if it is absent, they proceed to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D, if the set of E _i exploits is formed, read

exploit from array W, launch

exploit and proceed to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in array D, and if there is a result of execution

exploit checks whether the goal of its execution has been achieved, if the execution goal has not been achieved

exploit compare the index value

exploit with index value

exploit belonging to the i-th ordered set of _{exploits E i} and for j <m increase the value of the index j by 1, proceed to reading

exploit from the array W, and for j≥m remove the i-th ordered set E _{i of} exploits from the array W, compare the index value of the i-th ordered set of E _i exploits with the value of the index of the p-th ordered set E _{p of} exploits included in the array W , in the case i <p, increase the value of the index i by 1, go to reading

exploit from the array W, and for i≥р, they proceed to checking for a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D, and if the goal is achieved, the array W is cleared and proceeds to the generation of an alarm signal about the exit of the monitored parameters in the g-th group outside the permissible values, and after blocking the operation of the elements of the automated system, the parameters of which have gone beyond the permissible values, they proceed to the formation of a report, and if there are signs of execution

exploit checks for directional signs

exploit to violate the accessibility of the g-th structural element of the automated system, in the absence of directional signs, proceed to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in array D, and in the presence of directionality signs

of the exploit for violation of the accessibility of the g-th structural element of the automated system determine the actual s ₁ state of the process of functioning of the g-th structural element of the automated system, read the initial s ₀ state of the functioning process of the g-th structural element of the automated system from the array S, compare the actual s ₁ state of the process the functioning of the g-th structural element of the automated system with the initial s ₀ in the case s ₁ ≠ s ₀ assign the value of the initial _{state s 0 the} value of the actual _{state s 1 of the} state of the process of functioning of the g-th structural element of the automated system), remember the initial s ₀ state of the functioning process g- th structural element of the automated system in the array S and proceed to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D, and when s ₁ = s ₀ , the execution

exploit, clear the array S and proceed to check if the execution target has been achieved

exploit, and after checking the availability of the g-th structural element of the automated system for measuring the values of the monitored parameters and, if available, read the set {e ₁ , e ₂ , ..., e _n } of exploits from the array E _exp , form the i-th set E _i exploits, memorize the i-th set of _{exploits E i} in the W array, configure the W array and proceed to adjusting the value of the time interval for measuring the values of the monitored parameters according to the formula

Comparative analysis of the proposed solution with the prototype shows that the proposed method differs from the known one:

- the use of specialized tools that implement an active method of monitoring the state of the NPP functioning process (hereinafter referred to as specialized controls) for exploiting vulnerabilities determined by the results of passive control;

- using a database of exploits provided by specialized controls;

- the presence of a mechanism for additional verification of the state of the process of functioning of the AU when the measured values of the monitored parameters do not coincide with the reference ones by forming sets of exploits, the focus of which on the structural element of the AU corresponds to the value of the monitored parameter that did not coincide with the reference one, their configuration and launch;

- the presence of a mechanism for determining the actual state of the process of functioning of the automated system and comparing it to the initial one if the exploit launched at the time of monitoring is aimed at disrupting the availability of information processed in the AS.

c) Causal relationship between features and technical result

Thanks to the new set of essential features in the claimed method, the reliability of the results of monitoring the state of the functioning of the nuclear power plant is increased by implementing an active control method using the mechanism for generating a set of exploits when the values of the corresponding monitored parameters that characterize the state of the process of functioning of structural elements, the configuration of the generated set and the sequential launch of the corresponding exploits do not match. taking into account the peculiarities of the influence of the process of their implementation on the functioning of the AU and its interaction with the control device, as well as the implementation of the mechanism for changing the sequence of the use of active and passive control methods in time close to real, during the procedure for monitoring the state of the AU functioning process.

Brief Description of Drawings

The claimed method is illustrated by drawings, which show:

fig. 1 - the structure of the automated system;

fig. 2 - grouping of controlled parameters of the structural elements of the automated system;

fig. 3 - grouping of controlled parameters of the functional processes of the automated system;

fig. 4 is a block diagram of a sequence of actions that implements a method of combined monitoring of the state of the process of functioning of an automated system;

fig. 5 - the structure of the specialized control tool Metasploit;

fig. 6 - the principle of processing interruptions of the monitoring program.

Implementation of the invention

In order to ensure the safety of the nuclear power plant, it is necessary to timely and with high reliability monitor the state of the process of its functioning and provide relevant results of control to the system of a higher level of the hierarchy (for example, information security event processing systems). In modern conditions, control of the state of the process of functioning of automated systems is carried out through the implementation of methods of passive and active control.

The passive method of monitoring the state of the process of the functioning of the AU consists in collecting (measuring), processing and analyzing the values of parametric data characterizing the state of the process of functioning of the AU by comparing the collected data with the reference values describing the normal mode of its functioning. As parametric data, as a rule, one considers the state of network ports and application services associated with these ports, the presence or absence of updates of the software included in the AS, etc. The technical solutions that implement the passive method of monitoring the state of the process of functioning of the AU include, for example, security analysis scanners Max Patrol, XSpider (see functionality, for example, on the official website of Positive Technologies [Electronic resource]. - Access mode. - URL: http://www.ptsecurity.ru).

As a rule, an information attack, defined as a set of actions of an intruder aimed at implementing a threat to information security, is a process of exploiting vulnerabilities in the structural elements of a nuclear power plant based on flaws in their configuration, errors made in the development of software that are part of it, not corrected by appropriate updates, etc., and since the parametric data correctly formed in the process of passive control reflect the signs of the presence of the aforementioned vulnerabilities of the nuclear power plant structural elements, the measured values of the parametric data outside the range of values describing the normal functioning of the nuclear power plant is a necessary condition for the presence (occurrence) of structural vulnerability. element of the speaker.

However, in order to exploit the identified vulnerability, in addition to the very fact of the vulnerability of the nuclear power plant structural element, it is necessary to have accompanying factors, such as, for example, flaws in configuring firewalls, intrusion detection tools, etc. In addition to adjusting the values of the parametric data in accordance with the reference values, in order to prevent disruption of the state of the NPP functioning process by exploiting the vulnerability of structural elements, it is possible to implement compensatory measures aimed, for example, at making adjustments to the configuration of information security tools. Thus, in the case of implementing compensating measures, the probability of disrupting the state of the process of functioning of the structural element of the nuclear power plant due to the exploitation of the identified vulnerability, determined by the values of the parameters that went beyond the values describing the normal functioning of the nuclear power plant, can be reduced without adjusting the values of the parametric data.

That is, the main disadvantage of technical means that implement the passive method of control is the low reliability of the control results, since there is a possibility that the output of the values of the controlled parameters measured during passive control is not a sufficient condition for disrupting the functioning of the corresponding structural element of the automated system, since a change in the state of the process of functioning of structural elements can be prevented by compensating measures that do not provide for the adjustment of the values of the corresponding monitored parameters.

One of the ways to increase the reliability of monitoring the state of the NPP functioning process is to implement an active monitoring method. An active method of monitoring the security state of the AS is to simulate information attacks directed at the AS in order to violate the confidentiality, integrity and availability of the information processed in the AS. The formation of the list of computer attacks to be simulated is carried out on the basis of the AS vulnerabilities identified by means of the passive control method. Since the active control method is aimed at imitating the real actions of an intruder, it makes it possible to increase the reliability of the security control results. The most well-known technical solutions that implement an active method of monitoring the state of the process of functioning of an automated system use a mechanism for exploiting known vulnerabilities and can be represented by means such as Metasploit (see additional information and documentation on the official Metasploit website [Electronic resource]. - Access mode. - URL: http://www.metasploit.com) and additional software tools that extend its functionality, such as ART2 and Armitage. The functionality for exploiting vulnerabilities is partially performed by the Burp Suite network sniffer with the ability to inject malicious code into intercepted network packets, as well as the Nmap network scanner in conjunction with a set of NSE scripts.

