Biblio

The technology advance and convergence of cyber physical systems, smart sensors, short-range wireless communications, cloud computing, and smartphone apps have driven the proliferation of Internet of things (IoT) devices in smart homes and smart industry. In light of the high heterogeneity of IoT system, the prevalence of system vulnerabilities in IoT devices and applications, and the broad attack surface across the entire IoT protocol stack, a fundamental and urgent research problem of IoT security is how to effectively collect, analyze, extract, model, and visualize the massive network traffic of IoT devices for understanding what is happening to IoT devices. Towards this end, this paper develops and demonstrates an end-to-end system with three key components, i.e., the IoT network traffic monitoring system via programmable home routers, the backend IoT traffic behavior analysis system in the cloud, and the frontend IoT visualization system via smartphone apps, for monitoring, analyzing and virtualizing network traffic behavior of heterogeneous IoT devices in smart homes. The main contributions of this demonstration paper is to present a novel system with an end-to-end process of collecting, analyzing and visualizing IoT network traffic in smart homes.

DDoS attacks are usually accompanied by IP spoofing, but the availability of existing DDoS defense systems for high-speed networks decreases when facing DDoS attacks with IP spoofing. Although IP traceback technologies are proposed to focus on IP spoofing in DDoS attacks, there are problems in practical application such as the need to change existing protocols and extensive infrastructure support. To defend against DDoS attacks under IP spoofing in high-speed networks, we propose a novel DDoS defense system, IM-Shield. IM-Shield uses the address pair consisting of the upper router interface MAC address and the destination IP address for DDoS attack detection. IM-Shield implements fine-grained defense against DDoS attacks under IP spoofing by filtering the address pairs of attack traffic without requiring protocol and infrastructure extensions to be applied on the Internet. Detection experiments using the public dataset show that in a 10Gbps high-speed network, the detection precision of IM-Shield for DDoS attacks under IP spoofing is higher than 99.9%; and defense experiments simulating real-time processing in a 10Gbps high-speed network show that IM-Shield can effectively defend against DDoS attacks under IP spoofing.

Volumetric Distributed Denial of Service attacks forcefully disrupt the availability of online services by congesting network links with arbitrary high-volume traffic. This brute force approach has collateral impact on the upstream network infrastructure, making early attack traffic removal a key objective. To reduce infrastructure load and maintain service availability, we introduce ReCEIF, a topology-independent mitigation strategy for early, rule-based ingress filtering leveraging deep reinforcement learning. ReCEIF utilizes hierarchical heavy hitters to monitor traffic distribution and detect subnets that are sending high-volume traffic. Deep reinforcement learning subsequently serves to refine hierarchical heavy hitters into effective filter rules that can be propagated upstream to discard traffic originating from attacking systems. Evaluating all filter rules requires only a single clock cycle when utilizing fast ternary content-addressable memory, which is commonly available in software defined networks. To outline the effectiveness of our approach, we conduct a comparative evaluation to reinforcement learning-based router throttling.

Global traffic data are proliferating, including in Indonesia. The number of internet users in Indonesia reached 205 million in January 2022. This data means that 73.7% of Indonesia’s population has used the internet. The median internet speed for mobile phones in Indonesia is 15.82 Mbps, while the median internet connection speed for Wi-Fi in Indonesia is 20.13 Mbps. As predicted by many, real-time traffic such as multimedia streaming dominates more than 79% of traffic on the internet network. This condition will be a severe challenge for the internet network, which is required to improve the Quality of Experience (QoE) for user mobility, such as reducing delay, data loss, and network costs. However, IP-based networks are no longer efficient at managing traffic. Named Data Network (NDN) is a promising technology for building an agile communication model that reduces delays through a distributed and adaptive name-based data delivery approach. NDN replaces the ‘where’ paradigm with the concept of ‘what’. User requests are no longer directed to a specific IP address but to specific content. This paradigm causes responses to content requests to be served by a specific server and can also be served by the closest device to the requested data. NDN router has CS to cache the data, significantly reducing delays and improving the internet network’s quality of Service (QoS). Motivated by this, in 2019, we began intensive research to achieve a national flagship product, an NDN router with different functions from ordinary IP routers. NDN routers have cache, forwarding, and routing functions that affect data security on name-based networks. Designing scalable NDN routers is a new challenge as NDN requires fast hierarchical name-based lookups, perpackage data field state updates, and large-scale forward tables. We have a research team that has conducted NDN research through simulation, emulation, and testbed approaches using virtual machines to get the best NDN router design before building a prototype. Research results from 2019 show that the performance of NDN-based networks is better than existing IP-based networks. The tests were carried out based on various scenarios on the Indonesian network topology using NDNsimulator, MATLAB, Mininet-NDN, and testbed using virtual machines. Various network performance parameters, such as delay, throughput, packet loss, resource utilization, header overhead, packet transmission, round trip time, and cache hit ratio, showed the best results compared to IP-based networks. In addition, NDN Testbed based on open source is free, and the flexibility of creating topology has also been successfully carried out. This testbed includes all the functions needed to run an NDN network. The resource capacity on the server used for this testbed is sufficient to run a reasonably complex topology. However, bugs are still found on the testbed, and some features still need improvement. The following exploration of the NDN testbed will run with more new strategy algorithms and add Artificial Intelligence (AI) to the NDN function. Using AI in cache and forwarding strategies can make the system more intelligent and precise in making decisions according to network conditions. It will be a step toward developing NDN router products by the Bandung Institute of Technology (ITB) Indonesia.

