The way to detect distributed attacks on computer network
(57) Abstract:The invention relates to computing. It helps to ensure the technical result in the form of easier way to detect distributed attacks on computer network in which the communication between subscribers is carried out by transmitting data packets according to the TCP Protocol. The method includes monitoring traffic incoming to the subscriber data packets, check these packets according to the defined rules and the signal for the adoption of measures to protect against unauthorized access when inspection reveals the compliance with these rules. The technical result is achieved due to the fact that for the detection of unauthorized access attempts made from obmana assigned the name of the other party's network, conduct monitoring traffic addressed to the subscriber data packets, including the constantly renewable counting the number of packets that are performed within a series of packets coming in succession one after another at intervals of not more than specified, validation of incoming data packets according to specified rules perform every time the size of the next observed series reaches kawanago access to resources of the computer system, and in particular to methods and devices that detect distributed attacks on subscribers ' computer networks, implemented by means of a network connection, in particular, in the global computer networks, and protection against such acts.The present description assumes General familiarity with the concepts, protocols and devices used in application programs work with computer networks.We know a considerable number of methods and devices for the protection of information in computer systems for various purposes, based on limited access to information at different levels of privacy: the use of passwords during logon, lock individual memory areas, the use of cryptographic protection, suppression of spurious electromagnetic radiation computing devices and communication channels.Known attacks based on the selection of the password, how to detect such attacks and ways to protect against them is given in the book [5. David Stang, Sylvia moon, "Secrets of network security", Kiev, "Dialectics", 1996] .The network system is characterized by the fact that, along with the usual, local attacks the sufficiency of resources and information in space. This so-called network or remote attacks. Under remote attack on a computer system refers to the information a damaging effect on distributed computing system (RVS), software implemented on the communication channels, one or a group of people with evil intent. While often impossible to distinguish between intentional and accidental actions, and a good security system should respond adequately to any of them.Insufficient protection for the most common operating systems RVS and communication protocols allow the implementation of different types of remote attacks on RVS, different implementation mechanisms, character and purpose of the impact. A preliminary stage remote attacks is usually a network traffic analysis, i.e. the flow of information exchange, which allows you to explore the logic of a distributed computing system. Obtaining information about RVS is achieved by an attacker by intercepting and analyzing the transmitted data. The possibility of interception exists due to the fact that the components of any network system distributed in space and the relationship between them physically using network Saatchi are programmatically using mechanisms messages. Known types of remote attacks and mitigation methods are described, for example, in the book: I. Medvedovsky, P. Semenov, V. Platonov, "the Attack via the Internet", St. Petersburg, NGO, Peace and family - 95", 1997.A remote attack that causes a denial of service allows you to break on the attacked object the performance of the relevant services provide remote access or telecommunications services, i.e. do not allow remote access from other objects. Denial of service is achieved by passing a targeted subscriber greatest possible number of connection requests on behalf of other subscribers, or by transferring from one address such a large number of requests, what will allow the traffic.A dangerous kind of remote attacks is the substitution of a subscriber of a computer network, which is based on sending messages from obmana assigned name of an arbitrary subscriber within the network. Substitution of a subscriber of a computer network can provide unauthorized access to the resources of the victim subscriber, if you substitute the subscriber is attacked by a trusted object interaction. Attack by spoofing the subscriber's computer network m is by sending a request to a targeted subscriber connection on behalf of the substitute caller. The feature of this attack is that the attacker has attacked with only one-way communication, as the answers attacked addressed to the spoofed the caller. Because the intervention spoofed caller may hinder the achievement of the attack, the substitution of a subscriber of a computer network is usually combined with simultaneous attacks, causing a denial of service spoofed caller.The present invention provides a method for the detection of remote attacks, based on the substitution of a subscriber of a computer network.The closest to the proposed invention is described in patent US 5796942 relating to network monitoring.This system is designed to monitor a computer network regardless of the network server that contains:
network driver for data collection in the network that are not necessarily addressed to the network monitoring system;
managing process for receiving data from a network driver and storage of such data in real time;
multiple recording files to retrieve and store data before further processing;
scanning, for which one of a specified set of files is assigned to the related data, to recreate many data streams in the session network connections, and these data streams in the network connections ensure the consistent reconstruction of network traffic data in the network session connection;
the scanner session to read the data in the range of one of a specified set of sessions network connections;
a set of rules identifying stereotypes of data, which, when discovered, will cause the enable alarm;
funds for specific response actions in case of detection data corresponding to the specified rules.System for monitoring a computer network, characterized by the above formula of the invention under the patent US 5796942 focused on total control of network traffic data in local area networks, primarily to monitor the behavior of legitimate users of these networks and identifying unauthorized access attempts to resources RVS. This system requires a high performance computer system with multiple processors operating at frequencies 233 - 500 MHz. In order to detect unauthorized attempts to access resources subscribers comp and serial read data, transmitted in different sessions, and verification in accordance with a set of rules that are executed to identify unauthorized attempts to access the resources of the subscribers, are directly transmitted data. Although this system collects data in real time, but then on the sequential analysis of multiple sessions network connections detection of unauthorized activities in a controlled computer network is the inevitable delay relative to the beginning of such actions. In many cases, a delay in the adoption of measures to prevent unauthorized actions can lead to irreparable damage and make the protection ineffective.The present of the invention is to create a simple way, the minimum means of providing detection in real time of unauthorized attempts to access the resources of the subscriber computer network, particularly the Internet, carried out by remote connection and based on the actions from obmana assigned behalf of another subscriber within the computer network.The problem is solved in that in the method for detecting attempts nesanktsionirovanno, in which conduct monitoring of the traffic incoming to the subscriber data packets, checks in accordance with set rules and give the signal for the adoption of measures to protect against unauthorized access when inspection reveals the compliance with these rules, according to the invention to detect unauthorized attempts to access the resources of the subscriber of a computer network in which the communication between subscribers is carried out by transmitting data packets according to the TCP Protocol, produced from obmana assigned name of another person for a specified network, conduct monitoring traffic addressed to the subscriber data packets, including the constantly renewable counting the number of packets that are performed within a series of packets, coming in succession one after another at intervals of not more than specified, validation of incoming data packets according to specified rules perform every time the size of the next observed a series of packets reaches a critical number of packages.The method is designed to protect subscriber by warning of the attack, by substituting the subscriber's computer network and based on the analysis of the necessary conditions to establish the o false packets messages send attacking a targeted subscriber, were perceived as sent spoofed by the subscriber, it is necessary that these packages have specific values of the identification parameters used in the TCP Protocol. These values can be known to the attacker only with some approximation, which is dependent on the operating system of the victim subscriber and the number of nodes of a computer network through which data packets sent by the attacker reach attacked subscriber. Therefore, for the selection of identity parameters, the attacker is forced to send the victim instead of one package a series of packets with different values of the identification parameters.Potentially dangerous to protect the subscriber's computer networks are a series of packets, with the following small periods of time, as the probability of successful matching of the identification parameters decreases with increasing spent on selection time. In this regard, the proposed method includes the continuous monitoring of a size series of packets coming from small periods of time.The critical size of the series, from which this series of packages can ensure a successful selection of identifies substitution of at least one of his trusted objects interaction.Maximum time interval between adjacent packets related to the same series, is preferably set not less than the time required for the subscriber on the primary