The main disadvantages of technical means that implement an active method of monitoring the state of the process of functioning of an automated system are their low level of automation, the need for a security administrator to have certain skills to interact with them, as well as the low reliability of the results of monitoring an automated system that functions with unstable network interactions with technical means. ...

Thus, a contradiction arises between the need to provide a prompt and reliable assessment during the monitoring of the state of the process of the functioning of the AU and the lack of technical solutions that allow combined control of the state of the process of functioning of the AU by implementing passive and active methods with the possibility of changing the sequence of their application in time close to real. taking into account the possibility of the functioning of the AS with unstable network interactions and the elimination of the shortcomings inherent in the considered control methods.

The implementation of the claimed method is explained as follows. In general, an AC is a collection of structural elements and communication equipment, combined by wired and wireless communication lines, as shown in FIG. 1, including a stationary personal computer (PC) 1 and a dynamic personal computer (PC) 2, server 3, switch 4, automated workstation for security monitoring 5, on which the monitoring program is installed, wireless access points Wi-Fi 6 and 7. Unstable network the interaction of the automated workstation for monitoring security 5 with a dynamic object (PC 2) occurs when it moves, as a result of which there is a loss of communication with the wireless access point 6 (Fig. 1a). After moving the dynamic object (PC 2) is connected to the wireless access point 7 (Fig. 1b). During the movement, a dynamic object (PC 2) is out of reach of wireless access points 6 and 7. The structural elements of the AU are determined during monitoring by identifiers, which are used as network addresses (IP addresses) in the most common family of TCP / IP protocols. Building blocks carry out functional processes such as file exchange processes, e-mail messaging processes, and networking processes. The functional processes of the AS are determined by logical ports, which are understood as "entry points" into programs that implement user application processes. Each structural element and functional process of the nuclear power plant is characterized by a set of parameters that determine the state of information security of the structural element and / or the process of the nuclear power plant, and are subject to control.

Preset parameters characterizing the safety of NPP elements are shown in Fig. 2, on which the following designations are adopted:

Adr - IP address;

AD - activity of the remote access connection manager;

LSA - list of active logical ports;

ASPO - activity of the exchange folders service;

PCSFO - local settings of the user client of the file exchange service;

PASEP - local settings of the user agent of the e-mail service;

SSFO - local settings of the file exchange service server;

SSEP - local settings of the server of the e-mail service. Elements of the AU are characterized by the following parameters common to them (see Fig. 2): IP-address;

Remote Access Connection Manager Activity

list of active logical ports;

Exchange folder service activity.

In addition, the structural elements of the AU are additionally characterized (see Fig. 2):

1 - PC 1 - local settings of the user client of the file exchange service;

2 - PC 2 - local settings of the user agent of the e-mail service;

3 - server - local settings of the servers of the file exchange service and the e-mail service.

The above parameters form three groups that characterize the state of the structural elements of the PC 1, PC 2 and server 3. Of the AC elements shown in FIG. 2, the file exchange service covers 1 - PCs 1 and 3 - the server, the e-mail service covers 2 - PCs 2 and 3 - the server, and the network interaction processes and the exchange folders service - all three structural elements of the AS. The interrelation of the parameters of structural elements and functional processes leads to the need to group the monitored parameters additionally into the following four groups, shown in Fig. 3:

4th group - file exchange services (Fig. 3a);

5th group - e-mail services (Fig. 3b);

6th group - exchange folder services (Fig. 3c);

7th group - network interaction (Fig. 3d).

The functional processes of the AU are characterized by the following parameters common to them (see Fig. 3):

IP address;

Remote Access Connection Manager Activity

list of active logical ports.

In addition, the functional processes of the AU are additionally characterized (see Fig. 3):

4th group - local settings of the user client and server of the file exchange service;

5th group - local settings of the user agent and the server of the e-mail service;

6th group - by the activity of the exchange folders service.

где g ∈ {1, 2, …, G}, и эталонные значения параметров.For each group of controlled parameters formed in this way, their importance coefficients are set

where g ∈ {1, 2,…, G}, and the reference values of the parameters.

Table 1 shows: a list of monitored parameters and their reference values, names of groups of monitored parameters and the importance factors of the groups.

The values of the importance coefficients and the reference values of the monitored parameters are determined from considerations of the importance of the information being processed and the potential vulnerability of the structural element (process) by methods using, for example, informal, expert methods and are set in the form of a matrix (table) or a database (expert assessment methods are known and described, for example, in the book Petrenko SA, Simonov SV "Information risk management. Economically justified security." - M .: IT Company, DMK Press, 2004. - 384 p.).

The “+” sign means that the parameter belongs to the specified group, its value can be logical “1”, which corresponds to the “Enabled” state, or logical “0”, which corresponds to the “Disabled” state. The reference value for all parameters, except for the IP address, is logical "1". The absence of the "+" sign means that the parameter value is not read during the group control. The line "Adr" contains the corresponding identifiers of the structural elements of the AU. An IP address having a length of 4 bytes (32 bits) is displayed in Table 1. 1 in the most commonly used form of representation of the IP address - in decimal form (the format for representing the IP address in decimal form is known and described, for example, in the book by V. G. Olifer and N. A. Olifer "Computer networks. Principles, technologies, protocols" : uch. for universities. - 2nd ed. - SPb .: Peter, 2003. - p. 497).

и минимальное

значения временных интервалов измерений значений контролируемых параметров и момент времени

формирования отчета о безопасности АС задают директивно из соображений важности обрабатываемой информации и потенциальной уязвимости структурного элемента (функционального процесса). Кроме этого, минимальное

значение временных интервалов измерений значений контролируемых параметров для каждой g-й группы, определяют таким, ниже которого процесс мониторинга будет или неполным, или будет наносить ущерб функционированию АС по целевому предназначению.Maximum

and minimal

the values of the time intervals of measurements of the values of the monitored parameters and the moment of time

NPP safety report generation is prescriptive from considerations of the importance of the information being processed and the potential vulnerability of the structural element (functional process). In addition, the minimum

the value of the time intervals for measuring the values of the monitored parameters for each g-th group is determined as below which the monitoring process will be either incomplete or will damage the functioning of the NPP for its intended purpose.

An example of setting the monitoring time characteristics is shown in Table 2.

An array D is also set, which is intended to store the sign of incomplete measurement of the values of the monitored parameters of the g-th group and the value of the status word of the monitoring program installed on the automated workplace of safety monitoring 5, at the time of interruption of the measurement of the values of the monitored parameters, the array E _exp , which is a set {e ₁ , e ₂ , ..., e _n } exploits, and the rth exploit e _r , where r ∈ {1, 2, ..., n}, is a computer program, a piece of program code and / or a sequence of commands used for carrying out a computer attack on an automated system, an array W for storing a plurality of ordered sets {E ₁ , E ₂ , ..., E _p } of exploits, as well as an array S for storing control information on the progress of monitoring the state of the AS functioning process, including the initial s ₀ and the actual s ₁ state of the process of functioning of the AU.

The E _exp exploit array is formed on the basis of exploit databases presented and regularly updated by specialized control tools, for example, Metasploit. The structure of the Metasploit software tool containing the exploit base is shown in Fig. 5. (see the contents of the exploit database maintained by the Offensive Security company on the official ExploitDB repository [Electronic resource]. - Access mode. - URL: https://github.com/offensive-security/exploitdb).

The specialized tool Metasploit is a collection of the following elements.