The phenomenon known as "Internet ossification" describes the process through which certain components of the Internet’s older design have become immovable at the present time. This presents considerable challenges to the adoption of IPv6 and makes it hard to implement IP multicast services. For new applications such as data centers, cloud computing and virtualized networks, improved network availability, improved internal and external domain routing, and seamless user connectivity throughout the network are some of the advantages of Internet growth. To meet these needs, we've developed Software Defined Networking for the Future Internet (SDN). When compared to current networks, this new paradigm emphasizes control plane separation from network-forwarding components. To put it another way, this decoupling enables the installation of control plane software (such as Open Flow controller) on computer platforms that are substantially more powerful than traditional network equipment (such as switches/routers). This research describes Mininet’s routing techniques for a virtualized software-defined network. There are two obstacles to overcome when attempting to integrate SDN in an LTE/WiFi network. The first problem is that external network load monitoring tools must be used to measure QoS settings. Because of the increased demand for real-time load balancing methods, service providers cannot adopt QoS-based routing. In order to overcome these issues, this research suggests a router configuration method. Experiments have proved that the network coefficient matrix routing arrangement works, therefore it may provide an answer to the above-mentioned concerns. The Java-based SDN controller outperforms traditional routing systems by nine times on average highest sign to sound ratio. The study’s final finding suggests that the field’s future can be forecast. We must have a thorough understanding of this emerging paradigm to solve numerous difficulties, such as creating the Future Internet and dealing with its obliteration problem. In order to address these issues, we will first examine current technologies and a wide range of current and future SDN projects before delving into the most important issues in this field in depth.

Smart Security Solutions are in high demand with the ever-increasing vulnerabilities within the IT domain. Adjusting to a Work-From-Home (WFH) culture has become mandatory by maintaining required core security principles. Therefore, implementing and maintaining a secure Smart Home System has become even more challenging. ARGUS provides an overall network security coverage for both incoming and outgoing traffic, a firewall and an adaptive bandwidth management system and a sophisticated CCTV surveillance capability. ARGUS is such a system that is implemented into an existing router incorporating cloud and Machine Learning (ML) technology to ensure seamless connectivity across multiple devices, including IoT devices at a low migration cost for the customer. The aggregation of the above features makes ARGUS an ideal solution for existing Smart Home System service providers and users where hardware and infrastructure is also allocated. ARGUS was tested on a small-scale smart home environment with a Raspberry Pi 4 Model B controller. Its intrusion detection system identified an intrusion with 96% accuracy while the physical surveillance system predicts the user with 81% accuracy.

The Network-on-Chip (NoC) is the communication heart in Multiprocessors System-on-Chip (MPSoC). It offers an efficient and scalable interconnection platform, which makes it a focal point of potential security threats. Due to outsourcing design, the NoC can be infected with a malicious circuit, known as Hardware Trojan (HT), to leak sensitive information or degrade the system’s performance and function. An HT can form a security threat by consciously dropping packets from the NoC, structuring a Black Hole Router (BHR) attack. This paper presents an end-to-end secure interconnection network against the BHR attack. The proposed scheme is energy-efficient to detect the BHR in runtime with 1% and 2% average throughput and energy consumption overheads, respectively.

