System and method of reducing false responses when detecting network attack

FIELD: information technology.

SUBSTANCE: system comprises the following modules: a control module for storing statistics on previous network attacks for correcting filtering rules for filtering centres; collectors for compiling filtering rules based on traffic information from the filter centres and sensors; filter centres for filtering traffic based on filtering rules; sensors for aggregating traffic information for further transmission to collectors.

EFFECT: reduced false responses when detecting network attack.

14 cl, 6 dwg

 

The technical field

The invention relates to systems for detecting distributed network attacks, and more specifically to reducing false positives in the detection of network attacks through behavioural analysis of user interaction with the protected resource.

Prior art

Currently almost all companies and organizations are present on the Internet in one way or another, and many use the Internet as a business tool. At the same time, the Internet does not provide protection services "by default". In addition, a number of today's Internet threats cannot be countered by individual protection tools such as firewalls, intrusion prevention systems, antivirus software, etc. A striking example of such threats is the DDoS attack.

A DoS attack is an attack on a computing system intended to bring it down, that is, to create conditions under which legitimate users cannot access the resources (servers) provided by the system, or can access them only with difficulty. The motives for such attacks vary greatly: they can serve as an element of competition, a means of extortion, revenge, protest, a demonstration of capabilities or a way of attracting attention, which is often interpreted as cyberterrorism. If the attack is performed simultaneously from a large number of computers, it is called a DDoS attack (Distributed Denial of Service). There are two types of DDoS attacks: attacks on bandwidth and attacks on the application.

Attacks on bandwidth: the attacker acts by filling the allocated bandwidth of the communication channels and the equipment with a large number of packets. The routers, servers and firewalls chosen as victims, each of which has only limited processing resources, may become unable to process transactions correctly or may fail under the heavy load of the attack. The most common form of bandwidth-filling attack is the packet flood, in which a large number of outwardly trustworthy packets of the TCP, User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP) is directed at a specific point.

Attacks on applications: the attacker, exploiting the behaviour of computer interaction protocols (TCP, HTTP and so on) as well as the behaviour of services and applications, captures the computing resources of the computer that is the object of the attack, which prevents it from handling legitimate transactions and requests. Examples of application attacks are attacks with open HTTP connections and attacks with incorrect HTTP connections. More about these attacks can be found in the article on the Cisco website http://www.cisco.com/web/RU/products/ps5887/products_white_paper0900aecd80lle927.html.

Typically a DDoS attack is carried out using a botnet, also known as a network of "zombie" computers. A botnet (also bot network) is a network of compromised computers infected with malicious software that allows the infected computers to be controlled remotely without the knowledge of their users. Programs that allow such actions to be performed are called bots.

Figure 1 shows the scheme of such an attack. The computer 100 of the botnet owner sends signals to the botnet control computers 110, each of which controls a significantly larger number of computers 120 running bots. The use of botnet control computers 110 complicates identification of the computer 100 of the botnet owner, and also increases the potential size of the botnet to millions of machines and more. Next, the bots on computers 120 start a DDoS attack on the service 130. A service here means any web service that provides users with certain services or resources. Examples of services are an online store or a file server. It may seem, for example, that at a certain point in time the online store is experiencing an influx of buyers that it is unable to cope with. During a DDoS attack on the service 130, the first to suffer are both its owners and its potential clients.

It should be noted that different technologies are used to counter DDoS attacks, for example using collected statistical data to build a user profile. The collection of such statistics can be used to single out potential bots. Application US 20090031244 describes a method of collecting statistics during data transfer by the user. Application US 20080010247 describes a system for collecting information about the user's actions and preparing a final profile using a set of rules. Patent EP 2109282 describes the possibility of building a histogram of the user's requests (a profile) for subsequent action by cutting off traffic.

After potential bots have been determined, the bot network can be determined on the basis of detecting specific requests or identifying anomalies in traffic. For example, in applications and patents WO 06039529, US 20090037592, WO 06039529, US 7478429 the fact that bots are operating is determined by identifying duplicate GET requests, incorrect responses or overload of the DNS server. Patent US 7426634 describes a method of prohibiting new connections once an attack is determined. Possible "zombies" (bots) are identified by MAC addresses. In patent EP 2109279 an attack is determined by comparing the average number of requests from countries with the current number of requests. Patents US 7626940 and US 7602731 consider the analysis of DNS queries and the definition of anomalies for further countering of possible attacks. Patent GB 2393607 describes a method of anomaly detection and subsequent filtering. In application US 20080022405 the definition of anomalies is based on finding executable parts in the query.

One method of solving the problem of DDoS attacks is to clean the traffic directed to the service. For example, applications and patents WO 06039529, US 20090037592, WO 06039529, US 7478429 describe a system for detecting the overload state of a server (service) under SYN flood attacks. Patent US 7058015 describes a system of sensors responsible for monitoring traffic, routers, and a control device responsible for forwarding traffic according to specified policies. The method described in application US 20040064738 involves the use of a proxy to analyse traffic to the server. Application US 20030172289 describes a method of controlling the flow of traffic by forwarding it for further processing.

Another option is to route unwanted traffic into a "black hole". Black-hole routing is used by the service provider to block all traffic destined for the target object at the earliest possible point. The traffic "taken off the route" is routed into the "black hole" to protect the provider's network and its other clients. Black-hole routing cannot be called a good solution, because trustworthy packets are rejected together with the malicious attack traffic.

Methods and systems have also been described that make it possible to determine an attack on the application. Patent US 7272854 determines the type of application (IM type) against which a DoS attack is possible. Application US 20070258438 describes the ability to detect a possible attack on a web service. Patents KR 7061017 and KR 7077517 describe a method for detecting attacks on a web application.

Firewalls can also be used to combat DDoS attacks. This has its advantages, because firewalls are located in the immediate vicinity of the protected resource, but it does not at all protect against attacks that exhaust the channel bandwidth. The filtering methods in this case are very primitive, and if the DDoS attack is carried out over permitted ports and protocols, the firewall is totally helpless against it.

Finally, one of the longest-used technologies is the use of "black" and "white" lists (hereinafter we use these words without quotation marks), which serve to deny access (black list, http://en.wikipedia.org/wiki/Blacklist_(computing)) or to permit it (white list, http://en.wikipedia.org/wiki/Whitelist).

However, one of the main problems of existing systems and methods remains the problem of false positives. A false positive may disrupt the web service, for example by preventing regular visitors of an online shop from using its services. Thus, a system is required that is able to cope with possible DDoS attacks while at the same time allowing ordinary users to use the capabilities of the web service without hindrance.

Analysis of the prior art, and of the opportunities that appear when combining it into one system, makes it possible to obtain a new result, namely a system for reducing false positives in the detection of network attacks.

Summary of the invention

Thus, the technical result of the present invention is a reduction of false positives in the detection of network attacks through behavioural analysis of user interaction with the protected resource.

According to one embodiment, a system for filtering network traffic is provided, comprising: a control module, connected with the collectors, cleaning centres and sensors, designed to store statistics of previous network attacks for adjusting the filtering rules for the cleaning centres; the collectors, connected to the cleaning centres and sensors, designed to prepare filtering rules based on traffic information from the cleaning centres and sensors; the cleaning centres, designed to filter traffic based on the filtering rules; and the sensors, designed to aggregate traffic information for further transmission to the collectors.

In one embodiment, the service is a web service that provides users with certain services or resources.

In another embodiment, the statistics of previous network attacks include: statistics of the average and peak channel load during a network attack, information about malicious activity on the Internet, the number of bot networks participating in the network attack, the time since the start of the network attack, the duration of the network attack, and the geography of the network attack.

In yet another embodiment, the control module uses white and black lists of IP addresses for adjusting the filtering rules.

In one embodiment, the white and black lists of IP addresses are defined on the basis of behavioural criteria, which include analysis of: the number of requests and sessions established from a single IP address, the number of requests without confirmation from a single IP address, the number of requests for the same data from a single IP address, and the number of connections without any further exchange of information.

In another embodiment, the cleaning centres are connected to the backbone communication channels via channels with high bandwidth.

In another embodiment, each cleaning centre consists of at least a proxy server for redirecting traffic and a filtering router for filtering traffic.

In one embodiment, the sensors are located in the immediate vicinity of the service.

According to another embodiment, a method of filtering network traffic is provided, comprising the steps of: redirecting traffic to the service to the sensors and the cleaning centres; processing by the sensors all requests to the service and then aggregating the received information; updating the filtering rules on the collectors using the received sensor information; adjusting the updated filtering rules using the control module on the basis of the statistics of previous network attacks; and filtering traffic at the cleaning centres using the said filtering rules.

In one embodiment, the service is a web service that provides users with certain services or resources.

In yet another embodiment, the statistics of previous network attacks include: statistics of the average and peak channel load during a network attack, information about malicious activity on the Internet, the number of bot networks participating in the network attack, the time since the start of the network attack, the duration of the network attack, and the geography of the network attack.

In another embodiment, the control module uses white and black lists of IP addresses for adjusting the filtering rules.

In one embodiment, the white and black lists of IP addresses are defined on the basis of behavioural criteria, which include analysis of: the number of requests and sessions established from a single IP address, the number of requests without confirmation from a single IP address, the number of requests for the same data from a single IP address, and the number of connections without any further exchange of information.

In another embodiment, the cleaning centres are connected to the backbone communication channels via channels with high bandwidth.

In another embodiment, each cleaning centre consists of at least a proxy server for redirecting traffic and a filtering router for filtering traffic.

In one embodiment, the sensors are located in the immediate vicinity of the service.

Brief description of drawings

Additional objectives, features and advantages of the present invention will become apparent from the following description of the invention with reference to the accompanying drawings, in which:

Figure 1 shows the scheme of a DDoS attack.

Figure 2 shows a simplified scheme of the present system.

Figure 3 shows a detailed diagram of the present system.

Figure 4 illustrates the use of black and white lists when filtering traffic.

Figure 5 illustrates the method of operation of the system upon detection of a DDoS attack.

Figure 6 illustrates the use of different levels of data aggregation.

Description of embodiments of the invention

The objects and features of the present invention, and the methods of achieving these objects and features, will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below; it may be embodied in various forms. The essence given in the description is nothing but specific details provided to assist a specialist in the field in a comprehensive understanding of the invention, and the present invention is defined only by the scope of the appended claims.

Figure 2 shows a simplified scheme of the present system. To protect service 130, cleaning centres 210 are used, which filter traffic coming from computers 120 running bots and from ordinary users 220 trying to access service 130.

To protect against attacks on bandwidth, traffic to service 130 is routed through the cleaning centres 210, which must be connected as close as possible to the main communication channels via channels with high bandwidth. Owing to this, it is expected that the traffic can be distributed substantially without overloading the communication channels leading to service 130.

To protect against attacks on the application 230, the system first forms a model of the average traffic to service 130 and then, during an attack, cuts off spurious traffic on the basis of this model. Hereinafter, spurious traffic means traffic generated by bots on computers 120, and legitimate traffic means the flow of data from ordinary users 220.

Figure 3 shows a detailed diagram of the present system. It consists of a control module 320, collectors 310, cleaning centres 210 and sensors 330. Let us look more closely at their interaction.

Traffic A to service 130 can come both from computers 120 running bots and from ordinary users 220. The traffic is duplicated so that it can be redirected to the cleaning centres 210 and to the sensor 330. The task of sensor 330 is to process all requests to service 130 and then aggregate the information received. As a result, collector 310 receives from sensor 330 a brief set of information on all requests. Before considering the main function of collector 310, it is worth mentioning the second traffic stream, which goes to the cleaning centres 210. The cleaning centres 210 themselves are designed as two devices: proxy server 210A and filtering router 210B. The task of proxy server 210A is to pass the filtered traffic B to service 130. The decision to pass traffic from a given computer (which may be either a computer 120 with a bot or an ordinary user 220) is made by filtering router 210B. Filtering rules are passed to filtering router 210B from collector 310. Let us now examine each element of the system in more detail.

The control module 320 controls the operation of all other modules (primarily collectors 310), tracking their likely congestion. The control module 320 can monitor statistics of channel utilization (current day, day of week, month) and malicious activity on the Internet, which makes it possible to build the geography of current attacks, and it stores and collects statistics from previous attacks (number, duration, peak and average load). Based on this information, descriptive characteristics can be obtained for each attack, such as the number of participating bot networks, the time since the start of the attack and the geography of the attack. Based on this information, the control module can adjust the filtering rules (the "filtering profile") used by the cleaning centres 210. For this purpose, the allowable volume of transmitted data, the number of packets per protocol, etc. are calculated. The types of these parameters are given in the table below. The control module 320 also stores black/white lists of addresses, which are discussed separately.

Figure 4 illustrates that when black and white lists of addresses (or simply black and white lists) are used, they prevail over the filtering rules. This means that if a computer's address is on the white list (checked at step 440), its traffic is never blocked (i.e. it is not subjected to filtering at step 450), whereas if it is on the black list (step 420), all its traffic is blocked (step 430).

Black and white lists of addresses can be generated manually by the system administrator or automatically on the basis of statistical and behavioural criteria. Examples of the formation and correction of such lists are considered, for example, in patent US 7640589. Behavioural criteria can include analysis of the number of requests and sessions established from a single IP address, the number of requests without confirmation from a single IP address, the number of requests for the same data from a single IP address, and the number of connections without any further exchange of information.
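As an added illustration (not code from the patent), the following Python sketch builds a black list from the four behavioural criteria above and applies the Figure 4 precedence (white list, then black list, then the filtering profile); the connection records, field names and thresholds are constructed for the example.

```python
# Added example (not the patent's code): behavioural list building and Figure 4 precedence.
# Connection records, field names and thresholds are constructed for illustration.
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Connection:
    src: str                  # client IP address
    requested: Optional[str]  # requested object; None if the connection carried no request
    confirmed: bool           # request confirmed by the client (handshake completed, response acknowledged)


@dataclass(frozen=True)
class BehaviourThresholds:
    max_requests: int = 30     # (a) requests and sessions from a single IP address
    max_unconfirmed: int = 20  # (b) requests without confirmation from a single IP address
    max_repeated: int = 20     # (c) requests for the same data from a single IP address
    max_empty: int = 15        # (d) connections without any further exchange of information


def behavioural_blacklist(conns: Iterable[Connection],
                          thr: BehaviourThresholds = BehaviourThresholds()) -> Dict[str, Tuple[str, ...]]:
    """Return {ip: reasons} for every IP that exceeds at least one behavioural threshold."""
    requests: Counter = Counter()
    unconfirmed: Counter = Counter()
    empty: Counter = Counter()
    same_data: Dict[str, Counter] = defaultdict(Counter)
    for c in conns:
        if c.requested is None:
            empty[c.src] += 1          # connection with no further data exchange
            continue
        requests[c.src] += 1
        same_data[c.src][c.requested] += 1
        if not c.confirmed:
            unconfirmed[c.src] += 1
    verdict = {}
    for ip in set(requests) | set(empty):
        reasons = []
        if requests[ip] > thr.max_requests:
            reasons.append("requests")
        if unconfirmed[ip] > thr.max_unconfirmed:
            reasons.append("unconfirmed")
        if same_data[ip] and max(same_data[ip].values()) > thr.max_repeated:
            reasons.append("repeated")
        if empty[ip] > thr.max_empty:
            reasons.append("empty_connections")
        if reasons:
            verdict[ip] = tuple(reasons)
    return verdict


def decide(ip: str, whitelist: Set[str], blacklist: Set[str],
           profile_allows: Callable[[str], bool]) -> str:
    """Figure 4 precedence: the white list (step 440) beats everything, then the black list
    (step 420); only addresses on neither list are subjected to the filtering profile."""
    ip_address(ip)  # reject malformed addresses early
    if ip in whitelist:
        return "pass"   # step 450: never filtered
    if ip in blacklist:
        return "block"  # step 430: all traffic blocked
    return "pass" if profile_allows(ip) else "block"


# Constructed observation window: one ordinary visitor, one flooder, one half-open connector.
SAMPLE = (
    [Connection("203.0.113.5", "/index.html", True)] * 3
    + [Connection("203.0.113.5", "/cart", True)]
    + [Connection("198.51.100.9", "/index.html", False)] * 40  # repeated, unconfirmed requests
    + [Connection("198.51.100.7", None, False)] * 25           # connects, then sends nothing
    + [Connection("192.0.2.1", "/index.html", True)]
)
```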

Collector 310 performs statistical processing and aggregation of the traffic information received from the cleaning centres 210, and also collects the aggregated information from the sensors 330. It is collector 310 that compiles the statistics of legitimate traffic (both from the cleaning centres 210 and from the sensors 330) into the so-called "filtering profile" (hereinafter without quotation marks), on the basis of which, in the event of an attack, the cleaning centre 210 decides to filter unwanted traffic. At the same time, the control module 320 is able to adjust the filtering profile, which avoids false positives.

Cleaning centre 210 is, as a rule, a single server connected as close as possible to the main communication channels via channels with high bandwidth. In one embodiment, cleaning centre 210 may comprise a proxy server 210A and a filtering router 210B in order to separate functions and achieve greater efficiency. Proxy server 210A redirects traffic to service 130. Filtering router 210B decides whether to pass particular traffic on the basis of data transferred from collector 310 (i.e. it cleans out unwanted traffic generated by bots). Thus cleaning centre 210 filters traffic A, leaving in the redirected traffic B only legitimate requests from ordinary users 220.

Sensors 330 are located in the immediate vicinity of service 130, whose traffic is mirrored to them (shown in Figure 3 as another arrow of traffic A), and aggregate information on the traffic in order to pass the aggregated traffic information to collector 310.

It should be noted that the system can operate both during a DDoS attack and outside one (Figure 5). Outside an attack, the system is aimed at collecting statistical information and tracking anomalies (step 510). The collection of statistical information is required to create the filtering profile (step 520). If a significant deviation of the traffic from the profile is detected at step 530, the system enters the DDoS countermeasure mode and begins filtering traffic at steps 540-550. At step 560 it is checked whether the current filtering profile, which is created by collector 310, is still relevant; it may be amended at step 570 by means of the control module 320, which has the necessary statistical information on known past attacks. When the end of the attack is determined at step 580, the algorithm returns to step 510.

In one embodiment, the filtering profile is constructed in relation to traffic originating from a specific individual user of the resource, and estimates the parameters of such traffic for compliance with the estimated normal parameters. For anomaly detection, an anomaly profile is used, which relates to the traffic directed towards the resource and evaluates the total parameters of such traffic for compliance with established threshold values. Both profiles are built from the same set of data, which is interpreted differently for each profile.

The data used to build a profile have different levels of aggregation, which make it possible to analyse the input data at different levels.

Table. Levels of data aggregation

Aggregation level 1
Key fixed values: 1) IP address of the client of the protected resource; 2) IP address of the protected resource; 3) protocol/port (service); 4) time stamp.
Fixed values: 1) number of bytes received; 2) number of bytes sent; 3) number of packets received; 4) number of packets sent; 5) number of received packets with only the SYN flag set (for TCP).

Aggregation level 2
Key fixed values: 1) country code of the IP address of the client of the protected resource; 2) IP address of the protected resource; 3) protocol/port (service); 4) time stamp.
Fixed values: 1) number of bytes received; 2) number of bytes sent; 3) number of packets received; 4) number of packets sent; 5) number of received packets with only the SYN flag set (for TCP); 6) number of unique IP addresses of clients of the protected resource.

Aggregation level 3
Key fixed values: 1) IP address of the protected resource; 2) protocol/port (service); 3) time stamp.
Fixed values: 1) number of bytes received; 2) number of bytes sent; 3) number of packets received; 4) number of packets sent; 5) number of received packets with only the SYN flag set (for TCP); 6) number of unique IP addresses of clients of the protected resource.

Aggregation level 4
Key fixed values: 1) ID of the resource group; 2) protocol/port (service); 3) time stamp.
Fixed values: 1) number of bytes received; 2) number of bytes sent; 3) number of packets received; 4) number of packets sent; 5) number of received packets with only the SYN flag set (for TCP); 6) number of unique IP addresses of clients of the protected resource.

Aggregation level 5
Key fixed values: 1) customer ID; 2) protocol/port (service); 3) time stamp.
Fixed values: 1) number of bytes received; 2) number of bytes sent; 3) number of packets received; 4) number of packets sent; 5) number of received packets with only the SYN flag set (for TCP); 6) number of unique IP addresses of clients of the protected resource.

Figure 6 illustrates the use of different aggregation levels (in this example, levels 3 through 5), which makes it possible to track data at different levels, starting from a selected customer and descending to individual services. For example, it is possible to track not only Client 1 but also one of its HTTP services, such as Site 1.

The anomaly profile is a set of threshold values of some quantity S describing the normal traffic for one of the aggregation levels (e.g. customer or service). The threshold value can be set for every hour of the day and for particular days of the week, to exclude possible false positives. The quantity S can be any of the fixed values, for example the total number of inbound packets or the number of unique IP addresses of users.
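An added example (not the patent's code) of the aggregation levels from the table and of an anomaly profile with per-weekday, per-hour thresholds, which is the deviation check that step 530 of Figure 5 relies on; the flow fields, the resource-group and customer mapping, the sample flows and the thresholds are all assumed.

```python
# Added example (not the patent's code): aggregation levels 1-5 and an hourly anomaly profile.
# Flow fields, the resource-group/customer mapping, the sample flows and thresholds are assumed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Flow:
    client_ip: str
    country: str        # country code of client_ip, assumed pre-resolved by the sensor
    resource_ip: str    # IP address of the protected resource
    service: str        # protocol/port, e.g. "tcp/80"
    ts: datetime        # time stamp of the observation
    bytes_in: int
    bytes_out: int
    pkts_in: int
    pkts_out: int
    syn_only: int       # received TCP packets with only the SYN flag set


# Assumed topology (as in Figure 6): resource -> resource group -> customer.
RESOURCE_GROUP = {"192.0.2.10": "site1", "192.0.2.11": "site1", "192.0.2.20": "mail"}
CUSTOMER = {"site1": "client1", "mail": "client1"}
FIXED = ("bytes_in", "bytes_out", "pkts_in", "pkts_out", "syn_only")


def hour_of(ts: datetime) -> datetime:
    """Time stamps are bucketed to the hour so that thresholds can be set per hour of day."""
    return ts.replace(minute=0, second=0, microsecond=0)


# Key fixed values for each aggregation level, in the order of the table above.
LEVEL_KEYS: Dict[int, Callable[[Flow], Tuple]] = {
    1: lambda f: (f.client_ip, f.resource_ip, f.service, hour_of(f.ts)),
    2: lambda f: (f.country, f.resource_ip, f.service, hour_of(f.ts)),
    3: lambda f: (f.resource_ip, f.service, hour_of(f.ts)),
    4: lambda f: (RESOURCE_GROUP[f.resource_ip], f.service, hour_of(f.ts)),
    5: lambda f: (CUSTOMER[RESOURCE_GROUP[f.resource_ip]], f.service, hour_of(f.ts)),
}


def aggregate(flows: Iterable[Flow], level: int) -> Dict[Tuple, Dict[str, int]]:
    """Sum the fixed values per key; levels 2-5 additionally count unique client IPs."""
    key_of = LEVEL_KEYS[level]
    sums = defaultdict(lambda: dict.fromkeys(FIXED, 0))
    clients = defaultdict(set)
    for f in flows:
        k = key_of(f)
        for name in FIXED:
            sums[k][name] += getattr(f, name)
        clients[k].add(f.client_ip)
    rows = {}
    for k, s in sums.items():
        row = dict(s)
        if level > 1:
            row["unique_clients"] = len(clients[k])
        rows[k] = row
    return rows


class AnomalyProfile:
    """Threshold values of one fixed value S, settable per weekday and hour of day."""

    def __init__(self, value_name: str, default: int):
        self.value_name = value_name
        self.default = default
        self.thresholds: Dict[Tuple[int, int], int] = {}  # (weekday, hour) -> S

    def set_threshold(self, weekday: int, hour: int, value: int) -> None:
        self.thresholds[(weekday, hour)] = value

    def threshold_for(self, ts: datetime) -> int:
        return self.thresholds.get((ts.weekday(), ts.hour), self.default)

    def anomalies(self, rows: Dict[Tuple, Dict[str, int]]) -> Dict[Tuple, int]:
        """Keys whose S exceeds the threshold for their hour (the hour is the last key element)."""
        return {k: r[self.value_name] for k, r in rows.items()
                if r[self.value_name] > self.threshold_for(k[-1])}


# Constructed sample: normal daytime traffic plus a night-time SYN burst (Monday 2024-03-04).
DAY = datetime(2024, 3, 4, 10, 15)
NIGHT = datetime(2024, 3, 4, 23, 5)
SAMPLE = [
    Flow("203.0.113.5", "US", "192.0.2.10", "tcp/80", DAY, 1200, 8000, 14, 16, 1),
    Flow("203.0.113.6", "DE", "192.0.2.10", "tcp/80", DAY, 900, 6000, 11, 12, 1),
    Flow("203.0.113.7", "DE", "192.0.2.11", "tcp/80", DAY, 700, 5000, 9, 10, 1),
    Flow("203.0.113.8", "US", "192.0.2.20", "tcp/25", DAY, 300, 400, 6, 6, 1),
] + [
    Flow(f"198.51.100.{i}", "XX", "192.0.2.10", "tcp/80", NIGHT, 180, 0, 3, 0, 3)  # "XX": placeholder country
    for i in range(1, 41)
]


def night_syn_anomalies() -> Dict[Tuple, int]:
    """Level-3 check of SYN-only packets: a loose default and a tight threshold for Monday 23:00."""
    profile = AnomalyProfile("syn_only", default=100)
    profile.set_threshold(NIGHT.weekday(), NIGHT.hour, 50)
    return profile.anomalies(aggregate(SAMPLE, 3))
```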

The present description sets forth the basic inventive concept of the authors, which is not restricted to the hardware devices mentioned above. It should be noted that hardware devices are primarily designed to solve specific problems. Over time and with the development of technology, a task becomes more complicated or evolves, and new tools appear that are able to meet the new requirements. In this sense, these hardware devices should be considered from the point of view of the class of technical problems they solve, and not purely as a technical implementation on a component basis.

1. A system for filtering network traffic to protect a service against network attacks, comprising:
a) a control module, connected with the collectors, cleaning centres and sensors, designed to store statistics of previous network attacks for adjusting the filtering rules for the cleaning centres;
b) the said collectors, connected to the cleaning centres and sensors, designed to prepare filtering rules based on traffic information from the cleaning centres and sensors;
c) the said cleaning centres, designed to filter traffic based on the filtering rules, the cleaning centres being connected to the backbone communication channels via channels with high bandwidth;
d) the said sensors, designed to aggregate traffic information for further transmission to the collectors.

2. The system according to claim 1, in which the service is a web service that provides users with certain services or resources.

3. The system according to claim 1, in which the statistics of previous network attacks include:
a) statistics of the average and peak channel load during a network attack,
b) information on malicious activity on the Internet,
c) the number of bot networks participating in the network attack,
d) the time since the start of the network attack,
e) the duration of the network attack,
f) the geography of the network attack.

4. The system according to claim 1, in which the control unit uses the white and black lists of IP addresses for adjusting the filtering rules.

5. The system according to claim 4, in which the white and black lists of IP addresses are defined on the basis of behavioural criteria that include analysis of:
a) the number of requests and sessions established from a single IP address,
b) the number of requests without confirmation from a single IP address,
c) the number of requests for the same data from a single IP address,
d) the number of connections without any further exchange of information.

6. The system according to claim 1, in which each cleaning centre consists of at least a proxy server for redirecting traffic and a filtering router for filtering traffic.

7. The system according to claim 1, in which the sensors are located in the immediate vicinity of the service.

8. A method of filtering network traffic to protect a service against network attacks, comprising the steps of:
(i) redirecting traffic to the service to the sensors and the cleaning centres;
(ii) processing by the sensors all requests to the service and then aggregating the received information;
(iii) updating the filtering rules on the collectors using the received sensor information;
(iv) adjusting the updated filtering rules using the control module on the basis of the statistics of previous network attacks;
(v) filtering traffic at the cleaning centres using the said filtering rules, the cleaning centres being connected to the backbone communication channels via channels with high bandwidth.

9. The method according to claim 8, in which the service is a web service that provides users with certain services or resources.

10. The method according to claim 8, in which the statistics of previous network attacks include:
a) statistics of the average and peak channel load during a network attack,
b) information on malicious activity on the Internet,
c) the number of bot networks participating in the network attack,
d) the time since the start of the network attack,
e) the duration of the network attack,
f) the geography of the network attack.

11. The method of claim 8 in which the control module uses the white and black lists of IP addresses for adjusting the filtering rules.

12. The method according to claim 10, in which the white and black lists of IP addresses are defined on the basis of behavioural criteria that include analysis of:
a) the number of requests and sessions established from a single IP address,
b) the number of requests without confirmation from a single IP address,
c) the number of requests for the same data from a single IP address,
d) the number of connections without any further exchange of information.

13. The method according to claim 8, in which each cleaning centre consists of at least a proxy server for redirecting traffic and a filtering router for filtering traffic.

14. The method according to claim 9, in which the sensors are located in the immediate vicinity of the service.



 

Same patents:

FIELD: information technology.

SUBSTANCE: according to the disclosed method, a functional module for controlling IPTV service at one's own initiative sends a request for communication session initiation for transmitting broadcast information to the user equipment. After receiving the communication session initiation request, the user equipment determines whether to reproduce the offered information, interacts with a transport functional module, connects with a multicast channel and receives a multicast information stream transmitted by the transport functional module for reproducing said information.

EFFECT: eliminating restrictions on the type of services offered by operators, which will help improve competitiveness of IPTV systems.

12 cl, 8 dwg

FIELD: information technology.

SUBSTANCE: method of transmitting data valid in an access terminal comprises the following steps: maintaining a list of an active set of access nodes; obtaining a temporary single-address key for each access node in the active set; creating a batch key for the active set; encrypting the batch key using the temporary single-address key for any access node from the active set; and sending the encrypted batch key to the corresponding access node using the temporary single-address key for which it was encrypted.

EFFECT: high security.

61 cl, 20 dwg

FIELD: information technology.

SUBSTANCE: local access is granted through one or more nodes (for example, a local access point and/or a local gateway) in a wireless network in order to simplify access to one or more local services. In connection with local access, multiple IP points of presence, associated with different service levels, may be provided for the access point. For example, one point of presence can relate to a local service and the other point of presence can relate to a service in a backbone network. The IP point of presence can be identified for a radio interface packet in order to indicate the end point for the packet.

EFFECT: high efficiency.

29 cl, 27 dwg

FIELD: radio engineering, communication.

SUBSTANCE: method includes performing of system call of data transfer, reading of flow multimedia data from disc space and their recording to user data buffer at server receiving flow multimedia data of data request from user equipment; packing of flow multimedia data saved in user data buffer into transferred packs of real time protocol using flow multimedia data packs, in which title and load are separated.

EFFECT: reduced processor load arising from data copying and system calls.

6 cl, 2 dwg

FIELD: radio engineering, communication.

SUBSTANCE: conditional access system has a host configured to receive an input data stream and deliver the input data stream to a conditional access module, the conditional access module being configured to process the input data stream and provide a corresponding output stream to the host, the host and the conditional access module being configured to contact each other in an authentication protocol upon detection of a code embedded in the output stream.

EFFECT: preventing unauthorised access to information.

12 cl, 3 dwg

FIELD: radio engineering, communication.

SUBSTANCE: initialisation and access control for communication units includes assigning identifiers to sets of units; these identifiers may be used to control access to restricted access units, which provide certain services only to specified sets of units. In certain aspects, initialisation of a unit may include providing a unique identifier for a set of one or more units, such as restricted access points and the access terminals authorised to receive service from those restricted access points. Access control may be provided by the operation of a restricted access point and/or a network unit. In certain aspects, initialisation of a unit includes providing the unit with a preferred roaming list. In certain aspects, the unit may be initialised with a preferred roaming list using a self-initialisation beacon radio signal.

EFFECT: optimised process of access control.

36 cl, 28 dwg

FIELD: radio engineering, communication.

SUBSTANCE: an avionics system is connected to ground infrastructure via at least one communication carrier. The method includes at least one step of receiving, via said at least one communication carrier, service data stored in a memory of the ground infrastructure and relating to faults of at least one functional unit, and a step of repairing said at least one functional unit on the basis of the received service data, the avionics system having established communication with the ground infrastructure in a synchronous communication mode.

EFFECT: reduced servicing costs and improved access to the information needed for aircraft servicing operations.

8 cl, 7 dwg

FIELD: radio engineering, communication.

SUBSTANCE: methods and devices are provided for formatting headers for data packets within a communication frame for use in a wireless communication system. Header formatting includes determining the size of a wireless communication frame and formatting the payloads and their associated headers within the frame according to that size. Such formatting includes placing the headers at the beginning of the frame, ahead of the data packets they correspond to, in order to optimise header processing in the receiver. Formatting may also include formatting the headers according to a first format within the frame when the determined frame size is less than a predetermined size, in order to optimise the header size, and according to a second format within the frame when the data packet size is equal to or greater than the predetermined size.

EFFECT: optimised processing of frames carrying large data packets.

52 cl, 10 dwg

FIELD: radio engineering, communication.

SUBSTANCE: a server in a data processing and storage centre may be configured to provide either a list of hashes or the requested data, depending on whether a cache system supported by a host node is permitted. The cache supported by the host node on the client side may provide data to the client on the basis of the hashes. Hashes may be generated to provide a checksum of the data, which may be used to index the data efficiently.

EFFECT: improved latency and reduced total traffic on a wide area network.

20 cl, 10 dwg

FIELD: physics.

SUBSTANCE: interference detector of moving underwater object has a generator, a radiating antenna device, a signal processing unit which includes first and second receiving channels, having corresponding receiving antenna devices, a corresponding matching device and a filter unit, as well as a subtractor and an adaptive filter, an amplitude detector, a recording device, an information display unit, wherein the signal processing unit additionally includes a frequency tuning channel, which includes a third receiving antenna device, a third matching device, a third filter unit and a unit for calculating and comparing the coherence function.

EFFECT: detecting a moving underwater object in shallow water based on the changing interference pattern in the investigated region.

5 cl, 1 dwg

FIELD: information technology.

SUBSTANCE: a method of protecting computer equipment from information leakage through a compromising emanation channel and noise pickup involves generating a masking signal, wherein N files are created whose content does not need protection; the first part of 0.5N files from the common list is recorded on a first digital medium, and the second part of 0.5N files from the common list is recorded on a second digital medium; then a file randomly selected from the list is read from the first digital medium and recorded on the second digital medium, while simultaneously a file randomly selected from the list is read from the second digital medium and recorded on the first digital medium; the recording and reading of files is repeated over the time period required to mask the message-bearing signal.

EFFECT: easier technical implementation of protecting information in computer equipment from leakage through a compromising emanation channel and noise pickup.

3 cl, 4 dwg

FIELD: information technology.

SUBSTANCE: a configuration is provided wherein usage restrictions of an application are determined in accordance with timestamps. A certificate revocation list (CRL), which records the revocation information of a content owner who provides an application recorded on a disc, is consulted to verify whether the content owner identifier recorded in an application certificate is included in the CRL. If the content owner identifier is included in the CRL, the timestamp stored in a content certificate is compared with the CRL timestamp, and if the content certificate timestamp has date data coinciding with or later than the CRL timestamp, use of the application program is prohibited or restricted. The result is a configuration in which an unrevoked application is not subject to usage restriction and only a revoked application is.

EFFECT: high protection of content from unauthorised reading and usage.

20 cl, 9 dwg

FIELD: radio engineering, communication.

SUBSTANCE: a method of forecasting and preventing security incidents in a computer network is proposed, in which: (a) system events that constitute a security incident, and those that precede it, are detected and collected on a user's computer; (b) on the basis of the system events accumulated on said user's computer and said user's profile loaded from a user profile database, values of user security parameters are determined that characterise at least the information links of this user, the actions of this user and the attributes of this user; (c) decisions for preventing security incidents are determined depending on the values of said user's security parameters; (d) the decisions are applied on the users' computers.

EFFECT: reduced number of security incidents in the computer network.

19 cl, 8 dwg

FIELD: radio engineering, communication.

SUBSTANCE: the system includes an identification unit, a conditional access front-end system unit and a receiving device, in which the identification unit is bidirectionally connected to the receiving device, identifies the receiving device, generates a unique receiver ID and identification information, and records the corresponding information in a database; the conditional access front-end unit is bidirectionally connected to this database, reads the information about the receiver from the database in order to encode the control information for receiver identification, and transmits that information to the receiving device in the relevant addressing mode; the conditional access front-end unit enables the relevant generator of identification information; and the receiving device uses the ID and the identification information to provide secure conditional access to scrambled programmes.

EFFECT: increased security level.

8 cl, 6 dwg

FIELD: information technology.

SUBSTANCE: invention involves checking availability of operating system resources needed for functioning of each antivirus application module. Further, operating parameters of each antivirus application module are changed such that only available resources are fully utilised. Checking availability of resources can be carried out both periodically, at the end of a certain period of time, and depending on certain events on the computer device of the user.

EFFECT: providing an optimum level of antivirus security for the current level of access to operating system resources.

14 cl, 4 dwg

FIELD: information technology.

SUBSTANCE: digital copyright protection device (20) includes a memory region (22) for storing information on the rights object which was transferred from the DRM device (20) to another DRM device, where the rights object contains conditions for accessing the digital multimedia object, and a processor (24) for receiving the rights object, having access to the memory region (22) to verify storage of information on the obtained rights object and to install the obtained rights object on the digital copyright protection device (20), if the information on the obtained rights object is not stored in the memory region (22), or block the obtained rights object if information on the obtained rights object is stored in the memory region (22).

EFFECT: broader capabilities of user management of multimedia content coupled with a high level of security of that digital media content.

23 cl, 4 dwg

FIELD: information technology.

SUBSTANCE: the method comprises the steps of receiving input data that define a descriptor for digital credentials; storing the descriptor; in response to storing the descriptor, automatically sending the user a first notification that the digital credentials are available to the user; receiving, through a first channel, a request to create digital credentials for the user; issuing, over a second channel, a second notification that digital credentials were requested; obtaining approval to create the digital credentials; and creating the digital credentials.

EFFECT: improved accuracy and high reliability of systems for providing digital identification data.

19 cl, 9 dwg

FIELD: information technology.

SUBSTANCE: the device has a data processing unit consisting of a requesting component, which requests a first document containing a first identifier that identifies a second document, and requests access to the second document containing a second identifier that identifies encrypted security data of the second document containing a second key through which an action authorised with respect to the second document by that key is carried out; document detection means, which determine the location of the second document; and a cryptographic component, which uses the first key associated with the first document to obtain the second document, and the second key to execute an action with respect to the second document. Also disclosed are a method for cryptographic management of access to documents, implemented by the device, and a computer-readable medium having computer-executable instructions for implementing the method.

EFFECT: high protection of documents from unauthorised access using encryption.

23 cl, 6 dwg

FIELD: information technology.

SUBSTANCE: disclosed is a device for cryptographic information protection, having three AND elements, read-only memory, four shift registers and two counters with overflow triggers, characterised by that the device is built-in with an additional flip-flop, second ROM, a unit of group AND circuits, a decoder, a unit of OR circuits, a counter with an overflow trigger, an arithmetic logic unit and a self-controlled synchronisation unit, wherein the device for cryptographic information protection consists of series circuits of components and units in form of a first terminal, the self-controlled synchronisation unit having two input "Start" and "Stop" external terminals, and a second series circuit of units is formed from the output of the first ROM through a unit of AND circuits.

EFFECT: high level of cryptographic protection, while maintaining high speed of operation of the device hardware.

6 dwg, 6 tbl

FIELD: information technology.

SUBSTANCE: an improved network architecture employs a super-authorised agent having an identification information catalogue for forwarding request authentication tasks to the logic input of the corresponding authorised agent. Authentication tasks can be executed by authorised agents across namespace boundaries if the super-authorised agent so prescribes, resulting in a principal account transition without a change of account ID. In one version of the present invention, the identification information catalogue contains a list linking account identifiers to the corresponding authenticating authorised agents.

EFFECT: high efficiency of authenticating principals in a network environment.

3 cl, 8 dwg

FIELD: information technologies.

SUBSTANCE: the system comprises client devices and a support server comprising a statistics module for tracking and aggregating client statistics in respect of the mentioned content transfer, and a bonus dispatcher, which generates client bonuses for the specified client devices on the basis of the client statistics collected from them. The client devices are configured to transfer content so as to optimally exchange the required elements of content within a peer-to-peer network. The support server collects client statistics, such as the total volume of downloaded content, by monitoring the different client devices. The bonus dispatcher of the support server encourages content transfer between client devices by generating client bonuses for client devices on the basis of the previously established client statistics collected from those client devices.

EFFECT: reduced load at a client device when transferring content and simplified transfer of content.

13 cl, 13 dwg
