CN107239707B - Threat data processing method for information system - Google Patents

Info

Publication number: CN107239707B
Authority: CN (China)
Prior art keywords: threat, security, index, information, information system
Legal status: Active
Application number: CN201710418915.8A
Other languages: Chinese (zh)
Other versions: CN107239707A
Inventors: 余艳波, 易予江, 刘毅, 魏永利, 马新轶, 刘奉哲, 万钰, 李瑞雪, 李振宇, 李广奇
Current assignees: State Power Investment Group Henan Electric Power Co., Ltd; Technology Information Center of State Power Investment Corporation Henan Power Co., Ltd.
Original assignees: Technology Information Center of State Power Investment Corp Henan Power Co., Ltd; State Power Investment Group Henan Electric Power Co., Ltd
Application filed by Technology Information Center of State Power Investment Corp Henan Power Co., Ltd and State Power Investment Group Henan Electric Power Co., Ltd
Priority to CN201710418915.8A
Publication of CN107239707A
Application granted
Publication of CN107239707B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a threat data processing method for an information system, which comprises the following steps: mapping the acquired information security event into a potential threat index and an existing threat index; carrying out threat frequency calculation on the existing threat indexes, and assigning the frequency calculation result to a security domain threat index associated with the information security event; according to a preset period, carrying out information acquisition, normalization and association on potential threat indexes into a threat tuple according to a preset threat source; indexing each threat element in the log of the target information system, calculating the occurrence probability of each tuple according to an exponential calculation method by using the threat tuples, and assigning and mapping the threat tuples into threat values; and generating a corresponding data model according to the security domain threat index and the threat value so as to evaluate the security of the information system. The establishment of the data model is convenient for a user to visually observe the probability of possible occurrence of various threats in the information security event, and the threats faced by the information system are objectively evaluated.

Description

Threat data processing method for information system
Technical Field
The invention relates to the technical field of information security, in particular to a threat data processing method for an information system.
Background
With networks increasingly interconnected and information services ever more tightly coupled, the security threats faced by an organization's information system now come from both inside and outside, and threats in the virtual network world are converging with physical threats.
To keep information secure, threats must be identified and classified and the corresponding countermeasures taken. Threat identification requires analysing the root cause of an incident. Threat causes are many and fall roughly into two categories, human factors and environmental factors. The information resources of a power system are attractive enough to draw threats from anywhere in the world and across a vast virtual space; these threat causes have two aspects: the resources and skills possessed by the attacker, and the attractiveness of the information system itself. At present the information systems of organizations, enterprises and the like lack standardized management of information security and cannot objectively reflect the threats they face.
How to achieve index-based management of information security and objectively understand the threats faced by a target information system is therefore a technical problem that those skilled in the art need to solve.
Disclosure of Invention
The invention aims to provide a threat data processing method for an information system, which realizes index management of information security and can objectively know the threat faced by a target information system.
In order to solve the technical problems, the invention provides the following technical scheme:
a threat data processing method for an information system, comprising:
mapping the acquired information security event into a potential threat index and an existing threat index;
carrying out threat frequency calculation on the existing threat indexes, and assigning the frequency calculation result to a security domain threat index associated with the information security event;
according to a preset period, carrying out information acquisition and normalization on the potential threat indexes according to a preset threat source and associating the information acquisition and normalization into a threat tuple;
indexing each threat element in a log of a target information system, calculating the occurrence probability of each tuple according to an exponential calculation method by using the threat tuple, and assigning and mapping the threat tuple to a threat value;
and generating a corresponding data model according to the security domain threat index and the threat value so as to evaluate the security of the information system.
Preferably, the performing threat frequency calculation on the existing threat indicators and assigning the result of the frequency calculation to the security domain threat indicators associated with the information security events includes:
acquiring the threat category of the existing threat index;
calculating a corresponding security threat index according to the frequency of each type of threat corresponding to the existing threat index;
and calculating an arithmetic mean value of each security threat index, and recording the arithmetic mean value as a security domain threat index associated with the information security event.
Preferably, the acquiring, normalizing and associating the information of the potential threat indicators into a threat tuple according to a preset threat source according to a preset period includes:
according to a preset period, carrying out information acquisition and normalization on the potential threat indexes according to preset national standards, industrial standards, group systems, industrial threat information and risk assessment;
and combing and classifying all threat elements and forming a threat tuple according with the current state of the target information system.
Preferably, the combing, classifying, clipping and forming a threat tuple according with the current state of the target information system, includes:
and combing all threat elements, and dividing the threat elements into a compliance audit class, a threat attack class, a Trojan horse virus class, a threshold value alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
Preferably, the indexing each threat element in the log of the target information system, calculating the occurrence probability of each tuple according to an exponential calculation method for the threat tuples, and assigning and mapping the threat tuples to a threat value includes:
indexing the threat factors to obtain tuples to which the threat factors belong;
calculating the threat degree of each tuple through an arc tangent function algorithm;
and assigning values to the threat degrees and mapping the threat degrees to corresponding threat values.
Preferably, the mapping the obtained information security event into a potential threat indicator and an existing threat indicator includes:
acquiring a plurality of events from the logs after the target information system is normalized;
auditing each event, and judging whether each event is a threat index event;
judging the threat index event passing the audit as an information security event;
and establishing mapping from the event to the threat, and mapping the information security event into a potential threat index and an existing threat index.
Preferably, the generating a corresponding data model according to the security domain threat indicators and the threat values for evaluating the security of the information system includes:
calculating a threat index for the information system, the threat index being an arithmetic mean of threat values for each of the tuples of the threat tuples;
the arithmetic mean and the security domain threat indicators are represented by a dashboard.
Preferably, the generating a corresponding data model according to the security domain threat indicators and the threat values to evaluate the security of the information system further includes:
and establishing a radar graph model, and displaying the threat value of each tuple of the threat multiple tuples.
Preferably, the generating a corresponding data model according to the security domain threat indicators and the threat values to evaluate the security of the information system further includes:
and establishing a pareto chart model, and displaying the threat value of each tuple of the threat multiple tuples.
Compared with the prior art, the technical scheme has the following advantages:
the threat data processing method for an information system provided by the embodiment of the invention comprises the following steps: mapping the acquired information security event into a potential threat index and an existing threat index; carrying out threat frequency calculation on the existing threat indexes, and assigning the frequency calculation result to a security domain threat index associated with the information security event; according to a preset period, carrying out information acquisition, normalization and association on potential threat indexes into a threat tuple according to a preset threat source; indexing each threat element in the log of the target information system, calculating the occurrence probability of each tuple according to an exponential calculation method by using the threat tuples, and assigning and mapping the threat tuples into threat values; and generating a corresponding data model according to the security domain threat index and the threat value so as to evaluate the security of the information system. In this technical scheme, the information security event is mapped into existing threat indexes, which have already occurred, and potential threat indexes, which have not yet occurred, and the corresponding security domain threat indexes are obtained from the calculated occurrence frequency of the existing threat indexes; meanwhile, operations such as information acquisition and normalization are carried out on the potential threat indexes according to the threat sources, the results are associated into threat tuples, and the occurrence probability of each tuple in the threat tuples is calculated, where one tuple represents one type of threat element, so that the threat value corresponding to each tuple of the potential threat indexes is obtained.
And generating a corresponding data model according to the security domain threat index and the threat value so that a user can visually observe the probability of possible occurrence of various threats in the information security event, and objectively evaluating the threats faced by the information system by the threat data so as to facilitate the user to maintain and safely prevent the information system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a threat data processing method for an information system according to an embodiment of the invention;
FIG. 2 is a schematic diagram of an arctangent function for calculating the threat level according to an embodiment of the present invention.
Detailed Description
The core of the invention is to provide a threat data processing method for an information system, which realizes the index management of information security and can objectively know the threat faced by a target information system.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
In the following description, specific details are set forth in order to provide a thorough understanding of the present invention. The invention can be implemented in a number of ways different from those described herein and similar generalizations can be made by those skilled in the art without departing from the spirit of the invention. Therefore, the present invention is not limited to the specific embodiments disclosed below.
Referring to fig. 1, fig. 1 is a flowchart illustrating a threat data processing method for an information system according to an embodiment of the present invention.
A specific embodiment of the present invention provides a threat data processing method for an information system, including:
S11: Map the acquired information security event into a potential threat index and an existing threat index.
In this embodiment, mapping the obtained information security event into a potential threat indicator and an existing threat indicator includes: acquiring a plurality of events from the logs after normalization by the target information system; auditing each event and judging whether it is a threat index event; judging the threat index events that pass the audit to be information security events; and establishing a mapping from event to threat, and mapping the information security event into a potential threat index and an existing threat index.
The primary source of threats is attack events. When no attack event exists in the network the threat index is still not 0, because threat assignment also refers to 4 threat elements: hotspot threat early-warning reports issued by national authorities; authoritative, recognized threat intelligence sources; major incident information released by the group company; and risk assessments and penetration test reports from third-party institutions. Thus, when an attack event exists in the network, information security events can be mapped into existing threat indicators and potential threat indicators; when there is no attack event in the network, information security events can be mapped only to potential threat indicators.
The precondition for referring to the threat elements in threat assignment is threat element extraction, which proceeds as follows:
1. Extract the threat elements and format them into threat factors;
2. Index the threat factors and the information security events separately so as to ease classification and analysis of threats. Attack events of the same type may occur between different source addresses and different destination addresses, but the same attack event can be extracted by modeling, so the frequency of each threat factor can be obtained by pattern matching;
3. Through threat modeling, obtain the impact of the information security event (the threat degree of the attack event), combine it with the outbreak frequency of the factor, and calculate the threat degree of each factor (that is, convert the threat occurrence frequency and level into a threat value of 0-5 according to a preset model);
4. Taking the security domain as the unit, compute the arithmetic mean of the address threat values within the domain to obtain the threat index value of the security domain.
S12: Perform threat frequency calculation on the existing threat indicators and assign the result to the security domain threat indicators associated with the information security events.
For the existing threat indicators, the frequency of the threats (attack events) is calculated and the result is assigned to the associated security domain threat indicators.
In one embodiment of the present invention, performing threat frequency calculation on an existing threat indicator, and assigning a result of the frequency calculation to a security domain threat indicator associated with an information security event, includes: acquiring the threat category of the existing threat index; calculating a corresponding security threat index according to the frequency of each type of threat corresponding to the existing threat index; and calculating the arithmetic mean value of each security threat index, and recording as the security domain threat index associated with the information security event.
Threat valuation is the quantitative characterization of a threat. The basis of threat assignment is counting the frequency with which the various threats occur. The purpose of threat classification is to translate abstract, qualitative threat descriptions into threat values that can be analysed quantitatively. Threat identification requires comprehensive consideration of three aspects: history, i.e. statistics of the threats and their frequency recorded in previous security incident reports; on-site evidence, i.e. threats and their frequency found through detection tools and logs; and authoritative releases, i.e. threat reports issued by international and domestic authorities and by the group company.
In this embodiment, threats are preferably assigned values in a hierarchical manner, and a threat assignment table is defined, shown as table 1:
table 1 threat assignment table
(table reproduced only as an image in the source)
S13: According to a preset period, acquire, normalize and associate the potential threat indicators into a threat tuple according to a preset threat source.
In an embodiment of the present invention, according to a preset period, performing information acquisition, normalization and association on potential threat indicators according to a preset threat source to form a threat tuple includes: according to a preset period, such as a quarter or a year, acquiring and normalizing information on the potential threat indicators according to preset adjustable inputs such as national standards, industry standards, group regulations, industry threat intelligence and risk assessments; and combing and classifying all threat elements to form a threat tuple that matches the current state of the target information system.
Information acquisition comprises regularly sorting the threat elements and formatting them, with a specific coding and a specific format, into a repository to form threat assessment factors; generating a threat factor list by a threat-tree pruning method and mapping the list into threat indicators; and data acquisition: threats come from events (after normalization), but not all events are threats. In this embodiment an automated threat-indicator system is built in which an event-to-threat mapping is established. The data come from the normalized logs; the processed data can be selectively mapped into threats, and the resulting threat intelligence is persisted by a scheduled task run every five minutes. The security threat indicators are subdivided by threat type into threat indices, each of which has several characteristic indicators; typical ones are the frequency (count) of the threat and its severity level (information such as the threat source and the attack technique).
The threat degree is computed by an arctangent-function method, as shown in fig. 2: each audited threat index event is modeled by an arctangent function of two elements, the occurrence frequency and the level of the event, and as the occurrence frequency keeps increasing the threat degree approaches 'fatal' asymptotically. The arctangent function thus takes a level measure of the event and a frequency measure of the event.
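The frequency-and-level model of steps 2 to 4 and the arctangent saturation just described can be shown end to end. The following Python is an added example, not code from the patent or its assignees: it assumes a small event-to-class dictionary, a 1 to 5 event level scale, and the product level × frequency scaled by a constant k inside the arctangent, none of which the description specifies; constructed sample events stand in for a normalized log.

```python
import math
from collections import Counter

# Constructed dictionary (assumption): maps a normalized event type to one of the
# seven threat classes named in the description. Event types not listed here are
# treated as not being threat-index events and are skipped.
THREAT_CLASS = {
    "admin_login": "compliance_audit",
    "port_scan": "threat_attack",
    "privilege_escalation": "threat_attack",
    "trojan_c2": "trojan_virus",
    "cpu_threshold": "threshold_alarm",
    "service_crash": "fault_alarm",
    "backbone_link_down": "backbone_link_alarm",
    "entropy_alarm": "anomaly_detection",
}

# Constructed sample of audited, normalized events for one security domain:
# (event_type, level). The 1..5 level scale is an assumption.
DOMAIN_EVENTS = (
    [("port_scan", 2)] * 6
    + [("privilege_escalation", 4)]
    + [("admin_login", 1)] * 3
    + [("trojan_c2", 5)] * 2
    + [("unknown_noise", 1)]  # not a threat-index event, must be skipped
)


def threat_degree(level, frequency, k=0.05):
    """Arctangent model of the description: the degree grows with event level and
    occurrence frequency and saturates towards the 'fatal' ceiling of 5.
    The product level*frequency and the scale constant k are assumptions."""
    if frequency <= 0:
        return 0.0
    return 5.0 * (2.0 / math.pi) * math.atan(k * level * frequency)


def class_threat_values(events):
    """Index each event to its class, count the class frequency, keep the highest
    level seen, and map both through threat_degree to a 0-5 threat value."""
    freq = Counter()
    level = {}
    for event_type, lvl in events:
        cls = THREAT_CLASS.get(event_type)
        if cls is None:
            continue
        freq[cls] += 1
        level[cls] = max(level.get(cls, 0), lvl)
    return {cls: round(threat_degree(level[cls], n), 2) for cls, n in freq.items()}


def security_domain_index(values):
    """Step 4 / S12: arithmetic mean of the class threat values in the domain."""
    if not values:
        return 0.0
    return round(sum(values.values()) / len(values), 2)


if __name__ == "__main__":
    values = class_threat_values(DOMAIN_EVENTS)
    for cls, v in sorted(values.items(), key=lambda kv: -kv[1]):
        print(f"{cls:22s} {v:4.2f}")
    print("security domain threat index:", security_domain_index(values))
```

The saturation is the point of the arctangent choice: a class whose frequency keeps climbing approaches the ceiling of 5 but never crosses it, so a single noisy sensor cannot push the domain mean past the 'fatal' band on its own.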
Further, combing, classifying and pruning all threat elements to form a threat tuple that matches the current state of the target information system comprises: combing all threat elements and dividing them into a compliance audit class, a threat attack class, a Trojan horse virus class, a threshold alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
The threat source tree is pruned according to actual needs, the prominent threats are refined, and the threats are combed into the following result:
Compliance audit class: the purpose of an information security compliance audit is to disclose and check non-compliant behaviour of the audited system and to prompt business operations to meet the audit requirements of the information security policy, the internal control system and the like. The information security compliance audit class collects statistics on logins to security devices, the login time and address of server accounts, logins to switches, operations performed, and so on. The related threat elements can be added flexibly according to the events that actually occur and the latest intelligence.
Threat attack class: a threat is a danger to the confidentiality, integrity, availability or legitimate use of a resource posed by some person, thing, event or concept. Apart from the broad category and the event content, this class takes the narrow perspective of attack and intrusion as its theme, uniformly organizing the stages of a hacker attack such as security scanning, vulnerability exploitation and system privilege escalation, and so summarizes the information security attack and defence alarms. The related threat elements can be added flexibly according to the events that actually occur and the latest intelligence.
Trojan horse virus class: monitors and alarms on Trojan remote control, botnet attacks, virus alarms, worm attacks and the like; elements can be added flexibly according to the events that actually occur.
Threshold alarm class: determines when a monitored indicator exceeds its normal value and rests mainly on baseline establishment and maintenance procedures, for example: CPU threshold alarm, virus early-warning upper threshold, mailbox system event upper threshold, WAN acceleration device log upper threshold, switch CPU exceeding the CPCAR value, switch ARPMISS rate exceeding its limit, anti-virus system log lower threshold, WEB security protection system log count lower threshold, firewall log count upper threshold, IPS log count lower threshold, and so on; elements can be added flexibly according to the events that actually occur.
Fault alarm class: comprises any fault that affects service use and the normal operation of the system, such as system crashes and software or hardware faults; elements can be added flexibly according to the events that actually occur.
Backbone link alarm class: the failure of a routing or switching device on a backbone link often interrupts the whole network, and the severity of such an interruption is fatal, so it is classified separately and warned about in real time; elements can be added flexibly according to the events that actually occur.
Anomaly detection class: also known as deviation detection, because the attribute values of an anomalous object deviate significantly from the expected or common attribute values.
Anomaly detection, also called exception mining, is divided into three categories:
1. Never-occurred log anomaly class
When the data are trained, they are divided into events that have already been audited and events that have not. Events that have not been audited have never occurred under normal circumstances, which means such data are unlikely to appear in normal operation; once such an event does occur, it must be analysed and investigated carefully. This embodiment lists and monitors the never-occurred log anomaly class as one type of threat element.
2. Log entropy anomaly class
Any piece of information contains redundancy, the amount of which is related to the probability of occurrence, or uncertainty, of each symbol (number, letter or word) in the information. The average amount of information once redundancy is excluded is called information entropy, a measure of the degree of order of a system. The system computes the entropy of the reported IP addresses of the massive security events collected within a period of time to obtain the change in aggregation degree of the reported addresses, so as to depict the security state of the network the events belong to within that period and to predict the overall security trend for the next step.
The system continuously tracks the address entropy situation curve and displays the address situation cause graph for each time interval. Through pattern analysis of three typical situation cause graphs it identifies two typical situation anomalies, supports layer-by-layer drill-down into the anomalous situation information until the key security event causing the anomaly is located, and lists entropy alarms that exceed the confidence interval as anomaly detection alarms.
3. Hotspot aggregation anomaly class
A hotspot is defined where the occurrence frequency of events in a certain area is significantly higher or lower than the normal frequency; the hotspots of interest here are small areas with a high concentration of event occurrences. Hotspot analysis allows effective regression analysis and prospective prediction of events and helps researchers draw scientific conclusions.
In this embodiment a clustering algorithm continuously clusters events along 5 dimensions (vectors), the source IP, destination IP, asset type, event level and event count, into three groups, terminal, network and application, to find the event hotspots of the current period, so that real-time macroscopic analysis of a large number of events is achieved.
Furthermore, the event hotspots are displayed dynamically on the group targets; selecting a hotspot retrieves at the same time the related security events that produced it. Hotspot alarm information exceeding the confidence interval is classified into the anomaly detection class.
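The never-occurred and log-entropy classes above can both be expressed over a window of normalized events. The Python below is an added example and not the patent's own implementation; it assumes Shannon entropy in bits over the reported addresses of each window, a confidence interval of mean ± 2 standard deviations of the baseline windows, and constructed address and event-type samples.

```python
import math
from collections import Counter

# Constructed data (assumption). Reported IP addresses per time window: the four
# baseline windows are the audited history, the three later windows are the
# period under examination. Addresses are private/documentation ranges.
NORMAL_IPS = ["10.0.0.%d" % i for i in range(1, 9)]
BASELINE_WINDOWS = {
    "t1": NORMAL_IPS * 2,
    "t2": NORMAL_IPS * 3,
    "t3": NORMAL_IPS + NORMAL_IPS[:4],
    "t4": NORMAL_IPS * 2 + ["10.0.0.1"],
}
CURRENT_WINDOWS = {
    "t5": NORMAL_IPS * 2,                                         # ordinary spread
    "t6": ["10.0.0.5"] * 20 + NORMAL_IPS,                         # reports pile onto one host
    "t7": NORMAL_IPS + ["192.0.2.%d" % i for i in range(1, 9)],  # reports scatter widely
}

# Constructed event types: the audited history versus the types seen now.
AUDITED_EVENT_TYPES = {"login_failed", "port_scan", "virus_alert", "cpu_threshold"}
CURRENT_EVENT_TYPES = ["port_scan", "firmware_rollback", "login_failed", "firmware_rollback"]


def never_seen_events(audited_types, current_types):
    """Class 1: event types absent from the audited history; each one is an alarm."""
    return sorted({t for t in current_types if t not in audited_types})


def address_entropy(ips):
    """Shannon entropy (bits) of the reported addresses in one window. Low entropy
    means reports concentrate on few addresses; high entropy means they scatter."""
    n = len(ips)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(ips).values())


def confidence_interval(entropies, z=2.0):
    """mean +/- z population standard deviations of the baseline entropies.
    The choice of z is an assumption; the description only says 'confidence interval'."""
    m = sum(entropies) / len(entropies)
    sd = math.sqrt(sum((e - m) ** 2 for e in entropies) / len(entropies))
    return m - z * sd, m + z * sd


def entropy_alarms(baseline_windows, current_windows, z=2.0):
    """Class 2: windows whose address entropy leaves the baseline confidence interval.
    Returns (window, entropy, 'concentrated' | 'dispersed') for each alarm."""
    lo, hi = confidence_interval([address_entropy(v) for v in baseline_windows.values()], z)
    alarms = []
    for name, ips in current_windows.items():
        h = address_entropy(ips)
        if h < lo:
            alarms.append((name, round(h, 3), "concentrated"))
        elif h > hi:
            alarms.append((name, round(h, 3), "dispersed"))
    return alarms


def run_anomaly_detection():
    """Collect both anomaly types as entries for the anomaly-detection threat class."""
    return {
        "never_seen": never_seen_events(AUDITED_EVENT_TYPES, CURRENT_EVENT_TYPES),
        "entropy": entropy_alarms(BASELINE_WINDOWS, CURRENT_WINDOWS),
    }


if __name__ == "__main__":
    for kind, hits in run_anomaly_detection().items():
        print(kind, hits)
```

Both directions are alarmed: a window whose reports collapse onto one address (concentration) and one whose reports spread over many new addresses (dispersion), which matches the two typical situation anomalies the description identifies; the drill-down to the causing events is then a lookup of that window's raw records.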
S14: Index each threat element in the log of the target information system, calculate the occurrence probability of each tuple from the threat multi-tuple by the exponential calculation method, and assign and map the threat multi-tuple into threat values.
In this embodiment, indexing each threat element in the log of the target information system, calculating the occurrence probability of each tuple according to an exponential calculation method for the threat tuples, and assigning and mapping the threat tuples to threat values includes: indexing the threat factors to obtain the tuple each belongs to; calculating the threat degree of each tuple through the arctangent function algorithm; and assigning values to the threat degrees and mapping them into the corresponding threat values.
As described in the above embodiment, a set of dynamic multi-dimensional threat index system is established, and the current threat cause can be identified by a pareto analysis method, so that the key threat factors are analyzed from macro to mesoscopic and then to microscopic until the key security event causing the abnormal threat situation is located.
In this embodiment, a standard is established for threat indicator assessment, as shown in table 2:
TABLE 2 evaluation criteria for threat indicators
(table reproduced only as an image in the source)
In this embodiment, the 7 indicators in table 2 are used as example tuples; each secondary indicator can be adjusted, added or deleted regularly in a real environment so as to better fit information security management.
To facilitate event classification for threat modeling, a threat indicator classification dictionary is also established in this embodiment, as shown in table 3:
TABLE 3 threat indicator classification dictionary
(table reproduced only as images in the source)
The purpose of table 3 is mainly to show the normalized classification of the logs as the event classification correspondence used for threat modeling.
In this embodiment a practical description of the threat index system is also given. Based on the index system computed by the multi-tuple automated threat indexing, the threat index equals the arithmetic mean of the various threats; that is, the overall security threat index is computed from the threat value mapped from each threat degree:
(formula shown only as an image in the source: the threat index is the arithmetic mean of the T_i, i.e. the sum of T_1 through T_n divided by n)
where n is the number of threat categories in the multi-tuple, i refers to the event level, and T_i is the threat value of T for level-i events.
S15: generating a corresponding data model according to the security domain threat index and the threat values, so as to evaluate the security of the information system.
In one embodiment of the present invention, generating a corresponding data model from the security domain threat index and the threat values to evaluate the security of the information system includes: calculating a threat index of the information system, where the threat index is the arithmetic mean of the threat values of the tuples in the threat tuples; and establishing an instrument graph (gauge chart) model that presents the arithmetic mean and the security domain threat index, so as to evaluate the security of the information system. A radar graph model is further established to display the threat value of each tuple of the threat tuples, and a Pareto chart model is established to display the threat values of all the threat tuples, both also serving to evaluate the security of the information system.
In this embodiment, so that the user can intuitively understand the threats faced by the information system, the threats are presented with an instrument graph, a radar graph and a Pareto chart. In the Pareto chart, the different data types are arranged in descending order of frequency and a cumulative percentage curve is drawn in the same chart; the quantized threat values form the base data array of the Pareto chart. For threat types, the change in each index can be seen clearly in the radar graph; for the overall security threat index, the instrument graph reflects the change in the threat index over the last half hour; and the Pareto chart, with the classes arranged in descending order of threat level and the cumulative percentage drawn in the same chart, embodies the Pareto principle: the vast majority of the data falls in a few categories, while very little remaining data is scattered over most categories.
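The quantification pipeline described above (an arctangent threat degree per tuple, mapping to threat values, the arithmetic-mean threat index, the per-security-domain index, and the descending-order Pareto table with cumulative percentages) as an added Python example; this is not code from the patent. The patent does not give the exact arctangent form, the value scale or any sample data, so the (2/π)·atan(f/scale) mapping, the 0..100 value range, averaging the domain index over the categories observed in that domain, and the constructed log events are all assumptions made for this example.

```python
"""Added worked example (not the patent's code): arctangent threat degrees,
arithmetic-mean threat indexes and Pareto ordering over constructed events."""
import math
from collections import Counter, defaultdict

# The seven example tuples (threat categories) listed in claim 3.
CATEGORIES = (
    "compliance_audit", "threat_attack", "trojan_virus", "threshold_alarm",
    "fault_alarm", "backbone_link_alarm", "anomaly_detection",
)

# Constructed, already-normalized log events: (security_domain, category).
# Domain names and counts are invented for this example.
SAMPLE_EVENTS = (
    [("dmz", "threat_attack")] * 40
    + [("dmz", "trojan_virus")] * 15
    + [("office", "compliance_audit")] * 6
    + [("office", "threshold_alarm")] * 3
    + [("office", "anomaly_detection")] * 2
    + [("core", "fault_alarm")] * 1
)


def threat_degree(frequency, scale=10.0):
    """Map a non-negative event frequency to a threat degree in [0, 1).

    Assumed form of the patent's "arc tangent function algorithm":
    degree = (2/pi) * atan(frequency / scale).  The arctangent saturates,
    so a flood of events cannot push the degree past 1 and one noisy
    category cannot dominate the mean without bound.
    """
    if frequency < 0:
        raise ValueError("frequency must be non-negative")
    return (2.0 / math.pi) * math.atan(frequency / scale)


def threat_value(degree, value_max=100):
    """Assign a degree in [0, 1) to an integer threat value on an assumed 0..value_max scale."""
    return round(degree * value_max)


def tuple_threat_values(events, categories=CATEGORIES):
    """Count events per tuple (category) and map each count to a threat value.

    Categories with no events still appear, with value 0, so the index
    reflects the whole index system rather than only what happened to fire.
    """
    counts = Counter(cat for _, cat in events)
    return {cat: threat_value(threat_degree(counts.get(cat, 0))) for cat in categories}


def threat_index(values):
    """Overall threat index: the arithmetic mean of the tuple threat values."""
    if not values:
        raise ValueError("no threat values to average")
    return sum(values.values()) / len(values)


def domain_threat_index(events):
    """Security-domain threat index: mean of the category values seen in each domain (assumed scope)."""
    per_domain = defaultdict(list)
    for domain, cat in events:
        per_domain[domain].append(cat)
    result = {}
    for domain, cats in per_domain.items():
        observed = sorted(set(cats))
        result[domain] = threat_index(tuple_threat_values([(domain, c) for c in cats], observed))
    return result


def pareto_table(values, threshold=0.8):
    """Order tuples by descending threat value and attach cumulative percentages.

    Returns rows of (category, value, cumulative_pct, is_vital).  is_vital marks
    the "vital few" categories needed to reach `threshold` of the total, which
    is what the Pareto chart is meant to expose to the analyst.
    """
    total = sum(values.values())
    rows, running = [], 0
    for cat, val in sorted(values.items(), key=lambda kv: (-kv[1], kv[0])):
        vital = total > 0 and running / total < threshold
        running += val
        cum = running / total if total else 0.0
        rows.append((cat, val, round(cum * 100, 1), vital))
    return rows


if __name__ == "__main__":
    values = tuple_threat_values(SAMPLE_EVENTS)
    print("threat index:", round(threat_index(values), 2))
    print("domain indexes:", domain_threat_index(SAMPLE_EVENTS))
    for cat, val, cum, vital in pareto_table(values):
        print(f"{cat:20s} {val:4d} {cum:6.1f}% {'*' if vital else ''}")
```

With the constructed events the Pareto table puts the first three categories (threat attack, Trojan virus, compliance audit) above the 80% line, which is the "vital few" an analyst would drill into first; the saturating arctangent is what keeps the 40-event attack category from swamping the mean.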
In summary, the threat data processing method for an information system provided by the invention maps information security events into potential threat indexes and existing threat indexes; for the existing threat indexes a frequency calculation is performed on the threats and the result is assigned to the associated asset threat index. Threats that have not yet occurred are collected and normalized in a given time period from adjustable information such as national standards, industry standards, group company regulations, industry threat intelligence and risk assessments, and associated into threat tuples; the occurrence probability of each tuple is calculated from the tuple threat indexes by an exponential calculation method, and finally the threat degree of each system is calculated by a specific algorithm. A corresponding data model is generated from the security domain threat index and the threat values so that the user can visually observe the probability of each threat in the information security events occurring, and the threats faced by the information system are evaluated objectively from the threat data, helping the user to maintain the information system and take security precautions.
The threat data processing method for an information system provided by the invention has been described in detail above. The principles and embodiments of the invention are explained with specific examples, which are presented only to assist in understanding the invention and its core concepts. It should be noted that those skilled in the art can make various improvements and modifications to the invention without departing from its principle, and such improvements and modifications also fall within the scope of the claims.

Claims (7)

1. A threat data processing method for an information system, comprising:
mapping the acquired information security event into a potential threat index and an existing threat index;
carrying out threat frequency calculation on the existing threat index, and assigning the frequency calculation result to a security domain threat index associated with the information security event;
according to a preset period, carrying out information acquisition and normalization on the potential threat index according to a preset threat source, and associating the result into a threat tuple;
indexing each threat element in a log of a target information system, calculating the occurrence probability of each tuple from the threat tuples according to an exponential calculation method, and assigning and mapping the threat tuples to threat values;
generating a corresponding data model according to the security domain threat index and the threat values so as to evaluate the security of the information system;
wherein generating a corresponding data model according to the security domain threat index and the threat values to evaluate the security of the information system includes:
calculating a threat index for the information system, the threat index being the arithmetic mean of the threat values of the tuples of the threat tuples;
establishing an instrument graph model representing the arithmetic mean and the security domain threat index to evaluate the security of the information system;
wherein carrying out threat frequency calculation on the existing threat index and assigning the frequency calculation result to the security domain threat index associated with the information security event includes:
acquiring the threat category of the existing threat index;
calculating a corresponding security threat index according to the frequency of each type of threat corresponding to the existing threat index;
calculating the arithmetic mean of the security threat indexes, and recording it as the security domain threat index associated with the information security event;
wherein the assignment of the potential threat index refers to 4 threat elements, specifically including: hot-spot threat early-warning reports issued by national authorities; authoritative, recognized threat intelligence sources; major incident information released by group companies; and risk assessment and penetration test reports of third-party institutions;
wherein, before the potential threat index is assigned a value, the threat elements are extracted, the extraction process specifically including:
extracting and formatting the threat elements into threat factors;
indexing the threat factors and the information security events respectively;
acquiring the influence degree of the information security events through threat modeling, combining it with the factor outbreak frequency, and calculating the threat degree of each factor;
and, taking the security domain as the unit, calculating the arithmetic mean of the address threat values within the domain to obtain the threat index value of the security domain.
2. The method of claim 1, wherein, according to a preset period, carrying out information acquisition and normalization on the potential threat index according to a preset threat source and associating the result into a threat tuple comprises:
according to a preset period, carrying out information acquisition and normalization on the potential threat index according to preset national standards, industry standards, group company regulations, industry threat intelligence and risk assessments;
and combing and classifying all threat elements, and forming threat tuples that conform to the current state of the target information system.
3. The method of claim 2, wherein combing, classifying and clipping the threat elements to form threat tuples that conform to the current state of the target information system comprises:
combing all threat elements and dividing them into a compliance audit class, a threat attack class, a Trojan horse virus class, a threshold alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
4. The method of claim 3, wherein indexing each threat element in the log of the target information system, calculating the occurrence probability of each tuple from the threat tuples according to an exponential calculation method, and assigning and mapping the threat tuples to threat values comprises:
indexing the threat factors to obtain the tuples to which the threat factors belong;
calculating the threat degree of each tuple through an arc tangent function algorithm;
and assigning values to the threat degrees and mapping the threat degrees to corresponding threat values.
5. The method of claim 1, wherein mapping the acquired information security event into a potential threat index and an existing threat index comprises:
acquiring a plurality of events from the normalized logs of the target information system;
auditing each event and judging whether it is a threat index event;
judging a threat index event that passes the audit to be an information security event;
and establishing a mapping from events to threats, and mapping the information security event into a potential threat index and an existing threat index.
6. The method of claim 1, wherein generating a corresponding data model according to the security domain threat index and the threat values to evaluate the security of the information system further comprises:
establishing a radar graph model, and displaying the threat values of the tuples of the threat tuples so as to evaluate the security of the information system.
7. The method of claim 6, wherein generating a corresponding data model according to the security domain threat index and the threat values to evaluate the security of the information system further comprises:
establishing a Pareto chart model, and displaying the threat value of each tuple of the threat tuples so as to evaluate the security of the information system.
CN201710418915.8A 2017-06-06 2017-06-06 Threat data processing method for information system Active CN107239707B (en)

Publications (2)

Publication Number Publication Date
CN107239707A CN107239707A (en) 2017-10-10
CN107239707B true CN107239707B (en) 2020-09-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20200507
Address after: No. 10, Huanghe East Road, Zhengdong New District, Zhengzhou City, Henan Province
Applicant after: State Power Investment Group Henan Electric Power Co., Ltd
Applicant after: TECHNOLOGY INFORMATION CENTER OF STATE POWER INVESTMENT CORPORATION HENAN POWER Co.,Ltd.
Address before: 450001 gas power plant, No. 100 Indus street, hi tech Development Zone, Henan, Zhengzhou
Applicant before: TECHNOLOGY INFORMATION CENTER OF STATE POWER INVESTMENT CORPORATION HENAN POWER Co.,Ltd.
GR01 Patent grant