An intelligently distributed system for controlling information flows

The existing controlling software toolkit comprises multiple software modules intended to support effective organisational management. A key feature of most such information systems is remote, distributed operation in multi-user mode. At the same time, the shortcomings of multi-level TCP/IP routing and the presence of various CVE vulnerabilities contribute to data leakage and unauthorised changes. This motivates the main purpose of the study: the development of an intelligently distributed traffic tunnelling system. The proposed approach uses deep learning models both for predicting IP address samples during initialisation of a secure connection and for dynamic network traffic filtering on the DNS server. The proposed authentication algorithm, based on dynamic feature build-up, made it possible to automate the authorisation of trusted clients, and the implementation of a combined decision-making system ensured the correct interaction of all software modules. The resulting system both reduces the time costs of working with controlling information systems and ensures secure interaction.


Introduction
At present, controlling is an integral part of modern business and one of the most important areas of business management practice, as it ensures the effectiveness and sustainability of an organisation's development [1]. Considering its structure, the following elements can be distinguished:
• financial controlling (planning, management and control of the financial aspects of a business, such as budgeting, credit and investment management, accounting and reporting);
• operational controlling (planning, management and control of operational processes in the organisation, such as production, logistics and procurement);
• strategic controlling (planning, management and control of the strategic aspects of a business, such as strategy development, market and competitor analysis, and the development of new products and services);
• controlling of information flows (planning, management and control of the information flows in the organisation, such as database management and information security);
• personnel controlling (planning, management and control of the organisation's staffing, such as recruitment and hiring, employee training and development, evaluation and motivation).
Each of these controlling elements is interrelated with the others and important in its own right. Moreover, they can be extended with further components depending on the specific goals of the organisation.
At the same time, among all areas of application of controlling and its functional areas, the controlling of information flows has become the most widespread and has shown significant practical results for organisations. The following information flow controlling tools, which automate a number of business processes in an organisation, can be distinguished: SAP BusinessObjects Planning and Consolidation, 1C:ERP Enterprise Management 2 ("1C:ERP UP 2"), IBM Cognos Controller, Oracle Hyperion Financial Management, Anaplan, Adaptive Insights and Prophix [2]. These tools provide financial planning, budgeting and data processing capabilities. 1C:ERP UP 2, for example, offers ample opportunities for remote administration and work with individual data; 1C:Link and 1C-Connect can be singled out as its priority remote-access solutions [3]. They give the end user the ability to work with a remote server via a web interface, while providing additional features in the form of encryption using TLS, AES + RSA and HTTPS, and embedded electronic signature certificates.
Among the disadvantages of these solutions are the need to purchase certain licences, or to adapt the 1C:ERP UP 2 server to the requirements of 1C:Link and 1C-Connect. An alternative approach to implementing remote access without purchasing additional licences is to connect to a remote server via an IPv4/IPv6 address, or to use the Remote Desktop Protocol (RDP) in remote application mode [4][5]. As can be seen from Fig. 1, the connection to the 1C server via an RDP App operates at the application layer (7) of the TCP/IP stack using a self-signed server certificate.
The OSI data link layer (2), in turn, is responsible for routing data within a local network segment, with support for the IEEE 802.2 and 802.3 standards and link management and frame traffic functionality [6]. The disadvantages of the OSI network layer (3) in the topology under consideration are duplicate IP address assignments by the DHCP server, as well as exposure to massive DDoS attacks: denial of service is possible when such attacks target services, although by default a TCP connection imposes a limit on the response waiting time [7]. In addition, a number of vulnerabilities can be identified both at the level of the server/client operating system and during certificate transfer, along with the possibility of injecting malicious code into the target application. For example, the BlueKeep exploit (CVE-2019-0708), published in 2019, uses Refresh Rect PDU and Bitmap Cache PDU data blocks to make changes to the kernel of Microsoft Windows operating systems, ultimately granting access to an administrative account without authentication [8].
As a result, the existing software tools do, of course, allow the task to be solved, but a number of problems in their practical use, rooted in the TCP/IP protocols and in Microsoft Windows operating system functionality, mean that they do not provide an adequate level of security for processing confidential data in the 1C:ERP UP 2 application. This only confirms the relevance of the problem of traffic distribution between application clients when managing a modern organisation. To overcome it, an intelligently distributed system for controlling information flows is proposed and described in this paper. The solution addresses the issues of ensuring secure data transmission under conditions of outdated and potentially vulnerable protocol versions and software prone to leaks of confidential data.
At present, when building various TCP/IP topologies, two types of network can be distinguished: centralised and decentralised (distributed). The centralised approach assumes a file-server topology, in which all information is processed on a fixed network node (server subnet), while the distributed approach assumes that data can be processed on multiple client computers. The latter approach provides data redundancy through the formation of several connections between servers, as well as a flexible mode of operation in companies that hire outsourced employees.
In general, an intelligently distributed system of controlling information flows is a closely interrelated set of information movements between spatially separated elements, each of which is independent of the others but interacts with them to perform a common task. It can be aggregated into the following functional blocks:
• initialisation of a secure connection between individual organisations;
• distribution and redistribution of information flow traffic between system participants;
• client authentication;
• a decision support system for managing the distribution of information flows.
A distinctive feature of this system is its ability to distribute traffic using a flexible packet routing topology and to authenticate clients using deep network models.
2 Implementation of a secure interaction system

Development of the structure of the secure connection initialisation protocol between individual organisations
Most topologies for distributing client access to a processing server use the usual address distribution via a DHCP server, with priority billing of users based on Quality of Service (QoS) as an additional feature [9]. In the case of administrative management of an organisation with multiple branches, the administrative points can be separated by subnets. The proposed approach to implementing a secure controlled connection uses the structure at the OSI transport layer shown in Fig. 2.

Fig. 2. Client-server topology of devices TCP/IP interaction based on the OSI transport layer
As can be seen from Fig. 2, the multi-module system for building a secure topology consists of the VPN server modules DHCP server, AUTH server and DNS server, as well as a set of configured IPTABLES tables. The main interaction in the proposed topology is carried out via the remote application port, with the Internet connection isolated. Among other things, this topology supports dynamic generation and exchange of certificates to provide additional security.
The DHCP server, the priority module of the secure connection initialisation server, is the standard dhcpd service, which provides clients with a specified set of IP addresses [10]. By default, the address distribution server is deployed according to the principle described in Listing 1; in this interpretation, however, the main distributor of the dhcpd server is a neural network model trained on a specific pool of IP addresses. As can be seen from Listing 1, 8.1.1.0 is used as the main network, with the main DNS server specified. The configuration also allows a static address to be assigned to a specific MAC address, as is done for dhc hosts 1 and 2. When OpenVPN/WireGuard servers are deployed, the allocated pool is configured through virtual bridge interfaces for the destination server address, with traffic transmitted via the tap interface (modprobe / brctl addif). In this case the binding is performed according to Listing 2, where the use of an external DHCP server relies on non-standard routes that present a third-party server as an internal one. A secondary point needed for minimal VPN server operation is the configuration of iptables rules that redirect, accept or reject packets on a given interface [11]. Listing 3 demonstrates the process of verifying a peer connection and then creating a rule accepting incoming packets on a dedicated virtual interface; multiple such rules make it possible to create a unique packet routing topology both in a dedicated network and in peer-to-peer (p2p) connections between control controllers. An alternative conditional expression is a rule redirecting packets through the virtual interface, so that all traffic is processed through the secure connection [12].
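Listing 3 is not reproduced here; a minimal Python sketch of creating such an iptables accept rule on a dedicated virtual interface might look as follows (the function name, port argument and dry_run flag are illustrative assumptions, not part of the original listing):

```python
import subprocess

def allow_on_interface(interface: str, port: int, dry_run: bool = True):
    """Build (and optionally apply) an iptables rule accepting inbound TCP
    packets on a dedicated virtual interface.

    Sketch only: the rule layout follows the approach described above;
    the helper itself is an assumption.
    """
    cmd = [
        'iptables', '-A', 'INPUT',
        '-i', interface,              # e.g. tun0 for an OpenVPN tunnel
        '-p', 'tcp', '--dport', str(port),
        '-j', 'ACCEPT',
    ]
    if dry_run:
        return cmd                    # inspect without needing root privileges
    subprocess.run(cmd, check=True)   # applies the rule on a real system
    return cmd
```

The redirect variant mentioned as an alternative conditional expression would instead target the nat table's PREROUTING chain with '-j REDIRECT'.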
The process of providing devices with an IP pool can be implemented through a trained language model (Fig. 3). It was noted earlier that the NARX model can be used to predict a pool of identical data sets; however, a text model yields a more accurate set of identical output samples when the task is to reproduce identical results, so the main model in this implementation is a decoder-based text model [13].
Comparing similar existing text models, attention should be paid to "mpt-7b-instruct", "vicuna-7b" and "nous-gpt4-vicuna-13b": Table 1 shows the results of executing an identical request to generate an IPv4 address in the network 172.15.1.0/24. The main testing parameters were: batch size = 25, max_length = 1000, top-p = 0.92, top-k = 45. The comparison of query execution speed with these parameters was carried out on an M1 processor with 16 GB RAM. It should also be borne in mind that most text models are not specifically trained on IP address datasets, so their request processing speed is significantly lower than that of the restricted model. As can be seen from Fig. 3, the presented model allows multi-step generation of a specific IP address for a given mask [14]. The main data processing in the proposed model involves feeding data to the input vectors x0, x1, followed by autoregressive processing, in which data at time t is used at time t+1. In this case, the prediction of the token (IP address cell) 8 from the input address 10.8.0.0 is based on the token 10.
It is worth noting that the implemented model also has an API, which makes it possible to send a request to, and receive a response from, a static model located on the same device. Moreover, using a trained model allows the initial hardware requirements for further operation to be set depending on the scale of the organisation, which in turn allows a decentralised VPN server to operate flexibly in organisations whose employees work from changing locations. In the present implementation a 13B model was used, designed for a sequence of 2048 characters and trained for 174335 steps; however, the generation task can also be solved with 7B models.
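As a toy illustration of the decoder-style, octet-by-octet generation described above, the following sketch constrains sampled host octets to a given (octet-aligned) network mask; the toy_model stand-in and uniform sampling replace the trained 13B text model, which is not reproduced here:

```python
import ipaddress
import random

def generate_ip(network: str, next_octet, seed: int = 0) -> str:
    """Autoregressively build an IPv4 address inside `network`.

    `next_octet(tokens, rng)` stands in for the trained decoder: each host
    octet is sampled conditioned on the tokens emitted so far. Assumes an
    octet-aligned prefix length (/8, /16, /24).
    """
    net = ipaddress.ip_network(network)
    rng = random.Random(seed)
    octets = str(net.network_address).split('.')
    host_octets = (32 - net.prefixlen) // 8
    prefix = octets[:4 - host_octets]   # fixed octets come from the mask
    for _ in range(host_octets):
        prefix.append(str(next_octet(prefix, rng)))
    return '.'.join(prefix)

def toy_model(tokens, rng):
    """Uniform stand-in for the language model's next-token distribution."""
    return rng.randint(1, 254)          # avoid network/broadcast octets
```

A trained model would replace toy_model with a conditional distribution learned from the organisation's address pool, keeping the same autoregressive loop.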

Development of a dynamic DNS server for traffic redistribution
One of the most important components of controlling is the step of processing and making decisions based on up-to-date data produced analytically over a given period. Most organisations whose divisions operate in multiple locations cannot rely on high-speed Internet access or QoS billing support, which directly affects decisions on redistributing the organisation's resources or changing its existing development strategy.
To solve this problem, it is proposed to develop a dynamic DNS server for load optimisation when working via an external Internet network, with traffic encryption via DNSCrypt as an additional feature [15]. The main step in assigning a DNS server is the option domain-name-servers configuration in dhcpd, or the dhcp-option DNS directive in the OpenVPN server [16]. In this implementation, the problem of dynamic DNS server selection is solved with a local server installed alongside the VPN server and assigned the local interface address, as reflected in Listing 2. The main process of the DNS implementation involves measuring the current response time of global servers such as Google, Cloudflare, OpenDNS and Quad9, and then replacing the remote server with the currently fastest one, while also providing a DNSCrypt proxy server as an additional means of securing the transmitted data (Fig. 4). The main classification module, NFStreamer, monitors packets at the network card level within a network segment and outputs multiple indicators: IP and MAC addresses, response times from the source and destination addresses, and the number of bytes transmitted in both directions [17]. As a result, this framework makes it possible to monitor a specific port for a dedicated client (IP address) for organisational purposes, which in turn allows active operating system services to be monitored for additional prevention of possible attacks.
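The fastest-resolver selection step can be sketched as follows; the probe callback is an assumption standing in for an actual timed DNS query, and the addresses are the well-known public resolvers of the services named above:

```python
import time

RESOLVERS = {
    'Google': '8.8.8.8',
    'Cloudflare': '1.1.1.1',
    'OpenDNS': '208.67.222.222',
    'Quad9': '9.9.9.9',
}

def pick_fastest(probe) -> str:
    """Return the resolver address with the lowest measured latency.

    `probe(addr) -> seconds` is injected so the selection logic can be
    exercised offline; a real probe would time an actual DNS query
    (an assumption, since the paper does not publish its measurement code).
    """
    timings = {addr: probe(addr) for addr in RESOLVERS.values()}
    return min(timings, key=timings.get)
```

In deployment the chosen address would then be written into the local server's upstream configuration, repeating the measurement on a timer.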
The next step of the algorithm under consideration is the comparison of analytical changes in the intermediate intervals of packet transmission between identical sets of addresses: if the src/dst addressing coincides on the management decision-making server, the packets of third-party clients available for processing are compared in order to obtain traffic consumption per ms. This algorithm is implemented in software as a module that predicts changes in the client's transmitted bytes using a deep network based on the LSTM-XGBoost model [18][19].
The main advantage of this model is the possibility of combining the correlated dependence between the traffic volume and the transmission time: the initial Qi matrix is formed from the vectors ti, gi, which represent the time interval (ms) and the amount of data (bytes) [20]. The activation function is PReLU, which forms the output vector (Eq. 1).

PReLU(x) = max(0, x) + a · min(0, x), (Eq. 1)

where a is the learned slope coefficient for negative inputs. At the stage of obtaining the output data of the LSTM model, the prediction of the vectors via XGBoost is performed according to Eq. 2:

y_t+i = XGBoost(S_t+q), (Eq. 2)

where y_t+i is the predicted value returned by XGBoost; S_t+q are the output values of the vectors from the neural network.
Thus, at this stage preliminary data on possible traffic congestion is obtained in order to adapt the operation of the control server. It is also important that the DNS server's processing chain allows requests to be handled consistently on internal and external servers.
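A minimal sketch of the PReLU activation of Eq. 1 and of forming windowed rows from the paired time-interval and byte-count vectors; the window length q and the flat row layout are assumptions, as the paper does not publish the Qi construction code:

```python
def prelu(x: float, a: float = 0.25) -> float:
    """Parametric ReLU: x for x > 0, a*x otherwise (the Eq. 1 activation)."""
    return x if x > 0 else a * x

def build_windows(t, g, q: int):
    """Form Qi-style rows from paired time-interval (ms) and byte-count vectors.

    Each row interleaves q consecutive (t_i, g_i) pairs and passes them
    through PReLU, yielding inputs for the LSTM stage.
    """
    rows = []
    for i in range(len(t) - q + 1):
        rows.append([prelu(v) for pair in zip(t[i:i+q], g[i:i+q]) for v in pair])
    return rows
```

The LSTM and XGBoost stages themselves are omitted; their interface is exactly Eq. 2, with the LSTM's output vectors fed to the boosted-tree predictor.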

Client authentication based on dynamic feature build-up
As the main methodology for multi-factor client authentication, it is proposed to use early testing of the primary client authentication methods based on correlating the methods for obtaining a unique digital fingerprint with a dynamic offset, followed by authentication based on a modification of the RSA algorithm. The method is implemented identically to the mathematical function for obtaining a dynamic key according to Eq. 3, where the time interval of actions is determined by the variable T.
where target_crypt is the dynamic authenticated sequence; T1 is the current time value from the time package; T0 is the static time offset from the starting point in UTC; T is the verification interval of the generated QR code; normalise is the function bringing the identifier to a normalised form; identifier_client is the static server ID variable of the scientific and industrial cluster. The two-way process of obtaining public and private RSA keys is based on the use of the Euler function as the input pattern of the training sample, described by Eq. 4. At the next step, the predicted RSA key values are obtained from an identical trained model based on the previously specified text model. The method was implemented in Python, with TensorFlow as the main neural network library [21].
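The dynamic key of Eq. 3 can be approximated by a time-windowed keyed hash over the normalised identifier; the HMAC-SHA256 choice and 16-character truncation are assumptions, since the paper derives the sequence with a trained model rather than a fixed MAC:

```python
import hashlib
import hmac

def dynamic_sequence(identifier: str, t1: int, t0: int = 0, interval: int = 30) -> str:
    """Time-windowed authentication sequence in the spirit of Eq. 3.

    The window index floor((T1 - T0) / T) keeps both sides in agreement
    for the lifetime of one verification interval (e.g. one QR code).
    """
    window = (t1 - t0) // interval
    normalised = identifier.strip().lower()     # stand-in for normalise()
    mac = hmac.new(normalised.encode(), str(window).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]
```

Client and server each compute the sequence independently; any two calls within the same interval agree, while adjacent intervals produce unrelated values.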
The input point for forecasting is the offset 0x, and the weights are a custom model in h5 format. In this example LSTM and Dense layers are used, with a dimension of 256 neurons and a softmax activation function, respectively. As a result, the output vector, converted into a char sequence, is the public RSA key for dynamic authentication.
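The Euler-function step underlying the RSA key derivation (Eq. 4) can be illustrated with a toy key generation; real deployments use large random primes, and the model-based key prediction described above is not reproduced here:

```python
from math import gcd

def rsa_keypair(p: int, q: int, e: int = 17):
    """Toy RSA key generation via Euler's totient phi(n) = (p-1)(q-1).

    Illustrative only: p, q and e are assumed small demonstration values.
    Requires Python 3.8+ for the modular-inverse form of pow().
    """
    n = p * q
    phi = (p - 1) * (q - 1)       # Euler's totient for n = p*q
    assert gcd(e, phi) == 1       # e must be coprime with phi
    d = pow(e, -1, phi)           # private exponent: modular inverse of e
    return (e, n), (d, n)         # (public key, private key)

def crypt(m: int, key) -> int:
    """Apply one RSA exponentiation (encrypt with public, decrypt with private)."""
    exp, n = key
    return pow(m, exp, n)
```

The two-way exchange then consists of each side publishing its public pair (e, n) while keeping (d, n) private.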
Thus, in the proposed algorithm, secure access is achieved through the initial installation of the organisation identifier, on the basis of which a unique sequence is generated and verified in two-way mode by the decision-making module.

Results and discussion
The main result of managing the implemented information flow distribution system is the software module of the decision support system (DSS), which provides convenience, coordination and visibility in the practical operation of the VPN protocol during inter-organisational interaction. Given that several decision-making points can be identified in the developed interaction management system (DHCP synchronisation of clients, traffic redistribution, client authentication), it is advisable to use a distributed decision-making system based on fuzzy logic [22]. Existing decision-making tools mostly work in linear mode with conditional expressions, but fuzzy logic methods applied to the multiple variations of the previously described predicted values make it possible to extract the percentage of matches across two data arrays quickly and accurately. These functions were implemented through the configuration of several logic modules (Fig. 5). As can be seen from Fig. 5, the software implementation of the decision-making module is based on the FuzzyWuzzy library, which performs character-by-character comparison of each of the authentication, address assignment and DNS blocks, as well as of possible discrepancies in traffic. Taking into account the various response variants from each of the DHCP, DNS, AUTH and TRAFFIC modules, the proposed system forms an objective basis for decisions by controlling specialists in organisations on changes to the operation of the virtual network. The Python programming language was chosen as the main means of experimentally testing the implemented client authentication algorithm (Fig. 6).
The secondary window, in turn, is a client that generates a sequence and compares it with the original one on a remote server after an identical time interval. As can be seen from the test result, the requests comparing the two keys succeed, which indicates that the client authentication algorithm has been developed successfully.
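The character-by-character comparison performed by the decision-making module can be sketched with the standard library's SequenceMatcher, which FuzzyWuzzy's ratio() also builds on in its pure-Python mode; the decide() aggregation and the 90% threshold are assumptions:

```python
from difflib import SequenceMatcher

def match_percent(a: str, b: str) -> int:
    """Character-level similarity in percent, analogous to fuzz.ratio()."""
    return round(SequenceMatcher(None, a, b).ratio() * 100)

def decide(modules: dict, threshold: int = 90) -> bool:
    """Accept only when every module's (expected, observed) pair matches closely.

    `modules` maps a module name (DHCP, DNS, AUTH, TRAFFIC) to a pair of
    strings to compare; the threshold tolerates small discrepancies.
    """
    return all(match_percent(x, y) >= threshold for x, y in modules.values())
```

The tolerance is what allows authentication to succeed despite minor discrepancies introduced by interference on the client-server side, as noted for Fig. 6.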

Conclusion
The study of decision support systems for controlling specialists who implement automated information flow management using applied software solutions has revealed a number of urgent problems. Among them is the lack of open software with security support and optimised operation in organisations with a decentralised network. As a solution, an intelligently distributed system for controlling information flows was developed, based on the formation of a virtual VPN server adapted to work in various TCP/IP topologies. The main advantage of this development is a two-way DHCP server that performs parallel controller synchronisation in p2p mode using a trained text model. The dynamic DNS server makes it possible to adaptively select an up-to-date external query processing server, and the integration of the NFStreamer framework provides up-to-date information about transmitted packets to the traffic optimisation module based on the LSTM-XGBoost model. The decision-making process, together with the subject authentication module, also automates multi-factor data verification both at the security assurance stages and when optimising the operation of the virtual network. Limitations of the presented system include the need for the initial assignment of the key of the interacting subjects, as well as the need to retrain the neural network model to reflect the changing parameters of a particular organisation. The results of the study also contribute to the theory of deep learning, decision support systems and the development of adaptive decentralised TCP/IP topologies. Of particular note is the experimental testing of client-server authentication, which can later be used as a method of two-way data verification and thus also makes a significant contribution to the field of improving data security.
Thus, the proposed intelligently distributed system of controlling information flows not only reduces the time spent on collecting, processing and analysing data between the individual entities responsible for presenting information and making informed management decisions, but also significantly improves the security of such work. The security and reliability of the described solution will facilitate the transfer of an ever-increasing amount of information about the organisation's business processes into digital form, in which it can be processed and presented to the decision-maker clearly and understandably.

Fig. 3. IP pool prediction topology based on a text neural model

Fig. 4. Algorithm of DNS server interaction software modules
The specified algorithm of DNS server interaction uses a multi-module structure, providing flexible external DNS server selection based on the initial response to the request verification, followed by additional features: traffic encryption using DNS-over-HTTPS (DoH), filtering of certain content, and monitoring both by logging and with an additional traffic classification module. The main classification module uses the NFStreamer framework, which is based on the Python language and provides packet monitoring capabilities within a network segment.

Fig. 5. Process of comparison and decision-making in a multi-module system

Fig. 6. Testing the client authentication algorithm based on dynamic encrypted data
As a result, it can be said that the proposed solution, together with the fuzzy comparison function, will also allow successful authentication in the presence of possible discrepancies caused by interference in the software component of the client-server equipment.

Table 1. Comparison of the execution speed of a text generation request