processing of the received packet.Obtaining a series, the amount of which reaches a critical number of packets is the signal to begin the verification of incoming packets. Such verification includes, for example, the signal generation for the adoption of measures to protect against unauthorized access when within a specified time interval from the achievement of one series of size not less than the critical number of packets detected by the second series, which also reaches a critical.It is advisable to monitor traffic addressed to the subscriber data packets, including the constantly renewable counting the number of packets that are performed within a series of packets coming in succession one after another at intervals of not more than specified, be performed using a specialized computing device that exchanges signals with the specified subscriber.Hardware implementation monitoring series size package provides the minimum diversion of resources of the protected computer for detecting the tion in relation to the Internet, with reference to the drawings, in which:
Fig. 1 depicts the scheme of attack, carried out by substituting a subscriber of a computer network.Fig. 2 depicts a block diagram of a device that implements the observation of the size of the series entering the protected subscriber data packets, when carrying out detection of remote attacks on a computer network according to the present invention.Fig. 3 depicts a block diagram of the algorithm checks the incoming protected subscriber data packets that are performed when performing a detection of remote attacks on a computer network according to the present invention, if the observation with the help of the device depicted in Fig. 2, revealed a series, having a size of not less than a given number of packets.Fig. 4 depicts a timing diagram of operation of the device depicted in Fig. 2, and actions in the performance of the algorithm depicted in Fig. 3.On the Internet the underlying transport layer Protocol is TCP. In accordance with the TCP Protocol information over a computer network is transmitted in the form of packets of fixed size. TCP allows you to correct errors that may occur during packet transmission, and is FR the I packets with registration sequence, manages the flow of packets is organized retransmission of corrupted packets, and at the end of the session channel is broken. While TCP is a Protocol that has additional identification system messages and connections. The application level protocols, providing users with remote access to other subscribers of the Internet, are based on TCP.A TCP packet has a header that contains two identification package parameter representing a 32-bit binary numbers. The values of the first and second identification parameters of the service function of the current value assigned to this package, respectively, the sender and the recipient. A pair of current non-package indicates where the packet in the sequence of packets in the session. In addition, the TCP header contains the commands for the subscriber, which is designed package, as well as his address.Establishing a TCP connection between two subscribers of the Internet, if the initiative is the first of them, in the following order.First, the subscriber sends the address of the second subscriber, the packet header which contains the knowledge is in the sequence of current numbers of packets of the same session.The second user answers the first parcel second batch session, the title of which contains the value of the first identification parameter, representing assigned to this work package by the second subscriber starting number, and the second value is equal to increment by one the value of the start number contained in the first packet of the session received from the first subscriber.The connection ends with the sending of the first subscriber to the second package, containing increased per unit values of both the initial numbers of the second service session.Since the establishment of the first connection, the subscriber can send the second subscriber packets that contain data. Each packet received during a session of his party, they will be interpreted as another package this session, if this package has current numbers that exceed the per unit value of current issues of the previous packet, otherwise, the received packet will be discarded as erroneous.The vulnerability to attacks based on the substitution of the subscriber, is the imperfection of the principles of formation of initial numbers of packets of session inherent in most rasprostraneniya breathability algorithm generate initial batch number of the TCP connection. For example, in Windows NT 4.0, this value increases by approximately 10 every millisecond.This gives the attacker the possibility to approximately determine the type of the function, which generates the initial value of the packet identifier. For research OS subscriber of the Internet to the attacker, who is also a subscriber of this network, you want to send the subscriber the normal sequence of requests to create a TCP connection and to take an appropriate number of response packets having the initial numbers assigned to the investigational OS in each moment of time. If this measured time intervals between a request and its reply and the time elapsed