TWI835113B - System for executing task based on an analysis result of records for achieving device joint defense and method thereof - Google Patents


Info

Publication number
TWI835113B
Authority
TW
Taiwan
Prior art keywords
network node
module
maintenance
task
tasks
Application number
TW111113543A
Other languages
Chinese (zh)
Other versions
TW202340988A (en)
Inventor
顏章憲
Original Assignee
彰化商業銀行股份有限公司
Application filed by 彰化商業銀行股份有限公司
Priority to TW111113543A
Publication of TW202340988A
Application granted
Publication of TWI835113B

Abstract

A system for executing a task based on an analysis result of records for achieving device joint defense, and a method thereof, are provided. By analyzing the operation records of network nodes to select a corresponding maintenance task, and executing the selected maintenance task so that a network node carries out the corresponding operation plan, the system and method can analyze security events and implement protection effectively, and achieve automated joint defense of network devices.

Description

System and method for executing tasks based on record analysis results to achieve device joint defense

The present disclosure relates to a device joint defense system and method, and in particular to a system and method that executes tasks based on record analysis results to achieve device joint defense.

With the emergence of all kinds of new technology applications, attacker techniques are constantly being updated, and security vulnerabilities keep being disclosed in established technologies that have been in use for many years. Modern security personnel therefore face a huge volume of complex information, which also complicates protection mechanisms. For this reason, systems and software for Security Incident Event Management (SIEM) have emerged to help security personnel grasp the status of security incidents and make decisions.

However, most current security incident management systems and software focus on the retention of event logs, and the filter conditions and correlation rules they use are too rigid. As a result, what these systems provide to security personnel is merely neatly classified and tallied data, which is not enough to help them grasp security incidents and make decisions. Therefore, even when an enterprise invests in a large number of professional security personnel, their efficiency in responding to security incidents remains low, and the Time to Detect (TTD) and Time to Response (TTR) grow longer and longer, giving the attackers behind the incidents more and more time to establish their position. Under such conditions it is even less feasible to rely on security personnel to build an effective and reliable joint defense mechanism.

In summary, the prior art has long suffered from the problem of being unable to analyze security incidents automatically and carry out protection effectively, so improved technical means are needed to solve this problem.

In view of the prior art's inability to analyze security incidents automatically and carry out protection effectively, the present invention discloses a system and method for executing tasks based on record analysis results to achieve device joint defense. The disclosed system comprises at least: a task setting module for setting a plurality of maintenance tasks; an event monitoring module for reading operation records and analyzing them to obtain abnormal events; a threat analysis module for analyzing the abnormal events to select a maintenance task; and a task execution module for executing the selected maintenance task so that a first network node executes a corresponding first operation plan, and for receiving an operation report corresponding to the first network node and, when it determines from the operation report that a security problem exists, executing the selected maintenance task so that a second network node executes the first operation plan.

The disclosed method for executing tasks based on record analysis results to achieve device joint defense comprises at least the steps of: setting a plurality of maintenance tasks; reading operation records and analyzing them to obtain abnormal events; analyzing the abnormal events to select a maintenance task; executing the selected maintenance task so that a first network node executes a corresponding first operation plan; and receiving an operation report corresponding to the first network node and, when it is determined from the operation report that a security problem exists, executing the selected maintenance task so that a second network node executes the first operation plan.

The system and method disclosed above differ from the prior art in that the invention selects a corresponding maintenance task by analyzing the operation records of network nodes and executes the selected maintenance task so that the network nodes execute the corresponding operation plan, thereby establishing joint defense with the network nodes. This solves the problems of the prior art and achieves the technical effect of automating the joint defense of network devices.

100: computing device

110: task setting module

120: event monitoring module

130: intelligence collection module

150: threat analysis module

160: device communication module

170: task execution module

410: network node

411: computer

413: server

415: data circuit-terminating equipment (DCE)

490: mobile device

Step 210: Set maintenance tasks

Step 230: Read operation records and analyze them to obtain abnormal events

Step 240: Collect threat intelligence

Step 250: Analyze the abnormal events to select a maintenance task

Step 255: Analyze the threat intelligence to select a maintenance task

Step 261: Determine the risk level based on the abnormal event

Step 263: Select a mobile device according to the risk level and send a notification message to it

Step 265: Receive the confirmation message sent by the mobile device and execute the maintenance task corresponding to the confirmation message

Step 270: Execute the selected maintenance task so that the first network node executes the corresponding first operation plan

Step 271: Notify the third network node to execute the second operation plan on the first network node and receive the operation report generated by the third network node

Step 275: When the operation report indicates that a security problem exists, notify the first network node to execute the first operation plan

Step 280: Receive the operation report corresponding to the first network node and, when it indicates that a security problem exists, execute the selected maintenance task so that the second network node executes the first operation plan

Figure 1 is the system architecture diagram of the system for executing tasks based on record analysis results to achieve device joint defense according to the present invention.

Figure 2A is a flowchart of the method for executing tasks based on record analysis results to achieve device joint defense according to the present invention.

Figure 2B is a flowchart of an additional method for executing tasks based on record analysis results to achieve device joint defense according to the present invention.

Figure 2C is a flowchart of the method of analyzing threat intelligence to select and execute a corresponding task according to the present invention.

Figure 2D is a flowchart of the method of determining the risk level to select and notify a corresponding mobile device according to the present invention.

The features and embodiments of the present invention are described in detail below with reference to the drawings and examples. The content is sufficient to enable anyone skilled in the relevant art to readily understand the technical means the invention applies to solve the technical problem and to implement them accordingly, thereby realizing the effects the invention can achieve.

The present invention analyzes the operation records generated by the various network nodes on a network to determine the security situation and executes the corresponding maintenance task, so that the network nodes on the same network can conduct joint defense.

The network nodes referred to in the present invention may be data circuit-terminating equipment (DCE), such as access points, repeaters, hubs, bridges, switches, routers and modems, or data terminal equipment (DTE), such as computers, workstations and servers. Operation records include, but are not limited to, server logs, the firewall records of network nodes, antivirus software records, intrusion detection (IDS) records, intrusion prevention (IPS) records and the account login records of network terminals. Security situations can be defined by security personnel themselves: for each kind of security incident (such as an attempted intrusion of a device, a device that has been compromised, a device under attack, or a device infected with malware), security personnel can define the matching conditions of the corresponding security situation from the conditions that may arise when that incident occurs. Maintenance tasks include operation plans that adjust (add, modify or delete) settings, rules or policies, and may also include operation plans such as virus scanning, vulnerability scanning, or installing system or software updates, but the maintenance tasks of the present invention are not limited to these.

The operation of the system is first explained with reference to Figure 1, the system architecture diagram of the system for executing tasks based on record analysis results to achieve device joint defense according to the present invention. As shown in Figure 1, the system is deployed in a network environment and comprises a computing device 100 and network nodes 410. The computing device 100 contains a task setting module 110, an event monitoring module 120, a threat analysis module 150 and a task execution module 170, and may additionally contain an intelligence collection module 130 and a device communication module 160. It should be noted that the computing device 100 comprises a processing unit and a memory unit; the processing unit can execute one or a series of computer instructions stored in the memory unit to produce the modules described above. Each module is described further below.

The task setting module 110 is responsible for setting one or more maintenance tasks. Each maintenance task set by the task setting module 110 may contain one or more operation plans and may correspond to a security situation. It should be noted that the same operation plan may be contained in different maintenance tasks.

The task setting module 110 may provide a text-based or graphical user interface for setting maintenance tasks.

The event monitoring module 120 is responsible for reading one or more kinds of operation records generated by one or more network nodes 410. The event monitoring module 120 may read operation records stored in advance on a storage medium (not shown) of the computing device 100, or may connect to a particular network node 410 to download its operation records; for example, the event monitoring module 120 may download operation records through an application programming interface (API) provided by the network node 410, but the present invention is not limited to this.

The event monitoring module 120 can analyze the operation records it has read to obtain one or more abnormal events. More specifically, the event monitoring module 120 can perform correlation analysis, classification, statistics and other analysis operations on the various data in the operation records to determine whether an abnormal event is present in them. For example, if an operation record is a firewall record, it may contain the device identification data of the source and destination devices, the port number, the connection time and the operation result (allow or deny); if it is an account login record, it may contain the device identification data of the device logging in (and of the device being logged into), the login time, the login account and the operation result (login succeeded or refused); if it is a virus or vulnerability scan record, it may contain the device identification data of the scanned device, the scan time and the operation result (the vulnerabilities or viruses found, how they were handled and the outcome); and if it is an intrusion detection or prevention record, it may contain the device identification data of the source device, the source port number, the destination port number, the intrusion time and the intrusion behaviour. The event monitoring module 120 can correlate the times (connection time, login time, intrusion time) and the device identification data (source device and/or destination device) across the various operation records to perform correlation analysis, and can also tally the correlated device identification data (source and/or destination device), port numbers and operation results, and determine whether an abnormal event exists based on whether the statistic for each kind of data exceeds its corresponding statistical threshold. However, the way in which the event monitoring module 120 determines whether an abnormal event exists is not limited to the above.

In some embodiments, the event monitoring module 120 may also pre-process the operation records first, for example by text analysis, semantic analysis or conditional filtering, to remove data or messages unrelated to actual operation, such as prompts addressed to security personnel, and then perform correlation analysis, classification, statistics and other analysis operations on the pre-processed operation records, thereby improving the accuracy with which abnormal events are identified.

When the event monitoring module 120 obtains an abnormal event, it may also obtain the risk level of that abnormal event. For example, the event monitoring module 120 may establish the risk levels of the various abnormal events in advance, so that when it determines that an abnormal event exists it can read out the risk level of the abnormal event it has identified, but the present invention is not limited to this.
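The correlation-and-threshold analysis described above for the event monitoring module 120, together with the pre-processing step and the pre-established risk levels of the two preceding paragraphs, as an added example in Python (not code from the patent). The record layout, the five-minute window, the thresholds, the noise markers and the risk levels are assumptions chosen for the example, and the input records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample operation records from three sources (firewall, account
# login, intrusion detection). Field names are assumptions for this example.
RECORDS = [
    {"type": "firewall", "time": "2024-01-01T10:00:01", "src": "10.0.0.5",
     "dst": "10.0.1.20", "port": 22, "result": "deny"},
    {"type": "firewall", "time": "2024-01-01T10:00:40", "src": "10.0.0.5",
     "dst": "10.0.1.21", "port": 22, "result": "deny"},
    {"type": "firewall", "time": "2024-01-01T10:01:15", "src": "10.0.0.5",
     "dst": "10.0.1.22", "port": 22, "result": "deny"},
    {"type": "firewall", "time": "2024-01-01T10:02:00", "src": "10.0.0.9",
     "dst": "10.0.1.20", "port": 443, "result": "allow"},
    {"type": "ids", "time": "2024-01-01T10:01:20", "src": "10.0.0.5",
     "dst": "10.0.1.22", "port": 22, "behavior": "ssh brute force"},
    {"type": "login", "time": "2024-01-01T10:03:00", "src": "10.0.0.7",
     "dst": "10.0.1.30", "account": "admin", "result": "fail"},
    {"type": "login", "time": "2024-01-01T10:03:30", "src": "10.0.0.7",
     "dst": "10.0.1.30", "account": "admin", "result": "fail"},
    # An informational IDS line that is only a prompt to the operator; the
    # pre-processing step must drop it, or it would count as an IDS hit.
    {"type": "ids", "time": "2024-01-01T10:03:40", "src": "10.0.0.7",
     "dst": "10.0.1.30", "port": 0, "behavior": "",
     "msg": "Please see the documentation to update the signature set"},
]

# Phrases that mark operator prompts with no operational content (assumed).
NOISE_MARKERS = ("please see the documentation", "please contact")

# Correlation window, per-statistic thresholds and pre-established risk
# levels (all assumed values).
WINDOW = timedelta(minutes=5)
THRESHOLDS = {"firewall_deny": 3, "login_fail": 3, "ids_hit": 1}
RISK_LEVELS = {"firewall_deny": 2, "login_fail": 2, "ids_hit": 3}


def preprocess(records):
    """Conditional filtering: drop records that are only prompts to staff."""
    return [r for r in records
            if not any(m in r.get("msg", "").lower() for m in NOISE_MARKERS)]


def statistic_for(record):
    """Map a record to the statistic it contributes to, or None when it does
    not contribute (for example an allowed firewall connection)."""
    kind = record["type"]
    if kind == "firewall" and record["result"] == "deny":
        return "firewall_deny"
    if kind == "login" and record["result"] == "fail":
        return "login_fail"
    if kind == "ids":
        return "ids_hit"
    return None


def detect_abnormal_events(records):
    """Correlate records by source device and time, tally each statistic in
    a sliding window, and flag an abnormal event when a tally reaches its
    threshold. Each flagged event carries its pre-established risk level."""
    buckets = defaultdict(list)  # (source device, statistic) -> timestamps
    for rec in preprocess(records):
        stat = statistic_for(rec)
        if stat is not None:
            buckets[(rec["src"], stat)].append(datetime.fromisoformat(rec["time"]))

    events = []
    for (src, stat), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most WINDOW.
            while times[end] - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= THRESHOLDS[stat]:
                events.append({"src": src, "event": stat, "count": count,
                               "first": times[start].isoformat(),
                               "last": times[end].isoformat(),
                               "risk_level": RISK_LEVELS[stat]})
                break  # report one abnormal event per (device, statistic)
    return events


if __name__ == "__main__":
    for event in detect_abnormal_events(RECORDS):
        print(event)
```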

The intelligence collection module 130 can collect threat intelligence. More specifically, the intelligence collection module 130 may obtain threat intelligence from free open-source network resources (including dark web sites, free malware analysis sites, and malware discussion boards or forums) or from commercial paid resource providers, and may also obtain threat intelligence from security centres such as an Information Sharing and Analysis Center (ISAC), but the way in which the intelligence collection module 130 obtains threat intelligence is not limited to the above. The intelligence collection module 130 may extract threat intelligence from the web pages provided by a network resource, or from the data provided by a resource provider or security centre, according to the data format specified by the free network resource or set by the resource provider or security centre; the intelligence collection module 130 may also perform text and/or semantic analysis on network resources or data files that have no fixed format in order to obtain threat intelligence.

The threat intelligence collected by the intelligence collection module 130 contains target information and the corresponding operating techniques. The target information may contain a blacklist of network addresses or domain names that produce threats, and the file names, hash values or other characteristic values of malicious programs; in other words, the target information may contain indicators of compromise (IOC), but the present invention is not limited to this. The target information may also contain the scope of impact and degree of damage of the threat. The operating techniques may contain the tools, techniques and/or program code used to produce the threat.

The threat analysis module 150 is responsible for analyzing the abnormal events obtained by the event monitoring module 120. More specifically, the threat analysis module 150 may analyze abnormal events using big data analysis combined with artificial intelligence (AI) and/or machine learning. For example, big data analysis can analyze the characteristics (such as volume, velocity and variety) of the operation records from different sources that record the abnormal events, so as to classify and fuse the data that represents the same abnormal event in operation records from different sources into one group of abnormal events (also referred to in the present invention as an "abnormal event group"); an AI or machine learning algorithm can then compute a feature value for each abnormal event group (each group of classified and fused abnormal events) and classify each group according to the threshold its feature value meets, and the threat analysis module 150 can determine the security situation represented by each group of abnormal events from the classification results of the AI or machine learning algorithm.

The threat analysis module 150 is also responsible for selecting, based on the analysis results of the abnormal events, a corresponding maintenance task from the maintenance tasks set by the task setting module 110. In general, the threat analysis module 150 selects the maintenance task that corresponds to the security situation represented by the classification of each group of abnormal events by the AI or machine learning algorithm.

In some embodiments, when selecting a maintenance task, the threat analysis module 150 may refer not only to the classification results of the abnormal events but also to the threat intelligence collected by the intelligence collection module 130. That is, the threat analysis module 150 may select a corresponding maintenance task from the maintenance tasks set by the task setting module 110 based on the threat intelligence collected by the intelligence collection module 130.

It should be noted that a maintenance task does not necessarily contain only operation plans that add or adjust settings, rules or policies; it may also contain operation plans that delete settings, rules or policies. For example, when the threat analysis module 150 confirms from the threat intelligence that a particular target, such as a website or domain that produced threats in the past, is no longer recorded in the threat intelligence or has been marked there as retired, the maintenance task may contain an operation plan that deletes the settings, rules or policies concerning that target.

The threat analysis module 150 may also obtain a corresponding risk level from the classification results of the abnormal events. For example, the threat analysis module 150 may read the risk level corresponding to the security situation represented by the classification of the abnormal events, where the correspondence between security situations and risk levels can be defined in advance by the security personnel who set up the security situations and risk levels; the threat analysis module 150 may also determine the risk level from parameters such as the possible scope of impact, handling complexity and degree of damage of the abnormal event classification. For example, the threat analysis module 150 may define a numeric value for each of the different parameters, add up the values corresponding to the parameters, and determine the risk level from the total, but the present invention is not limited to this.

The device communication module 160 can send a notification message to a mobile device 490 when the event monitoring module 120 identifies an abnormal event; the device communication module 160 can also, when the event monitoring module 120 or the threat analysis module 150 has determined a risk level, select a mobile device 490 according to the determined risk level and send a notification message to the selected mobile device 490. For example, the device communication module 160 may set in advance the permission corresponding to each risk level, and may also set the permission of the user of each mobile device, so that it can select the mobile devices of users holding the permission corresponding to the determined risk level. In addition, the device communication module 160 can also receive confirmation messages returned by the mobile device 490.

It should be noted that the device communication module 160 is not limited to sending a notification message to a single mobile device 490; that is, the device communication module 160 may select one or more mobile devices 490 and send the notification message to all of the selected mobile devices 490, and may also receive confirmation messages returned by one or more mobile devices 490.

The device communication module 160 can send notification messages to the mobile device 490 by SMS, instant messaging, e-mail, push notification or similar means, and can likewise receive the confirmation messages returned by the mobile device 490 by SMS, instant messaging, e-mail, push notification or similar means.
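The threat analysis pipeline of the preceding paragraphs (fusing abnormal events into abnormal event groups, classifying each group into a security situation, selecting the corresponding maintenance task, and scoring a risk level by summing parameter values) and the device communication module's selection of mobile devices by the permission assigned to that risk level, as one added example in Python (not code from the patent). A threshold rule stands in for the AI/ML classifier; the grouping window, feature definitions, situation names, task contents, risk parameters, bands and user permissions are all assumptions, and the input events are constructed.

```python
from datetime import datetime, timedelta

# Constructed abnormal events as the event monitoring module might hand over
# (source device, statistic, tally, first/last timestamp).
ABNORMAL_EVENTS = [
    {"src": "10.0.0.5", "event": "firewall_deny", "count": 3,
     "first": "2024-01-01T10:00:01", "last": "2024-01-01T10:01:15"},
    {"src": "10.0.0.5", "event": "ids_hit", "count": 1,
     "first": "2024-01-01T10:01:20", "last": "2024-01-01T10:01:20"},
    {"src": "10.0.0.7", "event": "login_fail", "count": 2,
     "first": "2024-01-01T10:30:00", "last": "2024-01-01T10:34:00"},
    {"src": "10.0.0.8", "event": "firewall_deny", "count": 10,
     "first": "2024-01-01T11:00:00", "last": "2024-01-01T11:02:00"},
    {"src": "10.0.0.8", "event": "ids_hit", "count": 2,
     "first": "2024-01-01T11:00:30", "last": "2024-01-01T11:01:00"},
    {"src": "10.0.0.8", "event": "login_fail", "count": 9,
     "first": "2024-01-01T11:01:00", "last": "2024-01-01T11:03:00"},
]

FUSE_WINDOW = timedelta(minutes=5)  # assumed fusion window

# Maintenance tasks as the task setting module might define them (assumed
# names). A task lists its operation plans; a plan may appear in several tasks.
MAINTENANCE_TASKS = {
    "block_source": ["add_acl_deny"],
    "quarantine_and_patch": ["add_acl_deny", "run_vuln_scan", "apply_updates"],
    "monitor_only": ["raise_log_level"],
}

# Security situation -> (maintenance task, risk parameters). The parameters
# are the ones the description names: scope of impact, handling complexity,
# degree of damage. Values are assumed.
SITUATIONS = {
    "host_compromised": ("quarantine_and_patch",
                         {"scope": 3, "complexity": 3, "damage": 3}),
    "intrusion_attempt": ("block_source",
                          {"scope": 1, "complexity": 1, "damage": 2}),
    "suspicious": ("monitor_only",
                   {"scope": 1, "complexity": 1, "damage": 1}),
}

# Permission assigned to each risk level, and the permission held by the
# user of each mobile device (assumed).
PERMISSION_FOR_LEVEL = {"low": 1, "medium": 2, "high": 3}
MOBILE_DEVICES = [
    {"user": "oncall-analyst", "permission": 1},
    {"user": "soc-lead", "permission": 2},
    {"user": "ciso", "permission": 3},
]


def fuse_events(events):
    """Fuse abnormal events about the same device that lie within FUSE_WINDOW
    of each other into one abnormal event group."""
    groups = []
    for ev in sorted(events, key=lambda e: e["first"]):
        first = datetime.fromisoformat(ev["first"])
        last = datetime.fromisoformat(ev["last"])
        for g in groups:
            if g["src"] == ev["src"] and first - g["last"] <= FUSE_WINDOW:
                g["events"].append(ev)
                g["last"] = max(g["last"], last)
                break
        else:
            groups.append({"src": ev["src"], "events": [ev],
                           "first": first, "last": last})
    return groups


def feature_values(group):
    """Variety (distinct record sources), volume (total tally) and velocity
    (records per minute) of one abnormal event group."""
    volume = sum(e["count"] for e in group["events"])
    minutes = max((group["last"] - group["first"]).total_seconds() / 60, 1.0)
    return {"variety": len({e["event"] for e in group["events"]}),
            "volume": volume, "velocity": volume / minutes}


def classify_situation(feat):
    """Threshold classifier standing in for the AI/ML classifier."""
    if feat["variety"] >= 3 or feat["volume"] >= 20:
        return "host_compromised"
    if feat["variety"] >= 2 or feat["velocity"] >= 2:
        return "intrusion_attempt"
    return "suspicious"


def risk_level(params):
    """Sum the risk parameters and band the total (assumed bands)."""
    total = sum(params.values())
    return "high" if total >= 8 else "medium" if total >= 4 else "low"


def analyze(events):
    """Full pass: fuse, classify, select the maintenance task, score the
    risk, and pick the mobile devices holding the permission for that level."""
    results = []
    for group in fuse_events(events):
        situation = classify_situation(feature_values(group))
        task, params = SITUATIONS[situation]
        level = risk_level(params)
        notify = [d["user"] for d in MOBILE_DEVICES
                  if d["permission"] == PERMISSION_FOR_LEVEL[level]]
        results.append({"src": group["src"], "situation": situation,
                        "task": task, "plans": MAINTENANCE_TASKS[task],
                        "risk_level": level, "notify": notify})
    return results
```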

The task execution module 170 is responsible for executing the maintenance task selected by the threat analysis module 150, so that one or more first network nodes execute the first operation plan corresponding to the executed maintenance task and the computing device 100 thereby conducts joint defense with each first network node. As a practical example, if the first network node is data circuit-terminating equipment such as a router or switch, the task execution module 170 can connect to the first network node and adjust its access control list (ACL) to block abnormal connections or to permit connections to particular websites or domains. If the first network node is data terminal equipment such as a computer 411 or a server 413, the task execution module 170 can, through the API provided by the first network node, remotely adjust the first network node's system or software settings and/or its security rules or policies, or scan the first network node for a specific vulnerability and, when the vulnerability is present, notify the first network node to perform a system or software update, or notify the first network node to perform a vulnerability scan and decide from the scan results whether to perform a system or software update. The first network node is usually a network node related to the abnormal event obtained by the event monitoring module 120, for example the node that generated the abnormal event or the node on which it occurred.

The task execution module 170 may also receive an operation report corresponding to the first network node. The operation reports received by the task execution module 170 include, but are not limited to, vulnerability or virus scan reports and attack test reports. The operation report received by the task execution module 170 may be produced by the first network node executing the first operation plan, or by a third network node, different from the first network node, executing a second operation plan on the first network node.

As a practical example, the task execution module 170 can notify a third network node to execute a second operation plan, receive the operation report that the third node produces, and, when that report shows a security problem, notify the first network node to execute the first operation plan. For instance, with the computer 411 as the first network node and the vulnerability/virus scanning server 413 as the third network node, executing the maintenance task makes the scanning server scan the computer for weaknesses and malware and return the resulting scan report to the task execution module 170. When the content of that report indicates a weakness or a virus on the first network node, the task execution module 170 notifies the first network node to carry out a first operation plan such as a system or software update, or deletion of the infected files, so that the weakness is patched or the malware removed.

The task execution module 170 can also determine from a received operation report whether a security problem exists. As noted above, it can read the content of a vulnerability/virus scan report or an attack test report to decide whether the first network node has a weakness or an infection, although the invention is not limited to these report types.

Depending on the risk level determined by the event monitoring module 120 or the threat analysis module 150, the task execution module 170 can either execute the maintenance task selected by the threat analysis module 150 immediately, or wait until the device communication module 160 receives a confirmation message from a mobile device 490 and then execute the maintenance task that the confirmation message corresponds to. When the confirmation message confirms execution, the task execution module 170 runs the maintenance task that the threat analysis module 150 selected; when the confirmation message designates a particular maintenance task, the task execution module 170 runs the task designated in the message.

In some embodiments, if the device communication module 160 receives confirmation messages from several mobile devices 490, the task execution module 170 can execute the maintenance task corresponding to the confirmation message received first, or it can pick, among the received confirmation messages, the one returned from the mobile device of the user with the highest authority and execute the maintenance task that message corresponds to. The task execution module 170 can also send an execution message describing the executed maintenance task to every mobile device 490 to which a notification message was previously sent.
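The two preceding paragraphs describe how the task execution module 170 decides what to run: the risk level gates automatic execution, and when several confirmation messages arrive either the earliest one or the one from the highest-authority user wins. The following Python is an added illustration of that dispatch logic and is not code from the patent or its assignee; the risk levels that allow automatic execution, the role ranking, the message fields and the task identifiers are all assumptions made for the example.

```python
"""Dispatch logic for the task execution module 170 (added example, not the
patent's code).  A risk level decides whether the selected maintenance task
runs at once or waits for a confirmation from a notified mobile device; with
several confirmations, either the earliest or the highest-authority one is
honoured.  Risk levels, roles and message fields are assumptions."""
from dataclasses import dataclass
from typing import Optional

AUTO_EXECUTE_LEVELS = {"critical"}                     # assumed: run without confirmation
AUTHORITY = {"operator": 1, "engineer": 2, "ciso": 3}  # assumed role ranking


@dataclass(frozen=True)
class Confirmation:
    received_at: float      # assumed receive timestamp recorded by module 160
    device_id: str
    role: str               # role of the user owning the mobile device
    decision: str           # "confirm" runs the selected task; "override" names another
    task_id: Optional[str] = None


def choose_confirmation(confirmations, policy="highest_authority"):
    """Pick one confirmation; ties on authority fall back to earliest arrival."""
    if not confirmations:
        return None
    if policy == "earliest":
        return min(confirmations, key=lambda c: c.received_at)
    return min(confirmations, key=lambda c: (-AUTHORITY.get(c.role, 0), c.received_at))


def decide_task(selected_task, risk_level, confirmations, policy="highest_authority"):
    """Return (task_to_run, reason); task_to_run is None while nothing should run."""
    if risk_level in AUTO_EXECUTE_LEVELS:
        return selected_task, "auto:risk=%s" % risk_level
    chosen = choose_confirmation(confirmations, policy)
    if chosen is None:
        return None, "waiting for confirmation"
    if chosen.decision == "override" and chosen.task_id:
        return chosen.task_id, "override by %s" % chosen.device_id
    if chosen.decision == "confirm":
        return selected_task, "confirmed by %s" % chosen.device_id
    return None, "rejected by %s" % chosen.device_id


def execution_messages(task_id, notified_devices):
    """Execution message sent back to every device that received the notification."""
    return [{"device_id": d, "executed_task": task_id} for d in notified_devices]


if __name__ == "__main__":
    pending = [Confirmation(1.0, "dev-a", "operator", "confirm"),
               Confirmation(2.0, "dev-b", "ciso", "override", "T-isolate")]
    task, why = decide_task("T-scan", "medium", pending)
    print(task, why, execution_messages(task, ["dev-a", "dev-b"]))
```

With the highest-authority policy the later but more privileged override wins; with the earliest policy the operator's confirmation runs the originally selected task. Whichever path is taken, the execution message goes to every device that was notified, not only to the one whose confirmation was used.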

When the task execution module 170 determines from a received operation report that a security problem exists, it can also execute the selected maintenance task again so that one or more second network nodes execute the first operation plan. It drives a second network node in exactly the way it drives a first network node, so that is not repeated here. The second network nodes may be all other network nodes on the network that are not the first network node, or all other nodes with the same identity as the first network node: when the first network node is a server, the second network nodes can be all other servers or all other data terminals; when the first network node is a switch or a router, the second network nodes can be all other switches or routers, or all other data circuit ends.

It should be noted that in some embodiments the modules above need not all reside in the computing device 100; for example, the event monitoring module 120 and the other modules may be placed on two different computing devices, although the invention is not limited to this arrangement.

An embodiment is now used to explain the operation of the system and method of the invention, with reference to Figure 2A, the flow chart of the method of executing a task based on the analysis result of records to achieve device joint defense.

First, an administrator sets the maintenance tasks on the computing device 100 that runs the invention, through the task setting module 110 (step 210). In this embodiment it is assumed that the user can predefine various security scenarios, each with the conditions that satisfy it and the maintenance task that corresponds to it.

Once the computing device 100 is running, the event monitoring module 120 reads the operation records of each network node 410 and analyzes them to obtain abnormal events (step 230). In this embodiment the operation records are assumed to comprise the server logs of several servers and the traffic data of several network nodes; from these, the event monitoring module 120 decides whether an abnormal event exists, for example a connection or login at an unreasonable time, or many connections or failed logins within a short period. If so, an abnormal event has occurred.
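Step 230 names two concrete anomaly rules, a login at an unreasonable time and a burst of failed logins in a short period. The Python below is an added example of that detection logic run over constructed server log lines; it is not code from the patent. The log line format, the business-hours window, the failure threshold and the one-minute window are assumptions chosen for the example.

```python
"""Detection logic for step 230 (added example, not the patent's code).
Two rules: a successful login outside business hours, and at least
FAIL_THRESHOLD failed logins from one source to one host inside FAIL_WINDOW.
Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample server log; assumed format: "<ISO time> <host> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2022-04-08T03:12:05 srv413 203.0.113.7 admin FAIL
2022-04-08T03:12:09 srv413 203.0.113.7 admin FAIL
2022-04-08T03:12:14 srv413 203.0.113.7 admin FAIL
2022-04-08T03:12:20 srv413 203.0.113.7 admin FAIL
2022-04-08T03:12:31 srv413 203.0.113.7 admin OK
2022-04-08T09:30:00 srv413 192.0.2.11 alice OK
2022-04-08T14:05:44 pc411 192.0.2.12 bob FAIL
2022-04-08T14:10:02 pc411 192.0.2.12 bob OK
"""

WORK_HOURS = range(8, 19)          # assumed: 08:00 to 18:59 is a reasonable login time
FAIL_THRESHOLD = 3                 # assumed: this many failures ...
FAIL_WINDOW = timedelta(minutes=1)  # ... within this window is a burst


def parse_log(text):
    """Split each log line into a record; malformed lines would raise ValueError."""
    records = []
    for line in text.splitlines():
        ts, host, src, user, result = line.split()
        records.append({"time": datetime.fromisoformat(ts), "host": host,
                        "src": src, "user": user, "result": result})
    return records


def detect_abnormal_events(records):
    """Return the abnormal events found; each names the node it relates to."""
    events = []
    # Rule 1: successful login at an unreasonable time
    for r in records:
        if r["result"] == "OK" and r["time"].hour not in WORK_HOURS:
            events.append({"type": "off_hours_login", "node": r["host"],
                           "src": r["src"], "user": r["user"], "time": r["time"]})
    # Rule 2: sliding window over failed logins, grouped by (source, host)
    failures = defaultdict(list)
    for r in records:
        if r["result"] == "FAIL":
            failures[(r["src"], r["host"])].append(r["time"])
    for (src, host), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                events.append({"type": "login_burst", "node": host, "src": src,
                               "count": end - start + 1, "time": times[end]})
                break   # one event per (source, host) is enough to raise the alarm
    return events


if __name__ == "__main__":
    for event in detect_abnormal_events(parse_log(SAMPLE_LOG)):
        print(event)
```

On the constructed log the 03:12 activity against srv413 yields both an off-hours login and a login burst from the same source, which is the kind of correlated abnormal data the threat analysis module 150 later classifies; the single failure from bob does not reach the threshold.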

After the task setting module 110 has set the maintenance tasks (step 210) and the event monitoring module 120 has analyzed the operation records and obtained abnormal events (step 230), the threat analysis module 150 analyzes the abnormal events with artificial intelligence or machine learning to select the corresponding maintenance task (step 250). In this embodiment, the threat analysis module 150 is assumed to perform big-data analysis on the operation records related to the abnormal events in order to correlate the abnormal data of several abnormal events; the abnormal data correlated to one and the same abnormal event are fed one by one to a classification model produced by an artificial-intelligence or machine-learning algorithm, and the model outputs a class for each abnormal event, for example exploit attack and/or abnormal login. The threat analysis module 150 can then select the maintenance task corresponding to the security scenario that matches the class of the abnormal event.

After the threat analysis module 150 has selected a maintenance task, the task execution module 170 executes it so that the first network node executes the corresponding first operation plan (step 270), and the computing device 100 and the first network node defend jointly. In this embodiment, the maintenance task executed by the task execution module 170 is assumed to include notifying the attacked data terminal (the first network node), such as the computer 411 or the server 413, to run a vulnerability scan, so that when the scan finds a weakness such as an exploitable vulnerability the terminal performs a system or software update to patch it. The same maintenance task may also include an instruction that sets the access control list of the data circuit end 415 (another first network node) to deny most connections of the attacked data terminal, keeping only the specific port between the attacked terminal and the computing device 100 and the port the attacked terminal uses to download files from the file server that stores the update files, until the attacked terminal has finished patching the weakness. That is, once the vulnerability/virus detection report sent by the attacked data terminal shows that the exploited weakness no longer exists, the task execution module 170 notifies the data circuit end 415 to delete the instruction in its access control list that denies the terminal's connections (another first operation plan).
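The quarantine just described keeps two permitted paths open for the attacked terminal (management traffic to the computing device 100 and patch downloads from the file server) and denies everything else until the scan report shows the weakness gone. The Python below is an added example of that ACL handling and of the release decision; it is not code from the patent, and real data circuit ends use their own ACL dialects. The rule representation, the port numbers, the addresses and the report layout are assumptions made for the example.

```python
"""ACL quarantine and release for step 270 (added example, not the patent's
code).  Rules are ordered, first match wins; the quarantine entries are
tagged so they can be removed as a unit once the report is clean.
Rule syntax, ports, addresses and report layout are assumptions."""

MGMT_PORT = 8443    # assumed port the computing device 100 uses to reach terminals
UPDATE_PORT = 443   # assumed port for fetching update files from the file server


def quarantine_rules(terminal_ip, computing_device_ip, file_server_ip, tag):
    """Permit the two required paths, then deny everything else from the terminal."""
    return [
        {"tag": tag, "action": "permit", "src": terminal_ip, "dst": computing_device_ip, "dport": MGMT_PORT},
        {"tag": tag, "action": "permit", "src": terminal_ip, "dst": file_server_ip, "dport": UPDATE_PORT},
        {"tag": tag, "action": "deny", "src": terminal_ip, "dst": "any", "dport": "any"},
    ]


def apply_rules(acl, new_rules):
    """Prepend the quarantine so it matches before the existing policy (idempotent per tag)."""
    tag = new_rules[0]["tag"]
    return new_rules + [r for r in acl if r.get("tag") != tag]


def release_rules(acl, tag):
    """Delete the quarantine instruction, restoring the previous policy."""
    return [r for r in acl if r.get("tag") != tag]


def lookup(acl, src, dst, dport):
    """First-match evaluation of a flow; the example ACL defaults to permit."""
    for r in acl:
        if r["src"] in (src, "any") and r["dst"] in (dst, "any") and r["dport"] in (dport, "any"):
            return r["action"]
    return "permit"


def weakness_still_present(report):
    """Read the terminal's vulnerability/virus report (assumed dict with a findings list)."""
    return any(f.get("status") == "open" for f in report.get("findings", []))


def reconcile(acl, report, tag):
    """Keep the quarantine while any finding is open; lift it once the report is clean."""
    if weakness_still_present(report):
        return acl, "quarantine kept"
    return release_rules(acl, tag), "quarantine lifted"


if __name__ == "__main__":
    base = [{"tag": "base", "action": "permit", "src": "any", "dst": "any", "dport": "any"}]
    tag = "q-192.0.2.12"
    acl = apply_rules(base, quarantine_rules("192.0.2.12", "10.0.0.1", "10.0.0.2", tag))
    print(lookup(acl, "192.0.2.12", "198.51.100.5", 80))                   # deny
    print(reconcile(acl, {"findings": [{"id": "F-1", "status": "fixed"}]}, tag)[1])
```

Ordering matters: if the deny entry were placed before the two permits, the terminal could neither report back to the computing device 100 nor fetch the patch, and the quarantine would never be lifted. Tagging the entries is what lets the release step delete exactly the instruction that was added and nothing else.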

After the task execution module 170 has executed the maintenance task selected by the threat analysis module 150 so that the first network node executes the corresponding first operation plan (step 270), it can receive the operation report corresponding to the first network node and, when it determines from that report that a security problem exists, execute the selected maintenance task again so that the second network nodes execute the first operation plan corresponding to it (step 280). In this embodiment, the task execution module 170 is assumed to receive the operation report returned by the first network node and to judge that a security problem exists whenever the report contains a message such as "weakness/virus found" or "weakness fixed/virus removed". It then notifies the other data terminals (the second network nodes) to run a vulnerability scan, so that a second network node that finds a weakness such as the exploited vulnerability performs a system or software update to patch it; the access control list of the data circuit end 415 can likewise be set to deny most connections of a vulnerable data terminal until that terminal has finished patching the weakness.
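Step 280 hinges on two decisions: whether the first node's report counts as evidence of a security problem (the description treats both "found" and "fixed" as such, since a patched node implies its peers were exposed too), and which nodes are the second network nodes (all others, or only those of the same identity). The Python below is an added example of that propagation logic; it is not code from the patent. The node inventory, the identity labels, the report layout and the execution callback are assumptions made for the example.

```python
"""Step 280 propagation (added example, not the patent's code).  Judge the
first node's report, then re-run the same maintenance task on the second
network nodes, chosen as all other nodes or only those of the same identity.
Inventory, report layout and the execute callback are assumptions."""

# Constructed inventory; "identity" is the role the description groups nodes by.
INVENTORY = [
    {"name": "pc411", "identity": "data_terminal"},
    {"name": "pc412", "identity": "data_terminal"},
    {"name": "srv413", "identity": "server"},
    {"name": "srv414", "identity": "server"},
    {"name": "sw415", "identity": "data_circuit_end"},
]

# A node that was found vulnerable or infected, or that has just been fixed or
# cleaned, both mean the same weakness may exist on its peers.
PROBLEM_STATES = {"vulnerable", "infected", "fixed", "cleaned"}


def security_problem_exists(report):
    """True when any finding in the report is in a state that implies exposure."""
    return any(f.get("state") in PROBLEM_STATES for f in report.get("findings", []))


def second_nodes(first_node, inventory, same_identity=True):
    """Every other node, or every other node sharing the first node's identity."""
    first = next(n for n in inventory if n["name"] == first_node)
    return [n["name"] for n in inventory
            if n["name"] != first_node
            and (not same_identity or n["identity"] == first["identity"])]


def propagate(first_node, report, task, inventory, execute, same_identity=True):
    """Re-run `task` on the second nodes when the report shows a problem.

    `execute(task, node)` is the assumed hook through which the task execution
    module drives a node; the list of targeted nodes is returned for auditing."""
    if not security_problem_exists(report):
        return []
    targets = second_nodes(first_node, inventory, same_identity)
    for node in targets:
        execute(task, node)
    return targets


if __name__ == "__main__":
    report = {"node": "srv413", "findings": [{"id": "F-7", "state": "fixed"}]}
    hit = propagate("srv413", report, "T-scan-and-patch", INVENTORY,
                    lambda task, node: print("run", task, "on", node))
    print("targeted:", hit)
```

Returning the list of targeted nodes gives the execution message described earlier something concrete to report, and a clean report short-circuits before any node is touched, which is the behaviour a practitioner wants from an automated responder that can push changes to every switch or server at once.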

While the task execution module 170 executes the maintenance task selected by the threat analysis module 150 so that the first network node executes the corresponding first operation plan (step 270), it can also, as shown in the flow of Figure 2B, notify the vulnerability/virus scanning server 413 (the third network node) to execute a second operation plan against the first network node, that is, to scan the first network node for weaknesses and malware and produce the corresponding operation report (step 271). When the report returned by the scanning server 413 shows that a security problem exists on the first network node, the task execution module 170 notifies the first network node to execute the first operation plan (step 275).

If the computing device 100 includes the intelligence collection module 130, then, as shown in the flow of Figure 2C, after the task setting module 110 has set the maintenance tasks (step 210) the intelligence collection module 130 collects threat intelligence (step 240), the threat analysis module 150 analyzes the collected threat intelligence to select the corresponding maintenance task (step 255), and the task execution module 170 executes the selected maintenance task so that the first network node executes the corresponding first operation plan (step 270). In this embodiment, it is assumed that when the threat intelligence retires a specific target, such as a website or domain that used to pose a threat, the threat analysis module 150 selects a maintenance task whose operation plan deletes the settings, rules or policies concerning that target, so that after the task execution module 170 runs it, each data circuit end (first network node) removes the connection rule for that target.

If the computing device 100 also includes the device communication module 160, then, as shown in the flow of Figure 2D, after the event monitoring module 120 has obtained an abnormal event (step 230), the event monitoring module 120 or the threat analysis module 150 determines a risk level from the abnormal event (step 261). The device communication module 160 decides from that risk level whether to send a notification message; if not, processing ends without a notification; if so, the device communication module 160 selects, according to the risk level, the mobile devices 490 of the users whose authority matches, and sends the generated notification message to the selected mobile devices 490 (step 263). The task execution module 170 can then execute the maintenance task selected by the threat analysis module 150 (steps 250, 270).

After sending the notification message to the selected mobile devices 490, the device communication module 160 can also wait for a mobile device 490 to return a confirmation message. When the device communication module 160 receives the confirmation message, the task execution module 170 executes the maintenance task that corresponds to it (step 265): either the maintenance task selected by the threat analysis module 150 that the confirmation message confirms, or the maintenance task that the confirmation message designates.

In summary, the invention differs from the prior art in analyzing the operation records of network nodes to select a corresponding maintenance task and executing the selected task so that the network nodes execute the corresponding operation plans, thereby defending jointly with the network nodes. This solves the prior-art problem that security incidents could not be analyzed, and protection applied, automatically and effectively, and achieves automated joint defense of network devices.

The method of executing a task based on the analysis result of records to achieve device joint defense can be implemented in hardware, in software, or in a combination of the two, and either centrally in one computer system or in a distributed manner with its components spread across several interconnected computer systems.

Although embodiments of the invention are disclosed above, the description is not intended to limit the scope of patent protection directly. Minor changes and refinements in form or detail that a person of ordinary skill in the art makes without departing from the spirit and scope of the disclosure fall within the scope of patent protection, which is defined by the appended claims.

Step 210: set the maintenance tasks

Step 230: read the operation records and analyze them to obtain abnormal events

Step 250: analyze the abnormal events to select a maintenance task

Step 270: execute the selected maintenance task so that the first network node executes the corresponding first operation plan

Step 280: receive the operation report corresponding to the first network node and, when the report shows that a security problem exists, execute the selected maintenance task so that the second network node executes the first operation plan

Claims (10)

1. A system for executing a task based on an analysis result of records to achieve device joint defense, the system comprising at least: a plurality of network nodes including at least one first network node and at least one second network node, the at least one second network node being another network node different from the at least one first network node or another network node having the same identity as the at least one first network node; and a computing device comprising: a task setting module for setting a plurality of maintenance tasks; an event monitoring module for reading at least one operation record of the network nodes and analyzing the at least one operation record to obtain at least one abnormal event, the at least one abnormal event being related to the at least one first network node; a threat analysis module for analyzing the at least one abnormal event to select one of the maintenance tasks; and a task execution module for executing the selected maintenance task so that the at least one first network node executes a corresponding first operation plan, for receiving, after the at least one first network node executes the first operation plan, an operation report corresponding to the at least one first network node, and for executing the selected maintenance task so that the at least one second network node executes the first operation plan when it determines from the operation report that the at least one first network node has a security problem.

2. The system of claim 1, wherein the computing device further comprises an intelligence collection module for collecting threat intelligence, and the threat analysis module is further for analyzing the threat intelligence to select one of the maintenance tasks.

3. The system of claim 1, wherein the computing device further comprises a device communication module for sending a notification message to at least one mobile device when the event monitoring module detects the at least one abnormal event, or for selecting at least one mobile device according to a risk level determined by the event monitoring module or the threat analysis module and sending a notification message to the at least one mobile device.

4. The system of claim 3, wherein the device communication module is further for receiving a confirmation message returned by the at least one mobile device, and the task execution module is further for choosing, according to the risk level, whether to execute the maintenance task automatically or to execute the maintenance task corresponding to the confirmation message.

5. The system of claim 1, wherein the task execution module is further for notifying a third network node to execute a second operation plan against the at least one first network node, receiving the operation report produced by the third network node, and notifying the at least one first network node to execute the first operation plan when it determines from the operation report that a security problem exists.

6. A method for executing a task based on an analysis result of records to achieve device joint defense, applied to a computing device, the method comprising at least the steps of: setting a plurality of maintenance tasks; reading at least one operation record of a plurality of network nodes and analyzing the at least one operation record to obtain at least one abnormal event, wherein the at least one abnormal event is related to at least one first network node; analyzing the at least one abnormal event to select one of the maintenance tasks; executing the selected maintenance task so that the at least one first network node executes a corresponding first operation plan; and after the at least one first network node executes the first operation plan, receiving an operation report corresponding to the at least one first network node and, when it is determined from the operation report that the at least one first network node has a security problem, executing the selected maintenance task so that at least one second network node executes the first operation plan, wherein the at least one second network node is another network node different from the at least one first network node or another network node having the same identity as the at least one first network node.

7. The method of claim 6, further comprising, before the step of executing the selected maintenance task, the step of collecting threat intelligence and analyzing the threat intelligence to select one of the maintenance tasks.

8. The method of claim 6, further comprising, after the step of obtaining the abnormal event, the step of sending a notification message to at least one mobile device, or the steps of determining a risk level from the at least one abnormal event, selecting at least one mobile device according to the risk level, and sending a notification message to the at least one mobile device.

9. The method of claim 8, further comprising, after the step of sending the notification message to the at least one mobile device, the step of receiving a confirmation message sent by the at least one mobile device and executing the maintenance task corresponding to the confirmation message.

10. The method of claim 6, wherein the step of executing the selected maintenance task so that the first network node executes the corresponding first operation plan comprises notifying a third network node to execute a second operation plan against the at least one first network node, receiving the operation report produced by the third network node, and notifying the at least one first network node to execute the first operation plan when it is determined from the operation report that a security problem exists.
TW111113543A 2022-04-08 System for executing task based on an analysis result of records for achieving device joint defense and method thereof TWI835113B (en)
Publications (2)

Publication Number  Publication Date
TW202340988A (en)   2023-10-16
TWI835113B (en)     2024-03-11 (granted)
