Summary of the invention
The present invention proposes a new managed (hosted) security system and method for enterprise intranet information security, after analyzing the defects and shortcomings of the above-mentioned intranet security management and control methods and systems for small and medium-sized enterprises (SMEs).
The core idea of the invention is to build a security hosting system that supports message detection and asset management and control. It detects the messages that an enterprise redirects to it and processes the asset running-state data that the enterprise side submits over a VPN tunnel; after each anomalous event has been put through single-event analysis, event-chain analysis and risk assessment, it responds according to preset security policies. The system provides strict authentication and data-permission control: after an enterprise-level maintainer logs in, they can manage and control only their own intranet assets and can browse only the security operation reports relevant to their own intranet.
A security hosting system for SMEs comprises an asset security management and control module, a message detection module, a security policy module, a terminal security management and control module, a host security management and control module and a network device security management and control module;
The asset security management and control module is connected to the terminal, host and network device security management and control modules, the security policy module and the message detection module. It builds a security-state snapshot of the enterprise intranet assets from the information they report, handles security events according to the preset security policy, supports manual remote management and control of intranet assets, and provides security operation reports;
The message detection module is connected to the asset security management and control module and the security policy module. It processes the messages redirected from the enterprise and submits security events to the asset security management and control module according to the security policy preset in the security policy module;
The security policy module is connected to the asset security management and control module and the message detection module, and is used to set the asset security baseline, event handling rules, event response policies and application-layer protocol violation response policies;
The terminal security management and control module is connected to the asset security management and control module. It collects health data and log data from the enterprise intranet terminal computers and submits them to the asset security management and control module; it also receives and executes control commands from that module;
The host security management and control module is connected to the asset security management and control module. It collects health data and log data from the enterprise intranet hosts and submits them to the asset security management and control module; it also receives and executes control commands from that module;
The network device security management and control module is connected to the asset security management and control module. It collects and receives the health data of the intranet network devices that support SNMP (Simple Network Management Protocol), together with their SNMP Trap data, and submits them to the asset security management and control module; it receives control commands from that module, converts them into SNMP instructions and submits them to the target network device.
Preferably, the asset security management and control module comprises an asset snapshot module, a vulnerability scanning module, a security event management module, a security monitoring module and a security report module;
The asset snapshot module receives the data reported by the terminal, host and network device security management and control modules and builds a security-state snapshot of the assets from it; it generates security events according to the preset asset security baseline and submits them to the security event management module; and it receives the remote control messages issued by the security monitoring module and relays them to the terminal, host and network device security management and control modules;
The vulnerability scanning module remotely scans the vulnerability information and network topology information of the active assets in the enterprise intranet and submits the scan results to the asset snapshot module;
The security event management module receives the security events submitted by the asset snapshot module and the message detection module, responds automatically according to the predetermined policy and notifies the preset enterprise security manager; it submits the final result of event handling to the security report module;
The security monitoring module receives and displays the security alarms submitted by the security event management module, and submits the maintainer's operations to the asset snapshot module;
The security report module receives the security events submitted by the security event management module and automatically generates security operation reports according to preset report templates.
Preferably, the message detection module comprises an application-layer protocol proxy module, an intrusion detection module, an anti-virus module and a security event client module;
The application-layer protocol proxy module receives the messages redirected by the enterprise, submits each message in turn to the intrusion detection module and the anti-virus module, and proxies the messages that pass detection; it submits local security events to the security event client module;
The intrusion detection module receives the messages submitted by the application-layer protocol proxy module, performs intrusion detection on them according to local preset rules, and returns the detection result to the proxy module; it submits local security events to the security event client module;
The anti-virus module receives the messages submitted by the application-layer protocol proxy module, performs virus detection on them according to local preset rules, and returns the detection result to the proxy module; it submits local security events to the security event client module;
The security event client module receives the local security events submitted by the other modules of the message detection module, normalizes them into a unified format, and submits them to the security event management module of the asset security management and control module.
Preferably, the terminal, host and network device security management and control modules are deployed in the enterprise intranet and communicate with the asset security management and control module through an IPSec VPN (Internet Protocol Security Virtual Private Network, a VPN based on the IPSec protocol) tunnel between the enterprise and the SME security hosting system; the content of this communication is encrypted;
The remote scanning of the vulnerability information and network topology information of the active intranet assets can only be carried out through the IPSec VPN tunnel between the enterprise and the SME security hosting system.
Preferably, a maintainer of the enterprise can only browse the security operation reports relevant to that enterprise's intranet assets, can only remotely scan that enterprise's intranet, and can only browse and control that enterprise's intranet assets;
The enterprise maintainer can access the SME security hosting system only through the IPSec VPN tunnel between the enterprise and the system, and that tunnel can only be initiated by the enterprise.
The invention also provides a method for hosting SME intranet information security. Its core is: first, the enterprise signs a contract with a security service provider and leases file space and message detection traffic capacity from it; second, on the border gateway device connecting the enterprise intranet to the public network, messages of preset application-layer protocols are redirected to the provider's message detection server; third, on that border, an IPSec VPN tunnel is established to the provider, and the client modules are downloaded through this tunnel and installed on the intranet assets; finally, the provider's SME intranet information security system performs security management and control of the enterprise's intranet assets.
A method for hosting SME intranet information security, in which the enterprise leases from the security service provider the bandwidth used for redirected messages and the file space used to store message detection logs and reports, further comprises:
(a) deploying the terminal security management and control function and the host security management and control function provided by the security service provider on the intranet terminals and hosts respectively; deploying the provider's network device security management and control function on at least one host, which manages and controls all network devices that support SNMP;
(b) on the egress edge device, redirecting messages of the preset protocols to the provider's message detection system;
(c) establishing an IPSec VPN tunnel to the security service provider, logging in to the SME intranet information security hosting system located in the provider's network, and performing security control over the terminal, host and network device security management and control functions of step (a) through this tunnel.
Preferably, the provider's message detection system performs anti-attack and anti-virus detection on the enterprise's redirected messages and forwards the legitimate messages through application-layer protocol proxies; the bandwidth of the redirected messages may not exceed the leased bandwidth capacity; and,
the provider's SME intranet information security system analyzes the log event information and health information reported by the enterprise intranet's terminal, host and network device security management and control functions, and responds according to the preset security baseline.
Preferably, the application-layer protocol proxies comprise an SMTP proxy, a POP3 proxy, an HTTP proxy, an MSN messaging proxy and a transparent forwarding proxy, used respectively for mail content inspection, URL filtering, MSN messaging content auditing and transparent forwarding of messages; suspicious mail content and attachments, and MSN message summary information, are all stored as files in the leased file space.
Preferably, the kinds and content of the data entries that the terminal, host and network device security management and control functions report to the provider's SME intranet information security system are customizable; the system allows an enterprise-level maintainer to view only the security status of that enterprise's own intranet assets; and the system provides the enterprise with security operation reports, including daily, weekly, monthly, quarterly and annual reports.
Preferably, the provider's SME intranet information security system can remotely scan the vulnerability information and network topology information of the intranet assets through the VPN tunnel established in step (c); and,
the provider's SME intranet information security system promptly notifies the enterprise's preset security manager after discovering a security risk.
The invention provides a method for hosting enterprise intranet information security in which the enterprise need not purchase a complete new set of security management and control equipment, nor appoint an intranet security administrator, but can obtain professional security services by relying on the existing products and services of a security service operator. This not only reduces the enterprise's security maintenance cost but also improves its intranet security.
In the SME security hosting system provided by the invention, all information exchanged between the enterprise's intranet information assets and the provider's security hosting system is carried over the IPSec VPN tunnel between the enterprise and the provider, which guarantees confidentiality; the enterprise user can customize which runtime events are reported; and the VPN tunnel between the enterprise and the provider is actively maintained by the enterprise, which strengthens the enterprise user's independence;
In the SME security hosting system provided by the invention, an enterprise user can log in to the security hosting system only through the VPN tunnel between itself and the provider, and can browse and control only its own corresponding intranet assets, which further protects the enterprise's private information.
In the SME security hosting system provided by the invention, anti-virus and intrusion detection can be performed on the messages redirected by the enterprise, achieving real-time content detection of messages between the enterprise and the public network, so that mail, instant messaging and internet access can be managed and controlled effectively and in time.
Embodiment
As shown in Figure 1, the functional block diagram of the SME intranet information security hosting system of the invention comprises an asset management and control module M0, a message detection module M1, a security policy module M2, a terminal security management and control module M3, a host security management and control module M4, a network device security management and control module M5 and an authentication module M6.
The terminal security management and control module M3, host security management and control module M4 and network device security management and control module M5 are downloaded by SME users and installed on the terminals, hosts and PC servers of the enterprise intranet. They collect the running-state data of the terminal or host on which they are installed and of the managed network devices, and receive control commands from the asset management and control module M0.
The asset management and control module M0, message detection module M1, security policy module M2 and authentication module M6 are deployed in the protected machine room of the security service provider.
The modules located in the enterprise intranet communicate with the modules located on the provider side through an IPSec VPN tunnel (a VPN based on the IPSec protocol) to achieve running-state monitoring and security management and control.
The asset management and control module M0 performs the security management and control of enterprise intranet assets in the SME intranet information security hosting system of the invention, and can itself be packaged as a stand-alone service so that an enterprise user can manage and control its own intranet assets. It receives and processes the registration and heartbeat messages submitted by the terminal security management and control module M3, host security management and control module M4 and network device security management and control module M5; it automatically generates response instructions according to the response policy configured in the security policy module M2 and issues them to M3 and/or M4 and/or M5; it receives maintainer configuration instructions and issues them to M3 and/or M4 and/or M5; it receives and processes the security event data submitted by the message detection module M1; and it receives the response policy and security baseline data from the security policy module M2.
Internally, the asset management and control module M0 comprises an asset snapshot module M01, a security event management module M02, a security report module M03, a security monitoring module M04 and a vulnerability scanning module M05.
The asset snapshot module M01 is connected to the terminal security management and control module M3, host security management and control module M4 and network device security management and control module M5 deployed in the enterprise intranet; it receives and processes the registration and heartbeat messages these modules submit, and issues control commands to them. M01 uses the registration and heartbeat messages to build a security snapshot of the running state of the intranet assets; for any attribute in the snapshot that deviates from the preset security baseline it raises an alarm and constructs a security event; it likewise constructs security events from the log data that matches the log filter conditions; and it submits these events to the security event management module M02. M01 is also connected to the vulnerability scanning module M05 and the security monitoring module M04: it receives and processes the vulnerability information, topology information and operating-system fingerprint information submitted by M05, and receives and processes the control commands submitted by M04.
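The snapshot-and-baseline logic of the asset snapshot module (introduced above in the summary and detailed here for M01) can be illustrated with a small Python model. This is an added example, not code from the patent: the message fields, the baseline entries, the log filter patterns and the event kinds are all constructed assumptions standing in for the data the security policy module would supply.

```python
"""Asset snapshot builder in the spirit of module M01 (added example, not the patent's
code). Registration and heartbeat messages are constructed dicts; the baseline and the
log filter conditions stand in for data that the security policy module would supply."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed security baseline (assumed stand-in for the baseline set in M2).
BASELINE = {
    "required_services": {"antivirus": "running"},  # service name -> expected state
    "forbidden_ports": {23, 445},                   # ports that must not be listening
    "heartbeat_timeout_s": 300,                     # silence longer than this is an event
}
# Constructed log filter conditions: pattern -> event kind raised when a log line matches.
LOG_FILTERS = {
    re.compile(r"logon failure", re.I): "auth_failure",
    re.compile(r"service .* stopped", re.I): "service_stopped",
}


@dataclass
class Event:
    asset_id: str
    kind: str
    severity: str
    detail: str = ""


@dataclass
class AssetSnapshot:
    asset_id: str
    hardware: Dict[str, str] = field(default_factory=dict)
    software: List[str] = field(default_factory=list)
    services: Dict[str, str] = field(default_factory=dict)
    open_ports: Set[int] = field(default_factory=set)
    last_seen: int = 0


class SnapshotStore:
    """Keeps one snapshot per asset and derives security events from every update."""

    def __init__(self) -> None:
        self.assets: Dict[str, AssetSnapshot] = {}

    def register(self, msg: dict) -> AssetSnapshot:
        # Registration carries the static inventory collected at agent startup.
        snap = AssetSnapshot(msg["asset_id"], dict(msg.get("hardware", {})),
                             list(msg.get("software", [])), last_seen=msg["ts"])
        self.assets[snap.asset_id] = snap
        return snap

    def heartbeat(self, msg: dict) -> List[Event]:
        # Heartbeats refresh the dynamic part of the snapshot and carry mined log lines.
        snap = self.assets.get(msg["asset_id"])
        if snap is None:
            return [Event(msg["asset_id"], "unregistered_heartbeat", "high")]
        snap.services = dict(msg.get("services", {}))
        snap.open_ports = set(msg.get("open_ports", []))
        snap.last_seen = msg["ts"]
        return self.check_baseline(snap) + self.filter_logs(snap.asset_id, msg.get("logs", []))

    @staticmethod
    def check_baseline(snap: AssetSnapshot) -> List[Event]:
        # Every attribute that departs from the baseline becomes one event.
        events: List[Event] = []
        for name, expected in BASELINE["required_services"].items():
            actual = snap.services.get(name, "missing")
            if actual != expected:
                events.append(Event(snap.asset_id, "baseline_service", "medium",
                                    f"{name} is {actual}, expected {expected}"))
        for port in sorted(snap.open_ports & BASELINE["forbidden_ports"]):
            events.append(Event(snap.asset_id, "baseline_port", "high", f"forbidden port {port} open"))
        return events

    @staticmethod
    def filter_logs(asset_id: str, lines: List[str]) -> List[Event]:
        # Only log lines matching a filter condition become events; the first match wins.
        events: List[Event] = []
        for line in lines:
            for pattern, kind in LOG_FILTERS.items():
                if pattern.search(line):
                    events.append(Event(asset_id, kind, "low", line))
                    break
        return events

    def stale_assets(self, now: int) -> List[Event]:
        # An agent that stopped sending heartbeats is itself a security event.
        return [Event(a.asset_id, "heartbeat_missing", "medium", f"last seen {now - a.last_seen}s ago")
                for a in self.assets.values() if now - a.last_seen > BASELINE["heartbeat_timeout_s"]]
```

The point worth noticing is that the baseline check runs on every heartbeat, so a service that is stopped or a forbidden port that opens between two heartbeats shows up as an event within one reporting interval, while `stale_assets` covers the case the heartbeat itself never arrives.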
The security event management module M02 is connected to the asset snapshot module M01, the message detection module M1, the security monitoring module M04 and the security report module M03. It processes the events submitted by M01 and the security events submitted by M1, which includes single-event processing, event-chain processing and risk assessment; according to the response policy of the security policy module M2 it submits events and response commands to the security monitoring module M04, and it submits all processed events to the security report module M03.
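To make the three processing stages of M02 concrete (single-event processing, event-chain processing and risk assessment, followed by a policy-driven response), here is an added Python example that is not part of the patent. The severity weights, the one chain rule, the response thresholds and the event kinds are constructed assumptions standing in for the response policy that M2 would configure.

```python
"""Single-event scoring, event-chain detection and risk-based response in the spirit
of module M02 (added example, not the patent's code). The severity weights, chain rule
and response thresholds are constructed assumptions standing in for an M2 policy."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

SEVERITY_SCORE = {"low": 1, "medium": 3, "high": 6}

# Constructed chain rule: `count` events of `kind` from one asset within `window_s`
# seconds form a chain that is reported as `chain_kind` and adds `bonus` risk.
CHAIN_RULES = [
    {"kind": "auth_failure", "count": 3, "window_s": 60, "chain_kind": "brute_force", "bonus": 6},
]
# Constructed response policy, highest threshold first: risk score -> action.
RESPONSE_POLICY: List[Tuple[int, str]] = [(12, "isolate_asset"), (6, "notify_admin"), (0, "log_only")]


@dataclass
class Event:
    asset_id: str
    kind: str
    severity: str
    ts: int


class EventManager:
    """Processes events one at a time and keeps per-asset chain and risk state."""

    def __init__(self) -> None:
        self.history: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
        self.risk: Dict[str, int] = defaultdict(int)

    def process(self, ev: Event) -> dict:
        # Single-event processing: a base score from the severity.
        score = SEVERITY_SCORE[ev.severity]
        chain_kind: Optional[str] = None
        # Event-chain processing: sliding window of timestamps per (asset, kind).
        for rule in CHAIN_RULES:
            if rule["kind"] != ev.kind:
                continue
            window = self.history[(ev.asset_id, ev.kind)]
            window.append(ev.ts)
            while window and ev.ts - window[0] > rule["window_s"]:
                window.popleft()
            if len(window) >= rule["count"]:
                chain_kind = rule["chain_kind"]
                score += rule["bonus"]
                window.clear()  # the chain has been reported; start counting afresh
        # Risk assessment: accumulate per asset (time decay left out for clarity).
        self.risk[ev.asset_id] += score
        risk = self.risk[ev.asset_id]
        action = next(act for threshold, act in RESPONSE_POLICY if risk >= threshold)
        return {"asset": ev.asset_id, "kind": chain_kind or ev.kind,
                "score": score, "risk": risk, "action": action}
```

The returned dict is what M02 would hand to M04 (event plus response command) and to M03 (the processed event for reporting). Three isolated low-severity logon failures only log; the same three inside the 60-second window are escalated as one chain and cross the notification threshold.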
The security report module M03 is connected to the security event management module M02; it receives the events submitted by M02 and generates reports according to preset report templates. The module provides a user interface through which an operator can define, modify and delete report templates. It can be configured so that an enterprise-level administrator can manage only the security operation reports of that enterprise's own intranet assets.
The security monitoring module M04 is connected to the asset snapshot module M01 and the security event management module M02. It receives the event data and automatic response commands submitted by M02, raises audible and visual alarms for the event data and, as directed by the response command, notifies the enterprise administrator of the event data by e-mail, MSN or QQ; or, as directed by the response command, submits the command to the asset snapshot module M01, which forwards it to the correct executing entity.
The vulnerability scanning module M05 is connected to the asset snapshot module M01; it scans the vulnerability information, operating-system fingerprint information and network topology information of the specified target devices and/or target network segment, and submits the scanned information to M01.
The message detection module M1 is connected to the asset management and control module M0 and the security policy module M2; it receives and processes the messages redirected from the SME border gateway device. Redirected messages undergo intrusion detection processing and anti-virus processing and are then transparently forwarded by the application-layer protocol proxy; when an anomaly is detected, a security event is generated and submitted to M0; the log files produced during message detection are stored in the file space the enterprise user has leased.
Internally, the message detection module M1 comprises an application-layer protocol proxy module M11, an intrusion detection module M12, an anti-virus module M13 and a security event client module M14.
The application-layer protocol proxy module M11 is connected to the intrusion detection module M12, the anti-virus module M13 and the security event client module M14; it receives and processes the messages redirected from the enterprise border gateway device. Redirected messages originating from the enterprise are passed through intrusion detection and anti-virus processing and then transparently forwarded by the appropriate application-layer protocol proxy; return messages originating from internet applications are delivered to the enterprise border gateway device only after intrusion detection and anti-virus processing. The legitimate border gateway devices must be configured in this module: the module checks both inbound and outbound messages and automatically discards any message whose source address or destination address is not registered. The module integrates an SMTP protocol proxy, a POP3 protocol proxy, an HTTP protocol proxy, an MSN proxy, a QQ proxy and a protocol-agnostic proxy, used respectively for handling mail, web browsing, instant messaging and transparently forwarded messages. When a protocol proxy detects an anomaly during operation, it creates a corresponding security event and submits it to the security event client module M14; the proxy module also submits message flow statistics to M14 in the form of security events.
During message forwarding, the application-layer protocol proxy module M11 uses a token bucket for flow control; messages originating from the same legitimate enterprise share one bucket. Messages exceeding the flow threshold are discarded directly.
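The two admission checks described for M11 (discarding messages whose source or destination address is not a registered gateway, then applying one token bucket per enterprise) fit naturally together, so here is one added Python example covering both. It is not the patent's code: the gateway addresses are documentation-range addresses, the bucket sizes are constructed, and the rule that an outbound message is identified by its source and a return message by its destination is an assumption of this example.

```python
"""Admission control for redirected messages in the spirit of module M11 (added
example, not the patent's code): a registered-gateway check followed by one token
bucket shared by all gateways of an enterprise. Addresses, bucket sizes and the
direction handling are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenBucket:
    capacity: int   # burst allowance in bytes
    rate: float     # sustained rate in bytes per second (the leased bandwidth)
    tokens: float   # bytes currently available
    last: float     # timestamp of the last refill

    def allow(self, size: int, now: float) -> bool:
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # over the leased threshold: the message is dropped, not queued


class ProxyAdmission:
    """Registered-gateway filter plus per-enterprise flow control."""

    def __init__(self) -> None:
        self.gateways: Dict[str, str] = {}        # registered gateway address -> enterprise id
        self.buckets: Dict[str, TokenBucket] = {}  # one shared bucket per enterprise

    def register_gateway(self, addr: str, enterprise: str, capacity: int, rate: float) -> None:
        self.gateways[addr] = enterprise
        # All gateways of one enterprise draw from the same bucket.
        if enterprise not in self.buckets:
            self.buckets[enterprise] = TokenBucket(capacity, rate, capacity, 0.0)

    def admit(self, src: str, dst: str, size: int, now: float) -> Optional[str]:
        """Return the enterprise the message is accounted to, or None if it is discarded."""
        # Assumption: an outbound message carries a registered source address, a return
        # message a registered destination address. Anything else is unregistered.
        enterprise = self.gateways.get(src) or self.gateways.get(dst)
        if enterprise is None:
            return None
        return enterprise if self.buckets[enterprise].allow(size, now) else None
```

Because the bucket is keyed by enterprise rather than by gateway address, an enterprise that registers a second gateway does not double its leased capacity, which is the property the text's "shared bucket" is there to guarantee.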
The intrusion detection module M12 is connected to the application-layer protocol proxy module M11; it receives the messages submitted by M11 and performs intrusion detection processing. The module uses the detection rules submitted by the security policy module M2 to perform comprehensive detection on the messages. When an attack is detected, it generates a security event and submits it to the security event client module M14, and at the same time requests M11 to terminate the session associated with the current anomalous message.
The anti-virus module M13 is connected to the application-layer protocol proxy module M11; it receives the messages submitted by M11 and performs anti-virus processing. The results of anti-virus processing are saved as log files, and a built-in log mining function periodically examines the log content; when a virus is found, the module generates a security event and submits it to the security event client module M14, and at the same time requests M11 to terminate the session associated with the current anomalous message.
The security event client module M14 is connected to the application-layer protocol proxy module M11, the intrusion detection module M12 and the anti-virus module M13; it receives the security events submitted by these modules, checks their format, and submits them to the security event management module M02 of the asset management and control module M0, which handles the events. The module is controlled by the security policy module M2 and reports only the security events specified by the reporting policy; by default, it reports all security events.
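The security event client module normalizes the differently shaped local events from M11, M12 and M13 into one format, checks that format, and applies the reporting policy (all events by default). The following added Python example, which is not code from the patent, shows that pipeline; the dict shape of proxy events, the pipe-delimited IDS line and the anti-virus log line are constructed formats assumed only for this illustration.

```python
"""Security event client in the spirit of module M14 (added example, not the patent's
code): normalize local events from the proxy, IDS and anti-virus sub-modules into one
schema, validate it, and apply the reporting policy. The local formats and the policy
are constructed assumptions."""
import re
from typing import List, Optional, Set, Tuple

UNIFIED_FIELDS = ("source", "enterprise", "kind", "severity", "ts", "detail")
VALID_SEVERITIES = {"low", "medium", "high"}

# Assumed IDS event line: "<ts>|<enterprise>|<sid>|<message>|<src>|<dst>"
IDS_LINE = re.compile(r"^(?P<ts>\d+)\|(?P<ent>[^|]+)\|(?P<sid>\d+)\|(?P<msg>[^|]+)\|(?P<src>[^|]+)\|(?P<dst>[^|]+)$")
# Assumed anti-virus log line: "<ts> <enterprise> VIRUS name=<name> file=<file>"
AV_LINE = re.compile(r"^(?P<ts>\d+) (?P<ent>\S+) VIRUS name=(?P<name>\S+) file=(?P<file>\S+)$")


def from_proxy(ev: dict) -> Optional[dict]:
    # Proxy anomalies and flow statistics arrive as dicts from M11.
    if not {"enterprise", "kind", "ts"} <= ev.keys():
        return None
    return {"source": "M11", "enterprise": ev["enterprise"], "kind": ev["kind"],
            "severity": ev.get("severity", "low"), "ts": int(ev["ts"]),
            "detail": f"{ev.get('proto', '?')} bytes={ev.get('bytes', 0)}"}


def from_ids(line: str) -> Optional[dict]:
    m = IDS_LINE.match(line)
    if not m:
        return None
    return {"source": "M12", "enterprise": m["ent"], "kind": "intrusion", "severity": "high",
            "ts": int(m["ts"]), "detail": f"sid={m['sid']} {m['msg']} {m['src']}->{m['dst']}"}


def from_av(line: str) -> Optional[dict]:
    m = AV_LINE.match(line)
    if not m:
        return None
    return {"source": "M13", "enterprise": m["ent"], "kind": "virus", "severity": "high",
            "ts": int(m["ts"]), "detail": f"{m['name']} in {m['file']}"}


def format_ok(ev: dict) -> bool:
    # The format check M14 performs before anything is sent upstream to M02.
    return (all(k in ev for k in UNIFIED_FIELDS) and ev["severity"] in VALID_SEVERITIES
            and isinstance(ev["ts"], int) and bool(ev["enterprise"]))


class EventClient:
    def __init__(self, report_kinds: Optional[Set[str]] = None) -> None:
        # Reporting policy from M2: None means "report everything" (the default).
        self.report_kinds = report_kinds
        self.rejected: List[str] = []

    def normalize(self, source: str, raw) -> Optional[dict]:
        ev = {"M11": from_proxy, "M12": from_ids, "M13": from_av}[source](raw)
        if ev is None or not format_ok(ev):
            self.rejected.append(f"{source}: {raw!r}")
            return None
        return ev

    def collect(self, items: List[Tuple[str, object]]) -> List[dict]:
        """items: (source module, raw local event) pairs; returns events to submit to M02."""
        out = []
        for source, raw in items:
            ev = self.normalize(source, raw)
            if ev and (self.report_kinds is None or ev["kind"] in self.report_kinds):
                out.append(ev)
        return out
```

Keeping a `rejected` list matters in practice: a malformed local event silently dropped by the client would otherwise be invisible to the provider, so the count of rejects is itself worth reporting as a flow statistic.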
The security policy module M2 is connected to the asset management and control module M0 and the message detection module M1; it is used by maintainers to configure different security baselines, security event handling policies, intrusion detection rules, security event reporting rules and so on. Security baseline data and security event handling policy data are submitted to M0; intrusion detection rules and security event reporting rules are submitted to M1. Policies set by the system-level administrator of the invention are visible to all enterprise-level administrators, whereas policies set by an enterprise-level administrator are visible only to the other administrators of that enterprise. A selected policy must be enabled by each enterprise-level administrator; by default, no policy is enabled.
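The visibility and enablement rules just stated for M2 are a small multi-tenant authorization model, and they are easy to get wrong (for example, letting one enterprise enable another enterprise's policy). The following added Python example, not code from the patent, encodes exactly those rules; the policy kinds, the administrator objects and the sample policies are constructed assumptions.

```python
"""Policy visibility and enablement in the spirit of module M2 (added example, not the
patent's code). Policy kinds, the administrator model and the sample policies are
constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SYSTEM = "system"  # scope of policies set by the system-level administrator


@dataclass
class Policy:
    policy_id: str
    kind: str    # e.g. "baseline", "event_handling", "ids_rule", "report_rule"
    scope: str   # SYSTEM or an enterprise id
    body: dict


@dataclass
class Admin:
    name: str
    enterprise: Optional[str]  # None for the system-level administrator


class PolicyStore:
    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}
        # enterprise id -> enabled policy ids; absent or empty means nothing enabled (the default)
        self.enabled: Dict[str, Set[str]] = {}

    def create(self, admin: Admin, policy_id: str, kind: str, body: dict) -> Policy:
        # The scope is derived from who creates the policy, never chosen by the caller.
        scope = SYSTEM if admin.enterprise is None else admin.enterprise
        policy = Policy(policy_id, kind, scope, body)
        self.policies[policy_id] = policy
        return policy

    def visible(self, admin: Admin) -> List[Policy]:
        # System-level policies are visible to every enterprise administrator; an
        # enterprise-level policy only to administrators of that same enterprise.
        if admin.enterprise is None:
            return list(self.policies.values())
        return [p for p in self.policies.values() if p.scope in (SYSTEM, admin.enterprise)]

    def enable(self, admin: Admin, policy_id: str) -> bool:
        if admin.enterprise is None:
            return False  # enabling is a per-enterprise decision, not a system-level one
        policy = self.policies.get(policy_id)
        if policy is None or policy not in self.visible(admin):
            return False  # an administrator cannot enable what they cannot see
        self.enabled.setdefault(admin.enterprise, set()).add(policy_id)
        return True

    def effective(self, enterprise: str, kind: Optional[str] = None) -> List[Policy]:
        # What M0 and M1 actually apply for this enterprise: visible *and* enabled.
        ids = sorted(self.enabled.get(enterprise, set()))
        return [self.policies[i] for i in ids if kind is None or self.policies[i].kind == kind]
```

The check inside `enable` is the one that enforces tenant isolation: visibility is re-evaluated at enablement time rather than trusted from an earlier listing, so a policy id learned out of band cannot be enabled across enterprise boundaries.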
The terminal security management and control module M3 is connected to the asset snapshot module M01 of the asset management and control module M0 and to the authentication module M6; it reports the running state of Windows terminals and receives control commands from M01, achieving security management and control of the enterprise intranet terminal assets. After startup it collects hardware information, neighbor information and software information to build an identification message and applies for registration with M01; during operation it periodically collects hardware, neighbor and software information and mined log information to build heartbeat messages that report the running state to M01. Optionally, M3 initiates authentication to the authentication module M6 at irregular intervals; only after authentication succeeds does M3 enter its normal working state, otherwise it can lock the terminal and render it unusable.
The host security management and control module M4 is connected to the asset snapshot module M01 of M0 and to the authentication module M6; it reports the running state of hosts and receives control commands from M01, achieving security management and control of enterprise intranet host-class assets. The module first sends an identity authentication request to M6, and only after authentication succeeds does it register with M01 and report heartbeat messages. Registration messages include the collected hardware device and software information; heartbeat messages include the periodically collected hardware and software information and the filtered log information. M4 allows administrators to customize the content of registration and heartbeat messages so as to mask some process and service information.
The network device security management and control module M5 is connected to the asset snapshot module M01 of M0 and to the authentication module M6; it reports the running state of each network device under its jurisdiction and receives control commands from M01, which it converts into standard SNMP commands and submits to the target network device, achieving security management and control of the target devices. One instance of the module can manage and control multiple network devices that support SNMP. Immediately after startup, the module applies to M6 for authentication; after verification passes, it collects the hardware and software information of the host on which it runs, builds a registration message from this information and registers with M01. It then collects the running-state data of each network device according to the preset order and time frequency and reports it to M01, which uses this status data to build a running-state snapshot of the network devices. It also receives SNMP Trap messages from the network devices, formats them and stores them in a buffer whose contents are periodically submitted to M01.
The authentication module M6 is connected to the terminal security management and control module M3, the host security management and control module M4 and the network device security management and control module M5; it performs node authentication for each module deployed in the enterprise intranet, and performs user identity verification when an enterprise administrator logs in to the system. By default the module authenticates nodes with mutual X.509 digital certificate authentication under a PKI mechanism, and verifies user identities with one-way X.509 digital certificate authentication. After authentication succeeds, the module requests the firewall system to open the communication path between the client and the system's services; it periodically checks the online state of nodes and users and, on finding one offline, immediately requests the firewall system to close the communication path between that client and the system's services.
As shown in Figure 2, the flow diagram of the SME intranet information security hosting method of the present invention comprises the following steps:
Step S1: install the intranet security management and control software. This comprises downloading from the service network of the security service provider the Windows terminal security management and control software, the Linux host security management and control software, the Unix host security management and control software, the Windows host security management and control software and the network device security management and control software, and installing them respectively on the terminal computers, the hosts and an idle computer.
Before carrying out this step, the enterprise must sign an agreement with the security service provider that settles the leased dedicated bandwidth capacity for redirected packet flow detection and the file space capacity used to keep security reports and security inspection logs, and obtain from the security service provider the VPN access client username/password and the security hosting system administrator/password assigned to it, together with general information such as the VPN server IP address and the security hosting system IP address.
After obtaining the above access information, the enterprise user first uses the VPN client username/password to establish an IPSec VPN to the security service provider's network, then accesses the security hosting system through this VPN tunnel and downloads the terminal security management and control software, the host security management and control software and the network element security management and control software from its Web site.
The terminal security management and control software is the terminal security management and control module M3 of the SME intranet information security hosting system of the present invention. It supports security management and control of Windows terminals only, and contains software whitelist control, file protection control, security operation log retrieval and asset management and control functions. At installation it generates the local software whitelist automatically; the whitelist control and file protection function modules are drivers that load automatically with the operating system. The whitelist content and the target files placed under file control are all reported automatically to the security hosting system, so that the enterprise maintainer can centrally control the Windows terminals of the intranet through this security management and control system; file protection control automatically protects the whitelist driver and the whitelist file from access by unauthorized processes, that is, the terminal user cannot access these files. When the terminal security management and control software starts it proactively reports asset information, comprising: hardware information, that is, the hardware assets listed in the Windows "Device Manager" such as CPU, memory, hard disk, monitor, network adapter and video card; user information, comprising users and groups; service information, comprising service name, state, process number, description and the long file name of the executable; active ports, comprising port number and protocol; active connections, comprising local IP, local port, remote IP, remote port and protocol; shared directory information; network configuration information; neighbor information, comprising MAC (Media Access Control) address and IP address; active process information, comprising process name, process ID and process context module information; startup group information, comprising the registry key, title and executable name with absolute path; and kernel module information, comprising short file name and long file name. All of this information is obtained through WMI (the Windows management interface) or Windows kernel functions and submitted to the SME intranet information security hosting system at the security service provider's side, which rebuilds the asset operation snapshot from the data submitted by the terminal security management and control software. At the same time, in this system the enterprise maintainer can manage and control not only hardware assets but also software assets, including stopping services, terminating processes, closing connections and closing shares. The terminal security management and control software must run with administrator privileges.
While running, the terminal security management and control software regularly reports a heartbeat message to the SME intranet information security hosting system of the security service provider. Besides the content items of the startup report, the heartbeat message also contains the log entries retrieved from the running log, including the time, OS event ID and event description, translated into the unified log event format: detector (terminal security management and control software), event flag (OS event ID), time (OS event time), source IP (terminal IP, or the source IP filtered out of the log entry), source port (ANY, or the source port filtered out of the log entry), target IP (terminal IP, or the target IP filtered out of the log entry), target port (ANY, or the target port filtered out of the log entry) and event content (event description). Log retrieval uses Lua regular expressions, and a different Lua regular expression is defined for each event that needs attention.
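The following is an added example, not code from the patent, showing how a terminal agent could translate raw log entries into the unified log event format described above. Python's `re` module stands in for the Lua regular expressions the page names, the `time | event id | description` entry layout and the sample entries are constructed for the example, and the terminal address is assumed; fields that no pattern supplies fall back to the terminal IP and ANY, as the format requires.

```python
import re

# Constructed example terminal address; the real value is the terminal's own IP.
TERMINAL_IP = "192.168.1.20"

# One pattern per event of interest (the page defines one Lua pattern per event;
# Python's re module is used as the equivalent here). Named groups become fields.
EVENT_PATTERNS = {
    "4625": re.compile(r"Source Network Address:\s*(?P<src_ip>[\d.]+)"
                       r".*?Source Port:\s*(?P<src_port>\d+)"),
    "7036": re.compile(r"The (?P<service>.+?) service entered the (?P<state>\w+) state"),
}

def _group(match, name, default):
    """Return a named group if the pattern defines it and it matched, else default."""
    if match is None:
        return default
    value = match.groupdict().get(name)
    return value if value is not None else default

def normalize(raw_entry, terminal_ip=TERMINAL_IP):
    """Translate one 'time | event id | description' entry (constructed layout)
    into the unified log event form; return None if no pattern covers the event."""
    time_str, event_id, description = [p.strip() for p in raw_entry.split("|", 2)]
    pattern = EVENT_PATTERNS.get(event_id)
    if pattern is None:
        return None
    m = pattern.search(description)
    return {
        "detector": "terminal-security-agent",
        "event_flag": event_id,
        "time": time_str,
        "source_ip": _group(m, "src_ip", terminal_ip),
        "source_port": _group(m, "src_port", "ANY"),
        "target_ip": _group(m, "dst_ip", terminal_ip),
        "target_port": _group(m, "dst_port", "ANY"),
        "event_content": description,
    }

# Constructed sample entries in the style of Windows event log records.
SAMPLE_LOG = [
    "2024-03-01 10:22:31 | 4625 | An account failed to log on. "
    "Source Network Address: 10.0.0.5 Source Port: 51234",
    "2024-03-01 10:23:02 | 7036 | The Windows Update service entered the stopped state.",
    "2024-03-01 10:23:40 | 1000 | Application hang reported.",
]

def normalize_all(lines):
    """Keep only the entries for which an event pattern is defined."""
    return [e for e in (normalize(line) for line in lines) if e is not None]

if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LOG):
        print(event)
```

Entries without a defined pattern (event 1000 above) are dropped rather than reported, which mirrors the page's rule that only events with a defined expression are retrieved.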
The host security management and control software is the host security management and control module M4 of the SME intranet information security hosting system of the present invention, and comprises three major classes: Windows host security management and control, Linux host security management and control and Unix host security management and control. A digital certificate must first be issued for this software on the SME intranet information security hosting system of the security service provider; otherwise X.509 entity authentication between the software and the hosting system is not enabled. When the host security management and control software starts it reports the local running environment information to the hosting system; at the same time it can be controlled by the hosting system, including forcibly terminating processes, defragmenting files, closing active connections, forcing users offline and restarting services. The running environment information referred to here comprises: load information, including disk size and load, memory size and load, CPU capacity and load, and network capacity and load; active port information, including port number and process number; active process information, including CPU consumption, memory consumption, command name, the user that started it and the names of associated modules (long file names and SOCKETs); active user information, including user name, terminal name, IP address and online time; active connection information, including local IP, local port, remote IP, remote port and active state; and security operation log information, including time, user name, IP address and result description. All of this information is gathered through API functions rather than SHELL commands.
In normal operation the host security management and control software also regularly reports the host's condition information. Besides the content items of the startup report, this information includes the log entries matched by string comparison in the security operation log and the operating system log, including the time, the operation result and the description of the operation content, translated into the unified log event format: detector (host security management and control software), event flag (the event ID found from the matched keyword), time (OS event time), source IP (host IP, or the source IP filtered out of the log information), source port (ANY, or the source port filtered out of the log information), target IP (host IP, or the target IP filtered out of the log information), target port (ANY, or the target port filtered out of the log information) and event content (the union of the operation result and the operation content). Log event collection likewise uses Lua (the Lua language) regular expressions to extract the content.
The network element security management and control software, that is, the network device security management and control software, is the network device security management and control module M5 of the SME intranet information security hosting system of the present invention. It manages and controls the network devices of the corporate intranet, comprising routers, switches, firewalls and other devices that support the SNMP protocol. This software is deployed independently on at least one host so that network devices in different subnets can be controlled. Unlike the terminal security management and control software and host security management and control software described above, one set of network element security management and control software can manage and control several network devices. It collects the health data of the monitored devices through the SNMP protocol, with the MIB libraries published by mainstream vendors such as Huawei, H3C, Cisco and D-Link built in; at the same time it receives the SNMP Trap messages of the devices. When the IP address of a managed network device is configured, only the IP address of its management port may be configured. The software also supports collecting device running state data with CLI (Command Line Interface) commands; but when CLI mode is enabled, the vendor and model of the managed device must be configured, because CLI commands are tightly coupled to the particular models of each vendor.
After the network element security management and control software starts, it sends a status message about itself to the SME intranet information security hosting system, with the same asset information content as the terminal security management and control software reports. In subsequent operation it collects, at the preset frequency interval, the operating data of each managed network device, such as network throughput, CPU load and memory load, and at the same time parses the SNMP Trap messages of the device received within the current time interval into event data of fixed format: detector (network element security management and control software), event flag (obtained by looking up the event label table according to the SNMP Trap content), time (event time), source IP (network element IP, or the source IP filtered out of the SNMP Trap content), source port (ANY, or the source port filtered out of the Trap content), target IP (network element IP, or the target IP filtered out of the SNMP Trap content), target port (ANY, or the target port filtered out of the SNMP Trap content) and event content (the string converted from the SNMP Trap); these are reported to the SME intranet information security hosting system. Through the operation interface of the hosting system the administrator can manually extract the operating data of a specified network device, such as its routing table, spanning tree and rules. The administrator can also specify that integrity verification be performed on a device's configuration information; the network element security management and control software then regularly collects the configuration data of each network device for which integrity verification was specified and compares it, and when a change is found it immediately creates a log event and caches it in the log event queue. The log event queue consists of several sub-queues, and the head node of each sub-queue is identified by the IP address of a managed device.
The network element security management and control software also embeds a syslog (the syslog protocol) service function; once this function is enabled, the syslog logs of devices that support the syslog protocol can be forced to upload to the host on which the network element security management and control software resides, and once the syslog service is enabled the log analysis function is enabled automatically. Further, the network element security management and control software also integrates a TFTP (Trivial File Transfer Protocol) service function; once this TFTP service is enabled, devices that support the TFTP protocol can be required to upload their local logs to the host on which the network element security management and control software resides. This function filters content from the uploaded log entries according to the preset filtering rules (Lua regular expressions); once content is matched, it constructs a log event comprising detector (network element security management and control software), event flag (determined by the filter condition that the log entry content matched), time (log occurrence time), source IP (the IP of the machine the log came from), source port (ANY, or the source port filtered out of the log content), target IP (the IP of the machine the log came from, or the target IP filtered out of the log content), target port (ANY, or the target port filtered out of the log content) and event content (log description), and caches it in the log event queue. The network element security management and control software reads the content of this queue at a constant interval and reports it to the SME intranet information security hosting system. Only when the report succeeds are the log event entries removed from the buffer area; once the buffer area is full, its content is dumped to a local file and the buffer area is emptied; the dumped file is uploaded immediately when the SME intranet information security hosting system is found to be reachable.
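The queue, reporting and spill-to-file behaviour just described, as an added example that is not the patent's own code. The sub-queues are keyed by managed device IP as the page states; the capacity, the JSON dump format, the upload callback signature and the sample events are assumptions made for the example.

```python
import json
import os
import tempfile
from collections import OrderedDict, deque

class LogEventQueue:
    """Log event queue made of per-device sub-queues keyed by the managed
    device's IP address, with entries removed only after a successful report
    and the whole buffer spilled to a local file when it is full."""

    def __init__(self, capacity, dump_dir):
        self.capacity = capacity        # total entries held before spilling to disk
        self.dump_dir = dump_dir
        self.subqueues = OrderedDict()  # device IP -> deque of events
        self.dump_count = 0

    def __len__(self):
        return sum(len(q) for q in self.subqueues.values())

    def push(self, device_ip, event):
        self.subqueues.setdefault(device_ip, deque()).append(event)
        if len(self) >= self.capacity:
            self._dump_to_file()

    def _dump_to_file(self):
        # Buffer full: write every sub-queue to a local file, then empty the buffer.
        path = os.path.join(self.dump_dir, "events-%06d.json" % self.dump_count)
        with open(path, "w") as fh:
            json.dump({ip: list(q) for ip, q in self.subqueues.items()}, fh)
        self.dump_count += 1
        self.subqueues.clear()
        return path

    def report(self, upload):
        """Report each sub-queue through upload(device_ip, events) -> bool.
        Entries are removed only when the upload succeeds."""
        sent = 0
        for ip, q in self.subqueues.items():
            if q and upload(ip, list(q)):
                sent += len(q)
                q.clear()
        return sent

    def upload_dumped_files(self, upload):
        """Replay spilled files once the hosting system is reachable again."""
        replayed = 0
        for name in sorted(os.listdir(self.dump_dir)):
            path = os.path.join(self.dump_dir, name)
            with open(path) as fh:
                data = json.load(fh)
            if not all([upload(ip, evs) for ip, evs in data.items()]):
                break                   # still unreachable: keep the file for later
            os.remove(path)
            replayed += sum(len(evs) for evs in data.values())
        return replayed

def run_scenario():
    """Constructed walk-through: failed report, a spill to disk, then recovery."""
    dump_dir = tempfile.mkdtemp()
    q = LogEventQueue(capacity=3, dump_dir=dump_dir)
    q.push("10.0.0.1", {"event_flag": "config-changed", "event_content": "config hash differs"})
    q.push("10.0.0.2", {"event_flag": "link-down", "event_content": "ifIndex 3 down"})
    sent_while_unreachable = q.report(lambda ip, events: False)   # hosting system unreachable
    held = len(q)                                                  # entries stay buffered
    q.push("10.0.0.1", {"event_flag": "link-up", "event_content": "ifIndex 3 up"})  # full: spill
    after_spill = len(q)
    dumped_files = len(os.listdir(dump_dir))
    replayed = q.upload_dumped_files(lambda ip, events: True)      # reachable again
    remaining_files = len(os.listdir(dump_dir))
    return {"sent_while_unreachable": sent_while_unreachable, "held": held,
            "after_spill": after_spill, "dumped_files": dumped_files,
            "replayed": replayed, "remaining_files": remaining_files}

if __name__ == "__main__":
    print(run_scenario())
```

The list comprehension inside `all(...)` is deliberate: every sub-queue of a dumped file is attempted before deciding whether the file can be deleted, so a partial failure keeps the file for the next attempt.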
Step S2: redirect outbound packets to the packet detection service system. On the edge device between its intranet and the public network, the enterprise administrator redirects the packets of the predetermined application layer protocols to the packet detection service system of the SME intranet information security hosting system, and that system inspects the redirected packets.
The packet detection service system is the packet detection module M1 (the message detection module) of the SME intranet information security hosting system of the present invention; this module can be deployed independently, and therefore appears externally as an independent packet detection service system.
If the edge device supports redirection by protocol, as an application level gateway device does, the packets of the specified protocols (or of all protocols, without distinguishing them) can be redirected to the packet detection service system. If none of the edge devices supports packet redirection, a VPN tunnel to the packet detection service system must first be established; this tunnel encapsulates packets in IP-over-IP (IP encapsulating IP) mode, and all outbound packets are then sent out through it. Because sending outbound packets through a VPN tunnel may affect performance when the packet flow is large, several tunnels need to be built according to the actual conditions, and the enterprise's internal topology re-planned at the same time so that, by setting different routing relationships, traffic is actively split inside the intranet onto the different tunnels.
The flow of redirected packets submitted by an enterprise cannot exceed the traffic capacity it has leased. The packet detection system at the security service provider's side limits the forwarded flow by token bucket policing; if the leased traffic capacity is exceeded, the packets in excess of the capacity are directly discarded.
After the packet detection system located in the security service provider's machine room receives a redirected packet, it first verifies the source end and/or the destination: only packets whose source or destination IP has been registered pass, and all other packets are directly discarded. The packets are then submitted in turn, according to their protocol, to the different internal application layer protocol proxy modules M11.
The application layer protocol proxies comprise the SMTP protocol proxy, the POP3 protocol proxy, the HTTP protocol proxy, the MSN proxy, the QQ proxy and the non-protocol-distinguishing proxy, used respectively for network mail control, web-based access control, instant messaging control and simple control of protocols that are not distinguished. By default an application layer protocol packet is submitted to the corresponding application layer protocol proxy, but the enterprise administrator can specify that the packet detection system handle only some protocols individually, such as the HTTP protocol, with all other protocols submitted to the non-protocol-distinguishing proxy.
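An added example, not the patent's code, of the front end of the packet detection system described in the three paragraphs above: token bucket policing against the leased capacity, the registered source/destination check, and dispatch to a dedicated proxy or the non-protocol-distinguishing one, with the administrator's override. The byte-based bucket, the `Packet` summary, the injectable clock and the sample addresses (private and TEST-NET ranges) are assumptions made for the example.

```python
import time
from collections import namedtuple

# Constructed packet summary: only the fields the front end needs.
Packet = namedtuple("Packet", "src_ip dst_ip protocol size")

class TokenBucket:
    """Byte-based token bucket: rate is the leased capacity, burst the bucket depth."""

    def __init__(self, rate_bytes_per_s, burst_bytes, clock=time.monotonic):
        self.rate = rate_bytes_per_s
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)
        self.clock = clock
        self.last = clock()

    def allow(self, size):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False            # over the leased capacity: the caller drops the packet

class PacketDetectionFrontEnd:
    # Protocols that have a dedicated proxy; everything else goes to the generic proxy.
    DEDICATED = {"smtp", "pop3", "http", "msn", "qq"}

    def __init__(self, bucket, registered_ips, individually_handled=None):
        self.bucket = bucket
        self.registered = set(registered_ips)
        # Administrator override: if set, only these protocols get their own proxy.
        self.individually_handled = individually_handled

    def dispatch(self, pkt):
        """Return where the packet goes: a drop reason or the proxy that receives it."""
        if not self.bucket.allow(pkt.size):
            return "drop:over-capacity"
        if pkt.src_ip not in self.registered and pkt.dst_ip not in self.registered:
            return "drop:unregistered"
        proto = pkt.protocol.lower()
        dedicated = self.DEDICATED if self.individually_handled is None else self.individually_handled
        return "proxy:" + (proto if proto in dedicated else "generic")

class FakeClock:
    """Deterministic clock so the bucket refill can be shown without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds

def run_scenario():
    clock = FakeClock()
    bucket = TokenBucket(rate_bytes_per_s=1000, burst_bytes=1500, clock=clock)
    fe = PacketDetectionFrontEnd(bucket, registered_ips={"10.0.0.5"},
                                 individually_handled={"http"})
    out = [
        fe.dispatch(Packet("10.0.0.5", "203.0.113.10", "HTTP", 1000)),   # HTTP proxy
        fe.dispatch(Packet("10.0.0.5", "203.0.113.10", "SMTP", 400)),    # override: generic
        fe.dispatch(Packet("10.0.0.5", "203.0.113.10", "HTTP", 400)),    # 100 tokens left: drop
    ]
    clock.advance(1.0)                                                    # 1000 tokens refilled
    out.append(fe.dispatch(Packet("172.16.0.9", "203.0.113.10", "HTTP", 400)))  # unregistered
    out.append(fe.dispatch(Packet("10.0.0.5", "203.0.113.10", "QQ", 400)))     # override: generic
    return out

if __name__ == "__main__":
    print(run_scenario())
```

Policing runs before the registration check, in the order the page gives, so an unregistered packet still consumes tokens; a deployment that wants unregistered traffic to be free of charge would swap the two checks.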
The SMTP protocol proxy and the POP3 protocol proxy use a similar processing mechanism: first the active mail content is decoded according to the protocol; then outgoing mail is filtered by keyword, and if content is matched the mail content is written to the rented file space; if content of the core-secret classification level is matched, the content is saved to the file space, alarm information is generated at the same time, and the mail is not forwarded. Attachments in the mail are simply saved to the file space for manual audit; attachment content is not decoded. Finally the packet is forwarded transparently.
The HTTP protocol proxy first records the protocol header field information; then it drops packets directly according to the preset URL list; then it directly discards violating access according to the preset time period and client segment policy; and finally it forwards the HTTP packet transparently. All header field information is saved to the file space in XML file format, grouped by time period.
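The HTTP proxy's decision sequence, as an added example that is not the patent's code: record the header fields first, apply the URL list, apply the time period and client segment policy, otherwise forward, and serialize one time period's header records as XML. Prefix matching for the URL list, hourly periods, the policy tuple layout and the sample requests are assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

class HttpProxyPolicy:
    """Decision logic of the HTTP proxy: record headers, apply the URL list,
    apply the time-period / client-segment policy, otherwise forward."""

    def __init__(self, blocked_url_prefixes, segment_windows):
        self.blocked = tuple(blocked_url_prefixes)
        # (client subnet, first allowed hour, end hour exclusive): access allowed only inside
        self.windows = [(ipaddress.ip_network(net), start, end)
                        for net, start, end in segment_windows]
        self.records = []   # header records; grouped into XML by time period later

    def decide(self, client_ip, url, headers, when):
        self.records.append((when, client_ip, url, dict(headers)))  # headers recorded first
        if any(url.startswith(prefix) for prefix in self.blocked):
            return "drop:url-list"
        ip = ipaddress.ip_address(client_ip)
        for net, start, end in self.windows:
            if ip in net and not (start <= when.hour < end):
                return "drop:time-window"
        return "forward"

    def headers_xml(self, when):
        """Serialize the header records of one hourly period as XML text."""
        period = when.strftime("%Y-%m-%dT%H")
        root = ET.Element("requests", period=period)
        for rec_when, client_ip, url, headers in self.records:
            if rec_when.strftime("%Y-%m-%dT%H") != period:
                continue
            req = ET.SubElement(root, "request", client=client_ip, url=url,
                                time=rec_when.isoformat())
            for name, value in headers.items():
                ET.SubElement(req, "header", name=name).text = value
        return ET.tostring(root, encoding="unicode")

def run_scenario():
    policy = HttpProxyPolicy(
        blocked_url_prefixes=["http://files.example/share/"],   # constructed URL list
        segment_windows=[("10.0.1.0/24", 9, 18)],                 # office segment, 09:00 to 18:00
    )
    hdrs = {"Host": "intranet.example", "User-Agent": "constructed/1.0"}
    t_day = datetime(2024, 3, 1, 10, 15)
    t_night = datetime(2024, 3, 1, 20, 5)
    results = [
        policy.decide("10.0.1.7", "http://files.example/share/report.doc", hdrs, t_day),
        policy.decide("10.0.1.7", "http://intranet.example/", hdrs, t_night),
        policy.decide("10.0.1.7", "http://intranet.example/", hdrs, t_day),
        policy.decide("10.0.2.7", "http://intranet.example/", hdrs, t_night),  # other segment
    ]
    return results, policy.headers_xml(t_day)

if __name__ == "__main__":
    decisions, xml_text = run_scenario()
    print(decisions)
    print(xml_text)
```

Header recording happens before any drop decision, so the XML record of a period also contains the requests that were dropped, which is what an auditor reviewing the file space would want to see.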
The MSN proxy and the QQ proxy use a similar processing mechanism: they record the IP address of the source end and update its online duration and message sending frequency; optionally, the conversation content and the transmitted attachments are saved to the file space; finally the packet is forwarded transparently. Because the conversation content of MSN and QQ is encrypted, conversation information is not saved by default.
The non-protocol-distinguishing proxy only records the source IP, source port, protocol, target IP, target port and packet length, and forwards the packet transparently.
Before the application layer protocol proxies handle a packet, intrusion detection and anti-virus processing are performed first. The packet is first submitted to the intrusion detection module M12, which performs rule-based intrusion detection on the packet and may be derived from an NIDS (Network Intrusion Detection System). When the intrusion detection module M12 detects a definite attack signature, it directly notifies the application layer protocol proxy module M11 to close the associated session and generates an alarm event; if it detects an attack signature but is uncertain, it only generates an alarm event. The packet is then submitted to the anti-virus module M13, which is derived from anti-virus software; its embedded processing module collects the running log of the anti-virus software in real time (extracting content with regular expressions), and when a virus is found it likewise generates an alarm and requires the application layer protocol proxy module M11 to close the associated active session.
Alarms generated in the packet detection system are submitted to the asset management module M0 through its internal security event client module M14. The security event client module M14 first checks whether the event format submitted by the other modules is correct, then adds a submission time attribute and submits the event to the asset management module M0 through a named pipe or a network interface. The attributes of an event comprise detector (the specific module ID), event flag (the specific event identifier), time (event time), source IP (the source IP address of the event, filled in by the detector according to the specific event), source port (ANY or a specific port), target IP (filled in by the detector according to the specific event; when there is no target IP address, the default target IP address is the source IP address), target port (ANY or a specific port) and event content (filled in by the detector according to the actual situation).
The IDS (Intrusion Detection System) policy used by the packet detection module M1 can be set by the enterprise maintainer through the security policy module M2. The file preservation processing policy and the security event reporting policy are likewise set by the enterprise maintainer; the security service provider can set such policies for all enterprises through the security policy module M2, but the enterprise maintainer retains control over them, for example by not enabling them. The policies set up by each enterprise take effect only for the redirected packets of that enterprise.
Step S3: intranet security management and control. The enterprise administrator logs in to the enterprise intranet information security hosting system of the security service provider through the VPN tunnel and performs security management and control on the IT assets of its intranet.
The enterprise administrator first establishes the IPSec VPN tunnel to the security hosting system, then checks the logs of the terminal security management and control software, host security management and control software and network device security management and control software installed in the intranet to confirm that this software can submit packets to the security hosting system through the IPSec VPN tunnel, that is, that no prompts such as "waiting for the service end response timeout" or "data send failure" appear in the logs. By default this IPSec VPN tunnel exists permanently.
The enterprise administrator connects the hardware device holding the identity information, such as a USB KEY, to the computer, accesses the security hosting system through a browser, selects "USBKEY" under "authentication mode", and enters the enterprise number, enterprise password, administrator name and password;
The Web plug-in of the security hosting system takes the current enterprise number, enterprise password, administrator name and password together with a random number as the reference value, computes its HASH (hash) value with the MD5 algorithm, and calls the signing interface of the USB KEY to sign the HASH value; it then constructs an authentication message whose content is the reference value and the signed HASH value, calls the encryption interface of the USB KEY to encrypt the message content, and finally sends the encrypted authentication message to the authentication module M6 of the security hosting system. The USB KEY integrates a PKI (Public Key Infrastructure) support chip that stores the private key of the user identity and the public key data of the security hosting system; signing and encryption are both performed on the chip, and the private key data cannot be exported to the outside world. The USB KEY can use a ready-made PKI support chip available on the market to achieve this function.
On receiving the user authentication message, the authentication function module M6 of the security hosting system first decrypts the message content with its own private key and, after extracting the enterprise number and user name, looks up the data table to obtain this user's public key data; it then verifies the signature with the obtained public key data to recover the original HASH value. At the same time it computes the HASH value of the authentication message content with the MD5 (Message Digest Algorithm 5) algorithm; only when the original HASH value is consistent with the computed HASH value is the identity confirmed as successful. It then generates a dynamic configuration rule requiring the firewall to open the packet path from this user to the internal services of the security hosting system. The password in the message, like the password kept in the database, is stored as the value computed by MD5.
After the enterprise administrator has successfully logged in to the system, it can manage and control the IT assets of its internal network, including browsing the topology diagram, checking the asset security state, checking security events, modifying whitelists, stopping processes and services, forcing users offline, vulnerability scanning, topology scanning, setting all kinds of policies, installing patches and restarting systems. Administrators can also handle the files kept in their rented file space, including retrieving, browsing, deleting and downloading them; they can check the security reports provided by the security hosting system in the security report service window and, as long as the quota of report types is not exceeded, can also define their own reports and specify report permissions and a sending policy.
The asset security management and control module M0 of the security hosting system receives and processes the logon messages, heartbeat messages and event messages of the terminal security management and control module M3, the host security management and control module M4 and the network device security management and control module M5 in the corporate intranet; receives and processes the events submitted by the packet detection module M1; and receives and processes the control operations of the operating user.
Messages originating from the terminal security management and control module M3, the host security management and control module M4 and the network device security management and control module M5 are submitted to the asset snapshot module M01. For each logon message, this module first tests whether the asset identified by the IP address and MAC (Media Access Control) address information exists; if not, it constructs a new asset from the IP address and MAC address and takes the new asset as the current asset; otherwise the retrieved asset is the current asset. It then fills the hardware attributes of the current asset with the hardware information in the logon message; fills the user profile attribute with the user information; fills the service attribute with the service information; fills the active connection attribute with the active connection information; fills the network configuration attribute with the network configuration information; fills the active process attribute with the active process information; fills the startup group attribute with the startup group information; fills the kernel module attribute with the kernel module information; and updates the connection relationship attribute between the current asset and its neighbor assets with the neighbor information, redrawing the connecting lines between assets. The neighbor information is also used to discover new assets: if the asset identified by the neighbor information (IP, MAC address) does not exist, a new asset node has been found.
When the asset operation snapshot is built from a logon message, changes inside the asset can be found immediately, including attribute content that has been added, modified or deleted; at the same time, the current value of each attribute can be compared with the security baseline and an alarm sent on any deviation. The alarm event comprises detector (asset snapshot module), event flag (according to the actual situation: hardware change, software change, baseline violation or new asset found), time (current time), source IP address (the real IP address of the asset), source port (NULL), target IP (NULL), target port (NULL), event content (specific description), asset identifier (the internal identifier of the current asset), reception time (current time), confidence level (10), handling flag (1) and processing policy (NULL).
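The asset snapshot construction of the previous two paragraphs, as an added example that is not the patent's code: lookup by (IP, MAC) with creation of new assets, attribute filling with change detection, a baseline comparison, and neighbor-based discovery of new nodes. The attribute group names, the baseline layout, the alarm field spelling and the sample logon messages are assumptions made for the example; NULL fields are represented by `None`.

```python
ATTRIBUTE_GROUPS = ("hardware", "users", "services", "connections",
                    "network_config", "processes", "startup", "kernel_modules")

def diff_attributes(old, new):
    """Yield (change, name) for entries added, modified or deleted between two dicts."""
    for name in new:
        if name not in old:
            yield "added", name
        elif old[name] != new[name]:
            yield "modified", name
    for name in old:
        if name not in new:
            yield "deleted", name

class AssetSnapshot:
    def __init__(self, baseline=None):
        self.assets = {}                 # (ip, mac) -> asset record
        self.links = set()               # frozenset of two asset keys (the connecting lines)
        self.baseline = baseline or {}   # (group, name) -> required value
        self.alarms = []

    def _alarm(self, flag, asset, content):
        # Alarm event in the field layout given above; NULL fields are None here.
        self.alarms.append({"detector": "asset-snapshot", "event_flag": flag,
                            "source_ip": asset["ip"], "source_port": None,
                            "target_ip": None, "target_port": None,
                            "event_content": content, "asset_id": asset["id"],
                            "confidence": 10, "handled": 1, "policy": None})

    def _get_or_create(self, ip, mac, how):
        key = (ip, mac)
        asset = self.assets.get(key)
        created = asset is None
        if created:
            asset = {"id": len(self.assets) + 1, "ip": ip, "mac": mac, "attributes": {}}
            self.assets[key] = asset
            self._alarm("new-asset", asset, how)
        return asset, created

    def process_logon(self, msg):
        asset, created = self._get_or_create(msg["ip"], msg["mac"], "registered by logon message")
        old = asset["attributes"]
        new = {g: dict(msg.get(g, {})) for g in ATTRIBUTE_GROUPS}
        if not created:   # an existing asset: every attribute change becomes an alarm
            for group in ATTRIBUTE_GROUPS:
                flag = "hardware-change" if group == "hardware" else "software-change"
                for change, name in diff_attributes(old.get(group, {}), new[group]):
                    self._alarm(flag, asset, "%s.%s %s" % (group, name, change))
        asset["attributes"] = new
        for (group, name), required in self.baseline.items():
            actual = new[group].get(name)
            if actual != required:
                self._alarm("baseline-violation", asset,
                            "%s.%s=%r, baseline %r" % (group, name, actual, required))
        for nb in msg.get("neighbors", []):   # neighbor info updates links and finds new nodes
            neighbor, _ = self._get_or_create(nb["ip"], nb["mac"], "discovered via neighbor information")
            self.links.add(frozenset(((asset["ip"], asset["mac"]), (neighbor["ip"], neighbor["mac"]))))
        return asset

def run_scenario():
    """Constructed messages: first logon, then a second logon with changes."""
    snap = AssetSnapshot(baseline={("services", "telnet"): "stopped"})
    first = {"ip": "10.0.0.2", "mac": "aa:bb:cc:00:00:02",
             "hardware": {"cpu": "2 cores", "memory": "8 GB"},
             "services": {"telnet": "stopped", "ssh": "running"},
             "neighbors": [{"ip": "10.0.0.3", "mac": "aa:bb:cc:00:00:03"}]}
    snap.process_logon(first)
    flags_first = [a["event_flag"] for a in snap.alarms]
    second = dict(first, hardware={"cpu": "2 cores", "memory": "8 GB", "disk": "500 GB"},
                  services={"telnet": "running"})
    snap.process_logon(second)
    flags_second = [a["event_flag"] for a in snap.alarms[len(flags_first):]]
    return {"assets": len(snap.assets), "links": len(snap.links),
            "first": flags_first, "second": flags_second}

if __name__ == "__main__":
    print(run_scenario())
```

The second logon shows all three alarm sources at once: a hardware attribute added, a service modified and one deleted, and the telnet service drifting from the baseline value.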
Similarly, for the heartbeat messages submitted by the terminal security management and control module M3, the host security management and control module M4 and the network device security management and control module M5, the asset snapshot module M01, besides processing them in the same way as logon messages, processes the log event entries in the heartbeat message individually. It first constructs an internal event, copying the detector, event flag, time, IP addresses, ports and event content attributes of the log event directly into the corresponding fields of the newly constructed internal event, and appends to the internal event an asset identifier (the internal identifier of the current asset), reception time (current time), confidence level (0), handling flag (0) and processing policy (NULL). It then filters the newly constructed internal event according to the preset log sensitive-word filter conditions associated with this asset; if a filter condition matches, the confidence level and handling flag are updated according to that filter condition. By default, if the confidence level is greater than 5, the handling flag is directly changed to 1, indicating that the event is certainly an anomalous event so that subsequent modules can speed up the processing of such events. Finally, the number of the newly constructed event is saved in the log event list of the asset and, if the confidence level is greater than 5, the event identifier is shown in red to remind the maintainer.
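The heartbeat log event handling just described, as an added example that is not the patent's code: copy the reported fields into an internal event, append the server-side attributes, apply the asset's sensitive-word filter conditions, and raise the handling flag (and the red display marker) when the confidence level exceeds 5. The filter rule layout (pattern, confidence), the asset identifier, the sample heartbeat entries and the display marker field are assumptions made for the example.

```python
import re
from datetime import datetime

EVENT_FIELDS = ("detector", "event_flag", "time", "source_ip", "source_port",
                "target_ip", "target_port", "event_content")

class HeartbeatEventProcessor:
    """Turn the log event entries of a heartbeat message into internal events and
    score them with the asset's sensitive-word filter conditions."""

    def __init__(self, filters_by_asset, now=datetime.now):
        # asset_id -> list of (compiled pattern, confidence assigned on a match)
        self.filters = {aid: [(re.compile(p, re.I), c) for p, c in rules]
                        for aid, rules in filters_by_asset.items()}
        self.now = now
        self.event_lists = {}   # asset_id -> numbers of the events stored for it
        self.next_number = 1

    def process(self, asset_id, heartbeat):
        events = []
        for entry in heartbeat["log_events"]:
            ev = {k: entry[k] for k in EVENT_FIELDS}          # copy the reported fields
            ev.update(asset_id=asset_id, received=self.now().isoformat(),
                      confidence=0, handled=0, policy=None)    # appended attributes
            for pattern, confidence in self.filters.get(asset_id, []):
                if pattern.search(ev["event_content"]):
                    ev["confidence"] = max(ev["confidence"], confidence)
            if ev["confidence"] > 5:
                ev["handled"] = 1          # certainly anomalous: fast path for later modules
                ev["display"] = "red"      # shown in red in the maintainer's event list
            ev["number"] = self.next_number
            self.next_number += 1
            self.event_lists.setdefault(asset_id, []).append(ev["number"])
            events.append(ev)
        return events

def run_scenario():
    proc = HeartbeatEventProcessor({
        "asset-7": [(r"failed password|authentication failure", 8),
                    (r"session opened", 3)],
    })
    heartbeat = {"log_events": [     # constructed entries already in the unified form
        {"detector": "host-security-agent", "event_flag": "sshd-auth", "time": "2024-03-01T10:20:01",
         "source_ip": "10.0.0.5", "source_port": "ANY", "target_ip": "10.0.0.7", "target_port": "22",
         "event_content": "Failed password for root from 10.0.0.5 port 51234"},
        {"detector": "host-security-agent", "event_flag": "sshd-session", "time": "2024-03-01T10:21:10",
         "source_ip": "10.0.0.7", "source_port": "ANY", "target_ip": "10.0.0.7", "target_port": "ANY",
         "event_content": "pam_unix(sshd:session): session opened for user deploy"},
        {"detector": "host-security-agent", "event_flag": "cron", "time": "2024-03-01T10:22:00",
         "source_ip": "10.0.0.7", "source_port": "ANY", "target_ip": "10.0.0.7", "target_port": "ANY",
         "event_content": "CRON (root) CMD (run-parts /etc/cron.hourly)"},
    ]}
    return proc.process("asset-7", heartbeat), proc.event_lists

if __name__ == "__main__":
    events, lists = run_scenario()
    for ev in events:
        print(ev["number"], ev["event_flag"], ev["confidence"], ev["handled"])
    print(lists)
```

When several filter conditions match one entry the highest confidence wins, so a rule that is only a weak hint cannot lower a score that a stronger rule already set.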
The alarm events and internal events produced by the asset snapshot module M01 are submitted to the security event management module M02, which uniformly processes all kinds of events originating from the asset snapshot module M01 and the packet detection module M1.
Simultaneously, assets snapshot module M01 receives the scanning result of vulnerability scanning module M05, and the leak data of utilizing scanning to be obtained, upgrades the leak tabulation of current assets; The network node data and the link data that utilize scanning to obtain, more link information between new node and node simultaneously, is upgraded topological diagram.In case found new node or annexation, then construct alarm event immediately, simultaneously, show new node and be connected, with the caution attendant with special color.Assets snapshot module M01 receives the control command from the initiation of attendant on security management and control module M04, as force users roll off the production line, rev down process rev or service, extraction document etc., and by with corresponding desired asset between existing active tunnel, be issued on terminal security management and control module M3 and/or Host Security management and control module M4 and/or the network equipment security management and control module M5.
Integrated vulnerability scanning functional module among the vulnerability scanning module M05 is as the Nessus instrument; Integrated TCP function is as the Nmap instrument; Integrated operation system fingerprint identification is as the P0f instrument; Integrated link layer discovery feature is as CDP (being Cisco Discovery Protocol, CISCO discovery protocol) and SNMP MIB (being SNMP ManagementInformation Base, snmp management information) storehouse; Integrated IP subnet scan function; And other function, as ARPWatch instrument, fornication outer net checking tool etc.Can carry out remote scanning to intended target, specified network, so that find leak and network topology.After the attendant successfully signed in to the safe support guard system, the function that can use this module scanned the Intranet of oneself.
The safe support guard system allows the attendant of the security service provider level of mandate to check all information of default enterprise, comprises topological diagram, security strategy and Security Report; But, do not allow to visit enterprise and rent file in the file space.This class file only allows enterprise-level operator visit.
In intranet security management and control, the processing of the various events is the core of this step: after the events have been analyzed for security, the security risk is calculated, so as to guide the operator in managing and controlling the intranet correctly. The event processing flow is shown in Figure 3 and comprises:
Step S31: event preprocessing. Preprocessing is mainly used for checking event data and looking up event processing rules, so as to speed up event handling.
The security event management module M02 writes the standardized internal events originating from the asset snapshot module M01 directly into the local event cache pool; for events submitted by the message detection module M1, it first appends an asset identifier (the internal identifier found by looking up the event's IP address), reception time (current time), confidence (0), processing flag (0) and processing policy (NULL) to the event, and then writes it into the local event cache pool.
For each event in the event pool, it is first checked whether the asset identifier is empty; if it is, the processing policy of the event is filled in as NULL, i.e. no processing is performed; otherwise, with the detector attribute and the event identifier attribute of the event as the condition, the corresponding processing policy is retrieved from the event processing policies. When several processing policies match, the policy with the highest priority is selected; if the highest priority is shared, the policy with the latest effective time is selected. A processing policy comprises attributes such as policy number, policy name, detector identifier, event identifier, creation time, effective time, priority level and processing flags. The processing flags comprise a single-event processing flag, an event chain processing flag and a risk assessment flag. The priority of the processing policy is appended to the event data and represents the priority of the event. The priority ranges from level 0 to level 5, level 5 being the highest.
In the present invention all events are produced and reported by detectors, so the event types (i.e. the event identifiers) are under control, and a processing policy can be set for every event type. The processing policies are initialized when the system of the present invention starts; an authorized enterprise operator may modify them to suit the situation of the enterprise.
Step S32: independent event processing. Independent event processing is single-event analysis.
If the single-event processing flag of the event processing policy is true, the current event is analyzed independently, mainly by vulnerability association analysis and asset association analysis.
Vulnerability association analysis associates the event with the vulnerability list of the asset; if the association succeeds, the confidence of the event is raised; otherwise independent event processing ends. Asset association analysis follows vulnerability association analysis: once the event has been confirmed to be associated with a vulnerability, the trigger conditions of the vulnerability are compared with the actual operating state of the asset to verify whether the vulnerability can be triggered, so as to raise the confidence of the event further (association succeeds) or lower it (association fails) and thereby eliminate false alarms. Vulnerability association analysis and asset association analysis examine only events whose processing flag is 0.
Vulnerability association analysis proceeds as follows: the vulnerability identifiers associated with the current event identifier are retrieved from the preset vulnerability-event relation table (this table is maintained manually; for every new event and every new vulnerability supported by the system, a vulnerability-event relation must be added); the vulnerability list of the target asset (determined by the asset identifier attribute of the event) is then intersected with the retrieved set of vulnerabilities; if the intersection is not empty, the association succeeds and the confidence of the event is raised to 5; otherwise the confidence remains unchanged and independent event processing ends.
Asset association analysis proceeds as follows: for each vulnerability in the intersection determined by vulnerability association analysis, the operating system and version, application and version, port and protocol are retrieved from the vulnerability base information table (maintained manually; it stores the basic information of vulnerabilities, including vulnerability number, name, operating system and version, application and version, port, protocol, consequence, etc.) and together form a set A. First, it is tested whether the operating system and version of the target asset (determined by the asset identifier of the event) are contained in the operating systems and versions given by set A; if so, the confidence of the event is increased by 1; if not, the confidence is set to 0 and asset association ends. Second, it is tested whether the <active port, protocol> pairs of the target asset have a common element with the <port, protocol> pairs in set A; if so, the confidence is unchanged; otherwise port and protocol do not match, the confidence is set to 0 and asset association ends. Finally, it is tested whether the application and version on the target asset match the application and version given by set A; if they match, the confidence of the event is set to 10, otherwise it is set to 0.
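The following Python, added here as an example and not the patent's own code, carries out vulnerability association followed by asset association for one event, with a non-empty intersection confirming the association. The layouts of the vulnerability-event relation table, the vulnerability base information table and the per-asset state, and the sample vulnerability V-1, are constructed for the example.

```python
def vuln_association(event, vuln_event_table, asset_vulns):
    """Step S32 vulnerability association: intersect the vulnerabilities linked to
    the event identifier with the asset's vulnerability list. A non-empty
    intersection raises the confidence to 5 and is returned for asset association."""
    related = vuln_event_table.get(event["event_id"], set())
    common = related & asset_vulns.get(event["asset_id"], set())
    if common:
        event["confidence"] = 5
    return common


def asset_association(event, common, vuln_info, asset):
    """Step S32 asset association: build set A from the matched vulnerabilities,
    then test OS/version (+1), <active port, protocol> (unchanged) and
    application/version (10); any failure sets the confidence to 0."""
    rows = [vuln_info[v] for v in common]
    os_set = {(r["os"], r["os_version"]) for r in rows}
    port_set = {(r["port"], r["protocol"]) for r in rows}
    app_set = {(r["app"], r["app_version"]) for r in rows}
    if (asset["os"], asset["os_version"]) not in os_set:
        event["confidence"] = 0
        return event["confidence"]
    event["confidence"] += 1
    if not set(asset["listening"]) & port_set:
        event["confidence"] = 0
        return event["confidence"]
    event["confidence"] = 10 if set(asset["apps"]) & app_set else 0
    return event["confidence"]


def analyze_single_event(event, policy, vuln_event_table, asset_vulns, vuln_info, assets):
    """Run both analyses only when the policy's single-event flag is set and the
    event's processing flag is still 0; returns the resulting confidence."""
    if not policy["single_event"] or event["flag"] != 0:
        return event["confidence"]
    common = vuln_association(event, vuln_event_table, asset_vulns)
    if not common:
        return event["confidence"]
    return asset_association(event, common, vuln_info, assets[event["asset_id"]])


# Constructed sample tables: one vulnerability V-1 in OpenSSH 4.3 on Linux 2.6, tcp/22.
VULN_EVENT = {"ssh_bruteforce": {"V-1", "V-2"}}
ASSET_VULNS = {"A001": {"V-1"}, "A002": {"V-1"}, "A003": set()}
VULN_INFO = {"V-1": {"os": "Linux", "os_version": "2.6", "app": "OpenSSH",
                     "app_version": "4.3", "port": 22, "protocol": "tcp"}}
ASSETS = {
    "A001": {"os": "Linux", "os_version": "2.6", "listening": [(22, "tcp"), (80, "tcp")],
             "apps": [("OpenSSH", "4.3")]},
    "A002": {"os": "Linux", "os_version": "2.6", "listening": [(22, "tcp")],
             "apps": [("OpenSSH", "5.9")]},          # patched: application does not match
    "A003": {"os": "Windows", "os_version": "7", "listening": [(445, "tcp")],
             "apps": []},                            # vulnerability not on its list
}
POLICY = {"single_event": True}


def new_event(asset_id):
    return {"event_id": "ssh_bruteforce", "asset_id": asset_id, "confidence": 0, "flag": 0}
```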
Step S33: event chain processing. Event chain processing is mainly used to match the event under analysis against known event chain rules, so as to derive new events.
If the event chain processing flag of the event processing policy is true, event chain association analysis is performed on the current event. Event chain association analysis is mainly used to derive new events from the preceding events on a known event chain, so as to give advance warning and alert the operator to take measures.
The internal processing flow of event chain processing is as follows:
Step 1: based on accumulated experience, event chain rules published on the network and the event chain rules of third-party tools, construct event chain rules suited to the reasoning used in the present invention. In the present invention an event chain always has one entry event, the root event, which is the first event of the chain; below the root event there are several branches, each of which may lead to a different new event. An event chain is therefore always organized as a tree. It is not a standard tree, because rings may exist: different preceding events may derive the same event.
The rule attributes comprise: new event identifier, new event description, new event confidence, event identifier of the event to be analyzed, detector of the event to be analyzed, time interval, statistical value, source IP of the event to be analyzed, source port of the event to be analyzed, target IP of the event to be analyzed, target port of the event to be analyzed, source IP rule, source port rule, target IP rule, target port rule, level, child node pointer, and so on.
Step 2: test whether the current event is a successor on a currently active event chain. The current event is compared with all active rules on all active event chain rule trees in the buffer; if it matches, event chain processing ends and a new event is produced; at the same time, the source IP, source port, target IP and target port of the current event are saved into the rule's source IP, source port, target IP and target port of the event to be analyzed, and the active rule chain of the current event chain rule is revised: all child nodes of the matched rule are inserted into the active rule chain and the matched rule is deleted from it. Otherwise go to step 3.
When matching active rules, it is first verified whether the detector and event identifier of the current event are contained in the detector and event identifier set required by some active rule; if so, the top-level match succeeds. Then, according to the rule's bottom-level matching constraints (source IP rule, source port rule, target IP rule, target port rule), the source IP, source port, target IP and target port of the current event are compared with the corresponding attributes of the existing events on the event chain that the constraints point to; only if that comparison is true does the event match the rule.
For the new event produced, its event identifier, event content and confidence come from the new event identifier, new event description and new event confidence defined by the rule, its detector is the security event management module and its time is the current time; all other attributes are copied directly from the corresponding attributes of the current event. The new event is written into the event pool so that it can be analyzed in turn.
An event chain rule tree in the buffer is cleared automatically when its active rule chain becomes empty or when its time-to-live expires.
Step 3: test whether the current event is the entry event of an event chain. The current event is compared with the root rules of all event chain rules preset in the system; if a match succeeds, the current event is the root event of that particular event chain: the matched event chain rule tree is copied into the buffer, the source IP, source port, target IP and target port of the current event are saved into the source IP, source port, target IP and target port of the event to be analyzed of the root rule on the tree, and all child nodes of the root rule are inserted into the active rule chain.
When an event is compared with a root rule, only the detector and event identifier of the event are checked for containment in the detector and identifier of the rule; as soon as they are contained, the match is considered successful and the root rules of the other event chains not yet compared are no longer examined. The root rules of all rule chains must therefore be mutually exclusive; otherwise the rule chains that come later could never be triggered.
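An added Python example (not from the patent) of the event chain processing of Step S33: root matching on detector and event identifier, active rule matching with bottom-level constraints that refer back to the addresses saved from earlier events on the chain, derivation of the new event, removal of a tree whose active rule chain is empty or whose time-to-live has expired, and a check that the root rules are mutually exclusive. The rule node layout, the constraint syntax and the scan-then-exploit chain used below are assumptions of this example.

```python
ADDR_FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port")


def rule(rule_id, detectors, event_ids, new_event=None, constraints=None, children=()):
    """One node of an event chain rule tree (layout assumed from the page's attribute list).
    new_event: (identifier, description, confidence) derived when the node matches.
    constraints: {event field: (earlier rule id, saved field)} -> bottom-level matching."""
    return {"id": rule_id, "detectors": set(detectors), "event_ids": set(event_ids),
            "new_event": new_event, "constraints": dict(constraints or {}),
            "children": list(children)}


def roots_mutually_exclusive(rule_trees):
    """Root rules must not overlap on (detector, event identifier), since the first
    matching root wins and the remaining roots are never examined."""
    seen = set()
    for root in rule_trees:
        keys = {(d, e) for d in root["detectors"] for e in root["event_ids"]}
        if keys & seen:
            return False
        seen |= keys
    return True


def top_match(r, event):
    return event["detector"] in r["detectors"] and event["event_id"] in r["event_ids"]


def bottom_match(r, event, saved):
    """Compare the event's addresses with those saved from earlier events on the chain."""
    for field, (ref_rule, ref_field) in r["constraints"].items():
        if ref_rule not in saved or event[field] != saved[ref_rule][ref_field]:
            return False
    return True


class EventChainEngine:
    def __init__(self, rule_trees, ttl=None, detector_name="security_event_mgmt"):
        if not roots_mutually_exclusive(rule_trees):
            raise ValueError("root rules overlap; later chains could never trigger")
        self.rule_trees = rule_trees
        self.ttl = ttl                  # seconds an active tree may stay in the buffer
        self.detector_name = detector_name
        self.active = []                # buffer: one entry per active event chain tree

    def process(self, event, now):
        """Step 2 (successor of an active chain), then Step 3 (root of a new chain).
        Returns the derived new event, or None."""
        if self.ttl is not None:        # time-to-live expiry of buffered trees
            self.active = [c for c in self.active if now - c["created"] <= self.ttl]
        for chain in list(self.active):
            for r in list(chain["rules"]):
                if top_match(r, event) and bottom_match(r, event, chain["saved"]):
                    chain["saved"][r["id"]] = {f: event[f] for f in ADDR_FIELDS}
                    chain["rules"].remove(r)
                    chain["rules"].extend(r["children"])
                    if not chain["rules"]:  # active rule chain empty: clear the tree
                        self.active.remove(chain)
                    return self._derive(r, event, now)
        for root in self.rule_trees:
            if top_match(root, event) and root["children"]:   # first matching root wins
                self.active.append({"tree": root, "created": now,
                                    "saved": {root["id"]: {f: event[f] for f in ADDR_FIELDS}},
                                    "rules": list(root["children"])})
                return None
        return None

    def _derive(self, r, event, now):
        """New event: identifier, content and confidence from the rule, detector M02,
        time = now, every other attribute copied from the current event."""
        new = dict(event)
        event_id, description, confidence = r["new_event"]
        new.update({"event_id": event_id, "content": description, "confidence": confidence,
                    "detector": self.detector_name, "time": now})
        return new


# Constructed chain: port scan -> exploit attempt from the same source against the same
# target -> new service appearing on that target (reported by its host agent).
R2 = rule("R2", ["host_agent"], ["new_service"],
          ("backdoor_installed", "new service started after exploit attempt", 10),
          {"src_ip": ("R1", "dst_ip")})
R1 = rule("R1", ["msg_detector"], ["exploit_attempt"],
          ("targeted_intrusion", "exploit follows port scan from same source", 8),
          {"src_ip": ("R0", "src_ip"), "dst_ip": ("R0", "dst_ip")}, [R2])
R0 = rule("R0", ["msg_detector"], ["port_scan"], children=[R1])


def sample_event(detector, event_id, src_ip, dst_ip, src_port=None, dst_port=None):
    return {"detector": detector, "event_id": event_id, "content": event_id, "confidence": 0,
            "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}
```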
Step S34: event risk assessment. Calculate the risk value and risk level of the current event.
If the risk assessment flag of the processing policy of the pending event is true, a risk assessment operation is performed on the event.
First, the confidence and the appended priority of the event are checked; if either is zero, the risk value of the current event is 0. Otherwise, the business value of the asset is obtained from the asset value table (maintained manually; it stores the business value of assets, graded from level 0 to level 5, level 5 being the highest) by the asset identifier attribute of the event, and the object risk of the event (the target device) is calculated as object risk = confidence × priority × asset value level / 10. If the source IP and the target IP of the event differ, the asset identifier is obtained from the source IP attribute (the subject asset identifier), the value of that asset is obtained from the asset value table, and the subject risk of the event (the source device) is calculated as subject risk = confidence × priority × asset value level / 10. The larger of the object risk and the subject risk is the risk value of the current event.
Second, the risk levels of the event subject and the event object are updated. If the risk value of the event is greater than 0, a serial number is generated for the event; the object risk value calculated in the previous step is converted into its risk level using the preset risk value to risk level mapping of the object asset, the serial number and risk level of the current event are inserted into the risk list of the asset determined by the asset identifier attribute of the event, and the risk level statistics of that asset are updated; the subject risk value calculated in the previous step is converted, using the risk value to risk level mapping of the asset identified by the subject asset identifier retrieved in the previous step, into its risk level, the serial number and risk level of the current event are inserted into the risk list of the subject asset, and the risk level statistics of that asset are updated.
Further, whenever the risk level statistics of an asset change, the risk level statistics of the subnet to which the asset belongs are updated automatically.
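Added example (not the patent's code) of the risk assessment of Step S34 over the object and subject assets, including the per-asset risk lists, the risk level statistics and the subnet statistics update. With confidence 0..10, priority 0..5 and asset value 0..5 the formula stays within the 0..25 range used for the alarm threshold. The per-asset risk value to risk level mapping is represented here as ascending (lower bound, level) pairs, and a subnet is taken to be the /24 of the asset's IP; both are assumptions of this example.

```python
import ipaddress
from itertools import count


def risk_value(confidence, priority, asset_value):
    """risk = confidence * priority * asset value level / 10; zero if either
    the confidence or the priority is zero."""
    if confidence == 0 or priority == 0:
        return 0.0
    return confidence * priority * asset_value / 10


def risk_level(value, mapping):
    """mapping: ascending list of (lower bound, level name); the highest bound
    not exceeding the value gives the level."""
    level = mapping[0][1]
    for bound, name in mapping:
        if value >= bound:
            level = name
    return level


class RiskAssessor:
    def __init__(self, assets, prefix=24):
        self.assets = assets                      # asset id -> {"ip", "value", "levels"}
        self.ip_to_asset = {a["ip"]: aid for aid, a in assets.items()}
        self.prefix = prefix                      # assumption: subnet = /24 of the asset IP
        self.serial = count(1)
        self.risk_lists = {}                      # asset id -> [(serial, level), ...]
        self.asset_stats = {}                     # asset id -> {level: count}
        self.subnet_stats = {}                    # subnet -> {level: count}

    def _record(self, asset_id, value, serial):
        asset = self.assets[asset_id]
        level = risk_level(value, asset["levels"])
        self.risk_lists.setdefault(asset_id, []).append((serial, level))
        st = self.asset_stats.setdefault(asset_id, {})
        st[level] = st.get(level, 0) + 1
        # the asset's statistics changed, so its subnet's statistics change too
        net = str(ipaddress.ip_network(f"{asset['ip']}/{self.prefix}", strict=False))
        sn = self.subnet_stats.setdefault(net, {})
        sn[level] = sn.get(level, 0) + 1

    def assess(self, event, policy):
        """Returns the event's risk value, or None when the policy's risk flag is off."""
        if not policy["risk_assessment"]:
            return None
        conf, prio = event["confidence"], event["priority"]
        obj_id = event["asset_id"]
        obj = risk_value(conf, prio, self.assets[obj_id]["value"])
        subj_id, subj = None, 0.0
        if event["src_ip"] != event["dst_ip"]:     # subject risk only for a distinct source
            subj_id = self.ip_to_asset.get(event["src_ip"])
            if subj_id is not None:
                subj = risk_value(conf, prio, self.assets[subj_id]["value"])
        value = max(obj, subj)
        event["risk"] = value
        if value > 0:
            serial = next(self.serial)
            event["serial"] = serial
            self._record(obj_id, obj, serial)
            if subj_id is not None:
                self._record(subj_id, subj, serial)
        return value


# Constructed sample: two assets in one /24 sharing the same level mapping.
LEVELS = [(0, "none"), (5, "low"), (10, "medium"), (20, "high")]
ASSETS = {"A001": {"ip": "10.0.0.5", "value": 3, "levels": LEVELS},
          "A002": {"ip": "10.0.0.9", "value": 5, "levels": LEVELS}}
```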
Step S35: alerting and automatic response. Alert the operator and respond automatically according to the preset response policies.
According to the response policies set by the security policy module M2, the security event management module M02 raises an alarm for every event whose risk value exceeds a threshold, and responds automatically. The threshold is set by the operator; the risk value of an event lies between 0 and 25, and the default alarm threshold is 5.
A response policy set by the security policy module M2 comprises attributes such as policy number, enable flag, enable start time, enable end time, internal execution flag, external execution flag, regular expression and command. The regular expression is used to extract content from the event, such as the source IP and target IP; the command is the concrete executable instruction, interpreted by the security monitoring module M04, and the placeholders in the command are filled with the content extracted by the regular expression. A command may simply raise an alarm, send an e-mail or send an instant message; it may also be a shell command, an SNMP instruction and so on.
Using the event identifier attribute value of the event as the condition, the policy-event relation table is searched (this table is maintained manually and associates policies with events: whenever a new event identifier is added for which automatic response is required, a policy must be configured for that event, and whenever a new policy is added, it can only be executed once it has been assigned to an event); in this way the corresponding security policy is retrieved and the events supported by the system can be responded to precisely.
The security event management module M02 submits the event data, including event identifier, event content, source IP, source port, target IP, target port and occurrence time, together with the specific instructions of the response policy, to the security monitoring module M04.
The security monitoring module M04 responds automatically according to the specific instructions of the response policy, which include displaying the event and sounding an alarm; sending the event data to the preset enterprise administrator's mailbox; sending a short message to the preset enterprise administrator's mobile phone number through a GSM modem; or packaging the command into an interface message packet and submitting it to the asset snapshot module M01, which sends it over the currently active channel to the correct terminal security management and control module M3 and/or host security management and control module M4 and/or network device security management and control module M5 and instructs the latter to execute the command.
The security monitoring module M04 likewise receives manual control from the operator: after collecting the control parameters selected and the values entered by the operator on the control panel, it constructs a standard interface message packet and submits it to the asset snapshot module M01.
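Added example, not the patent's code, of the Step S35 response path: selecting the in-force policies assigned to an event whose risk value exceeds the alarm threshold and filling the command placeholders from the regular expression captures. The content extracted from an event (source addresses, user names, message text) is attacker influenced, so the example quotes it before it is placed into a shell command; the policy fields, the key=value serialization the regular expressions run over, and the sample events are assumptions of this example.

```python
import re
import shlex


def event_text(event):
    """Serialize the event fields submitted by M02 as key=value lines, one per
    line, so that a policy's regular expression can extract content from them."""
    return "\n".join(f"{k}={'' if v is None else v}" for k, v in event.items())


def policy_in_force(policy, now):
    return policy["enabled"] and policy["start"] <= now <= policy["end"]


def fill_command(policy, event):
    """Run the policy's regular expression over the event and substitute the named
    captures into the command's {placeholders}. Captures going into a shell command
    are quoted, otherwise an event carrying `user=bob; rm -rf /` would execute a
    second command. Returns None when the expression does not match."""
    m = re.search(policy["regex"], event_text(event), re.MULTILINE)
    if m is None:
        return None
    values = {}
    for name, val in m.groupdict().items():
        values[name] = shlex.quote(val) if policy["kind"] == "shell" else val
    return policy["command"].format(**values)


def respond(event, policies, policy_event_table, threshold=5, now=0):
    """Return (policy number, kind, filled command) for every in-force policy
    assigned to the event's identifier, provided the risk value exceeds the threshold."""
    if event["risk"] <= threshold:
        return []
    actions = []
    for pid in policy_event_table.get(event["event_id"], []):
        policy = policies[pid]
        if not policy_in_force(policy, now):
            continue
        cmd = fill_command(policy, event)
        if cmd is not None:
            actions.append((pid, policy["kind"], cmd))
    return actions


# Constructed sample policies and policy-event relation table.
POLICIES = {
    "P1": {"enabled": True, "start": 0, "end": 10**9, "kind": "shell",
           "regex": r"^src_ip=(?P<ip>[0-9.]+)$",
           "command": "iptables -I INPUT -s {ip} -j DROP"},
    "P2": {"enabled": True, "start": 0, "end": 10**9, "kind": "shell",
           "regex": r"^content=user=(?P<user>.+)$",
           "command": "pkill -KILL -u {user}"},
    "P3": {"enabled": False, "start": 0, "end": 10**9, "kind": "mail",
           "regex": r"^event_id=(?P<eid>\w+)$",
           "command": "mail admin {eid}"},
}
POLICY_EVENT = {"ssh_bruteforce": ["P1", "P3"], "privilege_abuse": ["P2"]}
```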
Step S36: security report processing. Events that have been processed by the security event management module M02 are counted and aggregated automatically.
Finally, the security event management module M02 appends the event serial number to each processed event and submits it to the security report module M03; the security report module M03 aggregates the events, including statistics by event identifier, by detector, by source IP and by target IP.
In addition, for the security events submitted by the message detection module M1 that contain source IP, source port, protocol, target IP, target port and message length information, the security report module M03 further processes the event content and uses it to generate statistical reports, including protocol distribution reports, IP distribution reports, TOP N reports and so on. All reports are provided by default as daily, weekly, monthly, quarterly and annual reports.
Reports whose template has the automatic attribute set to true are generated automatically, and the generated report files are saved in the file space leased by the enterprise.