between requests. As it is clear to the specialist in numerical mathematical methods, as a result of this research can be built empirical temporal dependence of the initial numbers generated by the analyzed Windows, which allows to predict its value in the form of interval estimates. For example, in the case where the attacker in the same network segment with the selected target of attacks by the subscriber, this technique allows for a short period of time to extrapolate the value of the start number for Windows N is adowanie OS subscriber network, the Internet provides a real opportunity current selection of rooms package for the substitution of a subscriber of a computer network.A significant danger due to better conditions for the attack is the substitution of a trusted party who has simplified the access mode without password authentication used in some common OS, for example, on UNIX.The scheme of attack, based on the substitution of the subscriber is illustrated in Fig. 1.In Fig. 1 depicts a substitute subscriber 1, subscriber 2, which is the object of attack, and attacking the attacker 3.Attacking 3 sends to the subscriber 2 package containing a request for a connection on behalf of the spoofed caller 1. This package contains the initial number N03 set the attacking 3, after some time reaches the subscriber 1. The subscriber 2, in accordance with the procedure established TCP connection, responds to the received request packet is an acknowledgement packet containing the first current is equal to the initial number specified by the subscriber 2, N2= N02, and the second current is equal to the increased per unit initial number of the request packet, N3= N03+1.The essential feature of the attack, based on the substitution of the subscriber, is that the attacking 3 does not receive responses from the victim subscriber 2, since all packets sent attacked by a subscriber 2 in the proof connection which the subscriber 1 is not requested, it will prevent the continuation of the attack. Therefore, in this scheme, attack, attacking 3 it is necessary to attack the subscriber 1, for example, a series of requests to establish connections to create it a denial of service attack.To complete the establishment of a false connection attacking 3 should be sent to the subscriber package 2 having the correct values of both the current rooms. One of these rooms, N3, known to the attacker 3, as formed from given them the start number of the request packet. Attacking 3 of the preliminary study can be also known interval within which with a given probability value is the initial non N02. However, the attacker 3 can be guided only by the evaluation of the initial non N02, since the moment of receiving by the subscriber 2 false request packet and, accordingly, the moment of assigning the subscriber 2 initial non N02 the acknowledgement packet depend on the delay of a packet on the Internet. This delay may randomly vary from a few milliseconds to one second, depending on the load of the network segment between the attacking 3 and subscriber 2 at the moment of sending of the request packet. Pack subscriber 2 a series of packets, providing through the values of the initial non N02 in a certain attacking 3 interval. The value of the time sequence of packets in the series determines the total duration of the series, and because the error of the extrapolation of the initial non N02 proportional to the extrapolation interval, the more time the following packages in the series, the greater the required size of the series.Authors conducted the calculations show that the probability of a successful attack decreases with increasing time sequence of packets in the series, so favorable to the attacker's strategy is to make a series with minimum time intervals between packets.The second series of packets, each of which can contain commands to obtain further access to the resources of the subscriber 2, should be sent to attacker 3 with a time interval relative to the previous series, chosen so that with high probability, a random transmission delay over the network, the packet of the second series with the correct value of the current non N2= N02+1 reached a subscriber 2 after receiving the package with the initial number N02 of the first series of packets, as otherwise the attack will fail. This means that on the side of Absalom, exceeding the time intervals between packets in the series.The attack is also possible during a session connection between two subscribers of the Internet by trying to substitute one of the participants in the connection. In this case, even if the connection between the subscribers is set with a password, the attacker does not require the knowledge of the password, because once the connection is established, the password is not already in use by the participants in the connection.Attack during a session connection between subscribers 1 and 2 can be carried out basically as described above to establish a false connection, and also requires the creation of a denial of service spoofed caller 1. The main difference is that the attack during a session requires the selection of both current rooms, respectively, N1 and N2, for the false packet. The size of the series of the sent packets is increased in the square in relation to the size of the series, is necessary