The security of manycore systems has become increasingly critical. In system-on-chips (SoCs), Hardware Trojans (HTs) manipulate the functionalities of the routing components to saturate the on-chip network, degrade performance, and result in the leakage of sensitive data. Existing HT detection techniques, including runtime monitoring and state-of-the-art learning-based methods, are unable to timely and accurately identify the implanted HTs, due to the increasingly dynamic and complex nature of on-chip communication behaviors. We propose AGAPE, a novel Generative Adversarial Network (GAN)-based anomaly detection and mitigation method against HTs for secured on-chip communication. AGAPE learns the distribution of the multivariate time series of a number of NoC attributes captured by on-chip sensors under both HT-free and HT-infected working conditions. The proposed GAN can learn the potential latent interactions among different runtime attributes concurrently, accurately distinguish abnormal attacked situations from normal SoC behaviors, and identify the type and location of the implanted HTs. Using the detection results, we apply the most suitable protection techniques to each type of detected HTs instead of simply isolating the entire HT-infected router, with the aim to mitigate security threats as well as reducing performance loss. Simulation results show that AGAPE enhances the HT detection accuracy by 19%, reduces network latency and power consumption by 39% and 30%, respectively, as compared to state-of-the-art security designs.

Soft real-time applications, including multimedia, gaming, and smart appliances, rely on specific architectural characteristics to deliver output in a time-constrained fashion. Any violation of application deadlines can lower the Quality-of-Service (QoS). The data sets associated with these applications are distributed over cores that communicate via Network-on-Chip (NoC) in multi-core systems. Accordingly, the response time of such applications depends on the worst-case latency of request/reply packets. A malicious implant such as Hardware Trojan (HT) that initiates a delay-of-service attack can tamper with the system performance. We model an HT that mounts a time-delay attack in the system by violating the path selection strategy used by the adaptive NoC router. Our analysis shows that once activated, the proposed HT increases the packet latency by 17% and degrades the system performance (IPC) by 18% over the Baseline. Furthermore, we propose an HT detection framework that uses packet traffic analysis and path monitoring to localise the HT. Experiment results show that the proposed detection framework exhibits 4.8% less power consumption and 6.4% less area than the existing technique.

The Network Security and Risk (NSR) management team in an enterprise is responsible for maintaining the network which includes switches, routers, firewalls, controllers, etc. Due to the ever-increasing threat of capitalizing on the vulnerabilities to create cyber-attacks across the globe, a major objective of the NSR team is to keep network infrastructure safe and secure. NSR team ensures this by taking proactive measures of periodic audits of network devices. Further external auditors are engaged in the audit process. Audit information is primarily stored in an internal database of the enterprise. This generic approach could result in a trust deficit during external audits. This paper proposes a method to improve the security and integrity of the audit information by using blockchain technology, which can greatly enhance the trust factor between the auditors and enterprises.

Distributed Denial of Service (DDoS) attacks are among the most harmful cyberattack types in the Internet. The main goal of a DDoS defense mechanism is to reduce the attack's effect as close as possible to their sources to prevent malicious traffic in the Internet. In this work, we examine the DDoS attacks as a rate management and congestion control problem and propose a collaborative fair rate throttling mechanism to combat DDoS attacks. Additionally, we propose anomaly detection mechanisms to detect attacks at the victim site, early attack detection mechanisms by intermediate Autonomous Systems (ASes), and feedback mechanisms between ASes to achieve distributed defense against DDoS attacks. To reduce additional vulnerabilities for the feedback mechanism, we use a secure, private, and authenticated communication channel between AS monitors to control the process. Our mathematical model presents proactive resource management, where the victim site sends rate adjustment requests to upstream routers. We conducted several experiments using a real-world dataset to demonstrate the efficiency of our approach under DDoS attacks. Our results show that the proposed method can significantly reduce the impact of DDoS attacks with minimal overhead to routers. Moreover, the proposed anomaly detection techniques can help ASes to detect possible attacks and early attack detection by intermediate ASes.