Libraries:

Rex (Ruby Extension, Ruby extension. Base component, contains socket wrapper subsystems, client and server protocol implementations, logging subsystem and exploitation tool classes);

Metasploit core (Implementation of all required interfaces for interaction with modules, plugins and sessions):

Metasploit base (a set of basic commands for interacting with the Metasploit core and auxiliary tools for managing Metasploit components); Interfaces: Console; Web interface; GUI (graphical interface);

Instruments;

Plugins;

Modules:

Payloads (Payload, payload. Code fragments executed in the system after exploiting a vulnerability);

Exploits;

Encoders (means of hiding the signs of malicious code by encoding or encryption);

NOPs (Sequences of assembler NOP instructions that shift the program execution pointer to the required memory fragment);

Other.

The E _exp array contains many X exploits, determined according to the methodology described in Peter Mell's A Complete Guide to the Common Vulnerability Scoring System. Version 2.0 ": - Carnegie Mellon University, 2007. - from 123-139 as follows:

where Ψ _j is an arbitrary exploit presented as an ordered set of tags (identifiers) that characterize the possibility of its use:

where z ^Ψj is the type of attack Ψ _j , for example, z ^Ψj = "DoS";

В ^Ψj is a finite set of OSs on which Ψ _j is executed, for example В ^Ψj = {Windows,…, Linux};

G ^Ψj is a finite set of software, which is acted upon by Ψ _j , for example, G ^Ψj = {Aimp,…, Chrome};

D ^Ψj is a finite set of AO, to which the action Ψ _j is directed, for example, D ^Ψj = {Zyxel,…, Intel};

Е ^Ψj - a finite set of network services of the AU, to which the influence of Ψ _{j is} directed, for example, E ^Ψj = {FTP,…, HTTP};

u ^Ψj - tag (identifier) of belonging Ψ ^j to exploits provided by an information security specialist (user exploits).

ζ is the total number of exploits stored in the exploit database provided by a developer of specialized controls and an information security specialist.

(бл. 3 на фиг. 4). То есть первое измерение значений параметров будет произведено: для групп параметров с коэффициентом важности

через 25 минут; для

через 50 минут и т.д., как это показано в таблице 3.A block diagram of the sequence of actions that implements the claimed method of combined monitoring of the state of the process of functioning of the AU is shown in Fig. 4. Select the g-th group of monitored parameters (unit 2 in Fig. 4) and set the value of the time interval ΔT _{g of} measuring the values of the monitored parameters of each g-th group equal to the maximum

(block 3 in Fig. 4). That is, the first measurement of the parameter values will be made: for groups of parameters with a coefficient of importance

after 25 minutes; for

after 50 minutes, etc., as shown in Table 3.

After that, the values of the monitored parameters in each of the G groups are measured (unit 4 in Fig. 4) and the measured values of the parameters N _{i are} compared with the predetermined reference values M _i (unit 5 in Fig. 4). If the measured values of the monitored parameters do not coincide with the reference ones (see Table 3, starting from the monitoring step No. 5), they are stored (unit 6 in Fig. 4) and the availability of the g-th structural element of the AC for measuring the values of the monitored parameters (unit 1) is checked. 7 in Fig. 4). Information about the availability of AC elements can be obtained by a simple echo request using the ping utility (see the ping utility, for example, in the book by V. G. Olifer and N. A. Olifer "Computer networks. Principles, technologies, protocols": textbook. for Universities. - 4th ed. - SPb .: Peter, 2010. - pp. 596-597). If AS elements respond to echo requests, then they are considered available, otherwise - unavailable. If the g-th structural element of the AU is unavailable for measuring the values of the monitored parameters (see Table 3, starting from the monitoring step No. 16), the interruption of the monitoring program installed on the automated workstation for safety monitoring is called. ... 6, on which the following designations are adopted:

N is the address in the main memory of the security monitoring workstation 5, at which the interruption occurred;

Y - the initial address of interrupt handling in the main memory of the security monitoring workstation 5;

L is the size of the interrupt handler in the main memory of the security monitoring workstation 5;

T is the last address before array D in the main memory of the security monitoring workstation 5;

M is the size of the array D in the main memory of the automated workstation for security monitoring 5;

RON - general purpose registers of the security monitoring workstation processor 5.

FIG. 6, only those elements of the main memory and processor of the safety monitoring workstation 5 are indicated, which are used to explain the principle of processing interruptions of the monitoring program.

FIG. 6a shows the processing of interruption of the monitoring program after receiving information about the unavailability of the g-th structural element of the AS. In addition (see Fig. 6a), one of the RON is set to a logical "1" (TRUE), indicating the sign of incomplete measurement of the values of the monitored parameters (N _i ), and is written into the array D (block 8 in Fig. 4), located in the main memory of a safety monitoring workstation. After that, the value of the SSP, which includes the value of N + 1 of the program counter, is stored in the array D (Unit 9 in Fig. 4) (the general organization of the interrupt system is described, for example, in the book of VA Tikhonov and AV Baranov. "Organization of computers and systems": textbook. - M .: Helios, 2008. - S. 57-95).

(бл. 22 на фиг. 4) и сравнение откорректированного значения

с минимальным

(бл. 23 на фиг. 4) При

переходят к сравнению времени T_g измерения значений контролируемых параметров с заданным моментом времени

формирования отчета (бл. 12 на фиг. 4). При

проверяют наличие признака выполнения

эксплойта (бл. 13 на фиг. 4). Процедура проверки наличия признака выполнения эксплойта может быть осуществлена за счет механизмов, реализованных в специализированных средствах контроля. Например, при использовании специализированного средства контроля Metasploit в качестве признака выполнения эксплойта может выступать возвращаемый параметр, в который при завершении процедуры выполнения эксплойта записываются данные об успешной эксплуатации уязвимости, досрочном завершении процедуры выполнения эксплойта по истечении времени, выделенного специализированным средством контроля на его выполнение либо результат выполнения «полезной нагрузки», то есть подпрограммы, составляемой пользователем и автоматически запускаемой при получении доступа к атакуемой системе в рамках выполнения эксплойта. В случае, если выполнение эксплойта завершено (прервано), параметр принимает соответствующие значения. В случае, если эксплойт выполняется - параметр не содержит данных. То есть в роли признака выполнения эксплойта может выступать наличие данных в параметре, возвращаемом при завершении его выполнения. (Особенности взаимодействия с программным средством Metasploit см., например, в книге А. Сингха [Abhinav Singh] «Metasploit penetration testing cookbook»: Бирмингем: Packt Publishing, 2012. - C. 53-63).After memorizing the value of the SSP, the value of the time interval of measurements is corrected according to the formula

(block 22 in Fig. 4) and comparison of the corrected value

with minimal

(Unit 23 in Fig. 4) For

go to the comparison of the time T _{g of} measuring the values of the monitored parameters with a given time

generating a report (block 12 in Fig. 4). At

check for a progress bar

exploit (block 13 in Fig. 4). The procedure for checking the presence of a sign of an exploit can be carried out using mechanisms implemented in specialized control tools. For example, when using the specialized control tool Metasploit, the return parameter can be used as a sign of the execution of an exploit, which, when the exploit execution procedure is completed, records data on the successful exploitation of the vulnerability, the early completion of the exploit execution procedure after the time allotted by the specialized control tool for its execution, or the result executing a "payload", that is, a subroutine compiled by the user and automatically launched when accessing an attacked system as part of an exploit. If the exploit is completed (interrupted), the parameter takes on the corresponding values. If the exploit is executed, the parameter contains no data. That is, the presence of data in the parameter returned upon completion of its execution can act as a sign of the exploit being executed. (For specifics of interaction with the Metasploit software, see, for example, the book by A. Singh [Abhinav Singh] "Metasploit penetration testing cookbook": Birmingham: Packt Publishing, 2012. - pp. 53-63).

