Bezopasnostʹ Informacionnyh Tehnologij
Distributed system of collecting, processing and analysis of security information events of the enterprise network infrastructure
Evgeny A. Basinya [1]
[1] Novosibirsk State Technical University, Research Institute of Information and Communications Technologies
Keywords: IDS, IPS, SIEM, security information events analysis, user and network activity monitoring
DOI: 10.26583/bit.2018.4.04
Source: DOAJ
Abstract
The majority of the network infrastructures of government agencies and private enterprises operate on the basis of the TCP/IP protocol stack, which has significant vulnerabilities. For illustrative purposes, it is worth mentioning the lack of verification of the authenticity of the interacting party in the basic protocols and technologies of this stack. Some of the TCP/IP stack vulnerabilities can be eliminated by the intelligent functions of managed network devices: from access profiling to traffic segmentation. Complex firewalls, which include intrusion detection and prevention systems, are also an important element of network protection. Signature, heuristic, behavioral, self-similarity, predictive and other approaches to analyzing network traffic and identifying network threats continue to be developed by Russian and foreign scientists. However, the proposed solutions do not give an unambiguous result when overlay technologies and cryptographic protocols are in use. In addition, insufficient attention is paid to processing and analyzing network traffic together with the logs of Windows/Linux operating systems and applications. The aim of this work was the research, development and software implementation of a distributed system for collecting, processing and analyzing security information events of an enterprise network infrastructure. The key task was to ensure objective monitoring of network information security. An additional task was to ensure monitoring of the activity of users of personal computers running Windows and Linux operating systems. To address this challenge, a concept for complex processing of computer network traffic and security information events on both the server and the client side was developed.
An original signature and statistical method of compiling the knowledge base of the system, by testing and simulating known network and local attacks while tracking the response of operating systems and applications in a virtualization environment, is presented. The approach to automated analysis of correlated events using deep packet inspection (DPI) and monitoring of users' local activity is described. The presented solution was successfully tested and used as one of the modules providing network information security in the system for intelligent adaptive enterprise network infrastructure management designed by the author.
License: Unknown