Currently, the technology of wireless mesh networks is actively developing. In 2021, Gartner included mesh network technologies and the tasks to ensure their security in the TOP global trends. A large number of scientific works focus on the research and modeling the traffic transmission in such networks. At the same time, they often bring up the “bottle neck” problem, characteristic of individual mesh network nodes. To address the issue, the authors of the article propose using the data caching mechanism and placing the cache data straight on the routers. The mathematical model presented in the article allows building a route with the highest access speed to the requested content by the modified Dijkstra algorithm. Besides, if the mesh network cache lacks the required content, the routers with the Internet access are applied. Practically, the considered method of creating routes to the content, which has already been requested by the users in the mesh network, allows for the optimal efficient use of the router bandwidth capacity distribution and reduces the latency period.

Security is a key component of the network. Software Defined Networking (SDN) is a refined form of traditional network management system. It is a new encouraging approach to design-build and manage networks. SDN decouples control plane (software-based router) and data plane (software-based switch), hence it is programmable. Consequently, it facilitates implementation of security based applications for the prevention of DOS attacks. Various solutions have been proposed by researches for handling of DOS attacks in SDN. However, these solutions are very limited in scope, complex, time consuming and change resistant. In this article, we have proposed a novel model driven framework i.e. MDAP (Model Based DOS Attacks Prevention) Framework. Particularly, a meta model is proposed. As tool support, a tree editor and a Sirius based graphical modeling tool with drag drop palette have been developed in Oboe designer community edition. The tool support allows modeling and visualization of simple and complex network topology scenarios. A Model to Text transformation engine has also been made part of framework that generates java code for the Floodlight SDN controller from the modeled scenario. The validity of proposed framework has been demonstrated via case study. The results prove that the proposed framework can effectively handle DOS attacks in SDN with simplicity as per the true essence of MDSE and can be reliably used for the automation of security based applications in order to deny DOS attacks in SDN.

Internet of Things (IoT) devices use different types of media and protocols to communicate to Internet, but security is compromised since the devices are not using encryption, authentication and integrity. Virtual Private Network of Things (VPNoT) is a new technology designed to create end to end encrypted tunnels for IoT devices, in this case, the VPNoT device is based on OpenVPN that provides confidentiality and integrity, also based on Raspberry Pi as the hardware and Linux as the operating system, both provide connectivity using different types of media to access Internet and network management. IoT devices and sensors can be connected to the VPNoT device so an encrypted tunnel is created to an IoT Server. VPNoT device uses a profile generated by the server, then all devices form a virtual private network (VPN). VPNoT device can act like a router when necessary and this environment works for IPv6 and IPv4 with a great advantage that OpenVPN traverses NAT permitting private IoT servers be accessible to the VPN. The annual cost of the improvement is about \$455 USD per year for 10 VPNoT devices.

The router's buffer size imposes significant impli-cations on the performance of the network. Network operators nowadays configure the router's buffer size manually and stati-cally. They typically configure large buffers that fill up and never go empty, increasing the Round-trip Time (RTT) of packets significantly and decreasing the application performance. Few works in the literature dynamically adjust the buffer size, but are implemented only in simulators, and therefore cannot be tested and deployed in production networks with real traffic. Previous work suggested setting the buffer size to the Bandwidth-delay Product (BDP) divided by the square root of the number of long flows. Such formula is adequate when the RTT and the number of long flows are known in advance. This paper proposes a system that leverages programmable switches as passive instruments to measure the RTT and count the number of flows traversing a legacy router. Based on the measurements, the programmable switch dynamically adjusts the buffer size of the legacy router in order to mitigate the unnecessary large queuing delays. Results show that when the buffer is adjusted dynamically, the RTT, the loss rate, and the fairness among long flows are enhanced. Additionally, the Flow Completion Time (FCT) of short flows sharing the queue is greatly improved. The system can be adopted in campus, enterprise, and service provider networks, without the need to replace legacy routers.

Cyber attacks are increasing at a rapid pace targeting financial institutions and the corporate sector, especially during pandemics such as COVID-19. Honeypots are implemented in data centers and servers, to capture these types of attacks and malicious activities. In this work, an experimental prototype is created simulating the attacker and victim environments and the results are consolidated. Attacker information is extracted using the Meterpreter framework and uses reverse TCP for capturing the data. Normal honeypots does not capture an attacker and his identity. Information such as user ID, Internet Protocol(IP) address, proxy servers, incoming and outgoing traffic, webcam snapshot, Media Access Control(MAC) address, operating system architecture, and router information of the attacker such as ARP cache can be extracted by this honeypot with "biteback" feature.