for establishing a false connection. That is, the greatest danger is trying to establish a false connection on behalf of another person, as this requires a minimum batch size of packets, which in the most favorable for the attacker terms is any case is characterized by the arrival of this person at some interval of at least two series of packets, in which packets are followed by small periods of time.According to the present invention, a method for detecting unauthorized attempts to access the resources of the subscriber computer network consists of two phases: the first is the constant observation of the amount of incoming protected subscriber series of TCP packets, which packets follow at intervals of not more than specified, and the second is a further test for deciding whether there is an attack, if the observation revealed a series of packets whose size exceeds the specified number of packets.If the protected subscriber is a personal computer, the present invention can be implemented completely in software, i.e. using these devices, equipped with appropriate processing program to be executed by the Central processor of such devices. However, the preferred option is for the hardware implementation of monitoring batch size packages and software implementation phase of the test, which, on the one hand, provides the minimum diversion of resources of the protected computer to the detection of attacks, and on the other hand, allows for maximum flexibility in the use of various PTO series of packages according to the present invention. The device 4 is depicted in cooperation with the protected computer, the subscriber 2, through the interface 5, a device which, for example, when connecting to the shared computer bus is obvious to a person skilled in the art and has no features associated with the present invention.From a subscriber 2 to device 4 via the interface 5 receives digital codes of natural numbers t0, a given maximum time interval between adjacent packets attributable to one series, and k0, given the critical size of a series of packets, denoted, respectively, positions 6 and 7; the pulses of clock frequency internal oscillator subscriber 2 - position 8; pulses of packets matching the moments of the end of primary processing of incoming subscriber 2 TCP packets - position 9; logical signal installation device 4 in original condition - item 10.Back from the device 4 to the subscriber 2 is transmitted Boolean variables: position 11 denoted by the variable S which is TRUE from the moment when the first time the size of the observed series has reached the value of k0, until the end of this series, and FALSE outside this period of time; and also a designated position 12 signal logicheskie from subscriber 2 signal installation device 4 in the initial state, the variable Flag is set to FALSE outside of this time period.The pulses of clock frequency from the output 8 of the UI 5 arrive at the counting input of the counter 13 which acts as a timer to measure time-distance packages. The counter 13 is set to "0" each pulse packet from the output 9 of the interface 5. Thus, the number of tp in the time of arrival of the next pulse packet is proportional to the time interval between this packet and the previous one. The outputs of bits of the counter 13 is connected to the inputs of the comparator 14 codes that perform the function of comparator period of time tp calculated by the counter 13, with the specified value to that recorded from the interface 5 in register 15 memory, coupled to the comparator 14.Through the device 16 that implements the function of logical "And", at the counting input of counter 17 packets received pulses packages. The counter 17 counts the number k of packets that belong to the current series until the value of tp in the counter 13 reaches the value t0. When "tp is equal to t0" from the output of the comparator 14 to the reset input of counter 17 packet arrives logical setting signal to "0".The maximum value t0 of the time interval between adjacent packets is compiuternoi network on the primary processing of the received packet, for example, 3 msec. Typically, the bandwidth of the network interface through which the subscriber is connected to a computer network has a power reserve that provides the network interface without overflow under normal traffic transmitted messages. The fact of the increasing flow of incoming packets to a number greater than the bandwidth of the network interface used in the present method, as a preliminary indication of a possible attack.The counter 17 is connected to the output bits from the comparator 18 codes, which compares the counted by the counter 17 size k series with a given critical size k0, the value of which is entered from the interface 5 in register 19 memory, coupled to the comparator 18.The logical signal at the output of the comparator 18 is a Boolean variable S. the Logical output signal from the comparator 18 is supplied to the inverting input device 16, and stops the feeding of pulses of the packages on the counter 17 when the condition "k is k0". Fixing the values of k in the counter 17 at the level of k0 until the end of the current series, if it is larger than k0, eliminates the overflow of the counter 17 when long-term overload of the network interface of the subscriber 2.