эксплойта (бл. 14 на фиг. 4), осуществляемой, например, на основе возвращаемого параметра, обрабатываемого механизмами специализированного средства контроля, описанного выше. В качестве признака наличия результата выполнения эксплойта при этом может выступать значения параметра, не содержащие сведения о досрочном завершении выполнения эксплойта. При отсутствии результата выполнения очередного

эксплойта из набора, E_i эксплойтов, проверяют сформированность набора E_i эксплойтов (бл. 15 на фиг. 4) путем поиска в массиве W наборов эксплойтов, соответствующих измеренному значению N_i контролируемого параметра g-го структурного элемента. В случае, если необходимый набор не сформирован (отсутствует в массиве W), переходят к проверке наличия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D (бл. 16 на фиг. 4).If there is no indication that exploits have been executed, they proceed to checking for the presence of a result of the execution.

exploit (block 14 in Fig. 4), carried out, for example, on the basis of the return parameter processed by the mechanisms of the specialized control tool described above. In this case, parameter values that do not contain information about the early completion of the exploit can be used as an indication of the existence of a result of the exploit execution. If there is no result of executing the next

exploit from the set, E _i exploits, check the formation of the set E _i exploits (block 15 in Fig. 4) by searching in the array W of sets of exploits corresponding to the measured value N _{i of the} monitored parameter of the g-th structural element. If the required set is not formed (absent in the array W), proceed to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D (block 16 in Fig. 4).

In the absence of a sign of incomplete measurement of the values of the monitored parameters in the array D, a transition is made to the measurement of the values of the monitored parameters (block 4 in Fig. 4).

If there is a sign of incompleteness in the array D, the process of returning to the main monitoring program after processing the interrupt is carried out, the principle of which is shown in FIG. 6b. In addition (see Fig. 6b), first remove the sign of incomplete measurement of the values of the monitored parameters (N _i ) from the array D (unit 17 in Fig. 4) by replacing TRUE with FALSE (logical "0"), and then read the value SSP from array D (block 18 in Fig. 4) by rewriting the value of the program counter from Y + L to N + 1. After processing the interruption of the monitoring program, the values of the monitored parameters (N _i ) are measured from the moment of interruption of the main monitoring program (unit 19 in Fig. 4) (see Table 3, monitoring step No. 17) and proceed to the comparison of the measured values of the monitored parameters with the reference (block 5 in Fig. 4).

из массива W (бл. 20 на фиг. 4), его запуск (бл. 21 на фиг. 4) и переход к проверке наличия признака незавершенности в массиве D (бл. 16 на фиг. 4). Запуск эксплойта осуществляется за счет взаимодействия со специализируемым средством контроля.If a set of E _i exploits corresponding to the value of the monitored parameter, which does not coincide with the reference one, is formed, reads the next exploit

from array W (block 20 in Fig. 4), its launch (block 21 in Fig. 4) and the transition to checking for the presence of an incomplete sign in array D (block 16 in Fig. 4). The exploit is launched by interacting with a specialized control tool.

For example (see Table 3), at the monitoring step No. 5, as a result of comparing the values of the monitored parameters with the reference ones, their discrepancy was revealed in the 6th and 7th groups of monitored parameters due to the server unavailability. After checking the availability, setting the sign of incomplete measurement of the monitored parameter to array D and writing the value of the program status word to array D, the value of the measurement time interval is corrected:

с минимальным

и т.к.

(8>5) переходят к сравнению времени T_g измерения значений контролируемых параметров с заданным моментом времени

формирования отчета, поскольку

(125<250) проверяют наличие признаков выполнения соответствующего эксплойта. Но, поскольку ранее набор эксплойтов не был сформирован и запущен, отсутствуют и признаки выполнения, и результаты выполнения. Таким образом, проверив сформированность набора эксплойтов, осуществляется переход к проверке наличия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D. Поскольку признак незавершенности измерения значений контролируемых параметров 6-й и 7-й групп был установлен в массив D ранее, осуществляют удаление признака незавершенности измерения значения контролируемого параметра из массива D, считывают значение слова состояния программы и заново измеряют значение контролируемого параметра с момента прерывания (шаг №6 в табл. 3). Если на шаге контроля №6 значения контролируемых параметров у 6-й и 7-й групп вновь не совпали с эталонными, а сервер по прежнему недоступен, то после установки признака незавершенности измерения контролируемого параметра в массив D и записи значения слова состояния программы в массив D значения временных интервалов измерений рассматриваемых групп вновь корректируют:and recorded in table. 3 in the line of the monitoring step # 5. Changing the current time interval of measurements to 8 minutes leads to the fact that monitoring of the 6th and 7th groups of parameters will be performed more often, as can be seen from the table. 3, where, starting from the monitoring step No. 6, the monitoring interval has decreased (it has ceased to be a multiple of 25 minutes). After that, the corrected value is compared

with minimal

and since

(8> 5) go to the comparison of the time T _{g of} measuring the values of the monitored parameters with a given time

generating a report, since

(125 <250) check for signs of execution of the corresponding exploit. However, since the exploit set was not generated and launched earlier, there are no signs of progress or results of execution. Thus, after checking the formation of the set of exploits, the transition to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in array D is carried out. removing the sign of incomplete measurement of the value of the monitored parameter from array D, read the value of the program status word and re-measure the value of the monitored parameter from the moment of interruption (step 6 in Table 3). If at control step No. 6 the values of the monitored parameters in the 6th and 7th groups again did not coincide with the reference ones, and the server is still unavailable, then after setting the sign of incomplete measurement of the monitored parameter to array D and writing the value of the program status word to array D the values of the time intervals of measurements of the considered groups are corrected again:

для 6-й и 7-й групп (3<5), то формируют сигнал тревоги о выходе контролируемых параметров в 6-й и 7-й группах за пределы допустимых значений. После чего блокируют работу элементов АС, параметры которых вышли за пределы допустимых значений и включают в отчет о состоянии АС сведения о заблокированных элементах, а мониторинг остальных групп контролируемых параметров продолжают до наступления условия

как это показано в табл. 3 на шагах мониторинга №7-20.Since the condition

for the 6th and 7th groups (3 <5), then an alarm is generated about the exit of the monitored parameters in the 6th and 7th groups beyond the permissible values. After that, the operation of the AC elements is blocked, the parameters of which have gone beyond the permissible values and include information about the blocked elements in the AC state report, and the monitoring of the remaining groups of monitored parameters continues until the condition occurs

as shown in table. 3 at monitoring steps 7-20.

эксплойта получен, осуществляется проверка достижения цели выполнения

эксплойта (бл. 34 на фиг. 4). В случае, если цель выполнения эксплойта состоит в получении несанкционированного доступа к g-му структурному элементу АС, достижение цели может быть однозначно определено по полученному результату. Формат и содержание возвращаемого результата определяется специализированным средством контроля. Например, если выполнение эксплойта реализовано за счет использования специализированного средства контроля Metasploit, а сам эксплойт подразумевает получение терминального доступа к атакуемому g-му структурному элементу, возможно формирование полезной нагрузки эксплойта, т.е. фрагмента кода или части вредоносной программы, который непосредственно выполняет деструктивное воздействие на структурный элемент, таким образом, чтобы при получении доступа осуществлялось сбрасывание терминального соединения с возвратом специализированному средству контроля значения, интерпретируемого как достижение цели выполнения эксплойта. Процедура формирования и анализа результатов выполнения полезной нагрузки с помощью специализированного средства контроля Metasploit описана в книге А. Сингха [Abhinav Singh] «Metasploit penetration testing cookbook»: Бирмингем: Packt Publishing, 2012. - С. 40-50. В случае, если эксплойт направлен на нарушение сетевой доступности g-го структурного элемента, проверку достижения цели его выполнения возможно осуществить путем получения информации о доступности g-го структурного элемента простым эхо-запросом при помощи программной утилиты ping, описанным ранее. Если эксплойт направлен на нарушение доступности сетевого сервиса (WEB-сервер, FTP-сервер и т.д.), проверка достижения цели выполнения эксплойта может быть осуществлена за счет формирования и отправки соответствующих запросов к атакуемым сервисам. В случае отсутствия ответа либо при получении ответа, содержащего информацию о неполадках в функционировании сервиса целесообразно сделать вывод о достижении цели выполнения эксплойта. Примером подобной проверки может выступать использование сетевой утилиты Telnet для проверки доступности НТТР-сервера. С помощью Telnet формируется запрос по соответствующему IP-адресу и порту и в случае, если сервер не отвечает, либо возвращает код ошибки (к примеру «404 Not Found» или «408 Request timeout»), делается вывод о недоступности сервера либо о его некорректном функционировании.If the result of execution

