General principles of daemon unit synthesis and basic functions of the behavioral profile compilation algorithm of network users
The use of multifunctional daemon processes to solve the automation of complex and repetitive processes in modern information and communication systems. Stages of their creation to automate the synthesis of behavioral signatures of network users.
Category | Communications, telecommunications, digital devices and radio electronics |
Type | article |
Language | English |
Date added | 25.06.2024 |
File size | 252.6 K |
Posted on http://www.allbest.ru/
General principles of daemon unit synthesis and basic functions of the behavioral profile compilation algorithm of network users
Azarov Serhii Igorevich Master of the Faculty of Computer Sciences (specialty 125 - Cyber security), V. N. Karazin Kharkiv National University, Kharkiv
Malakhov Serhii Vitalyovich Candidate of Technical Science, Senior researcher, Associate Professor of the Faculty of Computer Sciences, V. N. Karazin Kharkiv National University, Kharkiv
Melkozerova Olha Mikhailovna Candidate of Technical Science, Associate Professor, Associate Professor of the Faculty of Computer Sciences, V. N. Karazin Kharkiv National University, Kharkiv
Abstract
The paper considers the peculiarities of using daemon processes to automate complex and repetitive processes in modern information and communication systems (ICSs). The proposed terminological clarifications create the necessary basis for considering the synthesis and subsequent use of specialized software shells, process daemons. Their use provides emulation (virtual reproduction) of the required processes and elements of the network infrastructure of modern ICSs with the required properties. Attention is focused on the existence of simple (monofunctional) and complex (multifunctional) blocks that form the corresponding categories of daemon processes: daemons and, accordingly, daemon units. Some peculiarities of creating multifunctional daemon units for automating the synthesis of behavioral signatures of network users are considered. Attention is drawn to the possibility of reproducing the required behavioral profiles for certain categories of network users or other elements of the network infrastructure. It is emphasized that the procedures for monitoring, extracting and summarizing data on the network activity of users of modern ICSs form the initial data pool for the further synthesis of specialized algorithms for compiling single or group "daemon units" with specified behavioral properties. It is noted that the adequacy of the emulating kernel of the daemon process depends on the degree of uncertainty in the composition and timing of user data accumulation, even at the level of synthesizing single daemon units. At the same time, the transition to cluster processing of daemon units, or an attempt to fully automate the synthesis of single daemon units, is a task that is difficult to formalize.
Within the framework of administering group formations of "daemon units", the most uncertain issues include: 1 - delegation of powers to autonomize certain functions for the generation and further management of cluster daemon units; 2 - the substantiveness of control over the interfaces of group interaction of daemon units within the ecosystems they form (daemon unit bot farms). It is argued that the complexity of implementing such processes depends directly on the adequacy and completeness of the extraction of personalized information and network telemetry data for each category of reproduced daemon units. The work is part of a modeling cycle within the development of the general concept of a prototype algorithm for the automated emulation of the network behavior of single daemon units with specified parameters of their behavioral profiles.
Keywords: Behavioral Profile, Network Users, Daemon Process, Daemon Unit, Bot Farm, Compilation, Synthesis.
Problem statement
In modern information and communication systems (ICSs), one of the most important aspects of countering cyber threats is ensuring the continuity of the processes of collecting, processing and summarizing targeted technological information. One of the most effective ways of securing corporate information resources in modern ICSs is continuous analysis of the behavioral characteristics of personnel, with subsequent adaptation of the operating parameters of security tools to the existing behavioral signatures of employees and the elimination of dangerous anomalies in their network activity. Obviously, the sooner information about existing security threats and/or anomalies in network activity is obtained, the better the chances of countering the corresponding threats effectively. However, as practice shows, the vast majority of network users have no means of collecting such information, let alone forwarding it to the relevant departments (security services) for early analysis. One possible way to address this is to use daemon units or daemon processes. It therefore makes sense to define the conceptual apparatus for interpreting these terms within the issues under consideration [1].
Block is a set of configuration parameters and commands that define the functional essence of individual long-running processes (hereinafter referred to as daemons) executed within a certain conditional system. Examples of such configuration parameters and commands: the command to start the process, dependency parameters, startup order, etc. Blocks make it possible to configure and manage long-running processes (daemons) through the systemd init system.
Daemon is a type of block that represents mono-functional background processes providing necessary services to the underlying system and/or other processes. Background daemons are far older than systemd (the term dates from early Unix), but the systemd project's effort [2] to modernize and simplify Linux system management gave them a uniform unit-based description and life-cycle model, and that model has since become the accepted standard for managing system services in Linux distributions that use systemd.
Unit is a text file that describes a specific system resource or process (service, mount point, timer, etc.) that systemd can manage.
Daemon unit is a type of unit that reproduces multifunctional background processes that provide necessary services to the underlying system and/or other processes. In the context of generating behavioral profiles of users' network activity, the term "daemon unit" should be considered as an integrated unit that combines procedures for collecting, analyzing and reproducing the process of a real user's network activity with the inherent properties of network behavior (or presence).
Module is an independent part of the program code that has a clearly defined functionality and can be used to execute a required number of programs and/or projects.
Self-written module (in the context of this material) refers to the practice of using a separately developed, tested and subsequently integrated component to perform functions that are not sufficiently implemented in third-party modules, or not implemented at all.
Stage is a designation of a separate phase or part of the overall process of developing the product's program code (in the context of this work, a single daemon unit).
Process is a container for software that holds all the resources needed to execute the corresponding program, such as memory, files and system resources.
It should be emphasized that the process of compiling and updating the properties of single "daemon units" has several fundamental aspects, namely:
Customization - by specifying the behavioral properties of the created daemon, the network administrator (and/or an information security specialist) can modify the behavior of a virtual network user (i.e., a daemon unit) in accordance with the specific tasks and/or needs of the organization.
Security - compiling a daemon with specified behavioral properties helps to improve network security (for example, by automating processes and relieving staff of unnecessary workload). By varying the powers of the daemon unit, one can reduce the risk of undeclared actions and/or unauthorized access to protected resources, or, conversely, recreate the illusion of a network presence with specified activity parameters [3].
Troubleshooting - the ability to compile a separate module with specified behavioral properties can help the administrator troubleshoot a network collision. By examining the configuration of the daemon unit, the administrator can identify misconfigured or conflicting parameters that may be causing the problem.
Analysis of the recent research. The proposed terminological clarifications create the necessary basis for further consideration of the synthesis and use of specialized virtualized (VR) shells that reproduce the required processes and elements of the network infrastructure of modern ICSs. It is important to realize that, owing to the steady growth in the number of devices of various types connected to the Internet and the development of cloud infrastructures, network activity is becoming increasingly complex and diverse (e.g., the spread of IoT). Understanding the respective network ecosystems and the nature of interaction between their individual structural elements is important not only for improving their efficiency, but also for solving security problems (of both information resources and processes). In this context, analyzing the peculiarities of network activity (including the behavior of network users) is a key aspect of developing systems for emulating network communities. An example of such VR communities is the creation of so-called "bot farms" and/or "bot ecosystems" with specified properties, oriented to reproduce very different functional tasks.
The purpose of the article is to briefly consider the main functions of the algorithm for compiling a single behavioral profile of network users. Solving the tasks of this stage is a foundation for the further synthesis of specialized algorithms for compiling group "daemon units" with specified behavioral properties, which in turn is the initial stage for solving more complex tasks within the synthesis of the required VR ecosystems.
Summary of the main material. To date, there are many techniques and methods for monitoring network activity, but many of them have difficulty detecting and then interpreting complex patterns of network user behavior. Obviously, the degree of uncertainty of the extracted user patterns affects the result (i.e., the adequacy) of the emulating kernel, even at the level of synthesizing single daemon units. At the same time, switching to group processing, or attempting to fully automate the synthesis of a single daemon unit, becomes a task that is difficult to formalize. The complexity of such a task is directly related to the adequacy and completeness of the extracted network data (for example, the collection of information about smartphone parameters and the applications installed on them, which is enabled by default in the Google software settings on Android: Settings - Google - Services and further settings).
Existing technologies do not always take into account the full range of possible scenarios, which indicates the need for further research and the implementation of innovative solutions in this area. That is why this paper focuses on the peculiarities of extracting the necessary data, which makes it possible to form the starting conditions for developing an algorithm for compiling a single daemon unit with a corresponding test set of behavioral characteristics.
Known analogies and basic principles of daemon unit synthesis (on the example of a daemon unit for emulating network activity for single users)
Here are some theses that emphasize the importance of synthesizing and further using daemon units of multifunctional processes:
1. Automation of background tasks - daemons are usually used to perform automated background tasks without user (staff) intervention. They provide tasks such as system maintenance, network monitoring, data backup and/or recovery, etc.
2. Resource management - daemons help administer system resources by controlling and monitoring their use. They can limit the CPU, memory and disk space available to a given process, thereby preventing it from consuming so many resources that the efficiency of the system as a whole drops.
3. Ensuring system stability and reliability - daemons help to improve system performance by monitoring it and taking appropriate action when problems arise. For example, a daemon can restart a crashed service/process to prevent unwanted downtime of the system or application.
4. Improving security settings - the use of daemons automates the processes of monitoring network traffic, detecting and blocking suspicious activity and/or behavioral collisions. In this sense, they can perform tasks such as virus scanning and intrusion detection to protect the system from malware and other security threats.
Here are some well-known examples of using daemons as the main component of another, common process (service).
1. Unix-like operating systems. Unix-like operating systems (OS), including Linux and macOS, rely heavily on the use of process daemons [1]:
systemd is a system and service manager used in many Linux distributions. It initializes and manages system services (including other daemons) in a simpler and more efficient way;
cron is a task scheduler based on Unix-like operating systems. It allows users to schedule automatic execution of tasks or scripts at certain intervals;
OpenSSH is an implementation of the Secure Shell (SSH) protocol, including a daemon called sshd. It provides secure remote access and file transfer capabilities.
2. Web servers - Web servers often use daemons to process incoming requests and serve web content, e.g. [4]:
Apache HTTP Server is a popular open source web server. It uses daemon processes to process incoming client requests and serve web pages.
3. Database systems use daemons to process client connections, manage data storage, and perform background tasks [5]:
MySQL and MariaDB are widely used relational database management systems. They use daemon processes to process client connections and execute queries.
PostgreSQL - another popular open source relational database management system. It uses a daemon process called postmaster to handle client connections and manage the database.
4. Messaging systems use daemons to facilitate communication between clients and handle message delivery. For example [6]:
RabbitMQ is a widely used open source message broker. It relies on daemon processes to receive, route, and deliver messages between applications.
Apache Kafka is a distributed streaming platform. It uses daemon processes - so-called brokers - to store and distribute messages.
Summarizing all of the above and keeping in mind the main goal of the general direction of research (i.e., compiling behavioral profiles of single network users), it should be emphasized that daemon units with the desired properties should be synthesized in compliance with several general principles, namely:
Gradualism. When creating a daemon unit, the component modules are developed one at a time: development of the next module begins only after the previous one has been successfully tested. Under this principle, the common resource should function regardless of the current set of existing modules.
Independence. Each module (or stage in the structure of a common daemon) can easily be replaced or removed without affecting the operation of the daemon unit as a whole, i.e. the resource keeps functioning.
Variability is an obvious consequence of the previous principle: each stage/module in the structure of the general daemon can easily be replaced or updated, since not every release remains relevant after some time.
Let us consider the main technologies that can be used (or replaced by self-written modules) on the example of creating a daemon for reproducing the network activity of users. The process of synthesizing this daemon can be divided into several stages:
Stage 1 - creation of a daemon unit shell that administers all the component processes;
Stage 2 - accumulation and storage of traffic data;
Stage 3 - traffic analysis and signature generation;
Stage 4 - implementation of traffic restrictions based on the received behavioral signatures of the network activity of a real user (or resource);
Stage 5 - protection of behavioral signatures and traffic data.
Stage 1 - "The shell of the daemon unit".
systemd - a popular init system used in many Linux distributions. It provides a simple and powerful way to manage system services, including daemons. The services themselves are declared in unit files; the "systemctl" command is used to start, stop, inspect and enable those units [2].
Upstart - another init system, formerly used in some Linux distributions (Ubuntu used it before adopting systemd). It provides a service management framework similar to systemd and can still be used to create and administer daemons on systems that ship it.
SysVinit - an "old" init system used in many early releases of Linux distributions. It uses a series of shell scripts in the /etc/init.d directory to manage system services. Although SysV init is less common today, it can still be used to create and manage daemons on some systems.
launchd - the daemon management system used in macOS and some other Unix-based systems. It provides a simple and flexible way to manage system services, including daemons, and uses XML property list files to define services and their associated properties.
Supervisor - a process management system used to administer processes on Unix-based systems. It provides a simple and powerful way to manage long-running processes (including daemons). It uses configuration files in the /etc/supervisor/conf.d directory to define processes and their associated properties.
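As an added example (not from the paper), the Stage 1 shell expressed as a systemd service unit. Beyond starting the shell and restarting it on failure, the unit applies the least-privilege and resource-management properties listed earlier in this section: the process runs as an unprivileged account, keeps only the CAP_NET_RAW capability it needs for packet capture, is confined to one writable state directory for captured traffic and signatures, and is capped in memory and CPU. The unit name, the account, the binary path, the config path and the state directory are assumptions chosen for the example.

```ini
# /etc/systemd/system/daemon-unit.service   (hypothetical unit; added example)
[Unit]
Description=Daemon unit shell: supervises capture, analysis and emulation modules
Documentation=man:systemd.exec(5) man:systemd.resource-control(5)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Binary, config path and account are assumptions for this example.
ExecStart=/opt/daemon-unit/bin/shell --config /etc/daemon-unit/shell.toml
Restart=on-failure
RestartSec=5s

# Least privilege: unprivileged account; the only capability the capture
# module needs is CAP_NET_RAW; NoNewPrivileges stops any child from regaining
# privileges through setuid binaries.
User=daemon-unit
Group=daemon-unit
AmbientCapabilities=CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_RAW
NoNewPrivileges=true

# Filesystem sandbox: read-only system tree, private /tmp, and exactly one
# writable directory (/var/lib/daemon-unit) for traffic data and signatures,
# created with mode 0700 so other local users cannot read the telemetry.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
StateDirectory=daemon-unit
StateDirectoryMode=0700

# Kernel-surface and address-family restrictions; AF_PACKET is required for
# raw capture, AF_UNIX for the control socket, the rest stays blocked.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_PACKET
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

# Resource management (thesis 2 above): bound what one daemon unit can consume.
MemoryMax=512M
CPUQuota=50%
TasksMax=64

[Install]
WantedBy=multi-user.target
```

After installing the file, `systemctl daemon-reload && systemctl enable --now daemon-unit.service` starts it, and `systemd-analyze security daemon-unit.service` reports which hardening directives are still missing; a shell that spawns the later-stage tools as children inherits all of these restrictions, so any extra privilege a module needs must be granted here explicitly rather than by running the whole unit as root.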
The 2nd and 3rd stages - "Traffic accumulation and analysis".
tcpdump is a command-line tool [7] used to capture and analyze network traffic. It can capture traffic on a specific network interface and write the captured packets to a file for further analysis.
Wireshark is a network protocol analyzer that can capture and display network traffic in real time. It supports a wide range of protocols and can analyze traffic from multiple network interfaces.
tshark is a command-line tool that is part of the Wireshark package [8]. It captures and analyzes network traffic in the same way as tcpdump, but provides more advanced filtering and analysis options.
Suricata is an open source intrusion detection and prevention system (IDS/IPS) that can capture and analyze network traffic in real time [9]. It contains a powerful rule engine that can detect and block malicious or anomalous traffic.
Snort is an open source IDS/IPS that can capture and analyze network traffic in real time [10]. It contains a powerful rule engine that can detect and block malicious traffic.
Zeek is an open source network analysis framework that can capture and analyze network traffic in real time. It contains a powerful scripting language that can be used to customize analysis and reporting [11].
Stage 4 - ”Behavioral restrictions”.
Firewall - controls incoming and outgoing network traffic based on defined rules. It blocks unwanted traffic from specific MAC and/or IP addresses, ports and applications, based on the analysis of network traffic in a specific network segment [12].
IPS - monitors network traffic for signs of malicious (undeclared) activity. When such activity is detected, it automatically blocks it and stops the corresponding traffic.
VPN - allows users to access a private network securely over the Internet. A VPN can be configured to restrict user access based on traffic analysis, for example by blocking access to certain websites or services [12].
WAF (Web Application Firewall) is a security system designed to protect web applications, including against attacks such as SQL injection and cross-site scripting. A WAF can be configured to block access to web applications based on network traffic analysis [13].
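Stage 4 is where the signature stops being a report and becomes policy. The following added example (written for this page, not the paper's own code) shows one way to enforce a compiled signature: an in-process check applied to each new connection of the profiled user (active hours, expected resolvers, expected destination ports, and a sliding-window cap on the rate of connection initiation), and the same signature rendered as an nftables ruleset for the firewall of Stage 4. The `Signature` fields, the addresses and the sequence of connection attempts are constructed assumptions; real values come from the analysis stage.

```python
"""Stage 4 worked example, added here and not taken from the paper: a user's
compiled behavioral signature enforced as traffic restrictions, on-line (one
check per new connection) and off-line (the same signature rendered as an
nftables ruleset). The Signature fields, the IP addresses and the events are
constructed assumptions, not the paper's format."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Signature:
    user: str
    source_ip: str
    active_hours: set           # hours of day present in the user's profile
    dest_ports: set             # TCP destination ports the user's traffic normally uses
    dns_servers: set            # resolvers the user's devices normally query
    max_new_conn_per_min: int   # observed peak rate of connection initiations


@dataclass
class Enforcer:
    sig: Signature
    _recent: deque = field(default_factory=deque)   # timestamps of allowed initiations

    def check(self, ts, dst_ip, dst_port, proto):
        """Return (allowed, reason) for one new outbound connection of this user."""
        if ts.hour not in self.sig.active_hours:
            return False, f"hour {ts.hour:02d} is outside the active-hours profile"
        if proto == "udp" and dst_port == 53:
            if dst_ip not in self.sig.dns_servers:
                return False, f"DNS query to non-profile resolver {dst_ip}"
        elif dst_port not in self.sig.dest_ports:
            return False, f"{proto}/{dst_port} is not in the port profile"
        # Sliding one-minute window over the initiations already allowed.
        while self._recent and ts - self._recent[0] > timedelta(minutes=1):
            self._recent.popleft()
        if len(self._recent) >= self.sig.max_new_conn_per_min:
            return False, "initiation rate above the profile maximum"
        self._recent.append(ts)
        return True, "within profile"


def to_nftables(sig):
    """Render the signature as an nftables ruleset on the host's output hook.

    Active hours become one contiguous 'meta hour' range, so a profile with
    several disjoint activity windows needs one accept rule per window."""
    first, last = min(sig.active_hours), max(sig.active_hours)
    ports = ", ".join(str(p) for p in sorted(sig.dest_ports))
    dns = ", ".join(sorted(sig.dns_servers))
    return "\n".join([
        "table inet behav_profile {",
        f"  set dns_{sig.user} {{ type ipv4_addr; elements = {{ {dns} }} }}",
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        f"    ip saddr {sig.source_ip} udp dport 53 ip daddr @dns_{sig.user} accept",
        f"    ip saddr {sig.source_ip} udp dport 53 drop",
        f"    ip saddr {sig.source_ip} tcp dport {{ {ports} }} ct state new "
        f'meta hour "{first:02d}:00"-"{last:02d}:59" '
        f"limit rate {sig.max_new_conn_per_min}/minute accept",
        f"    ip saddr {sig.source_ip} ct state new drop",
        "  }",
        "}",
    ])


# Constructed signature for one user (private and RFC 5737 documentation addresses).
ALICE = Signature(user="alice", source_ip="10.0.1.25",
                  active_hours=set(range(8, 19)), dest_ports={80, 443, 993},
                  dns_servers={"10.0.0.53"}, max_new_conn_per_min=3)


def demo():
    """Run a constructed sequence of connection attempts through the enforcer."""
    e = Enforcer(ALICE)
    t0 = datetime(2024, 6, 25, 10, 0, 0)
    events = [
        (t0, "10.0.0.53", 53, "udp"),                                   # profile resolver
        (t0 + timedelta(seconds=5), "8.8.8.8", 53, "udp"),              # foreign resolver
        (t0 + timedelta(seconds=10), "203.0.113.10", 443, "tcp"),
        (t0 + timedelta(seconds=12), "203.0.113.10", 443, "tcp"),
        (t0 + timedelta(seconds=14), "203.0.113.10", 443, "tcp"),       # 4th initiation in a minute
        (t0 + timedelta(seconds=20), "203.0.113.10", 22, "tcp"),        # port not in profile
        (datetime(2024, 6, 25, 3, 0, 0), "203.0.113.10", 443, "tcp"),   # 03:00, outside hours
    ]
    return [e.check(*ev) for ev in events]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
    print(to_nftables(ALICE))
```

Two caveats a practitioner should keep in mind. The in-process check denies the fourth initiation in a minute but lets the existing connections continue, which is deliberate: a behavioral limit should throttle new activity, not tear down established sessions. And the generated ruleset drops all other new connections from that source address, so it must be loaded only once the profile is known to be complete; a profile compiled from too short an observation window (the uncertainty problem discussed above) turns straight into self-inflicted denial of service.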
Stage 5 - "Behavioral signature data protection” [14].
Full Disk Encryption (FDE) is a technology that encrypts the entire storage of a device (computer or mobile device), making the information inaccessible without the appropriate encryption key.
Self-Encrypting Drives (SEDs) - drives with built-in encryption capabilities. They encrypt in hardware by default and can be configured to require a password or another authentication mechanism before the data can be accessed. Examples of SEDs include the Samsung T7 Touch Portable SSD and the Kingston IronKey D300.
Encrypted file systems - file systems that encrypt data at the file level. They provide an additional layer of protection for information stored on the disk.
Virtual Disk Encryption is a technology that creates an encrypted container on the main storage device and mounts it as a virtual disk. To a legitimate user it looks like an ordinary disk, but everything stored on it is encrypted.
Hardware security modules (HSMs) are physical devices that provide cryptographic protection of data. They store encryption keys and perform cryptographic operations, such as encryption and decryption, without revealing the keys to the host device (computer or mobile device).
Tasks of the main elements of the algorithm for automated compilation of a single "daemon unit” (variant)
To solve the above tasks, it is necessary to determine the general structure and clarify the main functions of the constituent elements of the algorithm for automated compilation of behavioral signatures of network users [3]. Let us therefore briefly consider the main elements of the corresponding algorithm.
The "parametric programmer" module - regulates the required properties of network behavior for certain categories of objects (users or nodes). Before the signature compilation process starts, it is important to determine the list and content of the required behavioral properties [3] for the daemon unit being created. First of all, this concerns the type and amount of data to be collected, the duration and cyclicity of observation sessions, the "points" of information collection, and the methods of data analysis and visualization.
Data extraction module - responsible for extracting and collecting the necessary data for certain categories of network objects. This module is necessary for real-time data collection. It should be configured to accumulate previously defined types of information based on the observed (or desired) behavioral properties of network users. One of the challenges in developing this module is the difficulty of collecting data from different types of networks and devices. Given the variety of potential implementations, this module may need to be updated and/or modified to support new types of network architectures, operating systems, and hardware. It should also be borne in mind that problems may arise due to redundancy of output data (data traffic and process telemetry information). This can lead to difficulties with data processing performance, which requires adaptive correction of the current parameters of its operation.
Data analysis module - provides analysis of the accumulated data and identifies the necessary patterns and actual trends in the observed processes. This module should process autonomous data clusters (personalized by type/category of users), generate reports and provide convenient selective visualization of events to control the main parameters of the behavioral profile of target users [3]. The data analysis module may encounter problems in identifying patterns and trends due to poor formalization and/or uncertainty of certain criteria for the collected data. Also, there may be some difficulties with the accuracy of the source data, which may lead to inaccurate predictive assessments of the observed processes. In addition, it may be necessary to update or change the existing settings of this module to support new data types for each of the objects (resources) under observation.
Behavioral modeling module - responsible for forming the main operating parameters of the daemon unit created for the target user (or resource), based on a generalization of the previously obtained information. This module should take the necessary data from the "data analysis" module and synthesize the program settings that reproduce the desired scenario field of the target category of daemon units. It is the most difficult module to implement: on the one hand, because correct reproduction of behavior matters, and on the other, because a graphical shell is needed to control the parameters of the automated compilation of the executive part of single daemon units. This module may have difficulty reproducing the characteristic behavioral profiles of users accurately, precisely because the network footprints of real users are hard to formalize. Network administrators, remote users, resource visitors (guests), internal users, service accounts, etc. are potentially different behavioral patterns that need to be structured. In this sense, there may be problems with the accuracy of predictions about the parametric structure of users, which may lead to erroneous (atypical) actions by the created daemon unit. In general, this module should give the administrator the ability to control behavioral profiles and correct the operation of the "parametric programmer" and "data extraction" modules. It may need to be updated to introduce new behavioral properties and extend the daemon unit profile settings to take into account new network telemetry data (for certain categories of network infrastructure elements) and the emergence of new security threats [3,15].
Integration module - once all the other modules are developed, they need to be integrated into a single complex. This integration should guarantee the continuous operation of the algorithm for automated compilation of the behavioral profile (daemon unit) and uninterrupted communication (data traffic) between the individual modules. The integration module may face difficulties in getting the different modules to interact smoothly.
Data protection module - protects the data obtained by the data extraction and collection module (in practice, the storage of the original behavioral telemetry log files). It should prevent attempts to leak the collected information. If it cannot fulfil its functions, this module should notify the process administrator and "suggest" steps to resolve the situation. This module should be considered one of the main ones, as it accumulates sensitive (personalized) information about the network activity of real groups of network users (resources).
Configuration module - provides configuration and storage of the user profile for the process administrator. It reproduces the necessary properties of the graphical interface and of network interaction when a remote management console is used.
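The data protection module and the Stage 5 mechanisms above protect the telemetry store as a whole; the example below (added here, not the paper's code) adds the two controls that belong inside the module itself, because they must hold even if disk encryption is bypassed by someone who can read the mounted volume: direct identifiers (user name, MAC address, SSID) are replaced by keyed pseudonyms before the records are written, and the written log carries an HMAC trailer so that silent modification is detected when it is read back. The record layout, the sample records and the in-script key are constructed assumptions; in a deployment the key would be held by an HSM or the OS keyring, as the Stage 5 list already suggests.

```python
"""Stage 5 / data-protection module, added example (not from the paper):
keyed pseudonymization of personal identifiers in telemetry records and an
HMAC over the stored log so that tampering is detected. Record layout, key
handling and the sample records are constructed assumptions; a deployment
would keep the key in an HSM or OS keyring, never in the script."""
import hashlib
import hmac
import json
import secrets

DIRECT_IDENTIFIERS = ("user", "mac", "ssid")   # fields that identify a person or device

SAMPLE = [  # constructed telemetry, not real data
    {"ts": "2024-06-25T08:02:11", "user": "alice", "mac": "3c:22:fb:aa:10:01",
     "ssid": "corp-floor3", "event": "dns", "resolver": "10.0.0.53"},
    {"ts": "2024-06-25T08:03:40", "user": "alice", "mac": "3c:22:fb:aa:10:01",
     "ssid": "corp-floor3", "event": "conn", "dport": 443, "bytes": 18230},
]


def pseudonymize(record, key):
    """Replace direct identifiers with keyed hashes; keep every other field.

    HMAC rather than plain SHA-256: usernames and MAC addresses are guessable,
    so an unkeyed hash could be reversed by enumeration. The field name is
    mixed in so the same string in two fields gets two different pseudonyms."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            tag = hmac.new(key, f"{name}:{out[name]}".encode(), hashlib.sha256)
            out[name] = tag.hexdigest()[:16]
    return out


def seal(records, key):
    """Serialize records as JSON lines and append an HMAC trailer line."""
    body = "".join(json.dumps(r, sort_keys=True) + "\n" for r in records).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + f"#mac {mac}\n".encode()


def open_sealed(blob, key):
    """Verify the trailer before parsing anything; raise on any modification."""
    body, sep, trailer = blob.rpartition(b"#mac ")
    if not sep:
        raise ValueError("telemetry log has no integrity trailer")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, trailer.strip().decode()):
        raise ValueError("telemetry log failed integrity check")
    return [json.loads(line) for line in body.decode().splitlines() if line]


def demo(key=None):
    """Round-trip the sample, then show that a one-byte edit is caught."""
    key = key or secrets.token_bytes(32)
    sealed = seal([pseudonymize(r, key) for r in SAMPLE], key)
    restored = open_sealed(sealed, key)
    tampered = sealed.replace(b"18230", b"18231")   # edit the byte count in place
    try:
        open_sealed(tampered, key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return restored, tamper_detected


if __name__ == "__main__":
    records, detected = demo()
    print(json.dumps(records, indent=1))
    print("tamper detected:", detected)
```

The pseudonyms are stable under one key, so the analysis module can still group records per user and count distinct devices without ever seeing the identifiers; rotating the key breaks that linkage deliberately, which is the right default when an observation campaign ends. An HMAC trailer detects modification but not truncation-and-reseal by someone who holds the key, so the key must be restricted to the data protection module, not shared with the analysis or modeling modules.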
A simplified structure of the prototype algorithm for automated synthesis of a single daemon unit is shown in Fig. 1.
Stage 1 - the configuration modules and the parametric programmer are used, and the entire algorithm is configured.
Stage 2 - the data extraction and protection modules are used to accumulate and protect user information.
Stage 3 - the data analysis module is used. The necessary information is separated (filtered) and the obtained data is simplified.
Stage 4 - the behavioral modeling module is used. This is the most difficult stage in which a user avatar is created with the previously obtained (accumulated) parameters.
Stage 5 - the integration module is used. At this stage, all the previously obtained data is combined into a single program (daemon unit profile).
Fig. 1 Simplified structure of the algorithm
As mentioned above, due to the large amount of information to be analyzed, it is extremely important to correctly define the list of parameters to be extracted in the data extraction module. Therefore, two groups of parameters should be identified in advance: typical and atypical.
Typical parameters are parameters that are widely used in other similar units/programs/processes. As an example, they include:
- device geolocation parameters;
- parameters of the DNS service used;
- SSID (Service Set Identifier) identifiers of characteristic Wi-Fi access points;
- number of IP changes for a certain period of time;
- timing of incoming/outgoing traffic for "active" applications;
- average size of stored files;
- cloud memory usage parameters;
- frequency of network communications initiation;
- weekly and daily distribution of network operation time by type of online services and services;
- browser(s) used;
- history of obtaining network session identifiers as evidence of online sessions;
- characteristic composition and sequence of search queries (network history);
- time spent on typical Internet resources.
Atypical parameters - parameters that are not used at all when collecting information by other daemons or are used only partially:
- type of text layout with a switching chronology;
- screen resolution;
- mouse and/or touch screen sensitivity settings;
- time zone-based time service settings;
- average speed of typing characters;
- average pause between entering individual characters when using the character input mode, etc.
It should be noted that in the data analysis module (#3 in Fig. 1), atypical parameters will have a higher priority, due to the importance of obtaining user-specific (targeted) settings for the system under observation (reproduction).
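As an added example (not the paper's code), the following Python sketch walks stages 3 to 5 of Fig. 1 over constructed telemetry: it separates the typical and atypical parameter groups listed above, simplifies each one, ranks atypical parameters higher as the data analysis module requires, and folds the result into one daemon-unit profile. The key names, priorities and telemetry records are assumptions of this example.

```python
from collections import Counter
from statistics import mean

# Parameter groups follow the paper's split; the key names are this example's assumptions.
TYPICAL = {"dns_server", "ssid", "browser", "ip_changes_per_day"}
ATYPICAL = {"keyboard_layout", "screen_resolution", "timezone", "typing_cps", "inter_key_pause_ms"}
ATYPICAL_PRIORITY, TYPICAL_PRIORITY = 2, 1   # atypical parameters rank higher (stage 3)

# Constructed telemetry: one record per observation window, as the extraction module might emit.
# "raw_packets" is an extraction-only field that the analysis stage should drop.
TELEMETRY = [
    {"dns_server": "1.1.1.1", "ssid": "home-net", "browser": "firefox", "ip_changes_per_day": 1,
     "keyboard_layout": "en/uk", "screen_resolution": "1920x1080", "timezone": "UTC+2",
     "typing_cps": 5.2, "inter_key_pause_ms": 180, "raw_packets": 48211},
    {"dns_server": "1.1.1.1", "ssid": "home-net", "browser": "firefox", "ip_changes_per_day": 2,
     "keyboard_layout": "en/uk", "screen_resolution": "1920x1080", "timezone": "UTC+2",
     "typing_cps": 4.8, "inter_key_pause_ms": 200, "raw_packets": 51002},
    {"dns_server": "8.8.8.8", "ssid": "office-net", "browser": "chrome", "ip_changes_per_day": 0,
     "keyboard_layout": "en/uk", "screen_resolution": "1920x1080", "timezone": "UTC+2",
     "typing_cps": 5.0, "inter_key_pause_ms": 190, "raw_packets": 7730},
]

def analyze(records):
    """Stage 3: keep only the two parameter groups and simplify each one,
    numeric values to their mean, categorical values to the most frequent one."""
    summary = {}
    for key in TYPICAL | ATYPICAL:
        values = [r[key] for r in records if key in r]
        if not values:
            continue          # parameter never observed: leave it out of the profile
        if all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in values):
            summary[key] = round(mean(values), 2)
        else:
            summary[key] = Counter(values).most_common(1)[0][0]
    return summary

def compile_daemon_unit(records):
    """Stages 4-5: attach the paper's priority to every parameter and order the
    profile so the avatar is reproduced from the targeted (atypical) settings first."""
    profile = {}
    for key, value in analyze(records).items():
        priority = ATYPICAL_PRIORITY if key in ATYPICAL else TYPICAL_PRIORITY
        profile[key] = {"value": value, "priority": priority}
    return dict(sorted(profile.items(), key=lambda kv: (-kv[1]["priority"], kv[0])))

if __name__ == "__main__":
    for key, entry in compile_daemon_unit(TELEMETRY).items():
        print(f"{entry['priority']}  {key:20} {entry['value']}")
```

The integration step (stage 5) is reduced here to ordering the profile by priority; a real integration module would also have to serialize it for the emulating kernel and keep it under the protection module's control.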
Conclusion
1. The general principles of using multifunctional daemon processes are considered using the example of an algorithm for analyzing the network activity of users.
2. A simplified structure of the prototype algorithm for compiling a single daemon unit is presented and the content of its main components is determined. For each of the stages of the conditional algorithm, a list of possible analogies of daemon processes is given, which provides for the possibility of replacing "self-written" modules with other open-source components. Examples of known implementations using daemon processes as the main components are given.
3. The characteristic composition of the initial parameters required for compiling personalized behavioral profiles is given and specific difficulties in the implementation of algorithms of this kind are outlined.
4. It is emphasized that the stages of extraction, accumulation and generalization of data on the network activity of users of modern ICSs are the basis for further synthesis of specialized algorithms for compiling single and/or group "daemon units" with specified behavioral properties.
5. It is emphasized that the continuity and selectivity of collecting the necessary information regarding current network events and typical behavioral properties of individual user groups can significantly improve the quality of reproduction of the required behavioral signatures of single daemon units.
6. The integrated implementation of network surveillance tools is a key aspect for the successful solution of tasks at the next stages of creating systems for automatic emulation of network communities with the required level of clustering. This creates the necessary conditions for the further synthesis of specialized security platforms that emulate the necessary processes and elements of integrated network ecosystems with the required level of their autonomy.
7. In solving the problem of administering group formations of "daemon units", the most uncertain issues include: 1 - delegation of powers regarding the degree of autonomy of certain functions for the generation and management of daemon units; 2 - the nature and "depth" of control over the interfaces of intergroup interaction of daemon units within the virtual ecosystems they form.