Summary of the invention
An object of the invention is to provide a threat data processing method for an information system that manages information security through quantified indices and gives an objective picture of the threats faced by a target information system.
To solve the above technical problems, the invention provides the following technical scheme:
A threat data processing method for an information system, including:
mapping acquired information security events to potential threat indices and existing threat indices;
calculating the frequency of the threats in the existing threat indices, and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events;
according to a preset cycle, collecting and normalizing information for the potential threat indices from preset threat sources, and associating them into a threat multi-tuple;
indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat multi-tuple by an indexation calculation method, and evaluating and mapping it to a threat value;
generating a corresponding data model from the security-domain threat index and the threat values, so as to assess the security of the information system.
Preferably, calculating the frequency of the threats in the existing threat indices and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events includes:
obtaining the threat categories of the existing threat indices;
calculating a corresponding security threat index from the frequency of each category of threat corresponding to the existing threat indices;
calculating the arithmetic mean of the security threat indices and recording it as the security-domain threat index associated with the information security events.
Preferably, collecting and normalizing information for the potential threat indices from preset threat sources according to the preset cycle and associating them into a threat multi-tuple includes:
according to the preset cycle, collecting and normalizing information for the potential threat indices according to preset national standards, industry standards, group policies, industry threat intelligence and risk assessments;
organizing and classifying all threat elements to form a threat multi-tuple that matches the current state of the target information system.
Preferably, organizing, classifying and pruning all threat elements to form a threat multi-tuple that matches the current state of the target information system includes:
organizing all threat elements and dividing them into a compliance audit class, a threat attack class, a Trojan/virus class, a threshold alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
Preferably, indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat multi-tuple by the indexation calculation method, and evaluating and mapping it to a threat value includes:
indexing the threat factors to obtain the tuple each threat factor belongs to;
calculating the threat degree of each tuple by an arctangent function algorithm;
assigning values to each threat degree, mapping each threat degree to a corresponding threat value.
Preferably, mapping the acquired information security events to potential threat indices and existing threat indices includes:
obtaining a number of events from the normalized logs of the target information system;
auditing each event and judging whether each event is a threat indicator event;
determining the threat indicator events that pass the audit as information security events;
establishing an event-to-threat mapping, and mapping the information security events to potential threat indices and existing threat indices.
Preferably, generating a corresponding data model from the security-domain threat index and the threat values so as to assess the security of the information system includes:
calculating the threat index of the information system, the threat index being the arithmetic mean of the threat values of each tuple of the threat multi-tuple;
representing the arithmetic mean and the security-domain threat index in a gauge chart.
Preferably, generating a corresponding data model from the security-domain threat index and the threat values so as to assess the security of the information system further includes:
establishing a radar chart model that displays the threat value of each tuple of the threat multi-tuple.
Preferably, generating a corresponding data model from the security-domain threat index and the threat values so as to assess the security of the information system further includes:
establishing a Pareto chart model that displays the threat value of each tuple of the threat multi-tuple.
Compared with the prior art, the above technical scheme has the following advantages:
The threat data processing method for an information system provided by the embodiments of the invention includes: mapping acquired information security events to potential threat indices and existing threat indices; calculating the frequency of the threats in the existing threat indices and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events; according to a preset cycle, collecting and normalizing information for the potential threat indices from preset threat sources and associating them into a threat multi-tuple; indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat multi-tuple by the indexation calculation method, and evaluating and mapping it to a threat value; and generating a corresponding data model from the security-domain threat index and the threat values to assess the security of the information system. In this scheme, the information security events are mapped to existing threat indices (threats that have already occurred) and potential threat indices (threats that have not yet occurred), and the security-domain threat index is obtained from the calculated occurrence frequency of the existing threat indices. At the same time, information for the potential threat indices is collected and normalized according to the threat source and associated into a threat multi-tuple, and the occurrence probability of each tuple in the multi-tuple is calculated, where each tuple represents one class of threat element, so that a threat value is obtained for each tuple of the potential threat indices. A data model is then generated from the security-domain threat index and the threat values so that a user can intuitively observe the probability with which each kind of threat may occur in the information security events. The threats objectively faced by the information system are thus assessed from this threat data, which supports the user in maintaining the information system and taking safety precautions.
Embodiments
The core of the invention is to provide a threat data processing method for an information system that manages information security through quantified indices and gives an objective picture of the threats faced by a target information system.
To make the above objects, features and advantages of the invention clearer and easier to understand, embodiments of the invention are described in detail below with reference to the accompanying drawings.
Many specific details are set forth in the following description so that the invention can be fully understood. The invention can, however, be implemented in many ways other than those described here, and those skilled in the art can make similar generalizations without departing from its spirit. The invention is therefore not limited to the specific embodiments disclosed below.
Refer to Fig. 1, which is a flow chart of the threat data processing method for an information system provided by one embodiment of the invention.
One embodiment of the invention provides a threat data processing method for an information system, including:
S11: mapping acquired information security events to potential threat indices and existing threat indices.
In the present embodiment, mapping the acquired information security events to potential threat indices and existing threat indices includes: obtaining a number of events from the normalized logs of the target information system; auditing each event and judging whether it is a threat indicator event; determining the threat indicator events that pass the audit as information security events; and establishing an event-to-threat mapping by which the information security events are mapped to potential threat indices and existing threat indices.
The primary source of threats is attacks. When no attack is present in the network, the threat index is still not 0, because the threat assignment work also refers to four threat elements: hot-spot threat early-warning reports issued by national authorities; authoritative, generally recognised threat intelligence sources; major incident information issued by the group company; and risk assessment and penetration testing reports from third-party institutions. Thus, when attacks exist in the network, the information security events can be mapped to both existing threat indices and potential threat indices; when no attack exists in the network, the information security events can be mapped to potential threat indices.
The prerequisite for threat assignment work based on threat elements is threat element identification. The threat element extraction process includes:
1. Formatting the identified threat elements as threat factors.
2. Indexing the threat factors and the information security events separately so that threats can be classified and analysed. The same type of attack may occur between different source and destination addresses, but the same attack can be extracted by pattern matching, so the frequency of each threat factor can be obtained by pattern matching.
3. Threat degree modelling: collecting the impact of the information security events (the threat degree of the attack), combining it with the outbreak frequency of each factor, and calculating the threat degree of each factor (the frequency and level of the threat are converted by a preset model into a threat value between 0 and 5).
4. Taking the security domain as the unit, calculating the arithmetic mean of the threat values of the addresses in the domain to obtain the threat index value of the security domain.
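The four extraction steps above, and the per-category frequency and security-domain averaging of step S12, are shown end to end in the following added example. It is illustration code written for this page, not code from the patent: the log line format, the threat factor patterns and impact levels, the arctangent model `5 * (2/pi) * atan(level * frequency / scale)` and the per-address aggregation are all assumptions, chosen so that the threat degree stays within 0 to 5 and approaches 5 as the frequency grows.

```python
import math
import re
from collections import defaultdict
from statistics import mean

# Constructed sample of normalized log lines (not from the patent). Each line
# carries the security domain of the asset, source/destination addresses and a
# free-text message in which the attack pattern is embedded.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01 domain=dmz src=10.0.0.5 dst=192.168.1.10 msg=port scan detected",
    "2024-03-01T08:00:07 domain=dmz src=10.0.0.9 dst=192.168.1.10 msg=port scan detected",
    "2024-03-01T08:01:12 domain=dmz src=10.0.0.5 dst=192.168.1.11 msg=port scan detected",
    "2024-03-01T08:02:30 domain=dmz src=10.0.0.7 dst=192.168.1.11 msg=failed login for admin",
    "2024-03-01T08:02:31 domain=dmz src=10.0.0.7 dst=192.168.1.11 msg=failed login for admin",
    "2024-03-01T08:02:32 domain=dmz src=10.0.0.7 dst=192.168.1.11 msg=failed login for root",
    "2024-03-01T08:05:00 domain=office src=172.16.4.2 dst=172.16.0.20 msg=trojan beacon to c2 host",
    "2024-03-01T08:06:00 domain=office src=172.16.4.3 dst=172.16.0.21 msg=cpu usage above threshold",
]

# Step 1 (assumed): identified threat elements formatted as threat factors.
# Each factor has a pattern that matches the attack regardless of the
# addresses involved, and a hypothetical impact level from 1 to 5.
THREAT_FACTORS = {
    "port_scan":     {"pattern": re.compile(r"port scan"),       "level": 2},
    "brute_force":   {"pattern": re.compile(r"failed login"),    "level": 3},
    "trojan_c2":     {"pattern": re.compile(r"trojan .* c2"),    "level": 5},
    "cpu_threshold": {"pattern": re.compile(r"cpu usage above"), "level": 1},
}

LINE_RE = re.compile(
    r"domain=(?P<domain>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) msg=(?P<msg>.*)$")


def index_events(lines):
    """Step 2: index each event by (security domain, destination address,
    threat factor). Pattern matching collapses the same attack seen between
    different address pairs into one factor, so the count per key is that
    factor's occurrence frequency at that address."""
    freq = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # line did not survive normalization: skip, never count
        for name, factor in THREAT_FACTORS.items():
            if factor["pattern"].search(m["msg"]):
                freq[(m["domain"], m["dst"], name)] += 1
                break
    return dict(freq)


def threat_degree(level, frequency, scale=4.0):
    """Step 3: arctangent threat model (assumed form). The product of impact
    level and frequency is squashed onto 0..5, so an ever-growing frequency
    approaches, but never exceeds, the 'fatal' value 5."""
    return 5.0 * (2.0 / math.pi) * math.atan(level * frequency / scale)


def address_threat_values(freq):
    """Threat value of each (domain, address): arithmetic mean of the threat
    degrees of the factors observed at that address (assumed aggregation)."""
    per_addr = defaultdict(list)
    for (domain, dst, name), n in freq.items():
        per_addr[(domain, dst)].append(threat_degree(THREAT_FACTORS[name]["level"], n))
    return {key: mean(vals) for key, vals in per_addr.items()}


def security_domain_index(addr_values):
    """Step 4: the arithmetic mean of the address threat values within each
    security domain is the domain's threat index value."""
    per_domain = defaultdict(list)
    for (domain, _dst), v in addr_values.items():
        per_domain[domain].append(v)
    return {d: round(mean(vals), 3) for d, vals in per_domain.items()}


if __name__ == "__main__":
    freq = index_events(SAMPLE_LOGS)
    print(security_domain_index(address_threat_values(freq)))
```

With the constructed logs the brute-force burst against 192.168.1.11 dominates the `dmz` index, while the single high-level Trojan beacon in `office` is tempered by the low-level CPU alarm at another address; this is the intended effect of averaging per domain rather than taking the worst address.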
S12: calculating the frequency of the threats in the existing threat indices, and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events.
For the existing threat indices, the frequency of the threats (attacks) is calculated and the result is assigned to the associated security-domain threat index.
In one embodiment of the invention, calculating the frequency of the threats in the existing threat indices and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events includes: obtaining the threat categories of the existing threat indices; calculating a corresponding security threat index from the frequency of each category of threat corresponding to the existing threat indices; and calculating the arithmetic mean of the security threat indices, which is recorded as the security-domain threat index associated with the information security events.
Threat assignment is the quantitative characterisation of a threat. Its basis is statistics on the frequency with which each kind of threat occurs. The purpose of threat classification is to turn abstract, qualitative threat descriptions into threat values that can be analysed quantitatively. Threat identification has to consider three aspects: historical records, that is, the threats that appeared in past security incident reports and statistics on their frequency; on-site forensics, that is, the threats found by detection tools and logs and statistics on their frequency; and authoritative publications, that is, the threat reports issued by international and domestic authorities and by the group company.
In the present embodiment, threats are preferably assigned values by class; a threat assignment table is defined for this purpose, shown as Table 1:
Table 1 Threat assignment table
S13: according to a preset cycle, collecting and normalizing information for the potential threat indices from preset threat sources and associating them into a threat multi-tuple.
In one embodiment of the invention, collecting and normalizing information for the potential threat indices from preset threat sources according to a preset cycle and associating them into a threat multi-tuple includes: according to a preset cycle, such as a quarter or a year, collecting and normalizing information for the potential threat indices according to adjustable sources such as preset national standards, industry standards, group policies, industry threat intelligence and risk assessments; and organizing and classifying all threat elements to form a threat multi-tuple matching the current state of the target information system.
This includes periodically arranging the threat elements with a specific coding and format and loading them into the information collection database to form threat assessment factors; generating a threat factor inventory by a threat pruning method and mapping it to threat indicators; and data collection: threats come from (normalized) events, but not every event is a threat. In the present embodiment an automatic threat indicator system is established, and an event-to-threat mapping has to be set up within it. The data source is the normalized logs; the processed data is selectively mapped to threats (by a scheduled task with a five-minute cycle), and the acquired threat information is persisted. The security threat indicators are subdivided by threat type to form the threat index; each threat indicator has several characteristic indices, typically the frequency (count) of the threat and the threat level (which combines information such as the threat source and the attack method).
The threat degree is calculated by a method based on an arctangent function, as shown in Fig. 2. For each audited threat indicator event, two elements are used: its frequency of occurrence and the level of the event itself. The arctangent function is used for modelling so that, as the frequency of the event keeps increasing, the threat degree approaches the "fatal" level. The arctangent function therefore incorporates both a measure of the event level and a measure of the event frequency.
Further, organizing, classifying and pruning all threat elements to form a threat multi-tuple matching the current state of the target information system includes: organizing all threat elements and dividing them into a compliance audit class, a threat attack class, a Trojan/virus class, a threshold alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
The threat source tree is pruned according to actual requirements, and prominent threats are refined. The result of this organization is as follows:
Compliance audit class: the purpose of an information security compliance audit is to expose and investigate violations through the auditing system and to push business operations to meet the requirements of the information security policy and internal risk controls. The information security compliance audit class covers statistics on logins to security devices, the login times and addresses of server accounts, switch logins, operations and so on. Active threat elements can be added flexibly according to the events that actually occur and the latest intelligence.
Threat attack class: the danger posed by a person, thing, event or concept to the confidentiality, integrity, availability or legitimate use of a resource. Apart from the broad category of threat attacks, the content of the events is themed on attack and intrusion in the narrow sense, with emphasis on the unified handling of attack processes such as security scanning, vulnerability exploitation and privilege escalation; it mainly collects information security attack-and-defence alerts. Active threat elements can be added flexibly according to the events that actually occur and the latest intelligence.
Trojan/virus class: monitors and alerts on remote-control Trojans, botnet attacks, virus alerts, worm attacks and the like, and can be extended flexibly according to the events that actually occur.
Threshold alarm class: used to determine when a monitored indicator has exceeded its normal value; this class relies mainly on the establishment and maintenance of baselines, for example CPU threshold alarms, the maximum threshold for virus alerts, the maximum threshold for mail system events, the maximum threshold for WAN acceleration device logs, switch CPU exceeding the CPCAR limit, the switch ARP-miss rate exceeding its limit, the minimum threshold for antivirus logs, the minimum threshold for web security protection system logs, the maximum threshold for firewall logs, the maximum and minimum thresholds for IPS logs, and so on, and can be extended flexibly according to the events that actually occur.
Fault alarm class: includes any fault affecting business use or normal system operation, such as system crashes and hardware or software failures, and can be extended flexibly according to the events that actually occur.
Backbone link alarm class: a failure of a routing or switching device on a backbone link can cause an interruption across the whole network, so its severity is fatal; it is classified separately and given real-time early warning, and can be extended flexibly according to the events that actually occur.
Anomaly detection class, also called deviation detection: the attribute values of an anomalous object deviate markedly from the expected or common attribute values.
Anomaly detection, also called exception mining, is divided into three classes:
1. Unaudited-log anomaly class
When training on the data, the data is divided into audited events and unaudited events. Unaudited events are those that have never occurred under normal conditions. This means that such data cannot occur under normal circumstances, so once it appears it must be analysed and investigated seriously. The present embodiment lists the unaudited-log anomaly class as one kind of threat element and monitors it with emphasis.
2. Log entropy anomaly class
Any information contains redundancy, and the amount of redundancy depends on the probability, or uncertainty, of each symbol (digit, letter or word) appearing in the information. The average amount of information remaining after the redundancy is removed is called the "information entropy", which is a measure of the degree of order in a system. The system calculates the entropy of the reporting IP addresses over the massive number of security events collected in a period of time, obtains the amplitude of change in the degree of aggregation of the reporting IPs across these security events, and uses this to characterise the security state of the networks these events belong to during the period and to predict the general security trend of the next step.
The system continuously plots the address entropy posture curve and displays the address posture cause diagram for each period. Through pattern analysis of three typical posture cause diagrams, two typical kinds of posture anomaly are recognised, and the anomalous posture information can be drilled down level by level until the key security event causing the anomaly is located. Entropy alarms outside the confidence interval are then included in the anomaly detection alarms.
3. Hotspot aggregation anomaly class
If the frequency of events in a certain region is significantly higher or lower than the normal frequency, that region is defined as a hotspot. The hotspots usually of interest are the small regions where events are highly concentrated. Among the many spatio-temporal analysis methods, hotspot analysis is an effective tool for understanding the implication relationships between events; through hotspot analysis, regression analysis and potential prediction can be made effectively for events, helping researchers draw scientific conclusions.
In the present embodiment, a clustering algorithm is applied continuously to five dimensions (a vector) of the events, namely source IP, destination IP, asset type, event level and event count, clustering across the three groups of terminals, network and applications, to find the event hotspots of the most recent period and thereby achieve real-time macroscopic analysis of the massive number of events.
Further, the event hotspots are displayed dynamically against the group targets; selecting a hotspot simultaneously retrieves the security events associated with it. Hotspot warning information outside the confidence interval is classified into the anomaly detection class.
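The log entropy class and the hotspot aggregation class above both flag values that fall outside a confidence interval around normal behaviour. The following added example (written for this page, not code from the patent) computes the entropy of the reporting IP distribution per period and flags periods outside mean ± k·std of a baseline, then aggregates the same events over the (source IP, destination IP, asset type, event level) cell and flags cells whose count is far above the mean cell count. The event cells, the baseline windows, k = 2 and the "twice the mean" hotspot rule are all constructed assumptions.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed event cells (not from the patent): (source IP, destination IP,
# asset type, event level). Windows w1-w4 are a normal baseline; w5 is a burst
# from a single reporting source, which both checks should catch.
A = ("10.1.1.1", "192.168.0.10", "web", 2)
B = ("10.1.1.2", "192.168.0.10", "web", 2)
C = ("10.1.1.3", "192.168.0.11", "db", 3)
D = ("10.1.1.4", "192.168.0.12", "mail", 1)
X = ("10.9.9.9", "192.168.0.10", "web", 4)
SAMPLE_WINDOWS = {
    "w1": [A, B, C, D],
    "w2": [A, A, B, C],
    "w3": [A, B, C, D],
    "w4": [A, A, B, B],
    "w5": [X] * 12 + [D],
}


def entropy_bits(counts):
    """Shannon entropy in bits of a frequency distribution {symbol: count}."""
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values() if n)


def window_entropies(windows):
    """Entropy of the reporting (source IP) distribution in each period. A
    period dominated by one reporter has low entropy; many evenly spread
    reporters give high entropy."""
    return {w: entropy_bits(Counter(ev[0] for ev in evs))
            for w, evs in windows.items() if evs}


def entropy_anomalies(entropies, baseline, k=2.0):
    """Flag periods whose entropy lies outside the confidence interval
    mean +/- k*std built from the baseline periods (k is an assumed value)."""
    base = [entropies[w] for w in baseline]
    centre, spread = mean(base), pstdev(base)
    lo, hi = centre - k * spread, centre + k * spread
    return [(w, round(h, 3)) for w, h in entropies.items() if not lo <= h <= hi]


def hotspots(windows, ratio=2.0):
    """Aggregate events over (src, dst, asset type, level); the fifth
    dimension, the event count, is the aggregated measure. A cell whose
    count exceeds `ratio` times the mean cell count is a hotspot (assumed
    rule; a real deployment would calibrate the threshold per group)."""
    cells = Counter()
    for evs in windows.values():
        cells.update(evs)
    avg = mean(cells.values())
    return [(cell, n) for cell, n in cells.most_common() if n > ratio * avg]


if __name__ == "__main__":
    ents = window_entropies(SAMPLE_WINDOWS)
    print(entropy_anomalies(ents, ["w1", "w2", "w3", "w4"]))
    print(hotspots(SAMPLE_WINDOWS))
```

Both checks point at the same cause (one source flooding one web asset), which is the drill-down the description wants: the entropy alarm says which period is abnormal, and the hotspot cell says which events to pull up.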
S14: indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat multi-tuple by the indexation calculation method, and evaluating and mapping it to a threat value.
In the present embodiment, indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat multi-tuple by the indexation calculation method, and evaluating and mapping it to a threat value includes: indexing the threat factors to obtain the tuple each threat factor belongs to; calculating the threat degree of each tuple by the arctangent function algorithm; and assigning values to each threat degree, mapping each threat degree to a corresponding threat value.
As described in the embodiment above, a dynamic multidimensional threat indicator system is established. With the Pareto analysis method the causes of the current threats can be distinguished, and the key threats can be analysed from the macroscopic level through the intermediate level to the microscopic level, until the key security event causing the abnormal threat posture is located.
In the present embodiment, a standard is formulated for the threat operation indicators, as shown in Table 2:
Table 2 Threat operation indicator standard
In the present embodiment, the seven indicators in Table 2 serve as an example multi-tuple; in a real environment the second-level indicators can be adjusted, added and deleted periodically and continuously to better adapt to information security management.
To facilitate the event classification used in threat degree modelling, the present embodiment also establishes a threat indicator classification dictionary, as shown in Table 3:
Table 3 Threat indicator classification dictionary
Table 3 mainly serves to illustrate the classification after log normalization, which corresponds to the event classification used in threat degree modelling.
In the present embodiment, the threat indicator system is also explained in practical terms. In the indicator system for automatic threat index calculation based on the multi-tuple, the threat index equals the arithmetic mean of all kinds of threats, that is, the overall security threat index is calculated from the threat value to which each threat degree is mapped:
where N is the number of threat categories in the threat multi-tuple, i denotes the event level, and Ti is the threat value of T when an event of level i exists.
S15: generating a corresponding data model from the security-domain threat index and the threat values, so as to assess the security of the information system.
In one embodiment of the invention, generating a corresponding data model from the security-domain threat index and the threat values so as to assess the security of the information system includes: calculating the threat index of the information system, which is the arithmetic mean of the threat values of each tuple of the threat multi-tuple; establishing a gauge chart model that shows the arithmetic mean and the security-domain threat index, to assess the security of the information system; establishing a radar chart model that displays the threat value of each tuple of the threat multi-tuple, to assess the security of the information system; and establishing a Pareto chart model that displays the threat value of each tuple of the threat multi-tuple, to assess the security of the information system.
In the present embodiment, to help the user understand intuitively the threats faced by the information system, the threats are described by establishing a gauge chart, a radar chart and a Pareto chart. In the Pareto chart, the data of the different categories are arranged in descending order of frequency and a cumulative percentage curve is drawn in the same figure; the quantified threat values are exactly the individual data points that make up the basic array of the Pareto chart. For the threat degree of each threat type, the change in each indicator of the system can be seen clearly with the radar chart; for the overall security threat index, the change in the threat index over the most recent half hour is reflected by the gauge chart. With the data of the different categories arranged in descending order of threat level and the cumulative percentage curve drawn in the same figure, the Pareto chart reveals the Pareto distribution: the great majority of the data lies in a few categories, and the small remainder is scattered across most of the categories.
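The overall index of S15 and the Pareto ordering just described can be computed without any charting library; the following added example (written for this page, not code from the patent) sorts the per-tuple threat values in descending order, attaches each category's share and cumulative share, and picks out the "vital few" categories that account for a cutoff of the total. The seven category names follow the classes listed in the description, but the threat values and the 80 % cutoff are constructed assumptions.

```python
from statistics import mean

# Constructed threat values (0..5) for the seven threat classes named in the
# description; the numbers are hypothetical, not from the patent.
TUPLE_THREAT_VALUES = {
    "compliance_audit": 0.8,
    "threat_attack": 4.2,
    "trojan_virus": 3.6,
    "threshold_alarm": 1.1,
    "fault_alarm": 0.6,
    "backbone_link_alarm": 0.3,
    "anomaly_detection": 2.4,
}


def overall_threat_index(values):
    """Overall security threat index: arithmetic mean of the tuple threat
    values (the quantity a gauge chart would display)."""
    return mean(values.values())


def pareto_table(values):
    """Rows of (category, threat value, share %, cumulative share %) in
    descending order of threat value: the basic array of a Pareto chart."""
    total = sum(values.values())
    if total <= 0:
        return []  # nothing to rank; avoids a division by zero on an empty period
    rows, cum = [], 0.0
    for name, v in sorted(values.items(), key=lambda kv: kv[1], reverse=True):
        cum += v
        rows.append((name, v, round(100.0 * v / total, 1), round(100.0 * cum / total, 1)))
    return rows


def vital_few(values, cutoff=80.0):
    """Categories that together reach `cutoff` percent of the total threat
    value: where an analyst drills down first (cutoff is an assumed value)."""
    chosen = []
    for name, _v, _share, cum in pareto_table(values):
        chosen.append(name)
        if cum >= cutoff:
            break
    return chosen


if __name__ == "__main__":
    for row in pareto_table(TUPLE_THREAT_VALUES):
        print("%-20s %4.1f %5.1f%% %6.1f%%" % row)
    print("overall index:", round(overall_threat_index(TUPLE_THREAT_VALUES), 3))
    print("vital few:", vital_few(TUPLE_THREAT_VALUES))
```

With the constructed values, four of the seven classes carry more than 80 % of the total, so the drill-down effort concentrates there while the radar chart still shows every class at its own scale.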
In summary, in the threat data processing method for an information system provided by the invention, information security events are mapped to potential threat indices and existing threat indices; for the existing threat indices the threat frequency is calculated and the result is assigned to the associated asset threat index. For threats that have not occurred, information is collected according to a preset time cycle from adjustable sources such as national standards, industry standards, group policies, industry threat intelligence and risk assessments, normalized and associated into a threat multi-tuple; the multi-tuple threat indicators are processed by the indexation calculation method to calculate the occurrence probability of each tuple, and finally the threat degree faced by each system is calculated from each tuple by the specific algorithm. A corresponding data model is generated from the security-domain threat index and the threat values so that the user can intuitively observe the probability with which each kind of threat may occur in the information security events. The threats objectively faced by the information system are thus assessed from this threat data, which supports the user in maintaining the information system and taking safety precautions.
The threat data processing method for an information system provided by the invention has been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the invention; the description of the above embodiments is only intended to help understand the invention and its core idea. It should be noted that those skilled in the art can make various improvements and modifications to the invention without departing from its principles, and such improvements and modifications also fall within the scope of the claims of the invention.