the exploit is received, a check is made that the execution goal has been achieved

exploit (block 34 in Fig. 4). If the purpose of the exploit is to gain unauthorized access to the g-th structural element of the AS, the achievement of the goal can be unambiguously determined by the result obtained. The format and content of the returned result is determined by a custom control. For example, if the execution of an exploit is implemented using a specialized control tool Metasploit, and the exploit itself implies obtaining terminal access to the attacked g-th structural element, it is possible to generate an exploit payload, i.e. a piece of code or part of a malicious program that directly performs a destructive effect on a structural element, so that upon gaining access, the terminal connection is dropped and returned to a specialized means of control of the value, which is interpreted as reaching the goal of executing the exploit. The procedure for generating and analyzing the results of the execution of the payload using the specialized control tool Metasploit is described in the book by A. Singh [Abhinav Singh] "Metasploit penetration testing cookbook": Birmingham: Packt Publishing, 2012. - pp. 40-50. If the exploit is aimed at disrupting the network accessibility of the g-th structural element, it is possible to check the achievement of the goal of its execution by obtaining information about the availability of the g-th structural element by a simple echo request using the ping utility described earlier. If the exploit is aimed at disrupting the availability of a network service (WEB server, FTP server, etc.), verification of the achievement of the exploit execution goal can be performed by generating and sending appropriate requests to the attacked services. If there is no response, or if you receive a response containing information about problems with the operation of the service, it is advisable to conclude that the goal of executing the exploit has been achieved. An example of such a check would be the use of the Telnet network utility to check the availability of an HTTP server. With the help of Telnet, a request is formed at the corresponding IP address and port, and if the server does not respond, or returns an error code (for example, "404 Not Found" or "408 Request timeout"), it is concluded that the server is unavailable or that it is incorrect functioning.

эксплойта с значением индекса

эксплойта, принадлежащих i-му упорядоченному набору E_i эксплойтов (бл. 39 на фиг. 4). При j<m значение индекса j увеличивают на 1 (бл. 40 на фиг. 4) и переходят к считыванию очередного

эксплойта из массива W (бл. 20 на фиг. 4). При j≥m i-й упорядоченный набор E_i эксплойтов удаляется из массива W (бл. 41 на фиг. 4), затем осуществляется сравнение значение индекса i-го упорядоченного набора E_i эксплойтов с значением индекса -го упорядоченного набора Е_р эксплойтов, входящих в массив W (бл. 42 на фиг. 4). В случае i<р значение индекса i увеличивают на 1 (бл. 42 на фиг. 4)и переходят к считыванию

эксплойта из массива D (бл. 20 на фиг. 4), а при i≥р переходят к проверке наличия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D (бл. 16 на фиг. 4).If the execution target is not reached, the index value is compared

exploit with index value

exploit belonging to the i-th ordered set of E _i exploits (block 39 in Fig. 4). For j <m, the value of the index j is increased by 1 (block 40 in Fig. 4) and proceeds to reading the next

exploit from array W (block 20 in Fig. 4). For j≥m, the i-th ordered set of E _i exploits is removed from the array W (block 41 in Fig. 4), then the index value of the i-th ordered set of E _i exploits is compared with the value of the index of the ith ordered set of E _p exploits, included in the array W (block 42 in Fig. 4). In the case i <p, the value of the index i is increased by 1 (block 42 in Fig. 4) and proceeds to reading

exploit from array D (block 20 in Fig. 4), and when i≥p, they proceed to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in array D (block 16 in Fig. 4).

. В случае, если в данный момент выполняется третий эксплойт из первого набора, то индекс эксплойта в наборе j=3, а индекс набора i=1, соответственно выполняется условие j<m (3<5), при котором значение индекса j увеличивают на 1, из массива W считывают j-й эксплойт i-го набора, то есть четвертый эксплойт первого набора.For example, let the array W contain 3 sets of E _i , each of which contains 5 exploits

... If at the moment the third exploit from the first set is being executed, then the exploit index in the set is j = 3, and the set index is i = 1, respectively, the condition j <m (3 <5) is satisfied, in which the value of the j index is increased by 1 , the j-th exploit of the i-th set, that is, the fourth exploit of the first set, is read from the array W.

из последнего набора E_i из массива W. В этом случае осуществляется переход к проверке наличия признака незавершенности измерения N_i в D.If the fifth exploit of the first set (j = 5, i = 1) is executed, the condition j≥m is fulfilled, for the set W, the fully considered ith set of exploits E _{i is} removed, and since i <p, the value of the index i is increased by 1 and proceed to reading and launching the first exploit of the second set. If the fifth exploit of the third set is executed, the conditions i≥р and j≥m are met, that is, the last exploit is considered

from the last set E _i from array W. In this case, the transition to checking the presence of a sign of incomplete measurement of N _i in D.

If the goal of the exploit is achieved, the array W is cleared (block 35 in Fig. 4) by sequentially deleting all the elements contained in the array from memory, an alarm is generated that the monitored parameters in the g-th group are out of range (block 35). 36 in Fig. 4), the operation of the g-th structural element of the AU, the parameters of which have gone beyond the permissible values, is blocked (block 37 in Fig. 4), a report on the safety of the nuclear power plant is generated (block 38 in Fig. 4), on on the basis of which a decision is made on the state of the process of functioning of the AU (unit 43 in Fig. 4).

эксплойта производится проверка его направленности на нарушение доступности g-го структурного элемента (бл. 24 на фиг. 4). Проверка направленности эксплойта осуществляется за счет анализа вектора опасности CVSS^Ωi уязвимости Ωⁱ, которая соответствует значению контролируемого параметра g-й структурного элемента автоматизированной системы, не совпавшему с эталонным, на которую направлен эксплойт.If there are signs of progress

of the exploit, it is checked that it is directed at violating the accessibility of the g-th structural element (block 24 in Fig. 4). The exploit orientation is checked by analyzing the CVSS ^Ωi hazard vector of the Ω ⁱ vulnerability, which corresponds to the value of the monitored parameter of the g-th structural element of the automated system, which does not coincide with the reference one at which the exploit is directed.

The vulnerability hazard vector Ω ⁱ is presented as an ordered set of the following tags (identifiers):

- вектор атаки (степень удаленности потенциального атакующего от АС), использующей Ωⁱ;Where

- the attack vector (the degree of remoteness of the potential attacker from the AS) using Ω ⁱ ;

- сложность эксплуатации Ωⁱ на АС;

- the complexity of the operation of Ω ⁱ at the NPP;

- требуемый уровень привилегий (прав), необходимый для проведения атаки, использующей Ωⁱ;

- the required level of privileges (rights) required to carry out an attack using Ω ⁱ ;

- оценка степени влияния атаки, использующей Ωⁱ, на конфиденциальность, целостность и доступность информации, содержащейся в АС, соответственно.

- assessment of the impact of an attack using Ω ⁱ on the confidentiality, integrity and availability of information contained in the AS, respectively.

