CN107239707A - A kind of threat data processing method for information system - Google Patents


Info

Publication number: CN107239707A
Authority: CN (China)
Prior art keywords: threat, index, information, information system, value
Legal status: Granted
Application number: CN201710418915.8A
Other languages: Chinese (zh)
Other versions: CN107239707B (en)
Inventors: 余艳波, 易予江, 刘毅, 魏永利, 马新轶, 刘奉哲, 万钰, 李瑞雪, 李振宇, 李广奇
Current Assignee: State Power Investment Group Henan Electric Power Co., Ltd; TECHNOLOGY INFORMATION CENTER OF STATE POWER INVESTMENT CORPORATION HENAN POWER Co.,Ltd.
Original Assignee: Technology Information Center Spic Henan Electric Power Co Ltd
Application filed by Technology Information Center Spic Henan Electric Power Co Ltd
Priority to CN201710418915.8A
Publication of CN107239707A
Application granted
Publication of CN107239707B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a threat data processing method for an information system, comprising: mapping acquired information security events to potential threat indicators and existing threat indicators; computing the frequency of the existing threat indicators and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events; at a preset period, collecting information on the potential threat indicators from preset threat sources, normalizing it, and associating it into a threat tuple; indexing each threat element in the logs of the target information system, computing the occurrence probability of each tuple of the threat tuple by an indexation calculation method, and evaluating and mapping it to a threat value; and generating a corresponding data model from the security-domain threat index and the threat values in order to evaluate the security of the information system. Building the data model lets the user observe intuitively the probability that each type of threat may occur in information security events, and allows an objective assessment of the threats the information system faces.

Description

A kind of threat data processing method for information system
Technical field
The present invention relates to the field of information security technology, and in particular to a threat data processing method for an information system.
Background technology
As networks become more interconnected and information service applications become more tightly coupled, the security threats faced by an organization's information system increasingly show a "pincer attack from inside and outside", and threats in the virtual network world are converging with physical threats.
To ensure the security of information, threats must be identified and classified, and corresponding countermeasures taken. Threat identification in turn requires analysing the potential causes of incidents. The causes of threats are diverse and fall roughly into two major classes, human factors and environmental factors. The information resources of a power system are attractive in themselves and face threats from the whole world. In the face of this huge virtual space, the causes of threats have two aspects: one is the resources and skills possessed by the attacker; the other is the attractiveness of the information system itself. At present, the information security management of the information systems of organizations and enterprises is not standardized and cannot objectively reflect the threats that an information system faces.
Therefore, how to implement indicator-based management of information security and objectively understand the threats faced by a target information system is a technical problem that those skilled in the art currently need to solve.
The content of the invention
The object of the present invention is to provide a threat data processing method for an information system that implements indicator-based management of information security and makes it possible to objectively understand the threats faced by a target information system.
To solve the above technical problem, the invention provides the following technical scheme:
A threat data processing method for an information system, comprising:
mapping acquired information security events to potential threat indicators and existing threat indicators;
computing the frequency of the existing threat indicators, and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events;
at a preset period, collecting information on the potential threat indicators from preset threat sources, normalizing it, and associating it into a threat tuple;
indexing each threat element in the logs of the target information system, computing the occurrence probability of each tuple of the threat tuple by the indexation calculation method, and evaluating and mapping it to a threat value;
generating a corresponding data model from the security-domain threat index and the threat values, so as to evaluate the security of the information system.
Preferably, computing the frequency of the existing threat indicators and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events comprises:
obtaining the threat category of the existing threat indicators;
computing the corresponding security threat index from the frequency of each category of threat corresponding to the existing threat indicators;
computing the arithmetic mean of the security threat indices and recording it as the security-domain threat index associated with the information security events.
Preferably, collecting information on the potential threat indicators from preset threat sources at a preset period, normalizing it and associating it into a threat tuple comprises:
at a preset period, collecting and normalizing information on the potential threat indicators according to preset national standards, industry standards, group regulations, industry threat intelligence and risk assessments;
sorting and classifying all threat elements to form a threat tuple that matches the current state of the target information system.
Preferably, sorting, classifying and pruning all threat elements to form a threat tuple that matches the current state of the target information system comprises:
sorting all threat elements and dividing them into a compliance audit class, a threat attack class, a Trojan and virus class, a threshold alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
Preferably, indexing each threat element in the logs of the target information system, computing the occurrence probability of each tuple of the threat tuple by the indexation calculation method, and evaluating and mapping it to a threat value comprises:
indexing the threat factors to obtain the tuple to which each threat factor belongs;
computing the threat degree of each tuple by an arctangent function algorithm;
assigning a value to each threat degree, mapping each threat degree to a corresponding threat value.
Preferably, mapping the acquired information security events to potential threat indicators and existing threat indicators comprises:
obtaining a number of events from the normalized logs of the target information system;
auditing each event to judge whether it is a threat indicator event;
determining the threat indicator events that pass the audit to be information security events;
establishing a mapping from events to threats, and mapping the information security events to potential threat indicators and existing threat indicators.
Preferably, generating a corresponding data model from the security-domain threat index and the threat values so as to evaluate the security of the information system comprises:
computing the threat index of the information system, the threat index being the arithmetic mean of the threat values of the tuples of the threat tuple;
representing the arithmetic mean and the security-domain threat index by a gauge chart.
Preferably, generating a corresponding data model from the security-domain threat index and the threat values so as to evaluate the security of the information system further comprises:
establishing a radar chart model to display the threat value of each tuple of the threat tuple.
Preferably, generating a corresponding data model from the security-domain threat index and the threat values so as to evaluate the security of the information system further comprises:
establishing a Pareto chart model to display the threat value of each tuple of the threat tuple.
Compared with the prior art, the above technical scheme has the following advantages:
The threat data processing method for an information system provided by the embodiment of the present invention comprises: mapping acquired information security events to potential threat indicators and existing threat indicators; computing the frequency of the existing threat indicators, and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events; at a preset period, collecting information on the potential threat indicators from preset threat sources, normalizing it, and associating it into a threat tuple; indexing each threat element in the logs of the target information system, computing the occurrence probability of each tuple of the threat tuple by the indexation calculation method, and evaluating and mapping it to a threat value; and generating a corresponding data model from the security-domain threat index and the threat values so as to evaluate the security of the information system. In this scheme, information security events are mapped to existing threat indicators (threats that have already occurred) and potential threat indicators (threats that have not yet occurred), and the corresponding security-domain threat index is obtained from the computed occurrence frequency of the existing threat indicators. At the same time, information on the potential threat indicators is collected from the threat sources and normalized, then associated into a threat tuple, and the occurrence probability of each tuple in the threat tuple is computed, where each tuple represents one class of threat element, so that the threat value corresponding to each tuple of the potential threat indicators is obtained. A corresponding data model is generated from the security-domain threat index and the threat values so that the user can intuitively observe the probability that each type of threat may occur in information security events; these threat data allow an objective assessment of the threats the information system faces, so that the user can maintain the information system and take security precautions.
Brief description of the drawings
In order to explain more clearly the embodiments of the present invention or the technical scheme of the prior art, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of the threat data processing method for an information system provided by one embodiment of the present invention;
Fig. 2 is a schematic diagram of the arctangent function used to compute the threat degree, provided by one embodiment of the present invention.
Embodiment
The core of the present invention is to provide a threat data processing method for an information system that implements indicator-based management of information security and makes it possible to objectively understand the threats faced by a target information system.
In order that the above objects, features and advantages of the present invention may be more readily understood, embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Details are set forth in the following description so that the present invention can be fully understood. However, the present invention can also be implemented in many ways other than those described here, and those skilled in the art can make similar generalizations without departing from the spirit of the present invention. Therefore the present invention is not limited by the embodiments disclosed below.
Refer to Fig. 1, which is a flow chart of the threat data processing method for an information system provided by one embodiment of the present invention.
One embodiment of the present invention provides a threat data processing method for an information system, comprising:
S11: mapping acquired information security events to potential threat indicators and existing threat indicators.
In this embodiment, mapping the acquired information security events to potential threat indicators and existing threat indicators comprises: obtaining a number of events from the normalized logs of the target information system; auditing each event to judge whether it is a threat indicator event; determining the threat indicator events that pass the audit to be information security events; establishing a mapping from events to threats, and mapping the information security events to potential threat indicators and existing threat indicators.
The primary source of threats is attacks. When no attack is present in the network, the threat index is still not 0, because the assignment work refers to four threat elements: hot-spot threat early-warning reports issued by national authorities; authoritative, generally recognized threat intelligence sources; major incident information issued by the group company; and risk assessment and penetration testing reports of third-party institutions. Thus, when an attack is present in the network, the information security events can be mapped to existing threat indicators and potential threat indicators; when no attack is present in the network, the information security events can be mapped to potential threat indicators.
The premise of assigning threat values with reference to the threat elements is that the threat elements have been recognised. The threat element extraction process comprises:
1. recognising the threat elements and formatting them as threat factors;
2. indexing the threat factors and the information security events separately so that threats can be categorised and analysed. Attacks of the same type may occur between different source and destination addresses, but the same attack can be extracted by pattern matching, so the frequency of each threat factor can be obtained by pattern matching;
3. modelling the threat degree: collecting the impact degree of the information security events (the threat degree of the attack), combining it with the outbreak frequency of the factor, and computing the threat degree of each factor according to a preset model (the frequency and level of occurrence of a threat are computed into a threat value from 0 to 5);
4. taking the security domain as the unit, computing the arithmetic mean of the threat values of the addresses in the domain to obtain the threat index value of the security domain.
S12: computing the frequency of the existing threat indicators, and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events.
For the existing threat indicators, the frequency of the threats (attacks) is computed and the result is assigned to the threat index of the associated security domain.
In one embodiment of the present invention, computing the frequency of the existing threat indicators and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events comprises: obtaining the threat category of the existing threat indicators; computing the corresponding security threat index from the frequency of each category of threat corresponding to the existing threat indicators; computing the arithmetic mean of the security threat indices and recording it as the security-domain threat index associated with the information security events.
Threat assignment is the quantitative characterisation of threats. The basis of threat assignment is the statistics of the frequency with which each type of threat occurs. The purpose of threat classification is to turn abstract, qualitative threat descriptions into threat values that can be analysed quantitatively. Threat identification needs to consider three aspects: historical records, that is, the threats that have occurred in past security incident reports and the statistics of their frequency; on-site forensics, that is, the threats found by detection tools and logs and the statistics of their frequency; and authoritative publications, that is, the threat reports issued by international and domestic authorities and by the group company.
In this embodiment, threats are preferably assigned values by classification, and a threat assignment table is defined for this purpose, as shown in Table 1:
Table 1 Threat assignment table
S13: at a preset period, collecting information on the potential threat indicators from preset threat sources, normalizing it, and associating it into a threat tuple.
In one embodiment of the present invention, collecting information on the potential threat indicators from preset threat sources at a preset period, normalizing it and associating it into a threat tuple comprises: at a preset period, such as quarterly or yearly, collecting and normalizing information on the potential threat indicators according to preset national standards, industry standards, group regulations, industry threat intelligence, risk assessments and other adjustable information; sorting and classifying all threat elements to form a threat tuple that matches the current state of the target information system.
This includes periodically arranging the threat elements with a specific coding and format and storing them in a database as the basis for information collection, forming the threat assessment factors; generating the threat factor inventory using the configured threat pruning method and mapping it to threat indicators; and data collection: threats come from (normalized) events, but not every event is a threat. In this embodiment an automated threat index system is established, in which a mapping from events to threats must be set up. The data source is the normalized logs; the processed data can be selectively mapped to threats (by a timed scheduler task with a five-minute period), and the acquired threat information is persisted. The security threat index is subdivided by threat type to form threat indices; each threat index has several characteristic indicators, typical characteristic indicators being the frequency (count) of a threat and its threat level (combining information such as the threat source and the attack method).
The threat degree is computed by a threat degree calculation method based on an arctangent function, as shown in Fig. 2. Each audited threat indicator event has two elements, the frequency with which it occurs and the level of the event itself, and the calculation is modelled with an arctangent function: as the occurrence frequency of an event keeps increasing, the threat degree approaches "fatal". The arctangent function contains a metric of the event level and a metric of the event frequency.
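The following Python is an added example, not code from the patent or its assignee. It carries the four-step extraction process above (recognise threat factors, obtain their frequency by pattern matching, model the threat degree, average per security domain), the per-category frequency index of S12 and the arctangent threat-degree model just described through one constructed set of normalized log lines. The factor patterns, the log lines, the functional form 5·(2/π)·atan(level·frequency/scale) and the scale constant are assumptions made here; the patent's own pattern library and Table 1 are not reproduced on the page.

```python
import math
import re
from collections import Counter, defaultdict
from statistics import mean

# Threat factor patterns (constructed for this example). Each factor has a
# regex that recognises it in a normalized log line and an event level 1..5.
THREAT_FACTORS = {
    "port-scan":   (re.compile(r"\bSCAN\b"), 2),
    "brute-force": (re.compile(r"\bAUTH_FAIL\b"), 3),
    "trojan-c2":   (re.compile(r"\bC2_BEACON\b"), 5),
}

# Constructed, normalized log lines: "dom=<security domain> src=<address> msg=<text>".
LOG_LINES = [
    "dom=DMZ src=10.0.0.5 msg=SCAN tcp/22",
    "dom=DMZ src=10.0.0.5 msg=SCAN tcp/80",
    "dom=DMZ src=10.0.0.9 msg=SCAN tcp/443",
    "dom=DMZ src=10.0.0.9 msg=AUTH_FAIL user=root",
    "dom=OFFICE src=192.168.1.20 msg=C2_BEACON host=c2.example.invalid",
    "dom=OFFICE src=192.168.1.21 msg=PRINT_JOB ok",   # benign: matches no factor
]

LINE_RE = re.compile(r"dom=(?P<dom>\S+) src=(?P<src>\S+) msg=(?P<msg>.*)")


def extract_factors(lines):
    """Steps 1-2: recognise threat elements in each line and index them as
    (domain, source address, factor) records; lines matching no factor are
    not threats and are dropped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for factor, (pattern, _level) in THREAT_FACTORS.items():
            if pattern.search(m.group("msg")):
                records.append((m.group("dom"), m.group("src"), factor))
    return records


def factor_frequency(records):
    """Frequency of each threat factor per security domain; pattern matching
    collapses the same attack seen between different address pairs."""
    return Counter((dom, factor) for dom, _src, factor in records)


def threat_degree(level, frequency, scale=10.0):
    """Step 3: arctangent threat-degree model. The functional form is an
    assumption: 5 * (2/pi) * atan(level * frequency / scale) starts at 0 and
    saturates at 5 ("fatal") as the frequency grows, which is the behaviour the
    patent describes for Fig. 2. `scale` sets how fast saturation is reached."""
    return 5.0 * (2.0 / math.pi) * math.atan(level * frequency / scale)


def factor_threat_values(lines):
    """Threat value (0-5) of every (domain, factor) seen in the lines."""
    freq = factor_frequency(extract_factors(lines))
    return {
        (dom, factor): threat_degree(THREAT_FACTORS[factor][1], n)
        for (dom, factor), n in freq.items()
    }


def domain_threat_index(lines):
    """Step 4 / S12: security-domain threat index = arithmetic mean of the
    threat values of the factor categories observed in that domain."""
    per_domain = defaultdict(list)
    for (dom, _factor), value in factor_threat_values(lines).items():
        per_domain[dom].append(value)
    return {dom: mean(values) for dom, values in per_domain.items()}


if __name__ == "__main__":
    for key, value in sorted(factor_threat_values(LOG_LINES).items()):
        print(f"{key[0]:7s} {key[1]:12s} threat value {value:.2f}")
    for dom, idx in sorted(domain_threat_index(LOG_LINES).items()):
        print(f"security domain {dom}: threat index {idx:.2f}")
```

With the constructed lines, three port scans in the DMZ at level 2 give a threat value of about 1.72, the single level-5 beacon in the office about 1.48, and the DMZ index is the mean of its two factor values; raising the frequency of any factor drives its value towards 5 without ever exceeding it, which is the point of the arctangent form.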
Further, sorting, classifying and pruning all threat elements to form a threat tuple that matches the current state of the target information system comprises: sorting all threat elements and dividing them into a compliance audit class, a threat attack class, a Trojan and virus class, a threshold alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
The threat source tree is pruned according to actual requirements so that prominent threats are refined, and the sorted result is as follows:
Compliance audit class: the purpose of information security compliance auditing is to expose and investigate violations by auditing the system, and to promote business operations that meet the requirements of the information security policy and of internal risk control. The information security compliance audit class covers logins to security devices, the login times and addresses of server accounts, switch logins, operation statistics and so on. Active threat elements can be added flexibly according to the events that actually occur and the latest intelligence.
Threat attack class: a threat attack is the danger that a person, thing, event or concept poses to the confidentiality, integrity, availability or legitimate use of a resource. Apart from the broad threat attack class, the event content takes the narrow perspective of attacks and intrusions as its theme, with emphasis on attack processes such as security scanning, vulnerability exploitation and system privilege escalation, and mainly collects information security attack and defence alarms. Active threat elements can be added flexibly according to the events that actually occur and the latest intelligence.
Trojan and virus class: monitors and alarms on remote-control Trojans, botnet attacks, virus alerts, worm attacks and so on, and can be extended flexibly according to the events that actually occur.
Threshold alarm class: used to determine when a monitored indicator has exceeded its normal value; this class mainly relies on the establishment and maintenance of baselines, for example CPU threshold alarms, virus early-warning maximum thresholds, mailbox system event maximum thresholds, WAN acceleration device log maximum thresholds, switch CPU exceeding the CPCAR limit, switch ARP-miss rate exceeding its limit, antivirus server log minimum thresholds, web security protection system log volume minimum thresholds, firewall log volume maximum thresholds, IPS log volume maximum thresholds, IPS log volume minimum thresholds, etc.; it can be extended flexibly according to the events that actually occur.
Fault alarm class: includes system crashes, hardware and software faults and any other fault affecting business use and the normal operation of the system, and can be extended flexibly according to the events that actually occur.
Backbone link alarm class: a fault in a routing or switching device on a backbone link can cause an interruption across the whole network, and its severity is fatal, so it is classified separately and given real-time early warning; it can be extended flexibly according to the events that actually occur.
Anomaly detection class: also called deviation detection, because the attribute values of anomalous objects clearly deviate from the expected or common attribute values.
Anomaly detection is also called exception mining and is divided into three classes:
1. Non-audited log anomaly class
When training on the data, the data are divided into audited events and non-audited events. Non-audited events are events that have never occurred under normal circumstances. This means that such data cannot occur under normal circumstances; in other words, once these data appear, they must be analysed and investigated conscientiously. This embodiment focuses on listing and monitoring the non-audited log anomaly class as one kind of threat element.
2. Log entropy anomaly class
Any information contains redundancy, and the amount of redundancy is related to the probability, or uncertainty, of the appearance of each symbol (digit, letter or word) in the information. The average information remaining after the redundancy is removed is called "information entropy", which is a measure of the degree of order of a system. The system computes the entropy of the reporting IP addresses over the mass of security events collected in a period of time, obtaining the amplitude of change in the degree of aggregation of the reporting IPs in these security events; this characterises the security state of the networks to which these security events belong during that period and predicts the overall security trend of the next step.
The system continuously describes the address entropy situation curve and shows the address situation cause diagram of each period. By analysing the patterns of three typical situation cause diagrams, two kinds of typical situation anomalies are identified, and drilling down into the anomalous situation information is supported until the key security event causing the anomaly is located; entropy alarms beyond the confidence interval are then included among the anomaly detection alarms.
3. Hotspot aggregation anomaly class
A hotspot is a region in which the event occurrence frequency is significantly higher or lower than the normal frequency; such a region is defined as a hotspot, and the hotspots usually of interest are the small regions where events occur in high concentration. Among the many spatio-temporal analysis methods, hotspot analysis is an effective tool for understanding the implication relations between events. Through hotspot analysis, regression analysis and trend prediction can be performed on events effectively, helping researchers draw scientific conclusions.
In this embodiment, a clustering algorithm is used to continuously cluster the events on five dimensions (vectors), namely source IP, destination IP, asset type, event level and event count, across the three groups of terminals, network and applications, to find the event hotspots of the most recent period and thus achieve real-time macroscopic analysis of the mass of events.
Further, by dynamically displaying the event hotspots on the group's targets, once a hotspot is obtained, the security events associated with that hotspot are obtained at the same time. Hotspot warning information beyond the confidence interval is classified into the anomaly detection class.
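The Python below is an added example, not the patent's code, covering the two quantitative anomaly classes above: the log entropy class (entropy of the reporting IPs per five-minute window, alarm when a window falls outside the confidence interval) and the hotspot aggregation class (bursts on the five dimensions, with drill-down to the events of a hotspot). The event streams are constructed, the interval is taken as mean ± k·σ with k = 2 (the patent does not state its interval), and, because the clustering algorithm is not named on the page, the hotspot step is simplified to grouping on the four categorical dimensions and a z-score on the count, which is the fifth dimension.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed inputs, not from the patent.
# (a) Security events as (minute, reporting IP). Windows 0-4 are spread over
#     a few reporting hosts; window 5 comes entirely from one host, so the
#     address entropy collapses to 0.
REPORT_EVENTS = (
    [(0, "10.1.0.1"), (1, "10.1.0.2"), (2, "10.1.0.3"), (3, "10.1.0.4")]
    + [(5 + i % 5, ip) for i, ip in enumerate(["10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4"] * 2)]
    + [(10, "10.1.0.1"), (11, "10.1.0.2"), (12, "10.1.0.3"), (13, "10.1.0.3")]
    + [(15, "10.1.0.1"), (16, "10.1.0.2"), (17, "10.1.0.3"), (18, "10.1.0.4")]
    + [(20, "10.1.0.1"), (21, "10.1.0.2"), (22, "10.1.0.3"), (24, "10.1.0.4")]
    + [(25 + i % 5, "10.1.0.9") for i in range(8)]
)
# (b) Events carrying four of the five clustering dimensions (source IP,
#     destination IP, asset type, event level); the fifth, event count, is
#     derived by grouping. Nine one-off records plus one burst of twelve.
CLUSTER_EVENTS = [
    {"src": f"10.2.0.{i}", "dst": "10.3.0.1", "asset": "server", "level": 1}
    for i in range(1, 10)
] + [
    {"src": "10.2.0.50", "dst": "10.3.0.7", "asset": "terminal", "level": 3}
    for _ in range(12)
]


# ---- log entropy anomaly class ------------------------------------------
def shannon_entropy(counts):
    """Entropy in bits of the distribution given by a Counter of symbol counts."""
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def window_entropies(events, window_minutes=5):
    """Address entropy of the reporting IPs per time window; five minutes
    matches the scheduler period the patent mentions."""
    per_window = defaultdict(Counter)
    for minute, ip in events:
        per_window[minute // window_minutes][ip] += 1
    return [(w, shannon_entropy(per_window[w])) for w in sorted(per_window)]


def entropy_anomalies(entropies, k=2.0):
    """Windows whose entropy lies outside mean +/- k * standard deviation over
    all windows (k is an assumption; the patent does not state its interval)."""
    values = [h for _w, h in entropies]
    mu, sigma = mean(values), pstdev(values)
    return [w for w, h in entropies if abs(h - mu) > k * sigma]


def window_events(events, window, window_minutes=5):
    """Drill-down: the events of one flagged window."""
    return [(m, ip) for m, ip in events if m // window_minutes == window]


# ---- hotspot aggregation anomaly class -----------------------------------
def event_key(e):
    return (e["src"], e["dst"], e["asset"], e["level"])


def group_counts(events):
    """Collapse events on the four categorical dimensions; the count per
    group is the fifth dimension."""
    return Counter(event_key(e) for e in events)


def find_hotspots(events, k=2.0):
    """Groups whose count is more than k standard deviations above the mean
    group count (k is an assumption), sorted by count descending."""
    counts = group_counts(events)
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    hot = [(key, n) for key, n in counts.items() if n > mu + k * sigma]
    return sorted(hot, key=lambda kn: -kn[1])


def hotspot_events(events, key):
    """Drill-down: the security events associated with one hotspot."""
    return [e for e in events if event_key(e) == key]


if __name__ == "__main__":
    ents = window_entropies(REPORT_EVENTS)
    for w, h in ents:
        print(f"window {w}: address entropy {h:.2f} bits")
    for w in entropy_anomalies(ents):
        print(f"entropy alarm in window {w}: {len(window_events(REPORT_EVENTS, w))} events")
    for key, n in find_hotspots(CLUSTER_EVENTS):
        print(f"hotspot {key}: {n} events")
```

Note that a collapse of entropy (everything reported by one host) and a spike of entropy (events scattered over many new hosts) are both flagged by the two-sided interval; the drill-down functions return the raw events so an analyst can locate the key security event behind the alarm, as the patent describes.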
S14:Each threat key element in the daily record of target information system is indexed, multi-component system will be threatened according to indexation Computational methods calculate the probability of happening of each tuple, and evaluation mapping is threat value.
In the present embodiment, each threat key element in the daily record of target information system is indexed, will threatened polynary Group calculates the probability of happening of each tuple according to indexation computational methods, and evaluation mapping is threat value, including:To threatening factors It is indexed, obtains the tuple belonging to threatening factors;The Threat of each tuple is calculated by arctan function algorithm;Threaten each Degree carries out assignment, and each Threat is mapped as into corresponding threat value.
As above described in an embodiment, set up a set of dynamic multidimensional and threaten index system, can by pareto analysis method To distinguish the current threat origin cause of formation, realize and crucial deterrent is seen from macroscopic view to middle, then to microcosmic analysis, until Navigate to the key safety event for causing threat situation abnormal.
In the present embodiment, a standard is formulated for the threat operation indexes, as shown in Table 2:
Table 2: Threat operation index standard
In the present embodiment, the 7 indexes in Table 2 are taken as an example multi-tuple. In an actual environment, each second-level index can be periodically and continuously adjusted, added or deleted to better adapt to information security management.
For the convenience of event classification in threat modelling, the present embodiment also establishes a threat index classification dictionary, as shown in Table 3:
Table 3: Threat index classification dictionary
Table 3 mainly illustrates the classification after log normalization, which corresponds to the event categories used in threat modelling.
In the present embodiment, a practical explanation of the threat index system is also given. In the index system of automated threat index calculation based on the multi-tuple, the threat index equals the arithmetic mean of all categories of threats; that is, the overall security threat index is calculated from the threat value to which each threat degree is mapped:
where N is the number of categories (tuples) of the threat multi-tuple, i refers to the event level, and Ti is the threat value of T at level-i events.
S15: A corresponding data model is generated according to the security-domain threat index and the threat values, so as to evaluate the security of the information system.
In one embodiment of the invention, generating a corresponding data model according to the security-domain threat index and the threat values to evaluate the security of the information system includes: calculating the threat index of the information system, the threat index being the arithmetic mean of the threat values of each tuple of the threat multi-tuple; establishing a gauge chart model that presents the arithmetic mean and the security-domain threat index, to evaluate the security of the information system; establishing a radar chart model that shows the threat value of each tuple of the threat multi-tuple, to evaluate the security of the information system; and establishing a Pareto chart model that shows the threat value of each tuple of the threat multi-tuple, to evaluate the security of the information system.
In the present embodiment, to help the user intuitively understand the threats faced by the information system, the threats are described by means of a gauge chart, a radar chart and a Pareto chart. In the Pareto chart, the data of the different categories are arranged in descending order of frequency and the cumulative percentage curve is drawn in the same figure; the quantized threat values are the individual data items that make up the basic array of the Pareto chart. For the threat degree of each threat type, the radar chart clearly shows the change of each index in the system; for the overall security threat index, the gauge chart reflects the change of the threat index over the most recent half hour. With the categories arranged in descending order of threat level and the cumulative percentage curve drawn in the same figure, the Pareto chart embodies the Pareto principle: the great majority of the data lies in a few categories, and the small remainder is scattered across most of the other categories.
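The following worked example, added here and not code from the patent or its applicant, carries the S14 and S15 steps above through on constructed data: threat elements are indexed to the seven tuple classes named in claim 4, each tuple's threat degree is squashed with an arctangent function, the degree is assigned an integer threat value, the overall threat index is taken as the arithmetic mean of the N threat values, and the tuples are Pareto-ordered with their cumulative share. The patent does not fix the arctangent scale, the 0..100 value scale, or how event counts feed the arctangent; those, the class names and the sample events are assumptions.

```python
import math
from collections import Counter

# The seven threat classes the page lists (claim 4 / Table 2); names are
# this example's own spelling of them.
THREAT_CLASSES = [
    "compliance_audit", "attack", "trojan_virus", "threshold_alarm",
    "fault_alarm", "backbone_link_alarm", "anomaly_detection",
]

# Constructed sample of normalized log events for one evaluation window.
# Each record carries the threat class it was sorted into (Table 3 style).
SAMPLE_EVENTS = (
    [{"src": "ids", "threat_class": "attack"}] * 8
    + [{"src": "av", "threat_class": "trojan_virus"}] * 4
    + [{"src": "audit", "threat_class": "compliance_audit"}] * 1
    + [{"src": "monitor", "threat_class": "threshold_alarm"}] * 12
)


def index_events(events):
    """Index each threat element to its tuple: count events per class.
    Classes with no events are kept with a count of 0 so that N (the number
    of tuple categories) stays fixed for the mean below."""
    counts = Counter(e["threat_class"] for e in events)
    return {cls: counts.get(cls, 0) for cls in THREAT_CLASSES}


def threat_degree(count, scale=10.0):
    """Arctangent squashing of an event count into a degree in [0, 1).
    The page only says an arctangent function algorithm is used; the scale
    (the count at which the degree reaches 0.5) is an assumption."""
    return (2.0 / math.pi) * math.atan(count / scale)


def threat_value(degree):
    """Assign a value to a threat degree: an integer on a 0..100 scale
    (assumption; the page does not fix the scale)."""
    return round(degree * 100)


def threat_values(events):
    """Per-tuple threat values T_i for the whole threat multi-tuple."""
    return {cls: threat_value(threat_degree(n))
            for cls, n in index_events(events).items()}


def threat_index(values):
    """Overall security threat index: arithmetic mean of the N threat values."""
    return round(sum(values.values()) / len(values), 2)


def pareto(values):
    """Pareto ordering: tuples in descending order of threat value, each with
    the cumulative share of the total (the chart's cumulative curve)."""
    total = sum(values.values())
    ordered = sorted(values.items(), key=lambda kv: kv[1], reverse=True)
    rows, cum = [], 0
    for cls, v in ordered:
        cum += v
        rows.append((cls, v, round(cum / total, 3) if total else 0.0))
    return rows


if __name__ == "__main__":
    vals = threat_values(SAMPLE_EVENTS)
    print("threat values:", vals)
    print("threat index:", threat_index(vals))
    for cls, v, share in pareto(vals):
        print(f"{cls:20s} {v:4d}  cumulative {share:.1%}")
```

Keeping zero-count classes in the index is the detail worth noticing: the patent's N is the number of tuple categories, so a class with no events still pulls the mean down rather than being dropped from it. The gauge and radar views are only different renderings of `threat_index` and `threat_values` and are not repeated here.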
In summary, the threat data processing method for an information system provided by the present invention maps information security events to potential threat indexes and existing threat indexes. For the existing threat indexes a frequency calculation is performed on the threats, and the result is assigned to the associated asset threat index. For threats that have not yet occurred, within a certain period, information is gathered from adjustable sources such as national standards, industry standards, group regulations, industry threat intelligence and risk assessments, normalized and associated into a threat multi-tuple. The threat multi-tuple index is processed with the indexing calculation method to obtain the occurrence probability of each tuple, and finally the threat degree faced by each system is calculated from each tuple by a specific algorithm. A corresponding data model is generated from the security-domain threat index and the threat values, so that the user can intuitively observe the probability that each threat may occur among information security events. Through these threat data the threats objectively faced by the information system are evaluated, so that the user can maintain the information system and take security precautions.
The threat data processing method for an information system provided by the present invention has been described in detail above. Specific examples have been used herein to explain the principle and embodiments of the invention; the explanation of the above embodiments is only intended to help understand the invention and its core idea. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications to the invention without departing from its principle, and these improvements and modifications also fall within the scope of the claims of the invention.

Claims (9)

1. A threat data processing method for an information system, characterised in that it comprises:
mapping the acquired information security events to potential threat indexes and existing threat indexes;
performing a threat frequency calculation on the existing threat indexes, and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events;
according to a preset cycle, performing information gathering and normalization on the potential threat indexes according to preset threat sources, and associating them into a threat multi-tuple;
indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat multi-tuple according to the indexing calculation method, and mapping the assigned value to a threat value;
generating a corresponding data model according to the security-domain threat index and the threat values, to evaluate the security of the information system.
2. The method according to claim 1, characterised in that performing a threat frequency calculation on the existing threat indexes and assigning the result of the frequency calculation to the security-domain threat index associated with the information security events comprises:
obtaining the threat category of the existing threat index;
calculating the corresponding security threat index according to the frequency of each category of threat corresponding to the existing threat index;
calculating the arithmetic mean of the security threat indexes, and recording it as the security-domain threat index associated with the information security events.
3. The method according to claim 1, characterised in that, according to the preset cycle, performing information gathering and normalization on the potential threat indexes according to the preset threat sources and associating them into a threat multi-tuple comprises:
according to the preset cycle, performing information gathering and normalization on the potential threat indexes according to preset national standards, industry standards, group regulations, industry threat intelligence and risk assessments;
combing and classifying all threat elements to form the threat multi-tuple that matches the current state of the target information system.
4. The method according to claim 3, characterised in that combing, classifying and trimming all threat elements to form the threat multi-tuple that matches the current state of the target information system comprises:
combing all threat elements, and dividing the threat elements into a compliance audit class, an attack class, a trojan and virus class, a threshold alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
5. The method according to claim 4, characterised in that indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat multi-tuple according to the indexing calculation method, and mapping the assigned value to a threat value comprises:
indexing the threat factors to obtain the tuple to which each threat factor belongs;
calculating the threat degree of each tuple by an arctangent function algorithm;
assigning a value to each threat degree, and mapping each threat degree to a corresponding threat value.
6. The method according to claim 1, characterised in that mapping the acquired information security events to potential threat indexes and existing threat indexes comprises:
obtaining a number of events from the normalized logs of the target information system;
auditing each event, and judging whether each event is a threat index event;
determining the threat index events that pass the audit as information security events;
establishing a mapping from events to threats, and mapping the information security events to potential threat indexes and existing threat indexes.
7. The method according to any one of claims 1 to 6, characterised in that generating a corresponding data model according to the security-domain threat index and the threat values to evaluate the security of the information system comprises:
calculating the threat index of the information system, the threat index being the arithmetic mean of the threat values of each tuple of the threat multi-tuple;
establishing a gauge chart model that presents the arithmetic mean and the security-domain threat index, to evaluate the security of the information system.
8. The method according to claim 7, characterised in that generating a corresponding data model according to the security-domain threat index and the threat values to evaluate the security of the information system further comprises:
establishing a radar chart model that shows the threat value of each tuple of the threat multi-tuple, to evaluate the security of the information system.
9. The method according to claim 8, characterised in that generating a corresponding data model according to the security-domain threat index and the threat values to evaluate the security of the information system further comprises:
establishing a Pareto chart model that shows the threat value of each tuple of the threat multi-tuple, to evaluate the security of the information system.
CN201710418915.8A 2017-06-06 2017-06-06 Threat data processing method for information system Active CN107239707B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710418915.8A CN107239707B (en) 2017-06-06 2017-06-06 Threat data processing method for information system

Publications (2)

Publication Number Publication Date
CN107239707A true CN107239707A (en) 2017-10-10
CN107239707B CN107239707B (en) 2020-09-29

Family

ID=59985366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710418915.8A Active CN107239707B (en) 2017-06-06 2017-06-06 Threat data processing method for information system

Country Status (1)

Country Link
CN (1) CN107239707B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107832943A (en) * 2017-11-02 2018-03-23 国网浙江省电力公司电力科学研究院 A kind of power system mobile terminal safety intimidation estimating method
CN107911231A (en) * 2017-10-25 2018-04-13 北京神州绿盟信息安全科技股份有限公司 The appraisal procedure and device of a kind of threat data
CN108833389A (en) * 2018-06-05 2018-11-16 北京奇安信科技有限公司 A kind of shared processing method and processing device of information data
CN108989097A (en) * 2018-06-29 2018-12-11 中国人民解放军战略支援部队信息工程大学 A kind of mimicry system of defense threat warning method for visualizing and device
CN109962916A (en) * 2019-03-19 2019-07-02 国家计算机网络与信息安全管理中心 One kind being based on multiattribute industry internet security postures evaluation method
CN110098961A (en) * 2019-04-25 2019-08-06 北京天融信网络安全技术有限公司 A kind of Data Quality Assessment Methodology, device and storage medium
CN110351280A (en) * 2019-07-15 2019-10-18 杭州安恒信息技术股份有限公司 A kind of method, system, equipment and readable storage medium storing program for executing for threatening information to extract
CN110730175A (en) * 2019-10-16 2020-01-24 杭州安恒信息技术股份有限公司 Botnet detection method and detection system based on threat information
CN110839019A (en) * 2019-10-24 2020-02-25 国网福建省电力有限公司 Network security threat tracing method for power monitoring system
CN111083172A (en) * 2019-12-31 2020-04-28 厦门耐特源码信息科技有限公司 Link communication monitoring view construction method based on data packet analysis
CN111125720A (en) * 2019-12-27 2020-05-08 国网四川省电力公司电力科学研究院 Information security and function security association analysis method
CN111413681A (en) * 2020-04-30 2020-07-14 柳州达迪通信技术股份有限公司 Flight target threat degree identification method and system based on entropy weight method and storage medium
CN114019942A (en) * 2021-11-04 2022-02-08 哈尔滨工业大学 Industrial robot system security threat evaluation method based on time-sharing frequency
CN114139210A (en) * 2021-12-15 2022-03-04 智谷互联网科技(廊坊)有限公司 Big data security threat processing method and system based on intelligent service
CN114666145A (en) * 2022-03-30 2022-06-24 成都安恒信息技术有限公司 Safety early warning method and system based on network acquisition
CN115357911A (en) * 2022-10-24 2022-11-18 中国人民解放军国防科技大学 Method for establishing security threat model of satellite navigation system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102075356A (en) * 2010-12-31 2011-05-25 深圳市永达电子股份有限公司 Network risk assessment method and system
CN102148820A (en) * 2011-01-14 2011-08-10 中国科学技术大学 System and method for estimating network security situation based on index logarithm analysis
CN103366244A (en) * 2013-06-19 2013-10-23 深圳市易聆科信息技术有限公司 Method and system for acquiring network risk value in real time
CN103996006A (en) * 2013-02-17 2014-08-20 中国移动通信集团山西有限公司 Information system security risk assessment method and device
WO2015065380A1 (en) * 2013-10-30 2015-05-07 Hewlett-Packard Development Company, L.P. Domain name and internet protocol address approved and disapproved membership inference
CN105959131A (en) * 2016-04-15 2016-09-21 贵州电网有限责任公司信息中心 Electric power information network security measuring method based on security log data mining
CN106713333A (en) * 2016-12-30 2017-05-24 北京神州绿盟信息安全科技股份有限公司 Information system risk assessment method and apparatus
CN106778253A (en) * 2016-11-24 2017-05-31 国家电网公司 Threat context aware information security Initiative Defense model based on big data

Also Published As

Publication number Publication date
CN107239707B (en) 2020-09-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200507

Address after: No. 10, Huanghe East Road, Zhengdong New District, Zhengzhou City, Henan Province

Applicant after: State Power Investment Group Henan Electric Power Co., Ltd

Applicant after: TECHNOLOGY INFORMATION CENTER OF STATE POWER INVESTMENT CORPORATION HENAN POWER Co.,Ltd.

Address before: 450001 gas power plant, No. 100 Indus street, hi tech Development Zone, Henan, Zhengzhou

Applicant before: TECHNOLOGY INFORMATION CENTER OF STATE POWER INVESTMENT CORPORATION HENAN POWER Co.,Ltd.

GR01 Patent grant