The ecosystem of the Internet of Things (IoT) continues growing now and covers more and more fields. One of these areas is the Industrial Internet of Things (IIoT) which integrates sensors and actuators, business applications, open web applications, multimedia security systems, positioning, and tracking systems. Each of these components creates its own data stream and has its own parameters of the probability distribution when transmitting information packets. One such distribution, specific to the TrumpfTruPrint 1000 IIoT system, is the beta distribution. We described issues of the processing of such a data flow by an agent model of the \$5\textbackslashtextbackslashtimes5\$ NoC switch fabric. The concepts of modern telecommunication networks 5G/6G imply the processing of “small” data in the place of their origin, not excluding the centralized processing of big data. This process, which involves the transmission, distribution, and processing of data, involves a large number of devices: routers, multiprocessor systems, multi-core systems, etc. We assumed that the data stream is processed by a device with the network structure, such as NoC, and goes to its built-in router. We carried out a study how the average queues of the \$5\textbackslashtextbackslashtimes5\$ router change with changes in the parameters of a data stream that has a beta distribution.

Numerous measurement researches have been performed to discover the IPv4 network security issues by leveraging the fast Internet-wide scanning techniques. However, IPv6 brings the 128-bit address space and renders brute-force network scanning impractical. Although significant efforts have been dedicated to enumerating active IPv6 hosts, limited by technique efficiency and probing accuracy, large-scale empirical measurement studies under the increasing IPv6 networks are infeasible now. To fill this research gap, by leveraging the extensively adopted IPv6 address allocation strategy, we propose a novel IPv6 network periphery discovery approach. Specifically, XMap, a fast network scanner, is developed to find the periphery, such as a home router. We evaluate it on twelve prominent Internet service providers and harvest 52M active peripheries. Grounded on these found devices, we explore IPv6 network risks of the unintended exposed security services and the flawed traffic routing strategies. First, we demonstrate the unintended exposed security services in IPv6 networks, such as DNS, and HTTP, have become emerging security risks by analyzing 4.7M peripheries. Second, by inspecting the periphery's packet routing strategies, we present the flawed implementations of IPv6 routing protocol affecting 5.8M router devices. Attackers can exploit this common vulnerability to conduct effective routing loop attacks, inducing DoS to the ISP's and home routers with an amplification factor of \textbackslashtextbackslashgt 200. We responsibly disclose those issues to all involved vendors and ASes and discuss mitigation solutions. Our research results indicate that the security community should revisit IPv6 network strategies immediately.

From the beginning of technology and Wi-Fi based systems wireless networks had a prominent threat upon data security. Without security measures many organizations contribute on these flaws of security to make it better. There are many vulnerabilities of security models which are discussed in this article such as hacking through Wi-Fi security by Aircrack-ng, previous security model vulnerabilities and also the performance of Aircrack-ng attack on Wi-Fi modem or routers. In order to crack WPA/WPA2, kali Linux operating system will be needed along with Aircrack-ng packages installed on any compatible PC. Some of the new standard WPA3 such like downgrade problem on which the system will let the device to downgrade from WPA3 to WPA2 in order to connect with incompatible devise. Further, it makes a way for hackers to obtain Wi-Fi passwords even from new model defined such as WPA3 by using old techniques. The new model introduced Wi-Fi security protocol WPA3 is also no longer a secure model it can be penetrated. Researchers have discovered some new vulnerability enables hackers to get out the Wi-Fi passwords.

Network security is of vital importance, and Information Technology admins must always be vigilant. But they often lack the expertise and skills required to harden the network properly, in with the emergence of security threats. The router plays a significant role in maintaining operational security for an organization. When it comes to information security, information security professionals mainly focus on protecting items such as firewalls, virtual private networks, etc. Routers are the foundation of any network's communication method, which means all the network information passes through the routers, making them a desirable target. The proposed automation of the router security hardening solution will immediately improve the security of routers and ensure that they are updated and hardened with minimal human intervention and configuration changes. This is specially focused on small and medium-sized organizations lacking workforce and expertise on network security and will help secure the routers with less time consumption, cost, and increased efficiency. The solution consists of four primary functions, initial configuration, vulnerability fixing, compliance auditing, and rollback. These focus on all aspects of router security in a network, from its configuration when it is initially connected to the network to checking its compliance errors, continuously monitoring the vulnerabilities that need to be fixed, and ensuring that the behavior of the devices is stable and shows no abnormalities when it comes to configuration changes.