In addition, the specified tags take on the following values:

Where N - Network, that is, a potential attacker conducts an attack using Ω ⁱ through the global network;

L - Local, that is, a potential attacker conducts an attack using Ω ⁱ through a local network;

where L - Low, that is, a low level of complexity of operation Ω ⁱ at the NPP;

M - Medium, that is, the average level of complexity of operation Ω ⁱ at the NPP;

Н - High, that is, a high level of complexity of operation of Ω ⁱ at the NPP;

where N - None, that is, when carrying out an attack using Ω ⁱ , extended access rights to the AU are not required;

S - Single, that is, when carrying out an attack using Ω ⁱ , the AC user rights are required;

М - Multiple, that is, when carrying out an attack using Ω ⁱ , the administrator's rights of the AS are required;

where N - None, that is, an attack using Ω ⁱ does not affect the confidentiality, integrity and availability of information contained in the AS;

P - Partial, that is, an attack using Ω ⁱ partially affects the confidentiality, integrity and availability of information contained in the AS;

C - Complete, that is, an attack using Ω ⁱ has a full impact on the confidentiality, integrity and availability of the information contained in the AU.

эксплойта осуществляется анализ тегов

вектора опасности соответствующей уязвимости. В случае, если тег

принимает значение С, а теги

принимают значения Р или N, либо тег

принимает значение Р, а теги

принимают значения N, эксплойт

направлен на нарушение доступности.Accordingly, to determine the direction

the exploit is analyzed tags

the hazard vectors of the corresponding vulnerability. In case the tag

takes the value C, and tags

take the values P or N, or tag

takes the value P, and tags

take values N, exploit

aims to disrupt accessibility.

эксплойта на нарушение доступности g-го структурного элемента производится переход к проверке наличия признака незавершенности измерения значений контролируемых параметров g-й группы в массиве D (бл. 16 на фиг. 4).In the absence of directional signs

of the exploit for violation of the availability of the g-th structural element, a transition is made to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D (block 16 in Fig. 4).

эксплойта на нарушение доступности g-ro структурного элемента АС осуществляется определение фактического s₁ состояния процесса функционирования g-го структурного элемента АС (бл. 25 на фиг. 4).If there are signs of directionality

of the exploit for violation of the accessibility of the g-ro structural element of the AU, the actual s ₁ state of the process of functioning of the g-th structural element of the AU is determined (block 25 in Fig. 4).

эксплойта, но и преднамеренным санкционированным внесением изменением в конфигурацию структурного элемента АС, существует необходимость разделения данных состояний. В целях определения изменения состояния процесса функционирования g-го структурного элемента фактическое состояние процесса функционирования определяется как совокупность сведений о доступности g-го структурного элемента, определяемой эхо-запросом эхо-запросом при помощи программной утилиты ping, либо путем отправки соответствующих запросов к атакуемым сервисам и анализа возвращаемых значений при помощи сетевой утилиты Telnet, а также сведений о сетевой нагрузке на автоматизированную систему, выраженных количеством принимаемых сетевых пакетов от адресов за пределами АС либо генерируемыми и отправляемыми структурными элементами АС. Сбор сведений о сетевой нагрузке автоматизированной системы возможен за счет использования специализированных распределенных программных средств мониторинга, таких как Zabbix, позволяющих в реальном времени отслеживать сетевую нагрузку тех или иных структурных элементов автоматизированной системы. Описание распределенной системы мониторинга Zabbix и руководство по отслеживанию сетевой нагрузки см. на официальном сайте Zabbix [Электронный ресурс]. - Режим доступа. - URL: https://www.zabbix.com.Since a change in the state of the process of functioning of the g-th structural element in this case can be a consequence of not only the functioning

exploit, but also a deliberate authorized change in the configuration of the structural element of the AU, there is a need to separate these states. In order to determine the change in the state of the functioning process of the g-th structural element, the actual state of the functioning process is determined as a set of information about the availability of the g-th structural element, determined by an echo request by an echo request using the ping utility, or by sending appropriate requests to the attacked services and analysis of return values using the Telnet network utility, as well as information about the network load on the automated system, expressed by the number of network packets received from addresses outside the AU or generated and sent by the AU structural elements. Collecting information about the network load of an automated system is possible through the use of specialized distributed monitoring software, such as Zabbix, which allows real-time monitoring of the network load of certain structural elements of the automated system. For a description of the distributed monitoring system Zabbix and a guide for monitoring network load, see the official Zabbix website [Electronic resource]. - Access mode. - URL: https://www.zabbix.com.

After determining the actual _{state s 1} from the array S read the initial _{state s 0} of the process of functioning of the g-th structural element of the automated system for their subsequent comparison (block 26 in Fig. 4). When comparing the states (block 27 in Fig. 4), the fact is taken into account that at the initial start, the initial s ₀ value of the state of the functioning process of the g-th structural element does not contain data and, accordingly, during the first comparison, the actual s ₁ and initial s ₀ states the process of functioning of the g-th structural element do not coincide

In this case (s ₁ ≠ s ₀ ) the value of the actual s ₁ state of the process of functioning of the g-th structural element of the AU is assigned to the value of the initial s ₀ state of the g-th structural element of the automated system (block 30 in Fig. 4), which is stored in the array S (block 31 in Fig. 4) and proceed to check for the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D (block 16 in Fig. 4).

эксплойта, направленного на нарушение доступности g-го структурного элемента, выполнение

эксплойта останавливают (бл. 28 на фиг. 4), массив S очищают (бл. 29 на фиг. 4) и переходят к проверке достижения цели выполнения

эксплойта (бл. 34 на фиг. 4)If s ₁ = s ₀ , that is, the procedure for determining the actual s ₁ state of the process of functioning of the g-th structural element was performed at one of the previous steps of the control, in which the g-th structural element was unavailable when performing

exploit aimed at disrupting the accessibility of the g-th structural element, execution

the exploit is stopped (block 28 in Fig. 4), the array S is cleared (block 29 in Fig. 4) and proceeds to check whether the execution goal has been achieved

exploit (block 34 in fig. 4)

формируют отчет о состоянии АС (бл. 38 фиг. 4), в который включают сведения о ее заблокированных элементах, и на основании его принимают решение о состоянии безопасности АС (бл. 43 фиг. 4).When the condition occurs

form a report on the state of the AU (block 38 of Fig. 4), which includes information about its blocked elements, and on the basis of it a decision is made about the safety state of the AU (block 43 of Fig. 4).

то формируется сигнал тревоги о выходе контролируемых параметров за пределы допустимых значений (бл. 36 на фиг. 4). После чего блокируют работу структурного элемента АС, значения контролируемых параметров которого вышли за пределы допустимых значений (бл. 37 на фиг. 4) и включают в отчет о состоянии АС сведения о заблокированных элементах.If the condition is met

then an alarm signal is generated about the exit of the monitored parameters beyond the permissible values (block 36 in Fig. 4). After that, the operation of the structural element of the AU is blocked, the values of the monitored parameters of which have gone beyond the permissible values (block 37 in Fig. 4) and include information about the blocked elements in the report on the state of the AU.

If the g-th structural element of the AS is available for measuring the values of the monitored parameters, the exploits are read from the E _exp array by interacting with specialized means of control and containing the corresponding database of exploits (block 10 in Fig. 4), and a set of exploits is generated E _i corresponding to the measured value N _{i of the} monitored parameters of the g-th structural element of the AU (unit 11 in Fig. 4).

The set of E _i exploits is formed as follows.

