Disclosure of Invention
The invention aims to provide a threat data processing method for an information system that implements indicator-based management of information security and gives an objective picture of the threats faced by a target information system.
In order to solve the technical problem, the invention provides the following technical scheme:
a threat data processing method for an information system, comprising:
mapping the acquired information security events into potential threat indicators and existing threat indicators;
calculating the threat frequency of the existing threat indicators, and assigning the result of the frequency calculation to the security domain threat index associated with the information security events;
according to a preset period, acquiring and normalizing information on the potential threat indicators from preset threat sources, and associating the result into a threat tuple;
indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat tuple by an index calculation method, and assigning and mapping each tuple to a threat value;
and generating a corresponding data model from the security domain threat index and the threat values, so as to evaluate the security of the information system.
Preferably, calculating the threat frequency of the existing threat indicators and assigning the result of the frequency calculation to the security domain threat index associated with the information security events includes:
acquiring the threat category of each existing threat indicator;
calculating a corresponding security threat index from the frequency of each category of threat under the existing threat indicators;
and calculating the arithmetic mean of the security threat indexes, and recording it as the security domain threat index associated with the information security events.
Preferably, acquiring and normalizing information on the potential threat indicators from preset threat sources according to a preset period, and associating the result into a threat tuple, includes:
according to the preset period, acquiring and normalizing information on the potential threat indicators from preset national standards, industry standards, group regulations, industry threat intelligence and risk assessments;
and sorting and classifying all threat elements, and forming a threat tuple that matches the current state of the target information system.
Preferably, sorting, classifying and pruning all threat elements to form a threat tuple that matches the current state of the target information system includes:
sorting all threat elements and dividing them into a compliance audit class, a threat attack class, a Trojan and virus class, a threshold alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
Preferably, indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat tuple by an index calculation method, and assigning and mapping each tuple to a threat value, includes:
indexing the threat factors to obtain the tuple to which each threat factor belongs;
calculating the threat degree of each tuple by an arctangent function algorithm;
and assigning values to the threat degrees and mapping them to the corresponding threat values.
Preferably, mapping the acquired information security events into potential threat indicators and existing threat indicators includes:
acquiring a plurality of events from the normalized logs of the target information system;
auditing each event and judging whether it is a threat indicator event;
treating each threat indicator event that passes the audit as an information security event;
and establishing a mapping from events to threats, and mapping the information security events into potential threat indicators and existing threat indicators.
Preferably, generating the corresponding data model from the security domain threat index and the threat values to evaluate the security of the information system includes:
calculating a threat index for the information system, the threat index being the arithmetic mean of the threat values of the tuples of the threat tuple;
and presenting the arithmetic mean and the security domain threat index on a dashboard gauge.
Preferably, generating the corresponding data model from the security domain threat index and the threat values to evaluate the security of the information system further includes:
establishing a radar chart model that displays the threat value of each tuple of the threat tuple.
Preferably, generating the corresponding data model from the security domain threat index and the threat values to evaluate the security of the information system further includes:
establishing a Pareto chart model that displays the threat value of each tuple of the threat tuple.
Compared with the prior art, the technical scheme has the following advantages:
The threat data processing method for an information system provided by the embodiment of the invention comprises the following steps: mapping the acquired information security events into potential threat indicators and existing threat indicators; calculating the threat frequency of the existing threat indicators and assigning the result of the frequency calculation to the security domain threat index associated with the information security events; according to a preset period, acquiring and normalizing information on the potential threat indicators from preset threat sources and associating the result into a threat tuple; indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat tuple by an index calculation method, and assigning and mapping each tuple to a threat value; and generating a corresponding data model from the security domain threat index and the threat values so as to evaluate the security of the information system.
In this scheme, the information security events are mapped into existing threat indicators (threats that have already occurred) and potential threat indicators (threats that have not yet occurred), and the corresponding security domain threat index is obtained from the calculated occurrence frequency of the existing threat indicators. In parallel, the potential threat indicators are collected and normalized from the threat sources and associated into a threat tuple, and the occurrence probability of each tuple in the threat tuple is calculated, where one tuple represents one class of threat elements; this yields the threat value corresponding to each tuple of the potential threat indicators.
A corresponding data model is then generated from the security domain threat index and the threat values, so that a user can visually observe the probability that the various threats in the information security events will occur, and the threats faced by the information system are evaluated objectively from the threat data, which helps the user to maintain and protect the information system.
Detailed Description
The core of the invention is to provide a threat data processing method for an information system that implements indicator-based management of information security and gives an objective picture of the threats faced by a target information system.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments are described in detail below with reference to the accompanying figures.
In the following description, specific details are set forth in order to provide a thorough understanding of the present invention. The invention can be implemented in many ways other than those described herein, and those skilled in the art can make similar generalizations without departing from the spirit of the invention. Therefore, the present invention is not limited to the specific embodiments disclosed below.
Referring to fig. 1, fig. 1 is a flowchart illustrating a threat data processing method for an information system according to an embodiment of the present invention.
A specific embodiment of the present invention provides a threat data processing method for an information system, including:
S11: mapping the acquired information security events into potential threat indicators and existing threat indicators.
In this embodiment, mapping the acquired information security events into potential threat indicators and existing threat indicators includes: acquiring a plurality of events from the normalized logs of the target information system; auditing each event and judging whether it is a threat indicator event; treating each threat indicator event that passes the audit as an information security event; and establishing a mapping from events to threats, and mapping the information security events into potential threat indicators and existing threat indicators.
The primary source of threats is attack events. Even when no attack event is present in the network, the threat indicator is not 0: four threat elements are consulted for threat assignment, namely hotspot threat early-warning reports issued by national authorities; authoritative, recognized threat intelligence sources; major incident information released by the group company; and risk assessments and penetration test reports from third-party institutions. Thus, when attack events are present in the network, information security events can be mapped into both existing threat indicators and potential threat indicators; when no attack event is present, information security events are mapped into potential threat indicators only.
Threat assignment with reference to the threat elements presupposes that the threat elements have been extracted. The extraction process comprises the following steps:
1. extracting the threat elements and formatting them into threat factors;
2. indexing the threat factors and the information security events separately so that threats can be classified and analyzed; attack events of the same type may occur between different source addresses and different destination addresses, but modeling extracts them as the same attack event, so the frequency of each threat factor can be obtained by pattern matching;
3. through threat modeling, obtaining the impact of each information security event (the threat degree of the attack event), combining it with the outbreak frequency of the factor, and calculating the threat degree of each factor, that is, converting the threat occurrence frequency and level into a threat value in the range 0-5 according to a preset model;
4. taking the security domain as the unit, calculating the arithmetic mean of the address threat values within the domain to obtain the threat index value of the security domain.
S12: calculating the threat frequency of the existing threat indicators, and assigning the result of the frequency calculation to the security domain threat index associated with the information security events.
For the existing threat indicators, the frequency of the threats (attack events) is calculated and the result is assigned to the associated security domain threat index.
In one embodiment of the present invention, calculating the threat frequency of the existing threat indicators and assigning the result to the security domain threat index associated with the information security events includes: acquiring the threat category of each existing threat indicator; calculating a corresponding security threat index from the frequency of each category of threat under the existing threat indicators; and calculating the arithmetic mean of the security threat indexes and recording it as the security domain threat index associated with the information security events.
Threat assignment is the quantitative characterization of a threat. Its basis is counting the frequency of occurrence of the various threats, and the purpose of threat classification is to translate abstract, qualitative threat descriptions into threat values that can be analyzed quantitatively. Threat identification has to consider three aspects together: history, that is, statistics of the threats and their frequencies recorded in previous security incident reports; on-site evidence, that is, threats and their frequencies found through detection tools and logs; and authoritative publications, that is, threat reports issued by international and domestic authorities and by the group company.
In this embodiment, threats are preferably assigned in a hierarchical manner, and a threat assignment table is defined for this purpose, as shown in table 1:
Table 1 Threat assignment table
S13: according to a preset period, acquiring and normalizing information on the potential threat indicators from preset threat sources, and associating the result into a threat tuple.
In an embodiment of the present invention, this step includes: according to a preset period, such as a quarter or a year, acquiring and normalizing information on the potential threat indicators from preset, adjustable sources such as national standards, industry standards, group regulations, industry threat intelligence and risk assessments; and sorting and classifying all threat elements to form a threat tuple that matches the current state of the target information system.
Information acquisition comprises regularly sorting the threat elements, formatting them with a specific coding and format, and storing them in a repository to form threat assessment factors; generating a threat factor list by pruning a threat tree, and mapping the threat factor list into threat indicators; and data acquisition: threats come from events (after normalization), but not all events are threats. In this embodiment an automated threat indicator system is established in which a mapping from events to threats is defined. The data is taken from the normalized logs, the processed data is selectively mapped into threats, and the resulting threat intelligence is persisted by a scheduled task that runs every five minutes. The security threat indexes are subdivided by threat type to form threat indicators, and each threat indicator has several characteristic sub-indicators, typically the frequency (count) of the threat and the severity level of the threat (including information such as the threat source and the attack technique).
The threat degree is calculated by an arctangent-function threat degree calculation method, as shown in fig. 2. Each audited threat indicator event is modeled by an arctangent function of two elements, the occurrence frequency of the event and its level; as the occurrence frequency of the event keeps increasing, the threat degree approaches the fatal level asymptotically. The arctangent function therefore takes a level measure of the event and a frequency measure of the event as its inputs.
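As an added illustration, not part of the patent text or of any product implementing it, the following Python sketch carries out the four factor-extraction steps listed under S11 together with the arctangent threat degree model just described: events are indexed to a threat factor by attack type and level irrespective of source and destination address, the factor frequency is counted, an arctangent of frequency and level is scaled onto the 0-5 threat value range so that it saturates toward 5 as the frequency grows, and the security domain threat index is the arithmetic mean of the per-address threat values in the domain. The field names, the event sample, the `scale` constant and the choice of combining several factors on one address by taking the maximum are all assumptions of the example; the patent does not specify them.

```python
import math
from collections import Counter, defaultdict

MAX_THREAT = 5.0  # threat values are mapped onto the 0-5 range used by the text

# Constructed sample of normalized log events; field names are hypothetical.
EVENTS = [
    {"src": "10.0.1.5",   "dst": "10.0.2.10", "domain": "DMZ",  "type": "port_scan",     "level": 2},
    {"src": "10.0.1.6",   "dst": "10.0.2.11", "domain": "DMZ",  "type": "port_scan",     "level": 2},
    {"src": "10.0.1.7",   "dst": "10.0.2.10", "domain": "DMZ",  "type": "port_scan",     "level": 2},
    {"src": "172.16.0.9", "dst": "10.0.2.10", "domain": "DMZ",  "type": "sql_injection", "level": 4},
    {"src": "10.0.3.2",   "dst": "10.0.4.7",  "domain": "CORE", "type": "brute_force",   "level": 3},
    {"src": "10.0.3.2",   "dst": "10.0.4.7",  "domain": "CORE", "type": "brute_force",   "level": 3},
    {"src": "10.0.3.8",   "dst": "10.0.4.9",  "domain": "CORE", "type": "worm",          "level": 5},
]


def threat_factor(event):
    """Steps 1-2: index an event to its threat factor. The same attack type at the same
    level is one factor no matter which addresses it runs between."""
    return (event["type"], event["level"])


def factor_frequencies(events):
    """Step 2: frequency of each threat factor, obtained by matching events to factors."""
    return Counter(threat_factor(e) for e in events)


def threat_degree(frequency, level, scale=3.0):
    """Step 3: assumed arctangent model. (2/pi)*atan(x) rises from 0 toward 1, so the
    result climbs toward MAX_THREAT as frequency grows and never exceeds it; a higher
    level makes the curve steeper. `scale` is an assumed tuning constant."""
    if frequency <= 0:
        return 0.0
    return MAX_THREAT * (2.0 / math.pi) * math.atan(level * frequency / scale)


def address_threat_values(events):
    """Threat value per (domain, destination address). Several factors hitting one
    address are combined by taking the highest degree (an assumption of this example)."""
    freq = factor_frequencies(events)
    values = defaultdict(float)
    for e in events:
        degree = threat_degree(freq[threat_factor(e)], e["level"])
        key = (e["domain"], e["dst"])
        values[key] = max(values[key], degree)
    return dict(values)


def security_domain_threat_index(events):
    """Step 4: arithmetic mean of the address threat values inside each security domain."""
    per_domain = defaultdict(list)
    for (domain, _addr), value in address_threat_values(events).items():
        per_domain[domain].append(value)
    return {d: sum(v) / len(v) for d, v in per_domain.items()}


if __name__ == "__main__":
    for factor, n in factor_frequencies(EVENTS).items():
        print(f"{factor}: frequency={n}, degree={threat_degree(n, factor[1]):.2f}")
    print(security_domain_threat_index(EVENTS))
```

With the sample above, three level-2 port scans against two DMZ hosts already push both addresses to a degree of about 3.5, while a single level-5 worm event scores about 3.3: the model deliberately weighs repetition as heavily as severity, which is the behaviour the text describes, and any real deployment would tune `scale` against its own incident history.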
Further, sorting, classifying and pruning all threat elements to form a threat tuple that matches the current state of the target information system includes: sorting all threat elements and dividing them into a compliance audit class, a threat attack class, a Trojan and virus class, a threshold alarm class, a fault alarm class, a backbone link alarm class and an anomaly detection class.
The threat source tree is pruned according to actual requirements, the prominent threats are refined, and the threats are sorted as follows:
Compliance audit class: the purpose of an information security compliance audit is to expose and check violations in the audited system and to push business operations to meet the audit requirements of the information security policy, the internal control system and so on. The compliance audit class collects statistics on logins to security devices, login times and addresses of server accounts, logins to and operations on switches, and the like. The related threat elements can be added flexibly according to the events that actually occur and the latest intelligence.
Threat attack class: a threat is the danger that a person, thing, event or concept poses to the confidentiality, integrity, availability or legitimate use of a resource. Apart from the top-level category and the event content, the threat attack class takes the narrow perspective of attack and intrusion as its theme, organizes the stages of a hacker attack such as security scanning, vulnerability exploitation and privilege escalation in a unified way, and summarizes information security attack and defense alarms. The related threat elements can be added flexibly according to the events that actually occur and the latest intelligence.
Trojan and virus class: monitors and raises alarms for Trojan remote control, botnet attacks, virus alarms, worm attacks and the like, and can be extended flexibly according to the events that actually occur.
Threshold alarm class: determines when a monitored indicator exceeds its normal value, and is based mainly on baseline establishment and maintenance procedures, for example: CPU threshold alarm, virus early-warning maximum threshold, mailbox system event maximum threshold, WAN acceleration device log maximum threshold, switch CPU exceeding the CPCAR value, switch ARP Miss rate exceeding its limit, anti-virus system log minimum threshold, web security protection system log count minimum threshold, firewall log count maximum threshold, IPS log count minimum threshold, and the like; it can be extended flexibly according to the events that actually occur.
Fault alarm class: comprises any fault that affects service use and normal operation of the system, such as system crashes and software or hardware faults, and can be extended flexibly according to the events that actually occur.
Backbone link alarm class: a failure of a routing or switching device on a backbone link often interrupts the whole network, and the severity of such an interruption is fatal, so these alarms are classified separately and raised in real time; the class can be extended flexibly according to the events that actually occur.
Anomaly detection class: also known as deviation detection, because the attribute values of an anomalous object deviate significantly from the expected or common attribute values.
Anomaly detection, also called exception mining, is divided into three categories:
1. Unseen log anomaly class
When training on the data, the events are divided into events that have already been audited and events that have not been audited. An event that has not been audited is one that has never occurred during normal operation, which means that such data is unlikely to appear under normal circumstances; once it does appear, it must be analyzed and investigated carefully. This embodiment lists and monitors the unseen log anomaly class as one type of threat element.
2. Log entropy anomaly class
Any piece of information contains redundancy, the amount of which is related to the probability of occurrence, or uncertainty, of each symbol (number, letter or word) in the information. The average amount of information after the redundancy is removed is called the information entropy, which is a measure of the degree of order of a system. The system calculates the entropy of the reporting IP addresses of the massive security events collected over a period of time, obtains the variation of the aggregation degree of the reporting IP addresses, uses it to depict the security state of the network to which the events belong during that period, and predicts the overall security trend of the next step.
The system continuously traces the address entropy situation curve and displays the address situation cause graph for each time interval. Two typical situation anomalies are identified by pattern analysis of three typical situation cause graphs, and anomalous situation information can be drilled down layer by layer until the key security event causing the anomaly is located. Entropy alarms outside the confidence interval are listed as anomaly detection alarms.
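The entropy-based detection described above, as an added worked example in Python that is not code from the patent or from any system implementing it: for each time window the Shannon entropy of the reporting source addresses is computed, a confidence band is fitted as mean plus or minus z standard deviations over a set of baseline windows, and windows whose entropy falls below the band (events concentrating on one address) or above it (addresses unusually dispersed) are raised as entropy alarms; a drill-down returns the addresses that dominate an anomalous window, which is the "key security event" the text wants located. The window contents, the bucket names, the baseline selection and z = 2 are constructed assumptions.

```python
import math
from collections import Counter


def _ips(n, prefix="10.0.0."):
    """Helper to build n distinct addresses for the constructed sample."""
    return [f"{prefix}{i}" for i in range(1, n + 1)]


# Constructed per-window lists of reporting source addresses (hypothetical 5-minute buckets).
WINDOWS = {
    "t0": _ips(8),
    "t1": _ips(7) + ["10.0.0.1"],
    "t2": _ips(6) + ["10.0.0.1", "10.0.0.2"],
    "t3": _ips(8),
    "t4": _ips(7) + ["10.0.0.3"],
    "t5": ["192.0.2.77"] * 12,          # one address floods the window: concentration
    "t6": _ips(16, "198.51.100."),      # many one-off addresses: dispersion
}
BASELINE = ["t0", "t1", "t2", "t3"]    # windows assumed to represent normal operation


def shannon_entropy(items):
    """Shannon entropy in bits of the symbol distribution in `items`."""
    n = len(items)
    if n == 0:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(items).values())
    return max(0.0, h)  # avoids a -0.0 result for a single-symbol window


def confidence_band(entropies, z=2.0):
    """Mean +/- z population standard deviations of the baseline entropies."""
    mean = sum(entropies) / len(entropies)
    std = math.sqrt(sum((h - mean) ** 2 for h in entropies) / len(entropies))
    return mean - z * std, mean + z * std


def detect_entropy_anomalies(windows, baseline_keys, z=2.0):
    """Return {window: (entropy, label)}; label is 'concentration', 'dispersion' or 'normal'."""
    lo, hi = confidence_band([shannon_entropy(windows[k]) for k in baseline_keys], z)
    result = {}
    for key, addresses in windows.items():
        h = shannon_entropy(addresses)
        if h < lo:
            label = "concentration"
        elif h > hi:
            label = "dispersion"
        else:
            label = "normal"
        result[key] = (round(h, 3), label)
    return result


def drill_down(windows, key, top=3):
    """Addresses contributing most to a window, i.e. the events behind the anomaly."""
    return Counter(windows[key]).most_common(top)


if __name__ == "__main__":
    for key, (h, label) in detect_entropy_anomalies(WINDOWS, BASELINE).items():
        print(f"{key}: H={h:.3f} {label}")
    print(drill_down(WINDOWS, "t5", top=1))
```

A flood from a single address drives the entropy to 0 and is flagged as a concentration anomaly, while a burst of sixteen unique sources (the shape of a distributed scan) is flagged as dispersion; both sides of the band matter, which is why the example keeps a two-sided interval rather than a single threshold.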
3. Hotspot aggregation anomaly class
A hotspot is a region in which the frequency of occurrence of events is significantly higher or lower than the normal frequency; the hotspots of interest here are small regions with a high concentration of event occurrences. Hotspot analysis supports effective regression analysis and forecasting of events and helps researchers draw scientific conclusions.
In this embodiment, a clustering algorithm continuously clusters events along 5 dimensions (vectors), namely source IP, destination IP, asset type, event level and event count, into three groups, terminal, network and application, to find the event hotspots of the current period, which provides real-time macroscopic analysis over a large number of events.
Furthermore, the event hotspots are displayed dynamically on the group targets, and selecting a hotspot retrieves the related security events that produced it. Hotspot alarm information outside the confidence interval is classified into the anomaly detection class.
S14: indexing each threat element in the logs of the target information system, calculating the occurrence probability of each tuple of the threat tuple by an index calculation method, and assigning and mapping each tuple to a threat value.
In this embodiment, this step includes: indexing the threat factors to obtain the tuple to which each threat factor belongs; calculating the threat degree of each tuple by an arctangent function algorithm; and assigning values to the threat degrees and mapping them to the corresponding threat values.
As described in the embodiment above, a dynamic, multi-dimensional threat indicator system is established. The current causes of threat can be identified by Pareto analysis, so that the key threat factors are analyzed from the macroscopic level through the mesoscopic level to the microscopic level, until the key security event causing the anomalous threat situation is located.
In this embodiment, a standard is established for threat indicator assessment, as shown in table 2:
Table 2 Evaluation criteria for threat indicators
In this embodiment, the 7 indicators in table 2 are used as example tuples; each secondary indicator can be adjusted, added or deleted regularly in the actual environment so as to adapt better to information security management.
To facilitate event classification for threat modeling, a threat indicator classification dictionary is also established in this embodiment, as shown in table 3:
Table 3 Threat indicator classification dictionary
Table 3 mainly illustrates the correspondence between the normalized classification of the logs and the event classification used for threat modeling.
In this embodiment, the threat indicator system is also described in practical terms. Based on the indicator system computed by the tuple-based automated threat index, the threat index equals the arithmetic mean of the threat values of the various threats, that is, the overall security threat index is calculated from the threat value mapped from each threat degree:
Threat index = (1/n) * (T_1 + T_2 + ... + T_n)
where n is the number of threat categories in the tuple, i denotes the event level, and T_i is the threat value of the threat T for events at level i.
S15: generating a corresponding data model from the security domain threat index and the threat values so as to evaluate the security of the information system.
In one embodiment of the present invention, this step includes: calculating a threat index for the information system, the threat index being the arithmetic mean of the threat values of the tuples of the threat tuple; establishing a dashboard gauge model that presents the arithmetic mean and the security domain threat index; establishing a radar chart model that displays the threat values of all tuples of the threat tuple; and establishing a Pareto chart model that displays the threat values of all tuples of the threat tuple, each of these serving to evaluate the security of the information system.
In this embodiment, to help the user understand the threats faced by the information system intuitively, the threats are described with a dashboard gauge, a radar chart and a Pareto chart. In the Pareto chart, the categories are arranged in descending order of frequency and a cumulative percentage curve is drawn in the same chart; the quantized threat values are the data in the base array of the Pareto chart. For threat types, the radar chart shows the change in each indicator clearly; for the overall security threat index, the gauge reflects the change of the threat index over the last half hour; and the Pareto chart, with categories arranged in descending order of threat level and a cumulative percentage curve in the same chart, embodies the Pareto principle: the vast majority of the data falls in a few categories, while the little remaining data is scattered over most of the categories.
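As an added example that is not from the patent, the following Python code computes the overall threat index of S15 as the arithmetic mean of the tuple threat values and builds the data behind the Pareto chart: the tuples sorted in descending order of threat value with a cumulative percentage column, plus the "vital few" tuples that together account for a chosen share of the total threat (80 % here, an assumption). The threat values assigned to the seven tuples are constructed for illustration.

```python
# Constructed threat values (0-5 scale) for the seven tuples named in the text; hypothetical.
TUPLE_THREAT_VALUES = {
    "compliance_audit": 1.2,
    "threat_attack": 4.1,
    "trojan_virus": 3.6,
    "threshold_alarm": 0.8,
    "fault_alarm": 1.5,
    "backbone_link_alarm": 0.4,
    "anomaly_detection": 2.4,
}


def overall_threat_index(values):
    """Arithmetic mean of the tuple threat values: the reading shown on the gauge."""
    return sum(values.values()) / len(values)


def pareto_rows(values):
    """Tuples in descending order of threat value with the cumulative percentage of the
    total threat, i.e. the bar heights and the cumulative curve of the Pareto chart."""
    total = sum(values.values())
    rows, running = [], 0.0
    for name, value in sorted(values.items(), key=lambda kv: kv[1], reverse=True):
        running += value
        rows.append({"tuple": name, "value": value,
                     "cum_pct": round(100.0 * running / total, 1)})
    return rows


def vital_few(values, share=0.8):
    """Leading tuples that together reach `share` of the total threat: where to focus first."""
    chosen = []
    for row in pareto_rows(values):
        chosen.append(row["tuple"])
        if row["cum_pct"] >= 100.0 * share:
            break
    return chosen


if __name__ == "__main__":
    print(f"overall threat index: {overall_threat_index(TUPLE_THREAT_VALUES):.2f}")
    for row in pareto_rows(TUPLE_THREAT_VALUES):
        print(f"{row['tuple']:<20} {row['value']:>4}  {row['cum_pct']:>6.1f}%")
    print("vital few:", vital_few(TUPLE_THREAT_VALUES))
```

Note that the gauge value (2.0 for the sample) hides the skew the Pareto rows expose: four of the seven tuples carry over 80 % of the threat, so an operator reading only the mean would under-react to the attack and Trojan classes.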
In summary, the threat data processing method for an information system provided by the invention maps the information security events into potential threat indicators and existing threat indicators; for the existing threat indicators, the frequency of the threats is calculated and the result is assigned to the associated security domain threat index. Threats that have not yet occurred are collected and normalized according to a certain period from adjustable sources such as national standards, industry standards, group regulations, industry threat intelligence and risk assessments, and associated into a threat tuple; the occurrence probability of each tuple is calculated from the tuple threat indicators by an index calculation method, and finally the threat degree of each system is calculated according to a specific algorithm. A corresponding data model is generated from the security domain threat index and the threat values, so that the user can visually observe the probability that the various threats in the information security events will occur and evaluate the threats faced by the information system objectively from the threat data, which helps the user to maintain and protect the information system.
The threat data processing method for an information system provided by the invention has been described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the present invention and its core concepts. It should be noted that those skilled in the art can make various improvements and modifications to the present invention without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present invention.