< / tp is equal to t0 and k is k0". Output the trigger signal 21 represents a logical variable Flag containing information about obtaining a series of TCP packets with a size of not less than a given critical size k0. Reset trigger 21 is a signal from a subscriber 2-level information on output 10 interface 5.Thus, with the help of the device 4 performs ongoing monitoring of traffic addressed to the protected subscriber data packets, which is achieved by the detection of a series of packets with a size of not less critical. The critical size k0 series can be selected minimum value, from which this series packages are able to provide a successful attack. For example, if the protected subscriber uses WINDOWS NT 4.0, the value of k0 can be set equal to 10. However, it is preferable to select the value of k0 on the basis of a compromise between the sensitivity of the method with attack detection and false alarm level defined by the modeling results of substitution of at least one of the trusted entities interact protected subscriber.As indicated above, the preferred software implementation of the algorithm validation.The test phase entering the protected subscriber TCP PSA with operations 22 checks the value of a logical variable S. A poll this value may be a time interval approximately equal to the length of the series of size k0 without the risk of delayed detection attacks.If S is FALSE, the operation is performed 23 checks the value of a logical variable Flag, and if its value is FALSE, then this cycle of execution of the algorithm ends.If one of the variables S, or the Flag is TRUE, then the operation is performed 24 to verify the values of the auxiliary logical variable R used for a single operation 25 preset memory the torque value Ts, when the first series of packets reaches the size k0, after the operation 25 operation 26 destination variable R value of TRUE. With repeated operation 24, when the variable R is set to TRUE, the operation is performed 27, which compares the difference between the current time to which the second series of packets has reached a size of k0, and fixed by time Tsthe specified maximum interval tm time. This interval can be set equal to the maximum time established protected by the subscriber to wait for continuation of the communication session, usually several tens of seconds after which the connection reserval time between successively received lots of critical size does not exceed a specified, surgery is carried out 28 assigning a Boolean variable Alarm set to TRUE, representing the alarm, which measures protection from attack.If the condition of operation 27 fails, then made the transition to operations 29, 30 assignment to the variables R and Flag to FALSE. The last operation 30 is carried out by transmitting the reset signal to the trigger 21 through the interface 5 (Fig. 2)
In Fig. 4 depicts an exemplary view of the timing values of k, S, Flag, Alarm during the attack.Perhaps the use of more complex algorithms validation. In particular, after the discovery of a series of packets having a size greater than critical, can be further assessment of the size of this series and the use of different measures of protection depending on the size of the series. Verification may also include storage for a certain period of time, information about all facts obtain series of critical size, including not caused directly alarm, for adoption at a certain period of time for additional protective measures.In the example implementation of the present invention under the protected subscriber meant personal computer. However, this does not impose ohmer, the local network server connected to the Internet, or a peripheral device. 1. The method for detecting unauthorized remote access to the resources of a subscriber of a computer network in which the communication between subscribers is carried out by transmitting a data packet in accordance with TCP, including monitoring traffic incoming to the subscriber data packets, check these packets according to the defined rules and the signal for the adoption of measures to protect against unauthorized access when inspection reveals the compliance with these rules, characterized in that to detect unauthorized access attempts made from obmana assigned the name of the other party's network, conduct monitoring traffic addressed to the subscriber data packets, including the constantly renewable counting the number of packets performed within a series of packets coming in succession one after another at intervals of not more than specified, validation of incoming data packets according to specified rules perform every time the size of the next observed series reaches a critical number of packages.2. The method according to p. 1, characterized in that maximini, you want the subscriber to the primary processing of the received packet.3. The method according to p. 1, characterized in that the signal for the adoption of measures to protect against unauthorized access serves, when within a specified time interval from the end of one series of data packets having a size not less than the critical number of packets, the size of the next observed series reaches a critical.4. The method according to p. 1, wherein monitoring the traffic addressed to the subscriber data packets, including the constantly renewable counting the number of packets that are performed within a series of packets coming in succession one after another at intervals of not more than specified, comply with designed for such purpose computing device that exchanges signals with the specified subscriber.
SUBSTANCE: device has commutation block, checked microcontroller, block of read-only memory devices of checked microcontroller, block of operative memory devices, PC, controlling microcontroller, block 7 of serial interface, indication block, commutation block of serial interface, block for forming a signal of starting setting of block for forming ROM addresses, block for forming addresses of Rom of checked microcontroller, block for decoding control signals, data-reading block, RAM recording block, block of memory access constants for checked microcontroller, block for forming addresses of checked microcontroller, block for forming start setting signal for controlling microcontroller, RAM reading block, block for forming RAM addresses and power buses.
EFFECT: higher efficiency.