The value of the monitored parameter, which does not coincide with the reference one, is defined as a vulnerability and is presented in the form of an ordered set of tags (identifiers) characterizing the vulnerable elements of the AS being scanned:

where B ^Ωi is a finite set of operating systems (OS) of the AS, in which Ω _i is implemented, for example, B ^Ωi = {Windows,…, Linux};

G ^Ωi is a finite set of software (SW) of the AS, in which Ω _i is realized, for example, G ^Ωi = {Aimp,…, Chrome};

D ^Ωi is a finite set of hardware (AO) of the AS, in which Ω _i is implemented, for example D ^Ωi = {Zyxel,…, Intel};

E ^Ωi - a finite set of network services of the AU, in which Ω _i is implemented, for example, E ^Ωi = {FTP,…, HTTP};

CVSS ^Ωi is the hazard vector Ω _i defined above.

в виде:For the vulnerability presented, a general hazard index is determined

as:

where r (CVSS ^Ωi ) is a function defined based on the approaches described in Peter Mell's book A Complete Guide to the Common Vulnerability Scoring System. Version 2.0 ": - Carnegie Mellon University, 2007. - pp. 142-150.

α is the total number of AC vulnerabilities identified as a result of monitoring the state of the process of functioning of the automated system.

The set of exploits J, the targeting of which corresponds to the tags Ω _i ∈ R, is defined as follows:

where Φ _λ is an arbitrary exploit belonging to J;

ϕ is the total number of exploits whose targeting corresponds to tags Ω _i ∈ R

Φ _{λ is} determined based on the matching of tags Ψ _j and Ω _i :

where f ₀ (Ψ _j , Ω _i ) is a function that determines the correspondence of tags inherent in Ψ _j and Ω _i

where f ₁ (Y ^Ψj , Y ^Ωi ) is a function that determines the correspondence of the values of the tags characterizing the OS, software, hardware and the network services of the AU, in which the impact is performed (directed) Ψ _j and Ω _{i is implemented}

where Y ^Ψj is an arbitrary tag that takes values corresponding to the characteristics B ^Ψj , G ^Ψj , D ^Ψj , E ^Ψj ;

Y ^Ωi - an arbitrary tag that takes values that correspond to the characteristics B ^Ωi G ^Ωi , D ^Ωi , E ^Ωi .

The set of exploits generated E _{i is} stored in W (block 32 in Fig. 4), then the array W is ordered (configured) (block 33 in Fig. 4) as follows.

For each Φ _λ ∈ J, realizing the corresponding Ω _i , the hazard vector (CVSS ^Φλ ) is determined in the form:

в виде:As well as the general hazard index

as:

where r (CVSS ^Φλ ) is a function defined based on the approaches described in Peter Mell's book A Complete Guide to the Common Vulnerability Scoring System. Version 2.0 ": - Carnegie Mellon University, 2007. - p. 123-139.

As a result of the configuration procedure J, an ordered set of exploits W is generated:

- произвольный набор эксплойтов, принадлежащий W;Where

- an arbitrary set of exploits belonging to W;

ν is the total number of exploit kits contained in the ordered exploit kit.

The formation of W is carried out on the basis of the following principles.

Principle # 1. Exploits to provide privilege (rights) escalation are executed first.

Principle number 2. Exploits that violate the availability of information contained in the AU are executed last.

Principle number 3. Exploits that require fewer privileges (rights) are executed with a higher priority.

Principle number 4. Exploits that violate the confidentiality of information contained in an AS are performed with a higher priority than exploits that violate the integrity of information.

Principle number 5. Custom exploits are performed with a higher priority than exploits provided by the custom control developer.

выполняются с большим приоритетом.Principle number 6. Exploits with a large index

are performed with high priority.

Based on principles # 1-6, we represent the configuration process J in the form of sequential execution of the following steps:

Stage 1 - identifying exploits according to principles # 1-3;

Stage 2 - identifying exploits according to principle # 4;

Stage 3 - identifying exploits according to principles # 1-6.

As part of the first stage of the configuration process J based on principles No. 1-3 and tags (identifiers) CVSS ^Φλ , as well as the tag z ^{Φλ, the} set J is decomposed into the following subsets:

1. A lot of exploits to provide the expansion of privileges (rights) (Q ₁ ):

where Δ _β is an arbitrary exploit belonging to Q ₁ ,

χ is the total number of exploits that allow for the expansion of privileges (rights).

2. A lot of exploits that violate the accessibility of the information contained in the AC (Q ₂ ):

where Γ _δ is an arbitrary exploit belonging to Q ₂ ;

ε is the total number of exploits that violate the availability of information contained in the AS.

3. A lot of exploits that do not require extended access rights to the AC (Q ₃ ):

where O _φ is an arbitrary exploit belonging to Q ₃ ;

γ is the total number of exploits that do not require extended access rights to the AS.

4. Lots of exploits requiring AC user rights (Q ₄ ):

where Π _η is an arbitrary exploit belonging to Q ₄ ;

l is the total number of exploits that require AS user rights.

5. Lots of exploits that require AC administrator rights (Q ₅ ):

where Λ _to - an arbitrary exploit belonging to Q ₅ ;

μ is the total number of exploits that require AS administrator rights.

The formation of Q _{1 is} carried out by determining Δ _β in J:

where z ^Φλ is a tag (identifier) that determines the type of attack Φ _λ . The formation of Q _{2 is} carried out by defining Γ _δ in J:

where A ^CVSSΦλ is an estimate of the degree of influence of Φ _λ on the availability of information contained in the AS.

The formation of Q _{3 is} carried out by determining O _φ in J:

where AU ^{CVSSΦλ is the} required level of privileges (rights) required to fulfill Φ _λ ).

The formation of Q _{4 is} carried out by defining Π _η in J:

The formation of Q _{5 is} carried out by defining Λ _to in J:

Then, within the framework of the second stage of the configuration process J on the basis of principle 4 and tags (identifiers) CVSS ^{Φλ, the} sets Q ₃ , Q ₄ , Q _{5 are} decomposed into the following subsets:

1. A lot of exploits that violate the confidentiality of information contained in the AU and do not require extended access rights to

where Θ ₀ is an arbitrary exploit belonging to

π is the total number of exploits that violate the confidentiality of information contained in the AS and do not require extended access rights to the AS.

2. A lot of exploits that violate the integrity of the information contained in the AU and do not require extended access rights to

where Σ _ϖ is an arbitrary exploit belonging to

θ is the total number of exploits that violate the integrity of the information contained in the AS and do not require extended access rights to the AS.

3. Many exploits that violate the confidentiality of information contained in the AU and require the right of the AU user

where T _ϑ is an arbitrary exploit belonging to

ρ is the total number of exploits that violate the confidentiality of information contained in the AU and require the right of the AU user.

4. A lot of exploits that violate the integrity of the information contained in the AU and require user rights

where Z _σ is an arbitrary exploit belonging to

ς is the total number of exploits that violate the integrity of the information contained in the AU and require the right of the AU user.

5. A lot of exploits that violate the confidentiality of information contained in the AU and require the rights of the AU administrator

where F _τ is an arbitrary exploit belonging to

υ is the total number of exploits that violate the confidentiality of information contained in the AU and require the rights of the AU administrator.

6. Many exploits that violate the integrity of the information contained in the AU and require administrator rights

where S _ω is an arbitrary exploit belonging to

ψ is the total number of exploits that violate the integrity of the information contained in the AU and require the rights of the AU administrator.

осуществляется посредством определения О_φ, Π_η, Λ_к в соответствующие

в общем виде:Formation

is carried out by defining О _φ , Π _η , Λ _to the corresponding

in general:

where g is an arbitrary exploit corresponding to О _φ ∈ Q ₃ , or Π _η ∈ Q ₄ , or Λ _к ∈ Q ₅ ;

либо

, либо

U is an arbitrary exploit that matches

or

or

- оценка степени влияния g на конфиденциальность информации, содержащейся в АС.

- assessment of the degree of influence g on the confidentiality of information contained in the AU.

