CN108259511A - Cyberspace threat intelligence sharing system and method - Google Patents
- Publication number: CN108259511A (application number CN201810167666.4A)
- Authority: CN (China)
- Prior art keywords: information, node, level, producers, consumers
- Legal status: Withdrawn (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/302—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
Abstract
The invention discloses a cyberspace threat intelligence sharing system and method suitable for sharing new network security threat intelligence within a large-scale private network. It can aggregate and re-share all kinds of security threat intelligence, widens the range of threat intelligence collection by combining internal sources with external sources, and establishes sharing relationships and transmits data flexibly and dynamically according to the security situation. This greatly improves the ability of the information security management department to handle and respond to security incidents, reduces delay, improves efficiency and avoids the repeated occurrence of similar information security incidents; it has a remarkable effect on further strengthening the security protection capability of information systems, with high economic and social benefit.
Description
Technical field
The present invention relates to the field of information sharing technology, and in particular to a cyberspace threat intelligence sharing system and method.
Background technology
With the wide spread and continued development of cyber threats, automated attack tools and the variety of intrusion methods have greatly reduced the cost of mounting a cyber threat. Faced with today's severe network attack situation, traditional passive security protection methods are increasingly unable to cope.
In recent years, terms such as threat intelligence have risen rapidly and have increasingly become the focus of attention in the network security field. Unlike traditional risk assessment, in a security situation of rapidly developing attack methods and widespread APT activity, security protection that incorporates threat intelligence can achieve more satisfactory results.
At present, the mainstream threat intelligence sharing standards include TAXII, STIX and CybOX; the industry usually uses TAXII for data transmission.
Trusted Automated eXchange of Indicator Information (TAXII) defines a standard for threat intelligence services and message exchange. The standard helps cyber threat intelligence to be shared between different organizations and products/services, so as to achieve the goals of detecting, preventing and mitigating cyber threats.
The TAXII standard defines three sharing models: hub and spoke, source/subscriber, and peer to peer.
Hub and spoke: in the hub-and-spoke sharing model, a central node operated by one organization provides services for all participating nodes. A participating node first sends intelligence to the central node, which then shares it with the other participating nodes. Before sharing the intelligence, the central node may analyze and filter it. In this model, intelligence can flow both from participating nodes to the central node and from the central node to participating nodes. The hub-and-spoke sharing model is shown in Fig. 1.
Source/subscriber: in the source/subscriber sharing model, one organization, as the sole sharer node, provides intelligence to all subscriber nodes. In this model, intelligence can only flow from the sharer node to the subscriber nodes. The source/subscriber sharing model is shown in Fig. 2.
Peer to peer: in the peer-to-peer sharing model, all organizations are peer nodes, and each is both a producer and a consumer of intelligence. In this model, intelligence flows bidirectionally between peer nodes. The peer-to-peer sharing model is shown in Fig. 3.
In China, many industries have their own particularities, which require a more flexible threat intelligence sharing model; directly adopting the three sharing models defined in the TAXII standard cannot meet current needs.
Invention content
In view of the deficiencies of the prior art, the present invention aims to provide a cyberspace threat intelligence sharing system and method that can aggregate and re-share all kinds of security threat intelligence, collect threat intelligence more widely by combining internal sources with external sources, and establish sharing relationships and transmit data flexibly and dynamically according to the actual security situation. At the same time it allows the relevant departments, in an intensive and efficient manner, to carry out security incident analysis, aggregate threat intelligence, provide threat intelligence sharing services and applications, research targeted countermeasures, and carry out threat intelligence exchange, sharing, collaboration and technical cooperation with the relevant national departments and the information network security industry.
To achieve these goals, the present invention adopts the following technical scheme:
A cyberspace threat intelligence sharing system comprising an external network and an internal network. The internal network comprises a central layer, a convergence control layer and a terminal control layer: the central layer consists mainly of a central node, the convergence control layer consists mainly of level-one consumer/producer participating nodes, and the terminal control layer consists mainly of level-two consumer/producer participating nodes, each of which is subordinate to at least one level-one consumer/producer participating node. The external network comprises producer participating nodes.
The central node receives the threat intelligence provided by the producer participating nodes and by the level-one consumer/producer participating nodes, and shares the collected threat intelligence with the level-one consumer/producer participating nodes.
The producer participating nodes provide threat intelligence; they are organizations that supply threat intelligence, such as vendors that provide threat situation data.
The level-one consumer/producer participating nodes provide threat intelligence to the central node, receive the threat intelligence shared by the central node, and share threat intelligence with the other level-one consumer/producer participating nodes.
The level-two consumer/producer participating nodes provide threat intelligence to the level-one consumer/producer participating nodes.
The method of sharing threat intelligence using the above cyberspace threat intelligence sharing system is specifically as follows:
When the central node receives threat intelligence provided by a producer participating node in the external network, it uses the information in that intelligence about the software or operating systems that may be affected to search the operating system and software entries in the central node's asset list, and sends the threat intelligence to the level-one consumer/producer participating nodes that have deployed the possibly affected operating systems or software.
The asset list includes the name of each system and software item, and the level-one producer/consumer participating nodes and level-two producer/consumer participating nodes that have deployed those systems and software.
When a level-one consumer/producer participating node in the convergence control layer discovers threat intelligence X for the first time, it sends X to the central node. The central node, according to the information in X about the software or operating systems that may be affected, searches the operating systems and related software in the asset list it stores and sends X to the other level-one consumer/producer participating nodes that have deployed the possibly affected software or operating systems.
When a level-two consumer/producer participating node in the terminal control layer discovers threat intelligence Y, it sends Y to the level-one consumer/producer participating node it is subordinate to. That level-one node, according to the information in Y about the software or operating systems that may be affected, sends Y to the other level-two consumer/producer participating nodes subordinate to it that have deployed the possibly affected software or operating systems.
Further, each level-one consumer/producer participating node in the convergence control layer can view the level-one consumer/producer participating nodes relevant to threat intelligence X and stores them in the form of an information table. When the level-one consumer/producer participating node that first discovered X discovers X again, it uses the information in its information table directly to send X to the central node and to the relevant level-one consumer/producer participating nodes.
Further, after the level-one consumer/producer participating node that first discovered threat intelligence X has discovered X again and, using the information in its information table directly, has sent X to the central node and to the relevant level-one consumer/producer participating nodes, the central node, according to the information in the received X about the software or operating systems that may be affected, searches the operating system and software entries in the asset list it stores and verifies whether the relevant level-one consumer/producer participating nodes to which the sending level-one node transmitted X include all the level-one consumer/producer participating nodes that have deployed the possibly affected software or systems.
Further, the information table includes the timestamp at which threat intelligence X was sent. Each level-one consumer/producer participating node periodically synchronizes information with the central node, and the synchronization period is determined by the timestamp in the information table.
The beneficial effects of the present invention are: all kinds of security threat intelligence can be aggregated and re-shared; threat intelligence is collected more widely by combining internal sources with external sources; sharing relationships are established and data is transmitted flexibly and dynamically according to the actual security situation; and at the same time the relevant departments are enabled, in an intensive and efficient manner, to carry out security incident analysis, aggregate threat intelligence, provide threat intelligence sharing services and applications, research targeted countermeasures, and carry out threat intelligence exchange, sharing, collaboration and technical cooperation with the relevant national departments and the information network security industry.
Description of the drawings
Fig. 1 is a schematic diagram of the prior-art hub-and-spoke sharing model;
Fig. 2 is a schematic diagram of the prior-art source/subscriber sharing model;
Fig. 3 is a schematic diagram of the prior-art peer-to-peer sharing model;
Fig. 4 is an overall schematic diagram of the embodiment of the present invention.
Specific embodiment
The invention is further described below with reference to the accompanying drawings. It should be noted that the following embodiment is premised on this technical scheme and gives a detailed implementation and a specific operating process, but the scope of protection of the present invention is not limited to this embodiment.
As shown in Fig. 4, a cyberspace threat intelligence sharing system comprises an external network and an internal network. The internal network comprises a central layer, a convergence control layer and a terminal control layer: the central layer consists mainly of a central node, the convergence control layer consists mainly of level-one consumer/producer participating nodes, and the terminal control layer consists mainly of level-two consumer/producer participating nodes, each of which is subordinate to at least one level-one consumer/producer participating node. The external network comprises producer participating nodes.
In this embodiment, the convergence control layer includes four level-one consumer/producer participating nodes, namely participating nodes 1, 2, 3 and 4. The level-two consumer/producer participating nodes subordinate to participating node 1 are participating nodes 1-1, 1-2, 1-3 and 1-4; those subordinate to participating node 4 are participating nodes 4-1, 4-2, 4-3 and 4-4. The external network has four producer participating nodes.
The central node receives the threat intelligence provided by the producer participating nodes and by the level-one consumer/producer participating nodes, and shares the collected threat intelligence with the level-one consumer/producer participating nodes. The central node may be the security responsibility department within the unit that uses the threat intelligence.
The producer participating nodes provide threat intelligence; they are organizations that supply threat intelligence, such as vendors that provide threat situation data.
The level-one consumer/producer participating nodes provide threat intelligence to the central node, receive the threat intelligence shared by the central node, and share threat intelligence with the other level-one consumer/producer participating nodes.
The level-two consumer/producer participating nodes provide threat intelligence to the level-one consumer/producer participating nodes.
The level-one and level-two consumer/producer participating nodes are internal departments of the unit that uses the threat intelligence.
Further, an asset list is stored in the central node. The asset list includes the name of each system and software item, and the level-one producer/consumer participating nodes and level-two producer/consumer participating nodes that have deployed those systems and software. In this embodiment, the form of the asset list is shown in Table 1.
Table 1: Central node asset list
When the central node receives threat intelligence provided by a producer participating node in the external network, it uses the information in that intelligence about the software or operating systems that may be affected to search the operating system and software entries in the central node's asset list, and sends the threat intelligence to the level-one consumer/producer participating nodes that have deployed the possibly affected operating systems or software. This sharing mode widens the sources of threat intelligence while effectively preventing information leakage from the internal network, and so keeps information exchange at the boundary of a large-scale private network secure.
When a level-one consumer/producer participating node in the convergence control layer (for example participating node 1 in Fig. 4) discovers threat intelligence X for the first time, it sends X to the central node. The central node, according to the information in X about the software or operating systems that may be affected, searches the operating systems and related software in the asset list it stores and sends X to the other level-one consumer/producer participating nodes that have deployed the possibly affected software or operating systems. Each level-one consumer/producer participating node in the convergence control layer can view the level-one consumer/producer participating nodes relevant to threat intelligence X and stores them in the form of an information table. In this embodiment, the format and content of the information table are shown in Table 2.
Table 2: Information table stored by each level-one consumer/producer participating node
When the level-one consumer/producer participating node that first discovered threat intelligence X (participating node 1) discovers X again, it can use the information in its information table directly to send X to the central node and to the relevant level-one consumer/producer participating nodes. At the same time, the central node, according to the information in the received X about the software or operating systems that may be affected, searches the operating systems and related software in the asset list it stores and verifies whether the relevant level-one consumer/producer participating nodes to which the sending node (participating node 1) transmitted X include all the level-one consumer/producer participating nodes that have deployed the possibly affected software or systems, so as to prevent omissions caused by changes in the information system deployments of the individual level-one consumer/producer participating nodes.
Further, the information table includes the timestamp at which threat intelligence X was sent. Each level-one consumer/producer participating node periodically synchronizes information with the central node, and the synchronization period is determined by the timestamp in the information table. This arrangement can reduce the load on the central node.
The above sharing system and method can greatly reduce the load on the central layer of the internal network and can transmit threat intelligence in a timely and effective manner; it is particularly suitable for situations with many level-one consumer/producer participating nodes.
Further, when a level-two consumer/producer participating node in the terminal control layer (for example participating node 1-1 in Fig. 4) discovers threat intelligence Y, it sends Y to the level-one consumer/producer participating node it is subordinate to (participating node 1). That level-one node, according to the information in Y about the software or operating systems that may be affected, sends Y to the other level-two consumer/producer participating nodes subordinate to it that have deployed the possibly affected software or operating systems.
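The following Python model is added here as an illustration of the sharing method described above (both the method stated in the invention content and the embodiment of Fig. 4); it is not code from the patent. The class and helper names and the sample deployments are constructed. Two assumptions fill in what the page does not state: a level-one node counts as having deployed a piece of software if it or one of its subordinate level-two nodes deployed it (so the asset list holds both levels, as Table 1 says, and level-two hits route to the parent), and the information table of Table 2 is keyed by threat intelligence id and stores the peer node names together with the timestamp of the last send.

```python
# Added example (not from the patent): runnable model of the sharing method above.
# Assumed, because the page does not say: a level-one node "deployed" software if it
# or a subordinate level-two node did; the information table (Table 2) is keyed by
# threat id and holds the peer names plus the timestamp of the last send.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Threat:
    ident: str           # "X", "Y", ...
    affected: frozenset  # software/OS names the intelligence says may be affected

@dataclass
class LevelTwoNode:
    name: str
    deployed: set

@dataclass
class LevelOneNode:
    name: str
    deployed: set
    children: dict                                  # name -> LevelTwoNode
    info_table: dict = field(default_factory=dict)  # threat id -> (peer names, timestamp)
    received: list = field(default_factory=list)

class CentralNode:
    def __init__(self, level_one):
        self.nodes = {n.name: n for n in level_one}
        self.parent_of = {c: n.name for n in level_one for c in n.children}
        self.asset_list = {}  # software/OS -> names of the nodes that deployed it (Table 1)
        for n in level_one:
            for sw in n.deployed:
                self.record_deployment(n.name, sw)
            for c in n.children.values():
                for sw in c.deployed:
                    self.record_deployment(c.name, sw)

    def record_deployment(self, node_name, software):
        self.asset_list.setdefault(software, set()).add(node_name)

    def affected_level_one(self, threat):
        """Search the asset list; a level-two hit resolves to its level-one parent."""
        hits = set()
        for sw in threat.affected:
            for name in self.asset_list.get(sw, ()):
                hits.add(self.parent_of.get(name, name))
        return hits

    def deliver(self, names, threat):
        for name in names:
            self.nodes[name].received.append(threat.ident)

    def receive_external(self, threat):
        """Intelligence provided by a producer node in the external network."""
        targets = self.affected_level_one(threat)
        self.deliver(targets, threat)
        return targets

    def receive_first_discovery(self, threat, sender, now):
        """First report of X: fan out to other affected level-one nodes; sender records them."""
        targets = self.affected_level_one(threat) - {sender}
        self.deliver(targets, threat)
        self.nodes[sender].info_table[threat.ident] = (set(targets), now)
        return targets

    def verify(self, threat, sender, peers_sent):
        """Rediscovery: deliver to any affected level-one node the sender's fan-out missed."""
        missing = self.affected_level_one(threat) - {sender} - set(peers_sent)
        self.deliver(missing, threat)
        return missing

def level_one_discover(node, central, threat, now):
    """First time via the central node; afterwards from the information table, then verify."""
    if threat.ident not in node.info_table:
        return central.receive_first_discovery(threat, node.name, now)
    peers, _ = node.info_table[threat.ident]
    central.deliver(peers, threat)
    missing = central.verify(threat, node.name, peers)
    node.info_table[threat.ident] = (peers | missing, now)
    return peers | missing

def level_two_discover(child_name, parent, threat):
    """Y from a level-two node: its parent forwards to affected sibling level-two nodes."""
    return {c.name for c in parent.children.values()
            if c.name != child_name and c.deployed & threat.affected}

def sync_due(node, threat_id, now, period):
    """Periodic sync with the central node, timed from the information-table timestamp."""
    return now - node.info_table[threat_id][1] >= period

def build_demo():
    """Topology of Fig. 4 (nodes 1..4, children 1-1..1-4, 4-1..4-4); deployments constructed."""
    def l2(name, *sw):
        return LevelTwoNode(name, set(sw))
    kids1 = [l2("1-1", "dbB"), l2("1-2", "osA"), l2("1-3", "webC"), l2("1-4", "osA", "dbB")]
    kids4 = [l2("4-1", "osA"), l2("4-2", "dbB"), l2("4-3", "webC"), l2("4-4", "osA")]
    return CentralNode([LevelOneNode("1", {"osA"}, {c.name: c for c in kids1}),
                        LevelOneNode("2", {"dbB"}, {}),
                        LevelOneNode("3", {"webC"}, {}),
                        LevelOneNode("4", {"osA", "webC"}, {c.name: c for c in kids4})])
```

Running `build_demo()` and then `level_one_discover` twice for the same threat shows the two paths the patent distinguishes: the first call goes through the central node and fills the information table, while the second sends from the table and only asks the central node to verify. Calling `record_deployment` between the two calls models a deployment change, and the verification step then delivers to the node the cached fan-out missed and adds it to the table, which is the omission the description says the verification is there to prevent.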
Those skilled in the art can make various corresponding changes and modifications according to the above technical scheme and concept, and all such changes and modifications shall be construed as falling within the scope of protection of the claims of the present invention.
Claims (5)
1. A cyberspace threat intelligence sharing system, characterized in that it comprises an external network and an internal network; the internal network comprises a central layer, a convergence control layer and a terminal control layer; the central layer consists mainly of a central node, the convergence control layer consists mainly of level-one consumer/producer participating nodes, and the terminal control layer consists mainly of level-two consumer/producer participating nodes, each of which is subordinate to at least one level-one consumer/producer participating node; the external network comprises producer participating nodes;
the central node receives the threat intelligence provided by the producer participating nodes and by the level-one consumer/producer participating nodes, and shares the collected threat intelligence with the level-one consumer/producer participating nodes;
the producer participating nodes provide threat intelligence, being organizations that supply threat intelligence, such as vendors that provide threat situation data;
the level-one consumer/producer participating nodes provide threat intelligence to the central node, receive the threat intelligence shared by the central node, and share threat intelligence with the other level-one consumer/producer participating nodes;
the level-two consumer/producer participating nodes provide threat intelligence to the level-one consumer/producer participating nodes.
2. A method of sharing threat intelligence using the cyberspace threat intelligence sharing system of claim 1, characterized in that it specifically comprises:
when the central node receives threat intelligence provided by a producer participating node in the external network, it uses the information in that intelligence about the software or operating systems that may be affected to search the operating system and software entries in the central node's asset list, and sends the threat intelligence to the level-one consumer/producer participating nodes that have deployed the possibly affected operating systems or software;
the asset list includes the name of each system and software item, and the level-one producer/consumer participating nodes and level-two producer/consumer participating nodes that have deployed those systems and software;
when a level-one consumer/producer participating node in the convergence control layer discovers threat intelligence X for the first time, it sends X to the central node; the central node, according to the information in X about the software or operating systems that may be affected, searches the operating systems and related software in the asset list it stores and sends X to the other level-one consumer/producer participating nodes that have deployed the possibly affected software or operating systems;
when a level-two consumer/producer participating node in the terminal control layer discovers threat intelligence Y, it sends Y to the level-one consumer/producer participating node it is subordinate to; that level-one node, according to the information in Y about the software or operating systems that may be affected, sends Y to the other level-two consumer/producer participating nodes subordinate to it that have deployed the possibly affected software or operating systems.
3. The method according to claim 2, characterized in that each level-one consumer/producer participating node in the convergence control layer can view the level-one consumer/producer participating nodes relevant to threat intelligence X and stores them in the form of an information table; when the level-one consumer/producer participating node that first discovered threat intelligence X discovers X again, it uses the information in its information table directly to send X to the central node and to the relevant level-one consumer/producer participating nodes.
4. The method according to claim 3, characterized in that after the level-one consumer/producer participating node that first discovered threat intelligence X has discovered X again and, using the information in its information table directly, has sent X to the central node and to the relevant level-one consumer/producer participating nodes, the central node, according to the information in the received X about the software or operating systems that may be affected, searches the operating system and software entries in the asset list it stores and verifies whether the relevant level-one consumer/producer participating nodes to which the sending level-one node transmitted X include all the level-one consumer/producer participating nodes that have deployed the possibly affected software or systems.
5. The method according to claim 3, characterized in that the information table includes the timestamp at which threat intelligence X was sent; each level-one consumer/producer participating node periodically synchronizes information with the central node, and the synchronization period is determined by the timestamp in the information table.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810167666.4A CN108259511A (en) | 2018-02-28 | 2018-02-28 | Cyberspace threat intelligence sharing system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108259511A true CN108259511A (en) | 2018-07-06 |
Family
ID=62745222
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810167666.4A Withdrawn CN108259511A (en) | 2018-02-28 | 2018-02-28 | Cyberspace threat intelligence sharing system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108259511A (en) |
Timeline
- 2018-02-28: CN application CN201810167666.4A filed, published as CN108259511A (not active, withdrawn)
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106453235A (en) * | 2016-08-15 | 2017-02-22 | 武汉腾烽信息技术有限公司 | Network security method |
CN107046543A (en) * | 2017-04-26 | 2017-08-15 | 国家电网公司 | A kind of threat intelligence analysis system traced to the source towards attack |
CN107547526A (en) * | 2017-08-17 | 2018-01-05 | 北京奇安信科技有限公司 | The data processing method and device combined a kind of cloud |
Non-Patent Citations (2)
Title |
---|
Gong Yue et al., "Research on threat intelligence usage methods and sharing modes" (威胁情报使用方法和共享方式研究), Proceedings of the 32nd National Computer Security Academic Exchange Conference (第32次全国计算机安全学术交流会论文集) * |
Yang Zeming et al., "Research on threat intelligence sharing and utilization for attack tracing" (面向攻击溯源的威胁情报共享利用研究), Journal of Information Security Research (信息安全研究) * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108900515A (en) * | 2018-07-09 | 2018-11-27 | 赖洪昌 | A kind of cyberspace loophole merger platform data forward service system |
CN108900515B (en) * | 2018-07-09 | 2021-06-04 | 赖洪昌 | Data forwarding service system of network space vulnerability merging platform |
CN111343169A (en) * | 2020-02-19 | 2020-06-26 | 中能融合智慧科技有限公司 | System and method for gathering security resources and sharing information under industrial control environment |
CN114095204A (en) * | 2021-10-14 | 2022-02-25 | 北京天融信网络安全技术有限公司 | Information equipment linkage method based on subscription mechanism, protection center and safety equipment |
CN114095204B (en) * | 2021-10-14 | 2024-03-15 | 北京天融信网络安全技术有限公司 | Subscription mechanism-based information equipment linkage method, protection center and safety equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | |
Application publication date: 20180706