Collaborative linkage system and method for network security
Technical field
The invention belongs to the field of network security and relates in particular to a collaborative linkage system and method for network security.
Background technology
With the rapid development of information technology and the Internet, malicious attacks on network information systems have become increasingly diverse and complex. These security incidents seriously threaten China's national security and the lives of its people, and the network security situation grows more severe by the day. For this reason, academia, industry and other sectors have carried out deep and comprehensive research on network security technology and obtained comparatively mature results, such as intrusion detection, vulnerability scanning, botnet discovery, distributed denial-of-service attack detection, spam filtering, anti-virus and anti-Trojan technologies and systems. Existing research nevertheless faces two problems. First, isolated research on a single technology, such as intrusion detection, has found it difficult to significantly reduce the false-alarm rate and the miss rate for network security events. Second, single-technology means have found it difficult to satisfy increasingly complex application demands, such as in-depth analysis and knowledge mining of network security events. Research on collaborative linkage technology for network security therefore has both theoretical significance and practical value.
In recent years, representative research work in the area of collaborative linkage of security events includes:
1) Unified Threat Management (UTM), first proposed by Fortinet in 2002; in September 2004 the well-known U.S. analyst firm IDC named security appliances that combine anti-virus, intrusion detection and firewall functions as UTM. It is also called a multifunction firewall or multifunction security gateway. This technology links anti-virus, intrusion detection and firewall security devices well and forms a standard management platform. Compared with a conventional security gateway, a UTM appliance merges multiple security capabilities and has the advantages of convenient management, lower investment and strong defensive capability. The technology also has an inherent disadvantage: the devices that can be linked and managed are fixed, and new devices cannot be added and linked. UTM is therefore inflexible and has poor extensibility.
2) A Security Operation Center (SOC) is generally positioned as a centralised security management system that takes assets as its core and security incident management as its key workflow, adopts the idea of security domain division to build a real-time asset risk model, and assists administrators with event analysis, risk analysis, early-warning management and emergency response. Because the industry has not yet formed a unified understanding, SOC implementations differ between manufacturers, and products of different vendors still lack the ability to link collaboratively.
Summary of the invention
Therefore, the object of the invention is to overcome the defects of the above prior art and provide a network security collaborative linkage system that is compatible with multiple secure resources.
To achieve the above object, in one aspect the invention provides a network security collaborative linkage system comprising:
a secure resource interface module, which provides a transmission interface for a plurality of secure resources so that files can be transferred between the collaborative linkage system and each secure resource, a secure resource meaning a relevant network security system;
a secure resource adaptation module, which converts the security event information provided by the corresponding secure resource from that resource's specific format into the standard format of the collaborative linkage system;
a collaborative linkage engine module, which performs association analysis and mining on the security events provided by each secure resource according to the collaborative linkage demand, to obtain more valuable information.
In the said system, each secure resource adaptation module corresponds to one secure resource.
In the said system, the secure resource interface module adopts FTP or SSH as the interface transmission protocol.
In the said system, the collaborative linkage engine module comprises:
an instruction set, which contains the common instructions and provides the basic collaborative linkage functions for the collaborative linkage engine;
a pattern set, which contains collaborative linkage patterns, a collaborative linkage pattern being a program written with the instructions of the instruction set according to the collaborative linkage demand;
a pattern execution module, which executes collaborative linkage patterns to complete the corresponding collaborative linkage tasks.
In the said system, a PA (processing agent) set is further included, which provides computations that do not exist in the instruction set; the collaborative linkage pattern is then a program written with the instructions of the instruction set and/or the PA set according to the collaborative linkage demand.
In the said system, the collaborative linkage engine is implemented in C, Python or Java.
In the said system, the secure resource interface module identifies the FTP resource of each secure resource by means of an FTP resource vector, and a plurality of FTP resource vectors form the FTP resource table. The FTP resource vector is <NUM, SERVER, USER, PASSWORD>, where NUM is the number of the FTP resource, SERVER is the IP address of the host on which the FTP resource resides, USER is the FTP user name and PASSWORD is the FTP password.
In the said system, the secure resource interface module obtains the connection information by the FTP number when accessing a specific FTP resource, and a new secure resource is added by adding a new FTP resource vector to the FTP resource table.
In another aspect, the invention provides a network security collaborative linkage method for the said system, comprising the following steps:
Step 1) mounting all secure resources involved in the collaborative linkage demand onto the collaborative system;
Step 2) writing the corresponding collaborative linkage pattern according to the collaborative linkage demand;
Step 3) executing the said collaborative linkage pattern in the collaborative linkage engine to obtain the required data.
In the said method, step 1) may further comprise the following steps:
developing a corresponding secure resource adaptation module for each secure resource, which converts the security event information provided by that secure resource from its specific format into the standard format of the collaborative linkage system;
providing, in the secure resource interface module, a transmission interface for each secure resource, for file transfer between the collaborative linkage system and that secure resource.
In the said method, step 2) may further comprise the following steps:
if the instructions in the instruction set can satisfy the collaborative linkage demand, writing the collaborative linkage pattern with the instruction set according to the demand; otherwise developing a corresponding PA set, and writing the collaborative linkage pattern with the instructions of the instruction set and the corresponding PA set according to the demand.
In the said method, step 3) may further comprise the following steps:
obtaining the security event files from each secure resource according to the collaborative linkage demand;
the collaborative linkage engine performing association analysis and mining, in turn according to the said collaborative linkage pattern, on the security events provided by each secure resource, to obtain more valuable information.
Compared with the prior art, the invention has the following advantages:
The above collaborative linkage system is able to collaboratively analyse and link any network security resource that follows the agreed interface, and so has better generality. Multiple network secure resources can be joined to the collaborative linkage system quickly and easily through corresponding dedicated secure adaptation modules, which gives better extensibility.
Description of drawings
The embodiments of the invention are further described below with reference to the accompanying drawings, in which:
Fig. 1 is a structure diagram of the network security collaborative linkage system according to an embodiment of the invention;
Fig. 2 is a structure diagram of the collaborative linkage engine according to an embodiment of the invention;
Fig. 3 is a diagram of the malicious hosts mined according to an embodiment of the invention;
Fig. 4 is a diagram of the malicious domain names mined according to an embodiment of the invention;
Fig. 5 is a comparison diagram of the controlled hosts before and after mining according to an embodiment of the invention.
Embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is further explained below through specific embodiments in conjunction with the accompanying drawings. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
Fig. 1 shows the architecture of an embodiment of the network security collaborative linkage system. As shown in Fig. 1, the network security collaborative linkage system (hereinafter also abbreviated to the collaborative linkage system or the system) comprises a collaborative linkage engine module, a secure resource interface module, a storage resource module and secure resource adaptation modules. The collaborative linkage engine module is the computing unit of the system; it performs association analysis on the security events provided by the secure resources in order to mine more valuable information. A secure resource here means a relevant network security system, such as a firewall, intrusion detection system, intrusion prevention system or anti-virus system. The secure resource interface module is mainly responsible for exchanging information with the storage resource module and the secure resource adaptation modules; its interface transmission protocol can be a technology such as FTP or SSH. The storage resource module is mainly responsible for storing data: the data of the collaborative linkage engine module, the secure resource interface module and the secure resource adaptation modules can be kept in the storage resource module, which may be memory, a database, a file system or the like. The secure resource adaptation module converts the security event files provided by each secure resource into standard-format information and passes it to the other modules through the secure resource interface module.
The main workflow of the system is as follows. First, security event files, such as those produced by an intrusion detection system, are obtained from each secure resource through the secure resource interface module and the secure resource adaptation module. Next, the security events held in these files are saved into the storage resource module. Then, according to the actual collaborative linkage demand (the joint requirement placed on network security events), the collaborative linkage engine module takes the events out of the storage resource module and processes them in turn, obtaining the required data through association and mining.
More specifically, the secure resource interface module provides a transmission interface for each secure resource so that files can be transferred between the system and each secure resource. FTP, SSH and the like can be adopted as the interface transmission protocol. Taking FTP as an example: each secure resource can have one or several FTP resources, every secure resource places its detected security event files on its own corresponding FTP resource, and the secure resource interface module identifies a specific FTP resource by means of an FTP resource vector. This vector is <NUM, SERVER, USER, PASSWORD>, where NUM is the number of the FTP resource, SERVER is the IP address of the host on which the FTP resource resides, USER is the FTP user name and PASSWORD is the FTP password. Many FTP resource vectors form the FTP resource table, so that when a specific FTP resource is accessed the connection information can be obtained directly from the FTP number. When a new secure resource is added, only a new FTP resource vector needs to be added to the FTP resource table, which gives very high flexibility.
After a security event file is received from a secure resource through the secure resource interface module, the security events must be converted by the secure resource adaptation module from the specific format of that secure resource into the standard format of the collaborative linkage system (TXT or XML can serve as the standard format), and then sent to the storage resource module through the secure resource interface module for saving. The collaborative linkage system can comprise a plurality of secure resource adaptation modules. A corresponding secure resource adaptation module can be developed for each secure resource, in any language, as long as it accomplishes the corresponding format conversion.
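The FTP resource table and the adaptation step described above, as an added Python example that is not part of the patent: the table is keyed by NUM as the text describes, and the two source formats, the field layout of the standard "|"-delimited TXT record and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not the patent's code. Assumed: the standard TXT format is one
# "|"-delimited record per event with the fields time|src_ip|event|detail, and
# the two source formats below are constructed stand-ins for real resources.
STANDARD_FIELDS = ("time", "src_ip", "event", "detail")

@dataclass(frozen=True)
class FtpResource:  # the FTP resource vector <NUM, SERVER, USER, PASSWORD>
    num: int
    server: str
    user: str
    password: str  # held in clear as the vector describes; a deployment would use a secret store

class FtpResourceTable:
    """FTP resource table: connection info is looked up by FTP number only."""
    def __init__(self):
        self._rows = {}

    def add(self, res):  # mounting a new secure resource = adding one vector
        ipaddress.ip_address(res.server)  # SERVER must be an IP address
        if res.num in self._rows:
            raise ValueError(f"FTP number {res.num} already assigned")
        self._rows[res.num] = res

    def connection_info(self, num):
        r = self._rows[num]
        return r.server, r.user, r.password

def _standard(fields):
    """Guard for the standard format: right field count, no embedded delimiter, valid src_ip."""
    if len(fields) != len(STANDARD_FIELDS) or any("|" in f for f in fields):
        raise ValueError("malformed record")
    ipaddress.ip_address(fields[1])
    return "|".join(fields)

def adapt_863917(line):
    """Adapter for the constructed 863-917 format 'time,type,ip,extra'."""
    time, kind, ip, extra = line.rstrip("\n").split(",", 3)
    return _standard((time, ip, kind, extra))

def adapt_dns(line):
    """Adapter for the constructed DNS log format 'time client domain answer'."""
    time, client, domain, answer = line.split()
    return _standard((time, client, "dns", f"{domain}->{answer}"))

def convert_file(lines, adapter):
    """Secure resource adaptation module: convert every line of one source file.
    Returns (standard records, number of rejected lines)."""
    records, rejected = [], 0
    for line in lines:
        try:
            records.append(adapter(line))
        except ValueError:  # bad IP, wrong field count or embedded delimiter
            rejected += 1
    return records, rejected

# Constructed sample files (not real data): one 863-917 line has an invalid IP,
# and one DNS line carries a "|" that would add a field to the standard record.
EVENTS_863917 = ["2010-03-14T10:00:00,botnet,203.0.113.7,irc-c2",
                 "2010-03-14T10:00:05,trojan,not-an-ip,bad"]
DNS_LOG = ["2010-03-14T10:00:01 192.0.2.10 c2.example.test 203.0.113.7",
           "2010-03-14T10:00:02 192.0.2.11 evil|example.test 203.0.113.9"]
```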
Next, the collaborative linkage engine module performs association analysis on the security events provided by each secure resource, thereby mining more valuable information. In the present embodiment, a collaborative linkage pattern is written according to the collaborative linkage demand. That is, the corresponding security events are extracted in turn from the storage resource module according to the collaborative linkage demand, and the desired data is obtained through the association and mining of the collaborative linkage engine.
Fig. 2 shows the structure of the collaborative linkage engine module. As shown in Fig. 2, this module comprises an instruction set, a PA set, a pattern set and a pattern execution module. The instruction set contains all the common instructions and provides the basic collaborative linkage functions for the engine. A PA (Processing Agent) supplements the instruction set: it can provide computations that do not exist in the instruction set, so that the engine's capability can be further improved and extended. A pattern is a program composed of instructions from the instruction set and the PA set; it runs on the pattern execution module and finally completes the corresponding collaborative linkage task. The pattern execution module is the execution module of the engine: the instructions of the instruction set and the PA set are all interpreted and executed through this module, and every concrete pattern must pass through it to complete its collaborative linkage task. The collaborative linkage engine can be implemented in various languages, such as C, Python and Java. This internal structure gives the collaborative linkage engine very strong extensibility.
More specifically, according to the collaborative linkage demand, the corresponding collaborative linkage pattern is written with the instructions of the instruction set in the collaborative linkage engine module, and the written pattern is run to complete the collaborative linkage task. If the instruction set cannot satisfy the demand, a corresponding PA must be developed (in any language), and the pattern is then written with the instruction set and the corresponding PA. In essence, a collaborative linkage pattern is a program formed in order from the instructions of the instruction set and/or the PA set; once executed, it completes certain specific collaborative linkage tasks. By contrast, the collaborative linkage of UTM is fixed: it cannot be reprogrammed at will, and the devices that can be linked are also fixed. The present system can develop different collaborative linkage patterns for different collaborative linkage demands, and is therefore comparatively flexible and general.
For example, three secure resources are adopted: secure resource 1) is the 863-917 network security monitoring platform (a national network security monitoring platform funded by the national 863 Program), which detects particular security events on the Chinese Internet in real time, such as botnet and Trojan communications; secure resource 2) is the domain name resolution record information of the common core name servers of a certain province; secure resource 3) is the flow monitoring system of a certain province, which can provide the flow record information of its core routers.
For each of the above secure resources, a corresponding secure resource adaptation module is added to the system and a new FTP resource vector is added to the FTP resource table of the secure resource interface module, so that these three secure resources are mounted onto the collaborative linkage system.
The collaborative linkage demand for the above three secure resources is: using the malicious IP addresses provided by the 863-917 network security monitoring platform, mine malicious domain names in the domain name resolution records, and then, using these malicious domain names, mine more malicious IP addresses and controlled IP addresses in the flow records.
According to this collaborative linkage demand, the corresponding collaborative linkage pattern is written with the instructions of the instruction set. The collaborative linkage pattern is as follows:
(1) SELECT_TO_FILE(0, "select * from eventlog_863917", "eventlog.txt", "|")
// take the malicious host information detected by the 863-917 platform on the day from database No. 0 and form the file eventlog.txt, with "|" as the separator
(2) LOAD_TO_TABLE(2, "eventlog.txt", "eventlog", "|")
// import the malicious host information in eventlog.txt into the eventlog table of database No. 2
(3) SELECT_TO_FILE(1, "select * from dns", "dns.txt", "|")
// take the DNS records of the day from database No. 1 and form the file dns.txt, with "|" as the separator
(4) LOAD_TO_TABLE(2, "dns.txt", "dns", "|")
// import the DNS records in dns.txt into the dns table of database No. 2
(5) SELECT_TO_TABLE(2, "some select string", "zoom")
// query database No. 2 through a series of selects and form the mined malicious host domain name information into the zoom table
(6) SELECT_TO_FILE(2, "select * from zoom", "zoom.txt", "|")
// take the information in the zoom table from database No. 2 and form the file zoom.txt, with "|" as the separator
(7) PUT_FILE(0, "zoom.txt", "zoom.txt", "/home/ftp")
// send the file zoom.txt to FTP No. 0, which belongs to the flow monitoring system; the flow monitoring system searches for the relevant flow information according to this file and forms a file called flow.txt
(8) GET_FILE(0, "flow.txt", "flow.txt", "/home/ftp")
// obtain the file flow.txt returned by the flow monitoring system, which contains the malicious host and controlled host information
(9) LOAD_TO_TABLE(2, "flow.txt", "flow", "|")
// import flow.txt into the flow table of database No. 2
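The engine structure of Fig. 2 (instruction set, PA hook and pattern execution module) and steps (1) to (5) of the pattern above, as one added Python example that is not the patent's own code: the numbered databases are assumed to be in-memory sqlite3 stand-ins for the storage resource module, the column names c0..cN, the "zoom" select string and all event records are constructed, and the FTP exchange with the flow monitor in steps (7) and (8) is left to a PA because that system is external to the page.

```python
import csv, os, sqlite3, tempfile
# Added example, not the patent's code. Assumed: databases 0/1/2 are in-memory
# sqlite3 stand-ins for the storage resource module; files live in a temp dir.
DBS = {n: sqlite3.connect(":memory:") for n in range(3)}
WORKDIR = tempfile.mkdtemp()

def _ident(name):  # table names are spliced into SQL: accept plain identifiers only
    if name.isidentifier():
        return name
    raise ValueError(f"bad table name: {name!r}")

def SELECT_TO_FILE(num, query, fname, sep):
    """Run `query` on database `num`; write the rows to `fname` separated by `sep`."""
    rows = DBS[num].execute(query).fetchall()
    with open(os.path.join(WORKDIR, os.path.basename(fname)), "w", newline="") as f:
        csv.writer(f, delimiter=sep, lineterminator="\n").writerows(rows)
    return len(rows)

def LOAD_TO_TABLE(num, fname, table, sep):
    """Import a `sep`-delimited file into `table` (columns c0..cN) of database `num`."""
    with open(os.path.join(WORKDIR, os.path.basename(fname)), newline="") as f:
        rows = [r for r in csv.reader(f, delimiter=sep) if r]
    table, db, width = _ident(table), DBS[num], len(rows[0])
    db.execute(f"DROP TABLE IF EXISTS {table}")
    db.execute(f"CREATE TABLE {table} ({', '.join(f'c{i}' for i in range(width))})")
    db.executemany(f"INSERT INTO {table} VALUES ({', '.join('?' * width)})", rows)
    return len(rows)

def SELECT_TO_TABLE(num, query, table):  # materialise `query` as `table`, return row count
    table = _ident(table)
    DBS[num].execute(f"DROP TABLE IF EXISTS {table}")
    DBS[num].execute(f"CREATE TABLE {table} AS {query}")
    return DBS[num].execute(f"SELECT count(*) FROM {table}").fetchone()[0]

INSTRUCTIONS = {f.__name__: f for f in (SELECT_TO_FILE, LOAD_TO_TABLE, SELECT_TO_TABLE)}
PA = {}  # processing agents: computations the instruction set lacks, registered by name

def run_pattern(pattern):  # pattern execution module: interpret (name, args) steps in order
    results = []
    for name, args in pattern:
        func = INSTRUCTIONS.get(name) or PA.get(name)
        if func is None:
            raise ValueError(f"unknown instruction: {name}")
        results.append(func(*args))
    return results

def mine_malicious_domains():
    """Steps (1)-(5) of the pattern on constructed data: malicious IPs -> domain names."""
    DBS[0].executescript("DROP TABLE IF EXISTS eventlog_863917;"
                         "CREATE TABLE eventlog_863917 (ip, kind);")
    DBS[0].executemany("INSERT INTO eventlog_863917 VALUES (?, ?)",
                       [("203.0.113.7", "botnet"), ("203.0.113.9", "trojan")])
    DBS[1].executescript("DROP TABLE IF EXISTS dns; CREATE TABLE dns (client, domain, answer);")
    DBS[1].executemany("INSERT INTO dns VALUES (?, ?, ?)", [
        ("192.0.2.10", "c2.example.test", "203.0.113.7"),
        ("192.0.2.12", "news.example.test", "198.51.100.5")])
    run_pattern([  # after LOAD_TO_TABLE: eventlog c0=ip; dns c0=client, c1=domain, c2=answer
        ("SELECT_TO_FILE", (0, "select * from eventlog_863917", "eventlog.txt", "|")),
        ("LOAD_TO_TABLE", (2, "eventlog.txt", "eventlog", "|")),
        ("SELECT_TO_FILE", (1, "select * from dns", "dns.txt", "|")),
        ("LOAD_TO_TABLE", (2, "dns.txt", "dns", "|")),
        ("SELECT_TO_TABLE", (2, "select distinct d.c1, d.c2 from dns d "
                                "join eventlog e on d.c2 = e.c0", "zoom")),
    ])
    return sorted(r[0] for r in DBS[2].execute("select c1 from zoom"))
```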
The collaborative linkage pattern is then executed by the pattern execution module in the collaborative linkage engine module. Fig. 3 shows the number of malicious hosts mined by collaborative linkage over the five days from 2010-03-14 to 2010-03-18. Fig. 4 shows the number of malicious domain names mined by collaborative linkage over the same five days. Fig. 5 compares, for the five days from 2010-03-14 to 2010-03-18, the number of controlled hosts discovered with and without the collaborative linkage system. As can be seen from Fig. 5, discovery with the collaborative linkage system reduces the miss rate.
Tables 1 to 5 list the instructions provided by the collaborative linkage system of the above embodiment for interaction between the modules and for executing system linkage.
Table 1 Database operation instructions
Table 2 Information interaction instructions
Table 3 Data computation instructions
Table 4 Set operation instructions
Table 5 Dispatch instructions
Although the invention has been described through preferred embodiments, it is not limited to the embodiments described here and also includes the various changes and variations made without departing from the invention.