Method of trusted integration of active network hardware control systems with distributed computer systems and system to this end

FIELD: physics, computation hardware.

SUBSTANCE: the invention relates to the security of information systems. First, the reference technical state of the active network hardware is recorded: the list of open network ports, checksums of the configuration files and software files, and checksums of the results of control actions issued by the active network hardware control system. The active network hardware is then monitored periodically, and its reference and current states are compared. If the current technical state does not match the reference state, a corresponding message is generated.

EFFECT: higher level of active network hardware protection.

2 cl, 2 dwg

 

The invention relates to the field of information systems protection, namely to ensuring trusted integration of active network equipment control systems into a distributed computing system by automated filtering of the interaction flows between the control systems and the active network equipment, and by identifying adverse control flows that result from compromise of the control systems through unauthorized access or from the triggering of software implants (so-called software bookmarks) within them.

Modern distributed computer systems are built from a large number of active network devices: switches, routers, gateways and servers. To secure such systems, standard protection mechanisms are used: authentication and access control for individual network services. The distributed nature of large computer systems and the large number of different network devices make manual administration very difficult.

Typically, the active network equipment control system is a hardware and software complex that implements one of the standard network management protocols. Such systems are able to solve a variety of tasks, from managing the network configuration to handling the errors that arise in the course of such management. Building distributed computing systems raises the pressing problem of protection against unauthorized access through the active network equipment control system: the absence of security administration mechanisms in control systems exposes the active network equipment to computer attacks on switches and routers, which are important links between the nodes of a distributed computing system. Having captured them, an attacker could potentially gain access not only to the network devices but to all network nodes.

The object of the invention is to provide a method of trusted integration of active network equipment control systems into a distributed computing system, and a system for its implementation, whose use ensures the security of the active network equipment and reduces the time and resource costs of securing access to it, owing to the possibility of using a single instance of the control system for all kinds of active network equipment.

A known method of filtering control actions underlies devices of the firewall type, in which only those actions explicitly specified by the administrator through the interactive interface provided by the firewall are permitted to reach the controlled active network equipment [http://wiki.mvtom.ru/index.php/_].

A disadvantage of this known technical solution is the absence of functions that protect against an intruder and against the action of software implants capable of disrupting the operation of the equipment.

The closest technical solution is a packet-filtering firewall [http://www.npo-rtc.ru/product/sspt-2/], the method of which consists of the following steps:

populating a database containing a description of the control actions of the network equipment control system, including the set of protocols, the command types within the protocols, and the individual control commands;

populating a database containing a description of the set of controlled active network equipment and of the active network equipment control systems, including the identification parameters of the equipment: IP addresses and network names;

populating a database containing a description of the filtering rules for control commands, in the form of records each describing a correspondence between a set of admissible control actions of the control systems and a set of controlled active network devices;

recording the control commands transmitted over the network from the active network equipment control systems to the active network equipment, and processing them, which includes extracting the identification parameters (IP addresses and network names) of the active network equipment and of the control systems and filtering the control commands by comparing the allowed control actions specified in the filtering-rules database with the recorded control commands; the difference of the two sets determines which control actions are untrusted;

blocking the control actions if they are untrusted, or forwarding them on to the active network equipment if they are not;

continuing cyclically to record the control commands transmitted over the network, thereby providing continuous filtering of the control commands of the active network equipment.

However, this solution is aimed at preventing external computer attacks on the controlled network equipment; it does not provide protection from an internal intruder with physical access to the equipment, nor from software implants that may potentially be present within the technical solution itself. Thus the existing solutions do not solve the problem completely and do not provide sufficient security of active network equipment.

The technical result of the proposed solution is securing the active network equipment and reducing the time and resource costs of securing access to it, owing to the possibility of using a single instance of the control system for all kinds of active network equipment.

The technical problem is solved in that, in the method of trusted integration of active network equipment control systems into distributed computer systems, the following steps are performed:

recording the reference technical state of the active network equipment: the list of open network ports, checksums of the configuration files and software files, and checksums of the results of control actions issued by the active network equipment control system;

performing periodic monitoring of the state of the active network equipment by comparing the reference technical state with the current (at the time of comparison) technical state, and displaying a message if the current technical state does not conform to the reference;

populating a database containing a description of the control actions of the network equipment control system, including the set of protocols, the command types within the protocols, and the control commands;

populating a database containing a description of the set of controlled active network equipment and of the active network equipment control systems, including the identification parameters of the equipment: IP addresses and network names;

populating a database containing a description of the filtering rules for control commands, in the form of records each describing a correspondence between a set of admissible control actions of the control systems and a set of controlled active network devices;

recording the control commands transmitted over the network from the active network equipment control systems to the active network equipment, and processing them, which includes extracting the identification parameters (IP addresses and network names) of the active network equipment and of the control systems and filtering the control commands by comparing the allowed control actions, specified in the database describing the filtering rules for control commands, with the recorded control commands; the difference of the two sets defines which control actions are untrusted;

blocking the control actions if they are untrusted, or passing them on to the active network equipment if they are not;

then continuing cyclically to record the control commands transmitted over the network, thereby providing continuous filtering of the control commands of the active network equipment.

The essential new features are:

recording the reference technical state of the active network equipment, including the list of open network ports, checksums of the configuration files and software files, and checksums of the results of control actions issued by the active network equipment control system;

performing periodic monitoring of the technical state of the active network equipment by comparing the reference and current (at the time of comparison) technical states, and issuing a message if the current technical state does not conform to the reference.

These new essential features, in combination with the known ones, make it possible to provide a trusted environment for integrating active network equipment into distributed computing systems, neutralizing external threats posed by untrusted equipment and internal threats from unauthorized users with physical access to the controlled equipment.

The system for trusted integration of active network equipment control systems into a distributed computing system is a gateway installed in-line in the communication channel between the active network equipment and the network equipment control system, and includes:

a technical-state control module for the active network equipment, which records the reference technical state of the equipment (list of open network ports, checksums of configuration files and software files, checksums of the results of control actions of the control system) and performs periodic monitoring of the equipment state by comparing the reference and current (at the time of comparison) technical states;

a control-action specification module, which populates the database containing the description of the control actions of the active network equipment control system, including the set of protocols, the command types within the protocols, and the individual commands;

an active network equipment accounting module, which populates the database containing the description of the set of controlled active network equipment and of the active network equipment control systems;

a command-filtering rule definition module, which populates the database containing the description of the filtering rules for control commands, including records that map the set of allowed control actions of the control systems onto the set of controlled active network devices;

and, connected to these, a control-command filtering module, which records the control commands transmitted over the network from the control systems to the active network equipment, processes them (extracting the identification parameters, IP addresses and network names, of the active network equipment and of the control systems), filters the control commands by comparing the allowed control actions from the filtering-rules database with the recorded control commands, determines from the difference of the two sets which control actions are untrusted, and blocks the untrusted control actions while passing the trusted (allowed) control actions on to the active network equipment.

The invention is explained with reference to Fig. 1 and Fig. 2. Fig. 1 is a diagram of the method of trusted integration of active network equipment control systems into a distributed computing system. Fig. 2 is a modular diagram of the system for trusted integration of active network equipment control systems into a distributed computing system.

Accordingly, the method performs automated analysis of the information flows initiated by the active network equipment control systems, identifies adverse control flows resulting from compromise of the control systems through unauthorized access or the presence of software implants, and provides trusted integration of the control systems into the distributed computing system by using the proposed system as a trusted gateway between the active network equipment and its control system, which eliminates the possibility of remote management of the distributed computing system that bypasses the proposed system. To automate security assurance of distributed computing systems, the method and the system for its implementation described in this invention rely on the use of a single instance of the system for all kinds of active network equipment. In addition, the system can implement the security, audit and technical-state control functions that are missing in the network equipment itself.

In the method, the reference technical state of the active network equipment is recorded by connecting to the active device and reading the list of open network ports, the configuration files and the software files through the file transfer protocols supported by the equipment; checksums of the received files are calculated; control commands are sent to the active network equipment over one of the control protocols supported by the equipment, the results of executing these commands are read, checksums of the results are calculated, and the checksums obtained are stored on the hard disk.

Then periodic monitoring of the state of the active network equipment is performed by comparing the reference and current (at the time of comparison) technical states of the active network equipment, and a message is displayed if the current technical state does not conform to the reference.

The checksums are compared sequentially, for each file and for each result of control command execution, according to the rules of string comparison.
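The reference-state recording and periodic check described above, as an added example that is not part of the patent: the device is simulated by an in-memory set of constructed artifacts (port list, configuration and software files, control-command results), and the function and variable names are assumed.

```python
"""Added example (not the patent's own code): record the reference technical
state of a device and check the current state against it, checksum by checksum."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Checksum used for files and command results (algorithm is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def record_reference(open_ports, files, command_results):
    """Build the reference state: the sorted port list, plus a checksum for every
    configuration/software file and for every control-command result."""
    return {
        "open_ports": sorted(open_ports),
        "files": {name: sha256_hex(content) for name, content in files.items()},
        "command_results": {cmd: sha256_hex(out) for cmd, out in command_results.items()},
    }


def check_state(reference, open_ports, files, command_results):
    """Compare the current state with the reference. Checksums are compared one by
    one as strings; returns a list of deviation messages (empty list = conforming)."""
    current = record_reference(open_ports, files, command_results)
    messages = []
    if current["open_ports"] != reference["open_ports"]:
        messages.append(
            f"open ports changed: {reference['open_ports']} -> {current['open_ports']}")
    for kind in ("files", "command_results"):
        for name, ref_sum in reference[kind].items():
            cur_sum = current[kind].get(name)
            if cur_sum is None:
                messages.append(f"{kind}: {name} missing from current state")
            elif cur_sum != ref_sum:  # string comparison of the hex digests
                messages.append(f"{kind}: {name} checksum mismatch")
        for name in current[kind].keys() - reference[kind].keys():
            messages.append(f"{kind}: unexpected new entry {name}")
    return messages


# Constructed sample device state; stands in for what the gateway would read over
# the file-transfer and control protocols the equipment supports.
REF_PORTS = [22, 161]
REF_FILES = {
    "boot.cfg": b"vlan 10\nip interface mgmt 192.168.1.1\n",
    "image.bin": b"\x7fELF-constructed-firmware-image",
}
REF_RESULTS = {"show running-config": b"! running config\nvlan 10\n"}


def demo():
    """Record the reference, then check a later state with an extra open port
    and a modified configuration file; returns the deviation messages."""
    reference = record_reference(REF_PORTS, REF_FILES, REF_RESULTS)
    tampered = dict(REF_FILES)
    tampered["boot.cfg"] = REF_FILES["boot.cfg"] + b"telnet enable\n"
    return check_state(reference, [22, 23, 161], tampered, REF_RESULTS)


if __name__ == "__main__":
    for msg in demo():
        print("ALERT:", msg)
```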

Then the database containing the description of the control actions of the network equipment control system is populated with the following information:

the set of control protocols, represented as a set of names assigned to them in accordance with the RFC standards;

the set of message types of the control protocols, represented as a set of names assigned in accordance with the standards;

the set of individual commands of the control protocols.

Then the database containing the description of the set of controlled active network equipment and of the active network equipment control systems is populated, including the identification parameters of the equipment: IP addresses and names given in accordance with RFC 1918.

Then the database containing the description of the filtering rules for control commands is populated, including rules that map a set of control actions of the control systems onto a set of controlled active network devices, thereby defining the set of allowed control actions.

When these databases are populated, the naming conventions for the set of command types of the control protocols and for the individual commands of the control protocols are determined by the specific implementation of the information system.

Then the control commands transmitted over the network from the active network equipment control systems to the active network equipment are recorded and processed: the identification parameters (IP addresses and network names) of the active network equipment and of the control systems are extracted, and the control commands are filtered by comparing the allowed control actions from the database describing the filtering rules with the recorded control commands; the difference of the two sets determines which control commands are untrusted.

The comparison of allowed and recorded control actions is performed according to the rules of set comparison.

If the identification parameters of the active network equipment obtained from the recorded control commands are not included in the set of controlled active network equipment, the current control action is considered untrusted.

If the identification parameters of the network equipment control system obtained from the recorded control commands do not match the description of the network equipment control system, the current control actions are considered untrusted.

Then the control actions are blocked if they are untrusted, or passed on to the active network equipment if they are not. Recording of the control commands transmitted over the network then continues cyclically, providing continuous filtering of the control commands of the active network equipment.

To automate the method of trusted integration of active network equipment control systems into distributed computer systems, the system (Fig. 2) is used, which includes the technical-state control module for active network equipment, the command-filtering rule definition module, the control-command filtering module, the control-action specification module, and the active network equipment accounting module.

The method of trusted integration of active network equipment control systems into a distributed computing system is implemented in the proposed system as follows.

The control-action specification module populates the database containing the description of the control actions of the network equipment control system, including the set of protocols, the command types within the protocols, and the individual commands. The result of this module's operation is the base of admissible control actions originating from the active network equipment control systems.

The active network equipment accounting module collects the identification parameters of the controlled active network equipment and of the network equipment control systems, for which the network names and IP addresses of these devices are used. This module stores the device identification parameters and supports editing of this set, allowing the user to add devices to and remove them from the list of controlled devices. The result of this module's operation is the set of parameters describing the controlled active network equipment and the active network equipment control systems.

The command-filtering rule definition module contains the description of the filtering rules for control commands, including rules that map a set of control actions of the control systems onto a set of controlled active network devices, thereby defining the set of allowed control actions.

The control-command filtering module collects the network traffic arriving at the gateway input from the network equipment control system and performs its primary processing, during which it extracts the application-layer data of the OSI/ISO stack and compares the extracted identification parameters with the set of parameters describing the controlled active network equipment and the network equipment control system produced by the active network equipment accounting module. Next, the module checks the current control action for conformity with the message types of the control protocol, the command types and the individual commands of the control protocol, according to the base of admissible control actions produced by the control-action specification module. The module then compares the allowed values of control actions, formulated in the database describing the filtering rules, with those presented by the active network equipment control system, determines from the difference of the two sets which control actions are untrusted, and blocks them.

Consider an example implementation of the proposed technical solution: trusted integration of the WhatsUpGold active network equipment control system into a distributed computer system whose controlled active network equipment includes Alcatel OmniSwitch 6850 network switches.

The database containing the description of the set of controlled active network equipment and of the active network equipment control systems contains the following identification parameters (IP addresses): for the active network equipment, 192.168.1.1/24 and 192.168.1.2/24; for the network equipment control system, 10.0.10.1/24.

The database containing the description of the control actions of the WhatsUpGold network equipment control system includes the following:

the set of control protocols: SSH, Telnet, SNMP, ICMP;

the set of command types of the SNMP control protocol: GetRequest, SetRequest, GetNextRequest, GetResponse, Trap, GetBulkRequest, InformRequest, Report;

the set of individual commands of the SNMP control protocol, written in MIB-2 format: 1.3.1.6.12.3.1.1.

The database containing the description of the filtering rules for control commands is written in the form of access rules. These rules map the set of control actions of the control systems onto the set of controlled active network devices, thereby defining the set of authorized control actions (row header: the control system; column headers: the controlled switches):

10.0.10.1            192.168.1.1          192.168.1.2
Control protocol     SNMP                 SSH, SNMP
Command types        -                    GetRequest
Separate commands    1.3.1.6.12.3.1.1     -

The filtering rules allow control commands of type GetRequest of the SNMP control protocol, and commands sent via SSH, directed to the network switch with ID 192.168.1.2 from the control system with ID 10.0.10.1. Also allowed are control commands with command ID 1.3.1.6.12.3.1.1 of the SNMP control protocol directed to the network switch with ID 192.168.1.1 from the control system with ID 10.0.10.1.

Processing of the control commands arriving from the active network equipment control systems includes extracting, for each recorded control action, the identification parameters of the active network equipment to which the action is directed and the identification parameters of the network equipment control system. For instance, in this example a control command was recorded and the following identification parameters were extracted: active network equipment, 192.168.1.1; network equipment control system, 10.0.10.1.

The content of the recorded control flow showed the presence of a control action from a network equipment control system belonging to the set described earlier (10.0.10.1); that the flow is directed at active network equipment belonging to the set of controlled active network equipment (192.168.1.1); and that the protocol belongs to the set of control actions of the active network equipment control system (control protocol SNMP, command 1.3.1.6.4.1.2.2), so that at this stage the current control flow is not considered untrusted.

Comparison of the allowed values of control actions formulated in the filtering rules for this active network equipment (control protocol SNMP, command 1.3.1.6.12.3.1.1) with the recorded values of the control action, identified against the set of control actions of the active network equipment control system (control protocol SNMP, command 1.3.1.6.4.1.2.2), showed that the difference of the two sets is the empty set. Accordingly, this control action is considered untrusted and is blocked.

In this example the control action is blocked because the SNMP control protocol command is not in the allowed list.
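The filtering decision of the worked example above, as an added example that is not part of the patent: the accounting, specification and rule databases are filled with the constructed values from this page, and the final check is implemented the way the last paragraph states it, i.e. the recorded action is untrusted if it presents any protocol, command type or command that the rule for its control-system/equipment pair does not allow. The data-structure layout and function names are assumptions.

```python
"""Added example (not the patent's own code): rule-based filtering of recorded
control commands at the trusted gateway, using the page's WhatsUpGold / OmniSwitch
example data."""
from dataclasses import dataclass
from typing import Optional

# Base of admissible control actions (control-action specification module).
SPEC = {
    "protocols": {"SSH", "Telnet", "SNMP", "ICMP"},
    "command_types": {"SNMP": {"GetRequest", "SetRequest", "GetNextRequest",
                               "GetResponse", "Trap", "GetBulkRequest",
                               "InformRequest", "Report"}},
}

# Accounting module: controlled equipment and control systems (addresses from the page).
CONTROLLED_EQUIPMENT = {"192.168.1.1", "192.168.1.2"}
CONTROL_SYSTEMS = {"10.0.10.1"}

# Rule definition module: (control system, equipment) -> allowed control actions.
# An empty set corresponds to a "-" cell of the page's rule table.
RULES = {
    ("10.0.10.1", "192.168.1.1"): {"protocols": {"SNMP"}, "command_types": set(),
                                   "commands": {"1.3.1.6.12.3.1.1"}},
    ("10.0.10.1", "192.168.1.2"): {"protocols": {"SSH", "SNMP"},
                                   "command_types": {"GetRequest"}, "commands": set()},
}


@dataclass(frozen=True)
class ControlAction:
    src: str                        # control system address from the recorded packet
    dst: str                        # active network equipment address
    protocol: str
    command_type: Optional[str] = None
    command: Optional[str] = None   # individual command, e.g. an SNMP OID


def classify(action, spec=SPEC, equipment=CONTROLLED_EQUIPMENT,
             systems=CONTROL_SYSTEMS, rules=RULES):
    """Return (trusted, reason) for one recorded control action."""
    # 1. Identification parameters must belong to the accounted sets.
    if action.src not in systems:
        return False, "source is not a registered control system"
    if action.dst not in equipment:
        return False, "destination is not controlled equipment"
    # 2. The action must be describable by the base of admissible control actions.
    if action.protocol not in spec["protocols"]:
        return False, "protocol not in control-action specification"
    if action.command_type is not None and \
            action.command_type not in spec["command_types"].get(action.protocol, set()):
        return False, "command type not in control-action specification"
    # 3. Compare what the action presents with what the rule for this pair allows.
    rule = rules.get((action.src, action.dst))
    if rule is None:
        return False, "no filtering rule for this control system / equipment pair"
    presented = {("protocol", action.protocol)}
    if action.command_type is not None:
        presented.add(("command_type", action.command_type))
    if action.command is not None:
        presented.add(("command", action.command))
    allowed = ({("protocol", p) for p in rule["protocols"]}
               | {("command_type", t) for t in rule["command_types"]}
               | {("command", c) for c in rule["commands"]})
    excess = presented - allowed   # recorded minus allowed: non-empty => untrusted
    if excess:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(excess))
        return False, "not allowed by filtering rule: " + detail
    return True, "allowed"


def gateway(actions):
    """Process a recorded flow: return (forwarded, blocked) lists of (action, reason)."""
    forwarded, blocked = [], []
    for action in actions:
        ok, reason = classify(action)
        (forwarded if ok else blocked).append((action, reason))
    return forwarded, blocked


if __name__ == "__main__":
    # Constructed sample flow; the first action is the page's worked example.
    flow = [
        ControlAction("10.0.10.1", "192.168.1.1", "SNMP", command="1.3.1.6.4.1.2.2"),
        ControlAction("10.0.10.1", "192.168.1.1", "SNMP", command="1.3.1.6.12.3.1.1"),
        ControlAction("10.0.10.1", "192.168.1.2", "SNMP", command_type="GetRequest"),
        ControlAction("10.0.10.1", "192.168.1.2", "SSH"),
        ControlAction("10.0.10.1", "192.168.1.1", "SSH"),
        ControlAction("10.0.10.2", "192.168.1.1", "SNMP", command_type="GetRequest"),
    ]
    for action, reason in gateway(flow)[1]:
        print("BLOCK", action.src, "->", action.dst, action.protocol, ":", reason)
```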

The invention provides trusted integration of active network equipment control systems into a distributed computing system, protecting the active network equipment and reducing the time and resource costs of securing access to it, owing to the possibility of using a single instance of the control system for all kinds of active network equipment. Filtering control actions at the level of control protocols, command types of the control protocols, and specific protocol control commands is a universal mechanism with respect to the various types of end devices, and accordingly makes the proposed method of trusted integration of control systems into the distributed computing system independent of the type and purpose of the active network equipment and control systems that form the distributed computing system.

1. A method of trusted integration of active network equipment control systems into a distributed computing system, consisting in that: a database is populated containing a description of the control actions of the network equipment control system, including the set of protocols, the command types within the protocols and the control commands; a database is populated containing the description of the set of controlled active network equipment and of the active network equipment control systems, including the identification parameters of the equipment: IP addresses and network names; a database is populated containing the description of the filtering rules for control commands in the form of records each describing a correspondence between a set of admissible control actions of the control systems and a set of controlled active network devices; the control commands transmitted over the network from the active network equipment control systems to the active network equipment are recorded and processed, with extraction of the identification parameters (IP addresses and network names) of the active network equipment and of the control systems, and the control commands are filtered by comparing the allowed control actions specified in the filtering-rules database with the recorded control commands, the difference of the two sets determining which control actions are untrusted; the control actions are blocked if they are untrusted, or passed on to the active network equipment if they are not untrusted; and recording of the control commands transmitted over the network then continues cyclically, providing continuous filtering of the control commands of the active network equipment; characterized in that, beforehand, the reference technical state of the active network equipment is recorded: the list of open network ports, checksums of the configuration files and software files, and checksums of the results of control actions of the active network equipment control system, and periodic monitoring of the state of the active network equipment is performed by comparing the reference and current (at the time of comparison) technical states of the active network equipment, with a message displayed if the current technical state does not conform to the reference.

2. A system for trusted integration of active network equipment control systems into a distributed computing system, containing a technical-state control module for active network equipment, a command-filtering rule definition module, a control-command filtering module, a control-action specification module and an active network equipment accounting module, wherein the outputs of the technical-state control module, the command-filtering rule definition module, the control-action specification module and the active network equipment accounting module are connected to the input of the control-command filtering module.



 

Same patents:

FIELD: physics, communications.

SUBSTANCE: invention relates to means of controlling packet processing. The method includes generating a processing rule which sets a matching and processing rule for a packet corresponding to a matching rule; generating processing and first identifier rules for identifying said first processing rule, wherein the processing rule includes a matching rule for matching with information included in the packet, and a packet processing instruction corresponding to the matching rule; sending the processing and first identifier rules to a node, said node determining whether to process the received packet according to the instruction depending on whether a second identifier attached to the first packet corresponds to the first identifier.

EFFECT: shorter time for establishing a connection.

21 cl, 33 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention discloses a system for achieving traffic wholesale based on a soft switch, which includes a soft switch and one or more trunk gateways connected with the soft switch via an IP network. Logical resources of the soft switch include one or more trunk groups, and each trunk group includes a plurality of trunk circuits. Each trunk gateway corresponds to one or more trunk groups, and part or all of main circuits of the trunk gateways establish a corresponding relationship with the trunk circuits of corresponding trunk groups. The logical resources including the trunk groups and the trunk circuits of the trunk groups are allocated to lessees, and charging and service configurations for the trunk groups allocated to the lessees are set.

EFFECT: improved efficiency of allocating traffic.

12 cl, 2 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to a communication unit, a communication system, a communication method for measurement of state of a communication route. The communication system contains an adder section, a measurement section, a section of notification on measurement results, a processing rule storage section and a processing section. The adder section adds data for measurement of the communication state to the reception frame when the communication unit is an input boundary node of a network. The measurement section measures the communication state on the basis of data of measurement of the communication state when the communication unit is an output boundary node of a network. The section of notification notifies on measurement result the control unit which controls a network. The processing rule storage section addresses to data of the reception frame identifier and saves the processing rule, correlating the data of identification of the reception frame and processing of the reception frame. The processing section processes the reception frame on the basis of the processing rule.

EFFECT: possibility to switch a route at a high rate by means of server control according to network communication network.

16 cl, 15 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to means of enabling one communication device to obtain access to data, such as a set of media items, accessible through another communication device. The method includes transmitting identification code information between a first communication device, a second communication device and a server; associating the identification code with the first communication device or providing said identification code with a set of media items accessible through the first communication device, wherein the set of media items is associated with access rules; sending, by the first communication device, information relating to said set of media items to the server, wherein the information includes access rules; receiving, by the server, the information relating to said set of media items; generating, by the server, account data relating to said set of media items and associated access rules; sending, by the server, the account data to the second communication device; receiving the account data by the second communication device, which enables the second communication device to access said set of media items.

EFFECT: obtaining access to a set of media items accessible through a different communication device.

39 cl, 9 dwg

FIELD: radio engineering, communication.

SUBSTANCE: method comprises: detecting change in the connection between an external station (E1) and a proxy gateway (G1); generating, if change has been detected, a proxy information serial number (PISN) either (i) through increment of the existing proxy information serial number (EPISN) for a specific MAC address pair (SMACAP) by at least one, or (ii) using the serial number of a message of item encoded by a standard hybrid wireless mesh protocol, wherein said serial number is greater than the serial number of a previously created message or item, encoded by the standard hybrid wireless mesh protocol; generating an extended proxy information item (EPI) through: a first field (F1), which indicates addition or removal of a connection, presence of a third field (F3) and presence of a fifth field (F5); a second field (F2), which includes an external MAC address (EMACA); a third field (F3), which includes a proxy MAC address (PMACA), wherein presence of the third field (F3) is indicated by the first field (F1); a fourth field (F4), which includes the proxy information serial number (PISN); a fifth field (F5), which includes the proxy information life (PILIFE), wherein presence of the fifth field (F5) is indicated by the first field (F1).

EFFECT: faster data transmission in a network.

7 cl, 5 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to a method of transmitting information over a network. The method comprises transmitting from a first station to a second station, wherein the first station comprises at least one buffer memory for storing data packets intended for transmission, wherein the method includes steps where (a) the first station estimates the status of at least one buffer memory, (b) the first station transmits at least one buffer status packet which is the buffer memory status, wherein the method further includes a step (c) of adapting the value of the first parameter of the buffer status packets based on data traffic characteristics.

EFFECT: buffer status reporting (BSR) providing sufficient information on the real state of buffers of the second station during high activity thereof.

13 cl, 6 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to wireless cellular/self-organizing (ad hoc) networks, particularly to processing of route request messages in on-demand routing protocols. Proposed is a method of discovering a route between a source node and a destination node, which includes setting an intermediate-reply flag in the route request message by the source node, flooding the message through said wireless network, and replying to said request by the first intermediate node that has a current route to the destination node. A system and method for finding the best route are also described. The route reply message becomes the first route message. Selection of the best route between the destination node and the source node is made on the basis of the cumulative metrics carried in the route request messages received by the destination node. An additional route reply message is created and sent by unicast to the source node.

EFFECT: fast detection of the route with optimum metrics between source node and one or more destination nodes.

26 cl, 6 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to means of receiving/transmitting data in a wireless communication system. The method includes fragmenting a data packet into two or more fragments; configuring a medium access control protocol data unit (MAC PDU), the MAC PDU including at least one of the two or more fragments, a first header containing control information about the MAC PDU which includes the at least one of the two or more fragments, and a fragmentation extended header (FEH) providing information on the data packet fragment, wherein the first header contains an indicator indicating that the FEH is present following the first header, wherein the FEH contains a type field identifying a type of the FEH and the FEH has a variable length depending on whether the fragmented data packet is a real-time data packet or not, and wherein the FEH has a shorter length when the fragmented data packet is a real-time data packet than when the fragmented data packet is a non-real-time data packet; and transmitting the configured MAC PDU to a receiving side.

EFFECT: shorter header processing time.

12 cl, 13 dwg, 17 tbl

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to Internet communication. The system employs network elements, which include an acceleration server, clients, agents and peers, where communication requests generated by applications are intercepted by a client in the same computer. The IP address of the server is transmitted to the acceleration server, which provides a list of agents for use for said IP address. One or more agents respond with a list of peers who previously possessed some or all of the content, which is a response to said request. The client then downloads data from said peers in parallel and in parts.

EFFECT: reducing network overload for content owners and Internet service providers.

16 cl, 15 dwg

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to handover between technologies for multi-mode mobile devices and is designed for handover of a multi-mode mobile device from a first network technology to a second network technology. The method includes initiating by the multi-mode mobile device a first packet session in a first wireless network in an area of multi-technology wireless coverage and detecting by a multi-mode mobile device a second wireless network supporting a different access network technology than the first wireless network; determining a quality of service requirement for services supported by the session, and completing initial network entry and session establishment procedures by the multi-mode mobile device for a second session in the second wireless network when the first session includes at least one of a QoS sensitive service and real time service by the first wireless network and mobile device, and not completing initial network entry and session establishment procedures by the multi-mode mobile device when no QoS sensitive service and real time services are supported by the mobile device and first wireless network.

EFFECT: high throughput.

8 cl, 4 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to computer engineering. A robust and secure hardware-computer system in a cloud computing environment includes, interconnected over a network, a first group of operating computers and a second group of computers for storing program sessions, as well as a control computer through which the second group of computers for storing program sessions, high-performance computing resources and partitioned file storages are connected, wherein the system additionally includes a hypervisor, a security system which includes an attack detection and prevention module, a firewall module and a module for protection from unauthorised access, and a fault-tolerance system which includes a module for providing fault-tolerance at the hardware resource level, a module for monitoring service virtual machines and a module for providing fault-tolerance of services.

EFFECT: improved reliability of the system and fast recovery of resources lost due to faulty equipment.

FIELD: physics, computation hardware.

SUBSTANCE: invention relates to computer engineering. Program module code is loaded into main memory by the security system processor before OS execution begins, into a main memory address range outside that used by said OS. Once started, the OS redirects accesses to said program module from the user program to the main memory address at which the program module was loaded before OS execution began. This is done with the help of a file system that automatically associates the program module address in the user program's virtual memory space with the physical main memory address of the program module.

EFFECT: faults in OS operation are ruled out.

15 cl, 5 dwg

FIELD: information technology.

SUBSTANCE: method uses the principle of masking the side electromagnetic radiation and leakage (SEMRL) of the main tablet computer with similar false SEMRL from a second tablet computer: identical false SEMRL, inseparable from the main SEMRL, are created and mask the operation of the main tablet computer. The main and the additional tablet computers used are completely identical in hardware components and internal topology. The additional tablet computer is placed with its screen under the bottom of the main tablet computer, parallel to it and symmetrically aligned on corresponding sides, without touching it, at a distance of less than a quarter of the wavelength corresponding to the processor clock frequency common to both devices.

EFFECT: providing protection of the tablet computer from information leakage without the use of a noise generator.

FIELD: radio engineering, communication.

SUBSTANCE: method is carried out by inputting identification code information of identified objects into the differential time offset of noise-like signals used as request and response signals. The system consists of an identifier placed on an aircraft and a ground-based identification device. The main parts of said devices are correlation meters for determining the differential time offset of noise-like signals used for identification.

EFFECT: high security of the identification owing to invariance to interception of confidential information, high noise-immunity of the system.

4 cl, 3 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to computer engineering. A method of preventing unauthorised use of vehicle equipment, based on use of software, the method comprising determining, using a vehicle computer system, that the infotainment system is turned on; receiving a unique identification number of the vehicle from a vehicle network associated with the vehicle in which the infotainment system is installed; comparing the unique identification number of the vehicle with a stored identification number of the vehicle, previously associated with the infotainment system; providing access to the infotainment system only if the unique identification number of the vehicle matches the stored identification number of the vehicle; otherwise blocking use of the infotainment system.

EFFECT: effective prevention of unauthorised use of stolen equipment in another vehicle.

3 cl, 5 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to computer engineering. A method for electronic notary certification of text information, which includes preliminary registration of a contractor in an "electronic notary" system; when sending information by electronic mail, indicating in the "copy" field the address of the automatic "electronic notary" system; upon receiving a copy of the sent information, the automatic mail enters the copy into the personal accounts of the sender and the receiver with indication of the time of sending, the sender, the addressee of the information and all attachments comprising the information, wherein the automatic mail further notifies the addressee on the sending of information and storage of the certified copy of the sent information on the website in the personal account of the contractor.

EFFECT: confirming the sending of a document or file with indication of the date and time of sending via electronic mail.

4 cl

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to data processing. A data processing system has a browser with scripting engine means for executing a script. The scripting engine means implements a public scripting engine and a private scripting engine. The browser is configured to have the script executed by the public scripting engine if the script does not require access to a pre-determined resource at the system. The browser is configured to have the script executed by the private scripting engine if the script requires access to the pre-determined resource. Only the private scripting engine has an interface for enabling the script to access the predetermined resource. The scripting engine means is configured to prevent the private scripting engine from communicating data to the public scripting engine or to a server external to the data processing system if said data communication is not confirmed.

EFFECT: protecting private user data.

5 cl, 1 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to a method, a storage medium storing a software product, and devices for secure data transmission. The device contains an assignment unit (2) for assigning data connections (DV) from various initial components (SK), each through at least one intermediate component (ZK), to a common target component (ZK); a combining unit (3) for combining the intermediate components (ZK), depending on cryptographic information (KI), into one intermediate component (ZK) by means of at least one message exchange, the message exchange being performed according to a shared-key method, the HTTP Digest Authentication method, a challenge-response method, a keyed hash method, a hash function, the Diffie-Hellman method and/or a digital signature method; and a data transmission unit (4) for transmitting data (D) from the initial components (SK) through the combined intermediate component (ZK) to the target component (ZK).

EFFECT: improvement of security of data transmission.

14 cl, 12 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to activation of services using algorithmically configured keys. The method of subscribing a user to a service comprises: identifying, by the issuer computer, a user who is authorized to subscribe to a service on the basis of criteria determined by the issuer; extracting, by the issuer computer, data associated with the user and a shared data element which is shared by the issuer computer and the service provider computer; forming a first activation code by the issuer computer and sending the first activation code to the user; the user sending the first activation code and the data associated with the user to the service provider computer; and the service provider computer forming a second activation code and authorizing the user to subscribe to the service if the first and second activation codes are identical.

EFFECT: preventing security breaches of the data processing system.

20 cl, 9 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to a media device and a system for controlling access of a user to media content. Disclosed is a device (100, 200) for controlling access of a user to media content, the device comprising: an identification code output (102, 103, 202) for providing an identification code to the user, the identification code identifying the media device; a control code generator (104, 204) for generating a control code depending on the identification code and an access right; and an access code input (106, 107, 206) for receiving an access code from the user. The access code is generated, depending on the identification code and the access right, by a certain access code device; an access controller (108, 208) compares the access code with the control code and, when the access code matches the control code, grants the user access to the media content in accordance with the access right.

EFFECT: managing user access to media content, wherein access is granted specifically on the selected media device.

14 cl, 6 dwg

FIELD: devices and methods for using a server to access a processing server which performs given processing.

SUBSTANCE: according to the method, a reservation is requested, the reservation is confirmed, authentication information included in the reservation information is stored, a service is requested on the basis of the authentication information, server utilization is authenticated, and the server is utilized on the basis of the authentication result; at the reservation confirmation stage, the reservation control device transfers reservation setting information, and at the authentication stage, server utilization is confirmed only when the authentication information matches the authentication information transferred from the user terminal. The device comprises receiving means, an information generation device and transmitting means.

EFFECT: a method for using a server, a device for controlling server reservation and a program storage medium that provide multiple users with efficient use of the processing server's functions while reducing interference from unauthorized users, without complicated processing or authentication operations.

6 cl, 51 dwg