осуществляется посредством определения О_φ, Π_η, Λ_к в соответствующие

в общем виде:Formation

is carried out by defining О _φ , Π _η , Λ _to the corresponding

in general:

либо

, либо

where V is an arbitrary exploit corresponding to

or

or

I ^CVSSg - an assessment of the degree of influence g on the integrity of the information contained in the AU.

представляется в виде:In the third step of the configuration process for J based on principles # 1-6

is presented in the form:

выбираются из соответствующих множеств на основе принципов №5, 6, то есть наибольшим приоритетом при реализации процедуры выбора обладают пользовательские эксплойты с наибольшим значением индекса

Exploits that generate

are selected from the corresponding sets based on principles No. 5, 6, that is, the user exploits with the highest index value have the highest priority in the implementation of the selection procedure

, в который входит Φ_λ.In addition, in order to prevent the cases of repeated addition of Φ _λ to W, it is eliminated from the set J after each formation

, which includes Φ _λ .

After configuring W, the transition to the correction of ΔT _{g is} carried out (block 22 in Fig. 4)

формирования отчета (бл. 12 на фиг. 4).In the case of coincidence of the measured values of the controlled parameters with their reference values, they go to the comparison of the time T _{g of} measuring the values of the controlled parameters with a given moment in time

generating a report (block 12 in Fig. 4).

Thus, thanks to a new set of essential features in the claimed invention, an increase in the reliability of the results of monitoring the state of the process of functioning of an automated system is provided by implementing a set of passive and active methods for monitoring the state of the process of functioning of an automated system by generating a set of exploits aimed at the g-th structural element of the automated system corresponds to the value of the monitored parameter, which does not coincide with the reference, configuring the array containing these sets, sequential controlled launch of exploits contained in the array through interaction with specialized controls and processing the results of exploit execution.

Claims (1)

The method of combined monitoring of the state of the process of functioning of an automated system, which consists in the fact that a set of N≥2 monitored parameters characterizing the safety of an automated system, M≥N reference values of monitored parameters are preset, formed from the number of preset monitored parameters G≥2 groups of monitored parameters , and each g-th group of monitored parameters, where g ∈ {1, 2, ..., G}, characterizes the safety of the g-th structural element of the AU, for each g-th group of monitored parameters, the importance coefficients are set

the maximum

and minimal

values of time intervals of measurements of values of monitored parameters, time point

generating a report on the safety of the automated system and array D for storing the sign of incomplete measurement of the values of the monitored parameters of the g-th group and the value of the state word of the control program at the moment of interruption of the measurement, the value of the monitored parameters, and then select the g-th group of monitored parameters, set the value of the time interval ΔT _g measurement of the values of the monitored parameters of the g-th group equal to the maximum

the values of the monitored parameters in each of the G groups are measured, the measured values of the monitored parameters are compared with the reference ones, if they do not coincide, they are memorized, the availability of the g-th structural element of the automated system for measuring the values of the monitored parameters is checked; of the g-th group in array D, the value of the state word of the control program is stored in array D at the moment of interruption of the measurement of the values of the monitored parameters, the value of the time interval of measurements of the values of the monitored parameters is corrected according to the formula

compare the corrected value

with minimal

when

, compare the time T _{g of} measuring the values of the monitored parameters with a given moment in time

generating a report and

check for the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D, if it is absent, proceed to measuring the values of the monitored parameters in each of the G groups, and if there is a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D, delete it from array D, read the memorized value of the status word of the control program from array D, measure the values of the monitored parameters from the moment of interruption of their measurement and proceed to comparing the measured values of the monitored parameters with the reference ones, in the case of

generate a report and, based on the generated report, make a decision on the state of the process of functioning of the automated system, and when

generate an alarm signal about the exit of the monitored parameters in the g-th group beyond the permissible values, block the operation of the elements of the automated system, the parameters of which have gone beyond the permissible values, include in the report information about the state of the process of functioning of the automated system information about its blocked elements, if available of the g-th structural element of the automated system for measuring the values of the monitored parameters, proceed to adjusting the value of the time interval for measuring the values of the monitored parameters according to the formula

, and when the measured values of the monitored parameters coincide with the reference ones, they go to the comparison of the time T _{g of} measuring the values of the monitored parameters with a given moment in time

generating a report, characterized in that an array E _{exp is} additionally specified, which is a set of E _exp = {e ₁ , e ₂ , ..., e _n } of exploits, and the rth exploit e _r ∈ E _exp , where r ∈ {1, 2, ..., n}, is a computer program, a piece of program code and / or a sequence of commands used to carry out a computer attack on an automated system, an array W for storing a set of ordered sets W = {E ₁ , E ₂ , ..., E _p } exploits, and the i-th ordered set E _i ∈ W of exploits, where i ∈ {1, 2, ..., p}, is a set

exploits, and the focus of the j-exploit

∈ E _i , where j ∈ {1, 2, ..., m} on the g-th structural element corresponds to the value of the monitored parameter that does not coincide with the reference one, the array S for storing control information on the progress of monitoring the state of the process of functioning of the automated system, including initial s ₀ and actual s ₁ states of the process of functioning of the g-th structural element of the automated system, and after comparing the measurement time of the values of the controlled parameters with a given moment in time

generating a report and

check for signs of progress

exploit, if there are no signs, check for the presence of an execution result

and exploit the absence Maturity of check result set E _i exploits, in the case of unformed set proceeds to check for signs of incomplete measurement values of monitored parameters g-th group D array, in the case of formation of set E _i is read exploits

exploit from array W, launch

exploit and proceed to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in array D, and if there is a result of execution

exploit checks whether the goal of its execution has been achieved, if the execution goal has not been achieved

exploit compare the index value

exploit with index value

exploit belonging to the i-th ordered set of E _i exploits, and for j <m increase the value of the index j by 1, go to reading

exploit from the array W, and for j≥m remove the i-th ordered set E _{i of} exploits from the array W, compare the index value of the i-th ordered set of E _i exploits with the value of the index of the p-th ordered set E _{p of} exploits included in the array W , in the case i <p, increase the value of the index i by 1, go to reading

exploit from the array W, and for i≥р, they proceed to checking for a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D, and if the goal is achieved, the array W is cleared and proceeds to the generation of an alarm signal about the exit of the monitored parameters in the g-th group outside the permissible values, and after blocking the operation of the elements of the automated system, the parameters of which have gone beyond the permissible values, they proceed to the formation of a report, and if there are signs of execution

exploit checks for directional signs

exploit to violate the accessibility of the g-th structural element of the automated system, in the absence of directional signs, proceed to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in array D, and in the presence of directionality signs

of the exploit for violation of the accessibility of the g-th structural element of the automated system determine the actual s ₁ state of the process of functioning of the g-th structural element of automated systems, read the initial s ₀ state of the functioning process of the g-th structural element of the automated system from the array S, compare the actual s ₁ state of the process g-operation of the automated system of the structural element with the source s _0, where s ₁ ≠ s ₀ is assigned the value of the initial state s ₀ of the actual value of s automated system state ₁ g-functioning process of the structural element stored initial state s ₀ of the process operation g- th structural element of the automated system in the array S and proceed to checking the presence of a sign of incomplete measurement of the values of the monitored parameters of the g-th group in the array D, and when s ₁ = s ₀ , the execution

exploit, clear the array S and proceed to check if the execution target has been achieved

exploit, and after checking the availability of the g-th structural element of the automated system for measuring the values of the monitored parameters and, if available, read the set {e ₁ , e ₂ , ..., e _n } of exploits from the array E _exp , form the i-th set E _i exploits, memorize the i-th set of _{exploits E i} in the W array, configure the W array and proceed to adjusting the value of the time interval for measuring the values of the monitored parameters according to the formula

Images