System protection of workstations and information servers, computer systems and networks

 

(57) Abstract:

The invention relates to computing, in particular to information and computer systems and networks, and can be used to protect information resources in workstations and information servers. The technical result is an increase in the level of protection, achieved by making it possible to prevent unauthorized access to information and to detect the fact of unauthorized access even when the attacker does not distort the information. For this purpose the information protection system contains a memory block, a block forming the current checksum, a block comparing checksums, M blocks forming lists of current events, M blocks comparing the lists of current and sanctioned events, M blocks issuing the command to "destroy" (terminate) the current event, and a block generating the checksum-comparison signal. 3 figures.

The invention relates to computing, and in particular to information and computer systems and networks, and can be used to protect information resources in workstations and information servers.

A known system for protecting the information resources of a computer is a software package installed on a standalone computer or on the computers of a computer network. The system solves the problem of monitoring the integrity (non-distortion) of programs and data when the system is switched on.

Closest in technical nature to the claimed system (the prototype) is the information protection system built into the operating system Windows NT Server 4.0 (see the book by Valda Hill, "Secrets of Windows NT Server 4.0", Kiev, "Dialektika", 1997, pp. 14-15). There, checksums of files are computed at system startup. If the contents of a file have been changed in any way, the current checksum of the file will not coincide with the reference checksum. In that case a message about the integrity violation is displayed.

The system is shown in Fig. 1. The information protection system 1 includes a memory block 2 containing the functional software (FPO) block 3, the data block 4, the FPO checksum storage unit 5 and the data checksum storage unit 6, and in addition the current-checksum forming block 7 and the checksum comparison block 8. The output of FPO block 3 (first output of memory block 2) is connected to the first input of the current-checksum forming block 7, and the output of data block 4 (second output of memory block 2) to its second input; the third input of block 7 is connected to control input 9 (first input of the information protection system 1). The output of the FPO checksum storage unit 5 (third output of memory block 2) is connected to the first input of the checksum comparison block 8, and the output of the data checksum storage unit 6 (fourth output of memory block 2) to its second input; the third and fourth inputs of block 8 are connected to the first and second outputs of the current-checksum forming block 7 respectively; the fifth input of block 8 is connected to the checksum-comparison control input 10 (second input of the information protection system 1), and the output of block 8 is connected to the checksum-comparison control output 11 (output of the protection system 1).

Information protection consists in monitoring the integrity (non-distortion) of the programs (FPO) and data as follows. Memory blocks 5 and 6 store the checksums of the monitored blocks 3 and 4 respectively. On a command from control input 9, block 7 forms the current checksums of the information stored in blocks 3 and 4, and on a command from control input 10 these are compared with the checksums recorded in blocks 5 and 6. Block 8 compares the current and original checksums, and the result of the comparison is issued at control output 11. When a checksum mismatch is detected, the fact of unauthorized access to the information is recorded.
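The prototype's checksum mechanism, as an added example that is not the patent's or Windows NT's own code: the monitored regions of memory block 2 are byte strings, block 7 is a SHA-256 checksum (the hash function is an assumption, the page does not name one), blocks 5 and 6 are the reference checksums taken at startup, and block 8 is the comparison. The region contents are constructed samples. The demo reproduces the limitation the page raises next: an unauthorized read leaves every checksum intact, only a modification is caught.

```python
# Added example (not the patent's or Windows NT's own code): the prototype
# integrity check of Fig. 1 modelled in Python.  MEMORY stands for memory
# block 2 (FPO block 3 and data block 4), form_checksum for block 7,
# store_reference for the checksum storage units 5 and 6, and
# compare_checksums for block 8.  Region contents are constructed samples.
import hashlib
from typing import Dict, List

# Constructed sample contents of the monitored regions.
MEMORY: Dict[str, bytes] = {
    "fpo": b"\x7fELF sample program image (constructed, not a real binary)",
    "data": b"user=alice;role=operator;quota=100",
}


def form_checksum(content: bytes) -> str:
    """Block 7: form the current checksum of one region (SHA-256 is assumed here)."""
    return hashlib.sha256(content).hexdigest()


def store_reference(memory: Dict[str, bytes]) -> Dict[str, str]:
    """Blocks 5 and 6: record the reference checksums at system startup."""
    return {name: form_checksum(content) for name, content in memory.items()}


def compare_checksums(memory: Dict[str, bytes], reference: Dict[str, str]) -> Dict[str, bool]:
    """Block 8: compare current and reference checksums; True means unchanged."""
    return {name: form_checksum(content) == reference[name]
            for name, content in memory.items()}


def integrity_violations(memory: Dict[str, bytes], reference: Dict[str, str]) -> List[str]:
    """Names of the regions whose current checksum no longer matches the reference."""
    return sorted(name for name, ok in compare_checksums(memory, reference).items() if not ok)


def demo() -> tuple:
    """Illustrates the prototype's limitation described on the page: an
    unauthorized read leaves the checksums intact, only a modification is caught."""
    reference = store_reference(MEMORY)      # taken at startup
    memory = dict(MEMORY)
    _ = memory["data"]                       # a read changes nothing
    after_read = integrity_violations(memory, reference)
    memory["data"] = memory["data"].replace(b"role=operator", b"role=admin")
    after_change = integrity_violations(memory, reference)
    return after_read, after_change


if __name__ == "__main__":
    print(demo())   # ([], ['data'])
```

The reference checksums live in the same process as the monitored regions here; in the patent they are separate storage units 5 and 6, and the comparison only runs on the command at input 10, which is exactly why a read, or a write that is undone before the next comparison, goes unnoticed.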

The disadvantage of this system is the inefficient use of the integrity control mechanism: the fact of unauthorized access is recorded only when the attacker distorts the information (when information is read without distortion, the fact of unauthorized access is not registered), and this mechanism does not make it possible to prevent unauthorized access.

The aim of the invention is to raise the level of protection of a security system that implements the principle of information integrity control: to make it possible not only to detect but also to prevent unauthorized access to information, to detect the fact of unauthorized access even when the attacker does not distort the information, including detection and prevention of unauthorized access performed through errors and backdoors (planted code, "bookmarks") in software, and to improve the effectiveness of monitoring the integrity of programs and data.

This is achieved in that the information protection system, which contains a memory block comprising the FPO block, the data block, the FPO checksum storage unit and the data checksum storage unit, and, outside the memory block, the current-checksum forming block and the checksum comparison block, where the output of the FPO block (first output of the memory block) is connected to the first input of the current-checksum forming block, the output of the data block (second output of the memory block) to the second input of the current-checksum forming block, whose third input is connected to the checksum control input (first input of the system), the output of the FPO checksum storage unit (third output of the memory block) is connected to the first input of the checksum comparison block, the output of the data checksum storage unit (fourth output of the memory block) to the second input of the checksum comparison block, whose third and fourth inputs are connected to the first and second outputs of the current-checksum forming block respectively, and the output of the checksum comparison block is connected to the checksum-comparison control output (second output of the system), is additionally provided with: in the memory block, M units storing lists of sanctioned events and M units storing the checksums of the lists of sanctioned events; and, in the protection system, M blocks forming lists of current events, M blocks comparing the lists of current and sanctioned events, M blocks issuing the command to "destroy" (terminate) the current event, and a block generating the checksum-comparison signal. The outputs of the M units storing lists of sanctioned events (outputs 5 through M+4 of the memory block) are connected to inputs 4 through M+3 of the current-checksum forming block and to the first inputs of the M blocks comparing the lists of current and sanctioned events and of the M blocks issuing the "destruction" (termination) command. The first inputs of the blocks forming lists of current events are connected to the M information inputs for registering current events (M third inputs of the system), their second inputs to the M control inputs for registering current events (M fourth inputs of the system), and their outputs respectively to the second inputs of the blocks comparing the lists of current and sanctioned events, whose third inputs are connected to the M control inputs for comparing current and sanctioned events (M fifth inputs of the system) and whose outputs are connected to the control outputs of the list comparison results (M second outputs of the system), to the second inputs of the blocks issuing the "destruction" (termination) command, and to the first M inputs of the block generating the checksum-comparison signal, whose input M+1 is connected to the checksum-comparison control input (second input of the system) and whose output is connected to the fifth input of the checksum comparison block. The outputs of the blocks issuing the "destruction" (termination) command are connected to the M "destruction" (termination) control outputs, and the outputs of the units storing the checksums of the lists of sanctioned events are connected to inputs 6 through M+5 of the checksum comparison block.

The scheme of the information protection system 1 is shown in Fig. 2. It includes a memory block 2 containing the functional software (FPO) block 3, the data block 4, the FPO checksum storage unit 5, the data checksum storage unit 6, M units 12 storing lists of sanctioned events and M units 13 storing the checksums of the lists of sanctioned events. In addition, the information protection system 1 includes the current-checksum forming block 7, the checksum comparison block 8, M blocks 14 forming lists of current events, M blocks 15 comparing the lists of current and sanctioned events, M blocks 16 issuing the command to "destroy" (terminate) the current event, and the block 17 generating the checksum-comparison signal. The output of FPO block 3 (first output of memory block 2) is connected to the first input of the current-checksum forming block 7 and the output of data block 4 (second output of memory block 2) to its second input; the third input of block 7 is connected to control input 9 (first input of the information protection system 1). The output of the FPO checksum storage unit 5 (third output of memory block 2) is connected to the first input of the checksum comparison block 8, and the output of the data checksum storage unit 6 (fourth output of memory block 2) to its second input; the third and fourth inputs of block 8 are connected to the first and second outputs of the current-checksum forming block 7 respectively. The output of the checksum comparison block 8 is connected to the checksum-comparison control output 11 (first output of the protection system 1). The outputs of the units 12 storing lists of sanctioned events (outputs 5 through M+4 of memory block 2) are connected to inputs 4 through M+3 of the current-checksum forming block 7, to the M first inputs of the blocks 15 comparing the lists of current and sanctioned events, and to the first inputs of the blocks 16 issuing the "destruction" (termination) command. The first inputs of the blocks 14 forming lists of current events are connected to the M information inputs 18 for registering current events (M third inputs of the protection system 1), their second inputs to the M control inputs 19 for registering current events (M fourth inputs of the protection system 1), and their outputs respectively to the second inputs of the blocks 15 comparing the lists of current and sanctioned events. The third inputs of blocks 15 are connected to the M control inputs 20 for comparing current and sanctioned events (M fifth inputs of the protection system 1), and their outputs are connected to the control outputs 21 of the list comparison results, to the second inputs of the blocks 16 issuing the "destruction" (termination) command, and to the first M inputs of the block 17 generating the checksum-comparison signal, whose input M+1 is connected to the checksum-comparison control input 10 (second input of the information protection system 1) and whose output is connected to the fifth input of the checksum comparison block 8. The outputs of the blocks 16 issuing the "destruction" (termination) command are connected to the M "destruction" (termination) control outputs, and the outputs of the units 13 storing the checksums of the lists of sanctioned events are connected to inputs 6 through M+5 of the checksum comparison block 8.

The system works as follows. Within the proposed method, implemented by the claimed device, the information protection problem is to monitor the integrity (non-distortion) of the lists of sanctioned events (multi-level sequential integrity control). Control of the lists of sanctioned events may be synchronous (on a schedule) or asynchronous, implemented according to the principle "provided that...". In general, the idea of the approach is illustrated by Fig. 3 and consists in the following: on access to information, a fast sequential analysis of the non-distortion (integrity) of the lists of events is performed. In the case of unauthorized access, at least one event in the analysed set of lists must be violated (otherwise the access to the information is authorized), i.e. must be unauthorized. Such lists can be classified as:

the list of authorized users;

table of access rights of users (files, directories, devices, servers, and so on);

the list of allowed to run processes;

the list of open ports;

the list of connected devices;

the list of IP addresses or DNS names with which interaction is allowed;

the state of registry keys, etc.

The idea of the approach is that (and this has been confirmed by research) background analysis of the lists of sanctioned events is so fast that it makes it possible to prevent the unauthorized influence itself, i.e. to stop the attempt at unauthorized access.

When the proposed technology is applied to alternative operating environments (operating systems), the only difference lies in the set of lists (integrity control levels) of controlled events that a particular operating system can support.

When the proposed technology is applied to alternative variants of an organisation's information security policy, the only difference lies in the set of controlled lists (integrity control levels) and in the order and periodicity of their control.

This makes it possible to assert that the proposed approach can be unified across alternative applications: the conditions of use of the system are accounted for by setting its parameters within a single unified approach, illustrated in Fig. 3.

Now consider how the above method is implemented by the circuit shown in Fig. 2. The scheme introduces into the protection system, in the general case, M lists of sanctioned events. Blocks 12 store in memory the actual lists of sanctioned events. On a command from control input 19 (in a given sequence), blocks 14 form (record) the current lists of events from information inputs 18 (for example, by reading the table of registered users and the access-rights table, the table of connected devices, the set of running processes, the open ports, and so on); on a command from system input 20, blocks 15 compare these with the lists of sanctioned events held in blocks 12. Blocks 15 generate control signals at output 21, which then provide the reaction, for example by being recorded in the corresponding command (.bat) file of the operating system. In addition, these signals are passed to blocks 16 and to block 17. Blocks 16 form at output 22 the signals for "destruction" of unauthorized actions, such as a signal to terminate a running unauthorized process, a signal to restore the original table of permitted users or of user access rights, a signal to close the corresponding port in software, and so on. Block 17 generates the signal for comparing the current and original checksums of the FPO, of the data and of the actual lists of sanctioned events (which can also be changed), whose reference checksums are stored in blocks 13. Thus, this system can monitor the integrity of programs and data in two modes: synchronously, on a command at control input 10, and asynchronously, where the condition for the checksum comparison is the detection of distortion (an integrity violation) of a list of sanctioned events at the output of block 15. This feature of the system's operation is very important, because control of large amounts of data can take a long time (minutes), whereas control of a list of sanctioned events takes milliseconds. This approach significantly improves system performance when the procedure for checking the integrity of programs and data is started asynchronously.

The relevance of the modern problem of dealing with errors and backdoors is due to the fact that, on the one hand, they are almost impossible to detect and, on the other hand, particularly for errors, the high rate of change of software tools on the information technology market and the consequent reduction in development time increase their share in modern software tools. The probability of a software backdoor being present is perhaps a relatively constant value that depends more on the practical use of the system. To find errors before a system is put into operation, appropriate test programs are used, containing databases of known errors that have been accumulated over several years. As for finding errors, it must unfortunately be said that most of them are detected during the operation of systems, as is fully illustrated by the patches that keep appearing for widely used operating systems and other software tools. In other words, it is probably not possible to speak of a high level of protection from the risks associated with errors in modern software tools. From the point of view of the threats considered, such tools become safe only after some (sometimes quite long) period of operation and "testing" by hackers. Only when the attackers finally "tire", which can be estimated from the corresponding statistics of attacks and break-ins, can one speak of the relative security of the software with respect to these threats. Unfortunately, by that time the tool is already obsolete and requires replacement by a new, more complex one, developed as a rule in a shorter time frame and consequently containing more errors. The situation with finding backdoors is probably no more comforting, although their number in a software tool is limited. This is because backdoors are, as a rule, planted by qualified programmers who take all necessary measures to complicate their discovery. Unfortunately, despite ongoing research in the field of backdoor detection, it can be argued today that effective approaches to searching for backdoors are lacking; the authors of the study do not even know of any reasonable mathematical apparatus that would allow this process to be formalized and the results of the investigation to be quantified.

Thus, the key question is the information protection method implemented in the system: a method of effectively dealing with errors and backdoors in software. In the general case there are two options:

First, detection of unauthorized access to information (changes to data, files, programs, etc.). In this case the main load falls on the integrity control system. The disadvantage of this approach is that only the fact of a change to the information can be recorded, and note that it does not matter how the change was produced, whether through an error or a backdoor.

Second, prevention (non-admission) of unauthorized actions (registering new users, and so on). Here a large role belongs to event auditing. The idea of using this method is as follows. Whether the attacker uses an error or a backdoor in the software, he must perform some unauthorized actions (otherwise he is an authorized user operating within authorized rights), for example create a new user, assign himself a user with higher access rights, start an unauthorized process, open a port, change some registry settings, etc. The method consists in monitoring the lists of sanctioned events in the background and restoring them when distortion is detected, with the corresponding functional responses (e.g. terminating the process, closing the port, restoring the registry state or the database of user access rights, and so on). Because such control is highly efficient (note that these lists are typically small), it becomes possible to prevent the attacker's actions regardless of the nature of his unauthorized access to the information, including access using errors and backdoors.

The memory blocks are regions (separate blocks) of memory, either RAM or located on external media, and represent stored data arrays.

Block 7 is a software or hardware checksum calculator. This block stores the current checksum value until the next command to compute the current checksum arrives.

Block 8 is a software or hardware tool for pairwise comparison of checksum values.

Blocks 14 are software or hardware blocks for reading or analysing the lists of current events, for example a program that reads the required table from memory, or the standard programs for detecting open ports, running processes, etc.

Blocks 15 are software or hardware tools for line-by-line comparison of two tables (sanctioned and current events), recording the discrepancies.

Blocks 16 are software or hardware blocks that issue the command to "destroy" unauthorized events; here, depending on the controlled events, different implementations are possible, for example restoring the original rows in the tables of permitted users and access rights, closing the port in software, etc.

Block 17 is a software or hardware tool for generating the checksum-comparison signal. It implements some rule of mathematical logic, in the simplest case the "OR" rule, whereby detection of distortion of any list leads to the checksum comparison.

Thus, all the blocks used are implemented by standard means, based on the classical principles of computing.
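The operation of the Fig. 2 circuit described above and the block-by-block descriptions that follow it, as one added example that is not the patent's own code: M = 3 sanctioned lists (users, running processes, open ports) are compared line by line with the current lists (blocks 15), each discrepancy produces the "destruction" commands of blocks 16, the reference lists themselves are covered by checksums (units 13) since the page notes they can also be changed, and block 17 applies the "OR" rule to decide whether the full checksum comparison of programs and data must be started. All list contents are constructed sample data, and the reader callables stand in for the OS-specific readers the page names; the commands are returned as strings rather than executed.

```python
# Added example (not the patent's own code): the list-based integrity control
# of Fig. 2 modelled in Python for M = 3 lists.  SANCTIONED stands for the
# storage units 12, list_checksum/REFERENCE_LIST_SUMS for the checksum units 13,
# the reader callables for blocks 14, compare_lists for blocks 15,
# undo_commands for blocks 16 and checksum_trigger for block 17 (OR rule).
# All lists are constructed sample data; the readers stand in for the
# OS-specific readers named on the page (user table, process list, open ports).
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Listing = Set[str]


@dataclass
class Discrepancy:
    list_name: str
    unexpected: Set[str]   # present in the current list, absent from the sanctioned one
    missing: Set[str]      # sanctioned, but no longer present in the current list


# Units 12: sanctioned lists (constructed sample data).
SANCTIONED: Dict[str, Listing] = {
    "users": {"alice", "bob"},
    "processes": {"init", "sshd", "syslogd"},
    "open_ports": {"22", "514"},
}


def list_checksum(listing: Listing) -> str:
    """Checksum over the sorted lines of one list (contents of a unit 13)."""
    return hashlib.sha256("\n".join(sorted(listing)).encode()).hexdigest()


# Units 13: reference checksums of the sanctioned lists, taken at startup.
REFERENCE_LIST_SUMS: Dict[str, str] = {n: list_checksum(lst) for n, lst in SANCTIONED.items()}


def sanctioned_lists_intact(sanctioned: Dict[str, Listing]) -> bool:
    """Guard against tampering with the reference lists themselves (unit 13 check)."""
    return all(list_checksum(sanctioned[n]) == REFERENCE_LIST_SUMS[n] for n in REFERENCE_LIST_SUMS)


def compare_lists(name: str, sanctioned: Listing, current: Listing) -> Optional[Discrepancy]:
    """Block 15: line-by-line comparison, recording discrepancies in both directions."""
    unexpected, missing = current - sanctioned, sanctioned - current
    if not unexpected and not missing:
        return None
    return Discrepancy(name, unexpected, missing)


def undo_commands(d: Discrepancy) -> List[str]:
    """Block 16: the 'destruction' (undo) commands for one distorted list.
    Returned as strings; a real implementation would hand them to the OS."""
    cmds: List[str] = []
    if d.list_name == "processes":
        cmds += [f"terminate process {p}" for p in sorted(d.unexpected)]
    elif d.list_name == "open_ports":
        cmds += [f"close port {p}" for p in sorted(d.unexpected)]
    elif d.list_name == "users":
        cmds += [f"remove user {u}" for u in sorted(d.unexpected)]
        cmds += [f"restore user {u}" for u in sorted(d.missing)]
    return cmds


def checksum_trigger(results: Dict[str, Optional[Discrepancy]], reference_ok: bool) -> bool:
    """Block 17, OR rule: distortion of any list (or of the reference lists)
    starts the full checksum comparison of programs and data (block 8)."""
    return any(d is not None for d in results.values()) or not reference_ok


def run_cycle(readers: Dict[str, Callable[[], Listing]]):
    """One asynchronous control cycle over all M lists: read (14), compare (15),
    issue undo commands (16) and decide whether to trigger the checksum check (17)."""
    results = {name: compare_lists(name, SANCTIONED[name], read()) for name, read in readers.items()}
    commands = [c for d in results.values() if d is not None for c in undo_commands(d)]
    trigger = checksum_trigger(results, sanctioned_lists_intact(SANCTIONED))
    return results, commands, trigger


def demo():
    """A clean cycle and a cycle with a planted user, process and port (constructed)."""
    clean = {
        "users": lambda: {"alice", "bob"},
        "processes": lambda: {"init", "sshd", "syslogd"},
        "open_ports": lambda: {"22", "514"},
    }
    tampered = {
        "users": lambda: {"alice", "bob", "mallory"},
        "processes": lambda: {"init", "sshd", "syslogd", "unknown_svc"},
        "open_ports": lambda: {"22", "514", "8080"},
    }
    return run_cycle(clean), run_cycle(tampered)


if __name__ == "__main__":
    (_, clean_cmds, clean_trigger), (_, cmds, trigger) = demo()
    print(clean_cmds, clean_trigger)   # [] False
    print(cmds, trigger)               # three undo commands, True
```

The cycle is cheap because it only hashes and diffs a few small sets, which is the page's argument for running it continuously in the background and reserving the expensive checksum pass over programs and data for the case where the OR rule fires. Checking the reference lists against their own checksums before trusting them is the step that stops an attacker from simply adding himself to the sanctioned list.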

The advantages of the proposed information protection system include the following.

1. Implementation of a fundamentally new approach to information protection, based on the principle of integrity control.

2. A fundamentally new capability of protecting information not only against attempts by an attacker to bypass the protection mechanisms, but also against the use of errors and backdoors in software and hardware. In essence, for the claimed protection system it does not matter in what way an attacker tries to overcome the protection.

3. A fundamentally new capability of effectively controlling the integrity of programs and of detecting unauthorized access attempts from circumstantial evidence, namely attempts to distort the lists of sanctioned events, whose integrity can be checked orders of magnitude faster than that of programs and data. This advantage should be seen not merely as a way of improving the efficiency of integrity control procedures, but as making it possible to use them during the operation of the system (and not only when it is loaded), since otherwise, when the integrity control procedure is used synchronously, the information system works not for its functional purpose but for its own protection.

The information protection system, containing a memory block comprising the functional software (FPO) block, the data block, the FPO checksum storage unit and the data checksum storage unit, and, outside the memory block, the current-checksum forming block and the checksum comparison block, where the output of the FPO block (first output of the memory block) is connected to the first input of the current-checksum forming block, the output of the data block (second output of the memory block) to the second input of the current-checksum forming block, whose third input is connected to the checksum control input (first input of the system), the output of the FPO checksum storage unit (third output of the memory block) is connected to the first input of the checksum comparison block, the output of the data checksum storage unit (fourth output of the memory block) to the second input of the checksum comparison block, whose third and fourth inputs are connected to the first and second outputs of the current-checksum forming block respectively, and the output of the checksum comparison block is connected to the checksum-comparison control output (first output of the system), characterised in that the system is additionally provided with: in the memory block, M units storing lists of sanctioned events and M units storing the checksums of the lists of sanctioned events; and, in the protection system, M blocks forming lists of current events, M blocks comparing the lists of current and sanctioned events, M blocks issuing the command to "destroy" (terminate) the current event, and a block generating the checksum-comparison signal. The outputs of the M units storing lists of sanctioned events (outputs 5 through M+4 of the memory block) are connected to inputs 4 through M+3 of the current-checksum forming block and to the first inputs of the M blocks comparing the lists of current and sanctioned events and of the M blocks issuing the "destruction" (termination) command. The first inputs of the blocks forming lists of current events are connected to the M information inputs for registering current events (M third inputs of the system), their second inputs to the M control inputs for registering current events (M fourth inputs of the system), and their outputs respectively to the second inputs of the blocks comparing the lists of current and sanctioned events, whose third inputs are connected to the M control inputs for comparing current and sanctioned events (M fifth inputs of the system) and whose outputs are connected to the control outputs of the list comparison results (M second outputs of the system), to the second inputs of the blocks issuing the "destruction" (termination) command, and to the first M inputs of the block generating the checksum-comparison signal, whose input M+1 is connected to the checksum-comparison control input (second input of the system) and whose output is connected to the fifth input of the checksum comparison block. The outputs of the blocks issuing the "destruction" (termination) command are connected to the M "destruction" (termination) control outputs, and the outputs of the units storing the checksums of the lists of sanctioned events are connected to inputs 6 through M+5 of the checksum comparison block.

 