The usage of wireless devices is increased from last decade due to its reliable, fast and easy transfer of data. Ensuring the security to these networks is a crucial thing. There are several types of network attacks, in this paper, DDoS attacks on networks and techniques, consequences, effects and prevention methods are focused on. The DDoS attack is carried out by multiple attackers on a system which floods the system with a greater number of incoming requests to the system. The destination system cannot immediately respond to the huge requests, due to this server crashes or halts. To detect, or to avoid such scenarios Intrusion prevention system is designed. The IPS block the network attacker at its first hop and thus reduce the malicious traffic near its source. Intrusion detection system prevents the attack without the prior knowledge of the attacker. The attack is detected at the router side and path is changed to transfer the files. The proposed model is designed to obtain the dynamic path for efficient transmission in wireless neworks.

Though currently a “hot topic”, over the past fifteen years [1][2], there has been significant work on the use of machine learning to design large scale computer-communication networks, motivated by the complexity of the systems that are being considered and the unpredictability of their workloads. A topic of great concern has been security [3] and novel techniques for detecting network attacks have been developed based on Machine Learning [8]. However the main challenge with Machine Learning methods in networks has concerned their compatibility with the Internet Protocol and with legacy systems, and a major step forward has come from the establishment of Software Defined Networks (SDN) [4] which delegate network routing to specific SDN routers [4]. SDN has become an industry standard for concentrating network management and routing decisions within specific SDN routers that download the selected paths periodically to network routers, which operate otherwise under the IP protocol. In this paper we describe our work on real-time control of Security and Privacy [7], Energy Consumption and QoS [6] of packet networks using Machine Learning based on the Cognitive Packet Network [9] principles and their application to the H2020 SerIoT Project [5].

The key feature of NDN is in-network caching that every router has its cache to store data for future use, thus improve the usage of the network bandwidth and reduce the network latency. However, in-network caching increases the security risks - cache pollution attacks (CPA), which includes locality disruption (ruining the cache locality by sending random requests for unpopular contents to make them popular) and False Locality (introducing unpopular contents in the router's cache by sending requests for a set of unpopular contents). In this paper, we propose a machine learning method, named Triangle Area Based Multivariate Correlation Analysis (TAB-MCA) that detects the cache pollution attacks in NDN. This detection system has two parts, the triangle-area-based MCA technique, and the threshold-based anomaly detection technique. The TAB-MCA technique is used to extract hidden geometrical correlations between two distinct features for all possible permutations and the threshold-based anomaly detection technique. This technique helps our model to be able to distinguish attacks from legitimate traffic records without requiring prior knowledge. Our technique detects locality disruption, false locality, and combination of the two with high accuracy. Implementation of XC-topology, the proposed method shows high efficiency in mitigating these attacks. In comparison to other ML-methods, our proposed method has a low overhead cost in mitigating CPA as it doesn't require attackers' prior knowledge. Additionally, our method can also detect non-uniform attack distributions.

Nowadays, simple tools such as traceroute can be used by attackers to acquire topology knowledge remotely. Worse still, attackers can use a lightweight fingerprinting technique, based on traceroute and ping, to retrieve the routers brand, and use that knowledge to launch targeted attacks. In this paper, we show that the hardware ecosystem of network operators can greatly vary from one to another, with all potential security implications it brings. Indeed, depending on the autonomous system (AS), not all brands play the same role in terms of network connectivity. An attacker could find an interest in targeting a specific hardware vendor in a particular AS, if known defects are present in this hardware, and if the AS relies heavily on it for forwarding its traffic.

The purpose of the work was to study the fault- tolerant pattern of secure access of computer system nodes to external network resources - the pattern of secure access `Connecting node'. The pattern of secure access `Connecting node' includes a group/cluster (or several groups) of routers, a computing node that includes hardware and software for information protection and communication channels that connect it to the end nodes of the computing system and the external network (network resources that are not controlled by the information protection system). The efficiency assessment and comparative analysis of options for designing a pattern of secure access `Connecting node' according to various efficiency criteria were carried out. In this work, an assessment of the individual and comprehensive efficiency index was carried out. It was assumed that the system is recoverable. The effectiveness of using some options of designing a pattern of secure access in terms of the operational availability factor, as well as a group of parameters - the operational availability factor, service delays of information protection system and the grade of information protection.