CN113486351A - Civil aviation air traffic control network safety detection early warning platform - Google Patents

Civil aviation air traffic control network safety detection early warning platform

Info

Publication number: CN113486351A
Authority: CN (China)
Application number: CN202010541480.8A
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 唐屹, 陈宝刚, 刘志磊, 李萌, 杨锐, 侯保国, 胡滨
Current assignee: Air Traffic Administration Of China Civil Aviation Administration
Original assignee: Air Traffic Administration Of China Civil Aviation Administration
Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • G06F16/24564 Applying rules; Deductive queries
    • G06F16/2462 Approximate or statistical queries
    • G06F16/2465 Query processing support for facilitating data mining operations in structured databases
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor


Abstract

The application discloses a civil aviation air traffic control network security detection and early warning platform. The system comprises a security information collector, a website and application monitoring center, a situation analysis center and distributed computing storage nodes. The security information collector comprises an asset collector, a log collector, a full-traffic collection system, a vulnerability collector and a security configuration collector; website and application monitoring provides real-time security monitoring; the situation analysis center applies various intelligent analysis methods to the situation elements, perceives the various network security situations and performs security monitoring, and provides a visual display of the security situation and an application interaction interface; the distributed computing storage nodes implement distributed storage, full-text indexing and analysis of security events. With the scheme provided by the invention, a long-term monitoring mechanism and unified website monitoring and early warning can be established, so that centralized management, batch processing and automated security monitoring of the security of each website are realized and the security risks of important websites and information systems are comprehensively summarized.

Description

Civil aviation air traffic control network safety detection early warning platform
Technical Field
The application relates to the technical field of network security, in particular to a civil aviation air traffic control network security detection early warning platform.
Background
When a new generation of threats penetrates a network to steal information, it usually takes multiple measures and passes through multiple stages. Attackers combine web, email and file-based attack vectors. Current firewalls, IPS, anti-virus and web security gateways have little ability to block attackers who use zero-day vulnerabilities, single-use malware and APT-style advanced attack methods.
These blended, multi-phase attacks succeed because traditional security techniques rely on static signature-based or list-based pattern matching. Many zero-day and targeted threats infiltrate systems by hiding newly implanted malware on innocent-looking web pages or in downloadable files such as JPEG pictures and PDF documents; or they send carefully chosen victims personalised phishing mail with seemingly legitimate messages and malicious attachments that exploit zero-day vulnerabilities; or they post a microblog message containing a malicious URL on a social media site. Each time a victim visits the site or opens the attachment, a malware body is installed on the victim's computer. Such malware often carries exploits for multiple unknown vulnerabilities in operating systems, plug-ins, browsers or applications to make sure it gains a foothold in the system.
Eventually the code calls back to the cyber criminal to fetch further instructions and new payloads, or to transmit login credentials, financial data and other valuable information. The criminal may also explore further or add new targets to his botnet.
Besides exploiting their technical advantages, cyber criminals also realise that they can divide and conquer, because traditional defences and IT departments are organised in silos. Traditional security defences typically treat each attack mode as a separate path and examine each phase as a separate event, instead of detecting and analysing the phases and modes as a carefully planned series of network events. Because of the technical and organisational barriers inside the IT department, a watering-hole site infection looks like a random event caused by an end user's poor decision to visit a suspicious site; it cannot be traced back to the original spear-phishing mail that fooled the user and launched the multi-stage, advanced, targeted attack. Thus, through multiple stages of web and mail attacks, cyber criminals can take data without being discovered by the defenders until late.
The prior art generally protects network security in the following ways:
Firewall: the firewall detects and controls HTTP and web traffic according to policy rules; the next-generation firewall adds policy rules based on users and applications and strengthens traditional protections such as IPS and AV, but adds no dynamic detection of traffic content or behaviour.
IPS: signatures, packet inspection, DNS resolution and heuristic analysis do not detect an unusual attack that exploits zero-day vulnerabilities, especially when the malicious code is heavily obfuscated or delivered in segments.
Anti-virus: when the malware and its exploit are unknown (zero-day) and the website has a normal reputation, traditional anti-virus gateways and web filters let them pass.
Anti-spam: fake phishing sites use constantly changing domain names and web addresses, so blacklists lag behind the changes of phishing sites, and the average time needed to take down a phishing site exceeds 26 hours.
Web filtering: most outbound filters block adult content or time-consuming entertainment sites, and fewer than one quarter of businesses restrict social networking sites. In addition, dynamic URLs, compromised legitimate websites and short-lived addresses make static URL blacklists obsolete.
Data Leak Prevention (DLP): DLP tools are mainly aimed at personally identifiable information (PII) such as identification numbers, social security numbers, licence numbers or health data. Their quality depends on their rules, and detecting leakage of credentials or intellectual property is far more granular and tedious. Moreover, encryption of the outbound channel hides the leaked content, and the static detection method used on the outbound channel does not match the dynamic nature of the new generation of threats.
From the above, the prior art has the following defects for network security:
(1) Traditional security equipment is not integrated: users deploy dozens of types of security equipment from different manufacturers, the number of alarms is huge, and real threats are submerged in massive alarm and log information and hard to find.
(2) Abnormal files and new threats are hard to discover: the filtering and dynamic detection capabilities for files and mail are insufficient, and hidden malicious code and behaviour cannot be found.
(3) Threat intelligence capability is weak: new threats such as outbound connections to malicious URLs or IPs, highly persistent APT attacks and low-frequency account brute-forcing are not found in time.
(4) Internal threats are hard to protect against: insider data exfiltration and springboard (pivot) attacks cannot be effectively detected and discovered.
(5) Lack of rapid tracing means: analysis of massive logs is inefficient, visualisation capability is poor, and the difficulty and duration of event tracing increase.
Disclosure of Invention
The application provides a civil aviation air traffic control network security detection and early warning platform comprising a security information collector, a website and application monitoring and situation analysis center, and distributed computing storage nodes, wherein the various collectors, the website and application monitoring and situation analysis center, and the distributed computing nodes are deployed in the internal network and the external network respectively;
the security information collector comprises an asset collector, a log collector, a full-traffic collection system, a vulnerability collector and a security configuration collector;
website and application monitoring specifically provides 7x24-hour real-time security monitoring of website applications for the website group and apps using remote monitoring technology, and 7x24-hour real-time security monitoring of intranet websites and applications for the management information network using intranet-deployed monitoring technology;
the situation analysis center stores the various security situation element data, analyses the situation elements with various intelligent analysis methods, perceives the various network security situations, performs security monitoring, finds security problems, and performs early warning and response; it provides a visual display of the security situation and an application interaction interface; and it centrally manages the distributed computing storage nodes dispersed across the network;
the distributed computing storage nodes are installed and run on independent servers to implement distributed storage, full-text indexing and analysis of security events; as the data scale keeps growing, horizontal expansion is performed by adding distributed computing storage nodes.
In the civil aviation air traffic control network security detection and early warning platform above, the asset collector covers servers, network equipment, security equipment, databases, application systems and the like, and can automatically scan and detect the assets in the network and identify them accurately;
the log collector collects the logs and events of the various network devices, security devices and special-purpose security analysis systems that are already deployed across the whole network or are to be deployed in the project;
the full-traffic collection system, through key node positions deployed in the extranet and intranet, collects the full traffic from the mirror ports of the area switches of the extranet, the intranet, the home network and the AFTN (Aeronautical Fixed Telecommunication Network) system, performs deep packet inspection, deep flow inspection and deep content inspection on the data, and discovers the network-layer and application-layer security threats and attacks in the traffic;
the vulnerability collector is the planned and constructed network vulnerability scanning system; the platform drives the vulnerability scanner and collects the asset vulnerabilities discovered across the whole network;
the security configuration collector collects the security configuration information of the terminals, servers, network equipment, security equipment, databases, middleware and application systems across the whole network and analyses security configuration compliance.
From the viewpoint of architecture design, the civil aviation air traffic control network security detection and early warning platform comprises a functional application layer, a scene analysis layer and a monitoring and early warning sub-platform;
the functional application layer comprises a security monitoring module, a security inspection module, a risk assessment module, an emergency response module, a security threat early warning module, a security configuration checking module, a report management module and an information resource management module;
the scene analysis layer defines the analysis method of the security monitoring and early warning system, which is described by separate definitions of the analysis engine, the analysis scenes and the analysis output; the analysis engine provides the computing power for scene analysis and comprises the analysis algorithms, an offline computing engine and a real-time computing engine; the analysis scenes comprise a network threat analysis scene for external attack analysis, a system security analysis scene, and a user behaviour analysis scene for internal threat analysis; the analysis output comprises the comprehensive security situation display, real-time attack situation display, malicious operation situation display, abnormal traffic situation display and attack profile display;
the monitoring and early warning sub-platform is a security big data center with independent service capability; it collects, processes, aggregates, stores and retrieves the various kinds of security data and provides a data subscription interface.
In the platform above, the analysis algorithms of the analysis engine comprise correlation analysis, statistical analysis and data mining: security event correlation analysis performs feature matching analysis on multiple heterogeneous events with a rule-matching method; event statistical analysis uses statistical methods to calculate the state, frequency and occurrence period of the various events, obtaining the distribution, main characteristics, time-series trend, presence of outliers and summary of the event data; data mining is the process of extracting, and further modelling, previously unknown but potentially useful information and knowledge for a given business objective from a large, incomplete, noisy, fuzzy and random mass of actual application data;
the offline computing engine in the analysis engine is the core data storage area of the whole big data center; it stores the full volume of historical detail data and performs all offline computation;
the real-time computing engine in the analysis engine uses a distributed real-time computing architecture, can dynamically adjust storage capacity, and separates the reads and writes of analysis data from the offline data.
In the platform above, the analysis scenes comprise a network threat analysis model, an abnormal security traffic detection model, a system malicious operation analysis model and a threat intelligence analysis model;
network threat analysis model: by filtering and analysing raw data in the network such as security device alarm logs and system logs, the overall attack situation in the network and systems is counted and analysed, and clear alarm information, trend early warning information after analysis and prediction, and network threat situation information are output;
abnormal security traffic detection model: a traffic baseline of the important asset application systems is described through traffic data, security device log analysis and big data machine learning; the points in time at which abnormal traffic behaviour occurs are determined from the characteristics of network traffic changes; the traffic behaviour feature parameters at each such point in time are analysed to find the target IP address corresponding to the abnormal behaviour; the traffic related to the abnormal behaviour is extracted and comprehensively analysed, and abnormal traffic attack behaviour is found;
system malicious operation analysis model: by filtering and analysing the raw data of system alarm logs and system security logs in the system resources, the attacks within the systems are counted and analysed, and clear alarm information, early warning information after analysis and prediction, and system security threat situation information are output;
threat intelligence analysis model: analysis rules are created automatically from machine-readable threat intelligence obtained from the cloud, and the data collected in the local network is compared against them in real time to find suspicious connection behaviour; meanwhile, historical data can be compared against the threat intelligence to find APT attacks that have already occurred or botnet hosts in the local network, and security events can be traced back using the intelligence.
In the platform above, the network threat analysis model specifically comprises attack detection analysis, brute-force cracking detection analysis, web attack detection analysis, malicious scanning detection analysis and malicious program detection analysis;
attack detection analysis performs multi-dimensional statistical analysis after standardising the raw data of attacks from the Internet, outputs alarms, situation and trend early warnings according to the different analysis results, and supports the display of the network threat situation and security alarm monitoring;
brute-force cracking detection analysis uses data comparison and analysis to detect some password-guessing attacks that the security equipment does not discover, including attacks that guess the higher-probability passwords;
web attack detection analysis performs detection and analysis on security device attack alarm logs, web traffic, website logs, web middleware access logs, web server logs and the like, counts and analyses the overall situation of attacks suffered by the website such as CC attacks, injection attacks, WebShell attacks and cross-site attacks, and predicts the likely web attack situation from the historical situation;
malicious program detection and analysis identifies malicious programs in the network by analysing the alarm logs and network traffic of the security devices, and performs statistical analysis of the threat situation.
In the platform above, the monitoring and early warning sub-platform comprises a data acquisition layer, a data processing layer, a data collection layer and a data interface layer; the data acquisition layer defines the data sources and collection objects of threat analysis and stores the various security data centrally; the data processing layer cleans, filters, standardises, correlates and completes, and tags the collected raw data to form standardised data, standardising the data format at each stage; the target storage location of the standardised security data is defined, the raw data and the standardised data are retrieved intelligently through the data collection layer, and the ability to provide data externally is realised through the data interface layer.
In the platform above, the monitoring and early warning sub-platform adapts to the various collected data sources and must support various collection protocols so as to collect the various data, including security object attributes, running states, security events, and evaluation and detection data; to collect the attributes, running states, security events and evaluation and detection data of the security objects, a corresponding collection frequency and a corresponding adapted protocol are set for each type of data.
In the platform above, data processing specifically comprises: cleaning/filtering, standardising, correlating and completing, and tagging the collected data, then loading the standardised data into the data store;
data cleaning/filtering supports conversion and processing of data to deal with inconsistent data formats, data entry errors and incomplete data, where the data conversion components comprise field mapping, data filtering, data cleaning, data replacement, data calculation, data verification, data encryption and decryption, data merging and data splitting;
data standardisation applies uniform formatting to the heterogeneous raw data so that it meets the data format definition of the monitoring and early warning sub-platform, and stores the standardised raw logs;
data correlation and completion forms complete data by correlating and completing the collected data according to the relationships between them, enriching the data to facilitate later statistical analysis;
data tagging marks the raw data, on the basis of the correlated and completed data, with information such as the business system the data belongs to and the device type;
data collection storage classifies and stores the different types of collected data to meet the needs of data analysis, supports storage of multiple data formats and provides multiple storage modes.
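As an added example that is not part of the patent, the Python below walks the data processing chain described above (clean/filter, standardise, correlate/complete, tag) and then applies two of the analysis methods named earlier in the scene analysis layer: rule matching against machine-readable threat intelligence, and event frequency statistics of the kind brute-force cracking detection relies on. The two log formats, the asset inventory, the indicator value and the threshold are all constructed for illustration.

```python
"""Added example, not code from the patent: a minimal version of the
monitoring sub-platform's data processing chain (clean/filter,
standardize, correlate/complete, tag) followed by two analysis methods
the scene analysis layer names: rule matching against machine-readable
threat intelligence and event frequency statistics for brute-force
detection. All log lines, asset records, indicator values and thresholds
below are constructed for illustration."""
import re
from collections import Counter

# Constructed raw logs from two heterogeneous sources: a firewall with a
# pipe-delimited format and a Linux sshd auth log. They stand in for the
# "original data" the log collector would deliver.
RAW_LOGS = [
    "fw|2024-05-01T08:00:01Z|deny|src=10.1.2.3|dst=203.0.113.9|dport=443",
    "fw|2024-05-01T08:00:02Z|allow|src=10.1.2.4|dst=198.51.100.7|dport=80",
    "fw|garbled line with no fields",
    "May  1 08:00:03 gw sshd[411]: Failed password for root from 10.1.2.3 port 5122 ssh2",
    "May  1 08:00:04 gw sshd[412]: Failed password for root from 10.1.2.3 port 5123 ssh2",
    "May  1 08:00:05 gw sshd[413]: Failed password for admin from 10.1.2.3 port 5124 ssh2",
    "May  1 08:00:06 gw sshd[414]: Accepted password for ops from 10.1.2.4 port 5200 ssh2",
]

# Constructed asset inventory, the kind of record the asset collector
# would supply for correlation/completion and tagging.
ASSETS = {
    "10.1.2.3": {"system": "ops-workstation", "type": "terminal"},
    "10.1.2.4": {"system": "aftn-gateway", "type": "server"},
}

# Constructed machine-readable threat intelligence: indicator -> label.
THREAT_INTEL = {"203.0.113.9": "constructed C2 indicator"}

FW_RE = re.compile(
    r"^fw\|(?P<ts>[^|]+)\|(?P<action>\w+)\|src=(?P<src>[\d.]+)"
    r"\|dst=(?P<dst>[\d.]+)\|dport=(?P<dport>\d+)$"
)
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)


def standardize(line):
    """Clean/filter + standardize: map one raw line onto a common schema.
    Returns None for lines that fit no known format; they are dropped."""
    m = FW_RE.match(line)
    if m:
        return {"source": "firewall", "ts": m["ts"], "event": "conn_" + m["action"],
                "src": m["src"], "dst": m["dst"], "user": None}
    m = SSH_RE.search(line)
    if m:
        return {"source": "sshd", "ts": line[:15],
                "event": "login_" + m["result"].lower(),
                "src": m["src"], "dst": None, "user": m["user"]}
    return None


def enrich(event):
    """Correlate/complete + tag: attach the asset record for the source
    address and label the event with its business system and device type."""
    asset = ASSETS.get(event["src"])
    if asset:
        event["tags"] = {"system": asset["system"], "asset_type": asset["type"]}
    else:
        event["tags"] = {"system": "unknown", "asset_type": "unknown"}
    return event


def process(raw_lines):
    """The whole chain: raw lines in, standardized and tagged events out."""
    return [enrich(e) for e in map(standardize, raw_lines) if e is not None]


def threat_intel_matches(events):
    """Rule matching: any connection whose destination is a known
    indicator is reported as (src, dst, indicator label)."""
    return [(e["src"], e["dst"], THREAT_INTEL[e["dst"]])
            for e in events if e["dst"] in THREAT_INTEL]


def brute_force_sources(events, threshold=3):
    """Statistical analysis: failed logins per source address; sources
    at or above the (constructed) threshold are brute-force candidates."""
    fails = Counter(e["src"] for e in events if e["event"] == "login_failed")
    return {src: n for src, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    events = process(RAW_LOGS)
    print(len(events), "standardized events from", len(RAW_LOGS), "raw lines")
    print("threat intel hits:", threat_intel_matches(events))
    print("brute-force candidates:", brute_force_sources(events))
```

The garbled firewall line is dropped at the cleaning step rather than carried into analysis, which is the point of standardising before matching.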
In the platform above, the data storage modes comprise relational data storage, distributed full-text retrieval, distributed file storage and a distributed message bus;
relational data storage: small data volume and short change cycle; it stores two-dimensional (tabular) data and supports deployment of mainstream relational databases;
distributed full-text retrieval: stores the data for which full-text retrieval must be provided externally, implements retrieval over that data, and performs exact, fuzzy, range and multi-condition combined retrieval over massive data;
distributed file storage: stores the collected raw data and the standardised data after ETL, and can store data of all kinds;
distributed message bus: provides a distributed message processing mechanism with high-throughput, high-concurrency message publishing and subscription for real-time data processing; the distributed message bus implements monitoring of real-time data and online processing of message distribution.
The beneficial effects achieved by this application are as follows: with the civil aviation air traffic control network security detection and early warning platform provided by the application, a long-term monitoring mechanism and unified website monitoring and early warning can be established, so that centralized security management, batch processing and automated security monitoring of the important websites of each enterprise and public institution are realized and the security risks of the important websites and information systems are comprehensively summarized. Big data is mined and analysed on the basis of the basic data from monitoring, inspection and reporting to informatise information system security management work.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention, and other drawings can be derived from them by those skilled in the art.
Fig. 1 is a structural design diagram of a security monitoring and early warning system according to an embodiment of the present disclosure;
Fig. 2 is the analysis scenario layout;
Fig. 3 is a block diagram of the monitoring and early warning sub-platform;
Fig. 4 is a data flow diagram of the monitoring and early warning sub-platform;
Fig. 5 is a schematic diagram of the data interface of the monitoring and early warning sub-platform.
Detailed Description
In the following, the technical solutions in the embodiments of the present invention are described clearly and completely with reference to the drawings of the embodiments; obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
To overcome the defects of the prior art, the embodiment of the application provides a civil aviation air traffic control network security detection and early warning platform; by establishing a long-term monitoring mechanism and unified website monitoring and early warning, centralized security management, batch processing and automated security monitoring of the important websites of each enterprise and public institution are realized, and the security risks of the important websites and information systems are comprehensively summarized. Big data is mined and analysed on the basis of the basic data from monitoring, inspection and reporting to informatise information system security management work.
Example one
The embodiment of the application provides a civil aviation air traffic control network security detection early warning platform, which comprises a security information collector, a website, an application monitoring center, a situation analysis center and distributed computing storage nodes, wherein the various collectors, the website, the application monitoring center, the situation analysis center and the distributed computing nodes are respectively deployed in an internal network and an external network; the components are described in detail below:
(1) The security information collectors comprise an asset collector, a log collector, a full-flow acquisition system, a vulnerability collector and a security configuration collector;
the asset collector covers servers, network equipment, security equipment, databases, application systems and the like; it can automatically scan and detect the assets in the network and accurately identify them;
the log collector collects the logs and events of the network devices, security devices and dedicated security analysis systems already deployed across the whole network and those to be deployed in the project;
the full-flow acquisition system acquires full-flow data from the mirror ports of the area switches of the extranet, the intranet and the AFTN (Aeronautical Fixed Telecommunication Network) system at key node positions deployed in the extranet and intranet, performs deep packet inspection, deep flow inspection and deep content inspection on the data, and finds the network-layer and application-layer security threats and attacks in the traffic;
the vulnerability collector is the planned network vulnerability scanning system; the platform drives the vulnerability scanner and collects the asset vulnerabilities discovered across the whole network;
the security configuration collector collects the security configuration information of the terminals, servers, network equipment, security equipment, databases, middleware and application systems of the whole network and analyzes security configuration compliance.
The full-flow acquisition system is delivered as hardware; the other collectors can be delivered as either software or hardware. The five types of security information collectors collect security-related information such as assets, logs, traffic and performance according to a collection policy, upload it to the situation analysis center according to a transmission policy, and are all managed uniformly by the situation analysis center.
(2) Website and application monitoring
Specifically, for the website group and the APP, a remote monitoring technology is adopted to provide 7 × 24-hour real-time security monitoring of website applications. This includes web page Trojan monitoring, which quickly and accurately discovers and locates Trojan implantation in web pages. Web page tampering monitoring provides all-round protection of the WEB site directory and prevents hackers, viruses and the like from illegally tampering with or damaging the web pages, electronic documents, pictures, databases and other files in the directory. Website availability monitoring effectively monitors availability problems such as domain name hijacking and DNS poisoning, so that security administrators have a detailed perception of website availability. Web page keyword monitoring checks the website for sensitive keywords, achieves accurate sensitive-word identification and ensures that the website content meets the relevant Internet regulations.
For the management information network, an intranet deployment monitoring technology is adopted to provide 7 × 24-hour real-time security monitoring of intranet websites and applications. This includes vulnerability scanning of website applications, which quickly and accurately discovers and locates web page vulnerabilities. Web page tampering monitoring provides all-round protection of the WEB site directory and prevents hackers who have entered the intranet by some specific means from illegally tampering with or damaging the web pages, electronic documents, pictures, databases and other files in the website and application directories. Website change and availability monitoring effectively monitors changes to web pages or web page images, so that security administrators have a detailed perception of website changes and availability. Web page keyword monitoring checks the website for sensitive keywords, achieves accurate sensitive-word identification and ensures that the website content conforms to the relevant regulations on intranet data release.
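The web page tampering and keyword monitoring described above can be reduced to a snapshot-and-compare check over the site directory. The following is an added example (not code from the patent or from the platform it describes): it hashes every file under a site root, compares a later snapshot against that baseline, and scans the current page text for a configured keyword list. The site files, the injected iframe, the unexpected file and the keyword list are all constructed for the demonstration.

```python
"""Added example: hash-baseline web page tampering monitor plus keyword check."""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots of the site directory."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def find_keywords(text: str, keywords) -> list:
    """Return the configured sensitive keywords that occur in the page text (case-insensitive)."""
    lowered = text.lower()
    return sorted(k for k in keywords if k.lower() in lowered)


def demo() -> dict:
    """Build a constructed site, take a baseline, simulate tampering and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "img").mkdir()
        (root / "img" / "logo.png").write_bytes(b"\x89PNG constructed sample bytes")
        baseline = build_baseline(root)

        # Constructed tampering: an injected iframe, an unexpected new file, a deleted image.
        (root / "index.html").write_text(
            '<html><body>Welcome<iframe src="http://example.invalid/"></iframe></body></html>'
        )
        (root / "extra.html").write_text("<!-- constructed unexpected file -->")
        (root / "img" / "logo.png").unlink()

        report = compare(baseline, build_baseline(root))
        # Keyword monitoring runs on the current page content; the keyword list is a placeholder.
        report["keywords"] = find_keywords((root / "index.html").read_text(), ["iframe", "placeholder-word"])
        return report


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored outside the web server's reach and refreshed only through the release process, so that an attacker who can write to the site directory cannot also rewrite the reference hashes.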
(3) The situation analysis center is the core software of the system. It stores the various security situation element data, analyzes the situation elements with a variety of intelligent analysis methods, perceives the various network security situations, performs security monitoring, finds security problems, and issues early warnings and responses. The situation analysis center also provides a visual display of the security situation and an interactive application interface. The low-level data processing of the situation analysis center uses distributed computing and search engine technology to process log data and traffic metadata; it supports horizontal elastic expansion, can run on a single node, and can expand computing and storage resources by forming a cluster of multiple nodes.
(4) The distributed computing storage nodes are used in scenarios with massive logs and traffic metadata. When the data scale keeps growing and a single-node situation analysis center can no longer meet the data storage and analysis requirements, horizontal expansion is performed by adding distributed computing storage nodes. These nodes support elastic expansion: the number of nodes can be increased or decreased flexibly according to the data scale; redundant data storage is provided, the number of data copies can be set according to the data reliability requirement, multiple copies of the data are stored on different nodes, and configuration is flexible and simple. The distributed computing storage nodes can be installed and run on independent servers, and realize distributed storage, full-text indexing and analysis of security events. The situation analysis center centrally manages the distributed computing storage nodes dispersed across the network.
In the embodiment of the application, full-flow acquisition engines are deployed on the AFTN (Aeronautical Fixed Telecommunication Network) system and on the meteorological and information production systems; after primary processing, the data are gathered into the security monitoring and early warning system through an internal exchange platform;
FIG. 1 is a structural design diagram of the security monitoring and early warning system. As shown in FIG. 1, the security monitoring and early warning system comprises a function application layer, a big data analysis layer and a monitoring and early warning sub-platform. Horizontally, the system uses the full-flow acquisition, website security monitoring, comprehensive log acquisition and remote security evaluation sub-modules to acquire, process and analyze data, perceive the situation, and report and issue early warnings; the system currently also has the capability to guarantee security monitoring on a global scope. Vertically, it covers the management information network of the local organization and its affiliated units;
(1) The function application layer carries the main purposes of the security monitoring and early warning system. It comprises a security monitoring module, a security inspection module, a risk assessment module, an emergency response module, a security threat early warning module, a security configuration checking module, a report management module, an information resource management module and the like, and also provides the system management entry and the related interfaces of the platform. By establishing an integrated comprehensive management platform for the network security situation, the management of graded protection inspection is realized, a reporting, early warning and emergency response mechanism is established, and information sharing is achieved by building a 7 × 24-hour, all-weather, all-round monitoring system with network security situation perception and analysis capability;
(2) The scene analysis layer, i.e. the big data analysis layer, defines the analysis method of the security monitoring and early warning system; the method is defined in terms of an analysis engine, analysis scenes and analysis output;
the analysis engine provides analysis computing power for scene analysis, and comprises an analysis algorithm, an offline computing engine and a real-time computing engine;
Specifically, the analysis algorithms comprise correlation analysis, statistical analysis and data mining. Security event correlation analysis is the process of performing feature matching analysis on multiple heterogeneous events using a rule-matching method and drawing an event analysis conclusion when the conditions of an association rule are met. It provides rule-based, statistics-based and asset-based correlation analysis, and can eliminate false alarms, infer event sources and redefine security event levels. Event statistical analysis uses statistical methods to compute the quantitative characteristics of event data such as the state, frequency and occurrence period of various events, and obtains the distribution, main characteristics, time-series trend, presence of outliers and summary results of the event data; the results can be used directly to judge, explain and decide on the nature of events. Data mining is the process of extracting, for a given business objective, previously unknown but potentially useful information and knowledge from large amounts of incomplete, noisy, fuzzy and random application data, and modelling it further. The mainstream algorithms include cluster analysis, association analysis, decision tree analysis and regression analysis, which support classification, clustering and association analysis.
The offline computing engine is an offline storage and computing cluster. It is the core data storage area of the whole big data center, stores the full historical detail data, and all offline services are computed there. The basic scene analysis uses a Hadoop cluster for full data storage, and uses components such as HBase and Hive to provide high-performance data access.
The real-time computing engine adopts a distributed real-time computing architecture whose storage capacity can be adjusted dynamically. Because of its high availability and read/write separation, data reading and writing can be separated from offline data analysis, which improves efficiency. The input data stream is split into time slices (at the second level), and the data of each time slice are then processed in batch mode.
FIG. 2 is a design diagram of the analysis scenes. The analysis scenes comprise a network threat analysis scene, a system security analysis scene and a user behavior analysis scene for internal threat analysis, and use big data analysis technology to detect the main security threats and attack events present in air traffic control. Situation security analysis of the internal and external security threat state of air traffic control is performed from the three dimensions of network threat analysis, system security analysis and user behavior analysis, using the security logs and basic information of the air traffic control service information systems. At the same time, potential attack behaviors against air traffic control are identified using security threat intelligence. The monitoring and early warning scenes of the information system provide data support for upper-layer applications such as security situation display, security alarm monitoring and security threat intelligence management.
As shown in FIG. 2, the analysis scenes comprise a network threat analysis model, an abnormal traffic detection model, a system malicious operation analysis model and a threat intelligence analysis model;
Specifically, the network threat analysis model: by filtering and analyzing raw data such as security device alarm logs and system logs in the network, the overall attack situation in the network and the systems is counted and analyzed, and clear alarm information, trend early warning information after analysis and prediction, and situation information on network threats are output. Attacks are profiled along the two dimensions of assets and attacks, identifying the attackers and the attacked state of the assets. The model specifically comprises attack detection analysis, brute force cracking detection analysis, Web attack detection analysis, malicious scanning detection analysis and malicious program detection analysis;
attack detection analysis standardizes the raw data of attacks from the Internet, performs multi-dimensional statistical analysis, and outputs alarms, situation and trend early warnings according to the different analysis results; it supports the network threat situation and security alarm monitoring displays;
brute force cracking detection analysis uses a data comparison and analysis approach; it can detect some password guessing attacks that the security devices did not discover, and can predict the likely occurrence of password guessing attacks. Specifically, password guessing attack detection analysis examines system login logs and security device (IDS/IPS, WAF) alarm logs, counts and analyzes the overall situation of password guessing attacks, and predicts the situations in which password guessing attacks may occur;
Web attack detection analysis examines security device attack alarm logs, WEB traffic, WEB site logs, WEB middleware access logs, WEB server logs and the like, counts and analyzes the overall situation of attacks suffered by the WEB sites such as CC attacks, injection attacks, WebShell attacks and cross-site attacks, and predicts likely WEB attacks from the historical situation. Specifically, the WEB attack alarm logs are extracted from the security device alarm logs, and, based on the WEB access logs, a detection algorithm examines the access requests in the WEB component access logs (such as the URL, access parameters and access type), identifies the WEB attack events they contain, and outputs alarm information;
malicious scanning detection analysis mainly concerns scanning attacks against WEB sites or specific ports. It statistically analyzes the overall situation of malicious scanning against WEB sites or specific ports by analyzing security device alarm logs, network traffic, WEB site logs and server logs, and predicts the situations in which malicious scanning may occur. Specifically, based on the security device alarm logs, the WEB site logs and the server logs, the source IP and the scanned port are used as the unique identifier, and malicious scanning against the WEB or the host is analyzed and identified according to the different scanning characteristics.
Malicious program detection analysis identifies the malicious programs in the network by analyzing security device alarm logs and network traffic, and performs statistical analysis of the threat situation, for example by detecting and analyzing the attack behavior of Trojan horse programs and predicting the situations in which malicious program attacks may occur.
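The brute force cracking detection and malicious scanning detection described above both reduce to windowed counting keyed on the source IP: repeated login failures from one source for the first, and many distinct destination ports from one source for the second. The following is an added example (not code from the patent or from the platform it describes) that runs both detections over a constructed, already-normalized log sample; the line format, thresholds and addresses (taken from documentation ranges) are assumptions for the demonstration.

```python
"""Added example: brute-force and malicious-scan detection over constructed security logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (a stand-in for normalized login and connection events):
#   <ISO timestamp> auth_failure src=<ip> user=<name>
#   <ISO timestamp> conn src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>auth_failure|conn) src=(?P<src>\S+)"
    r"(?: user=(?P<user>\S+))?(?: dst=(?P<dst>\S+) dport=(?P<dport>\d+))?$"
)


def parse(lines):
    """Parse log lines; lines that do not match the format are skipped, never guessed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def _sliding_windows(items, window):
    """Yield (start, end) index pairs such that items[start..end] fit inside the time window."""
    items.sort(key=lambda x: x[0])
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        yield start, end


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source produces >= threshold login failures inside the window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "auth_failure":
            by_src[e["src"]].append((e["ts"], e["user"]))
    alerts = []
    for src, items in by_src.items():
        for start, end in _sliding_windows(items, window):
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in items[start:end + 1]})
                alerts.append({"type": "brute_force", "src": src, "failures": end - start + 1, "users": users})
                break  # one alert per source is enough for the demonstration
    return alerts


def detect_port_scan(events, threshold=10, window=timedelta(minutes=1)):
    """Alert when one source touches >= threshold distinct ports on one host inside the window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "conn":
            by_src[(e["src"], e["dst"])].append((e["ts"], int(e["dport"])))
    alerts = []
    for (src, dst), items in by_src.items():
        for start, end in _sliding_windows(items, window):
            ports = {p for _, p in items[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"type": "port_scan", "src": src, "dst": dst, "ports": len(ports)})
                break
    return alerts


def sample_lines():
    """Constructed sample: one brute-force source, one scanner, two benign sources, one bad line."""
    base = datetime(2020, 6, 15, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} auth_failure src=203.0.113.5 user=root" for i in range(6)]
    lines += [f"{(base + timedelta(seconds=40 * i)).isoformat()} auth_failure src=198.51.100.7 user=alice" for i in range(2)]
    lines += [f"{(base + timedelta(seconds=p)).isoformat()} conn src=203.0.113.9 dst=10.0.0.8 dport={p}" for p in range(20, 32)]
    lines += [f"{(base + timedelta(seconds=p)).isoformat()} conn src=198.51.100.8 dst=10.0.0.8 dport={p}" for p in (80, 443, 8080)]
    lines.append("not a well-formed event")
    return lines


def analyze(lines):
    """Run both detections and return the combined alert list."""
    events = parse(lines)
    return detect_brute_force(events) + detect_port_scan(events)


if __name__ == "__main__":
    for alert in analyze(sample_lines()):
        print(alert)
```

The sliding window is the important part: a fixed calendar bucket misses a burst that straddles a bucket boundary, whereas the window above slides over every event, so the count is correct regardless of where the burst begins. Thresholds would be tuned per source type in production, since the same login failure count means different things on a bastion host and on an internal file server.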
Abnormal traffic detection model: the traffic baseline of the important asset application systems is characterized through traffic data, security device log analysis and big data intelligent learning; the points in time at which abnormal traffic behavior occurs are determined from the characteristics of the changes in network traffic; the traffic behavior characteristic parameters at each such point in time are analyzed to find the target IP address corresponding to the abnormal behavior; finally, the traffic related to the abnormal behavior is extracted for comprehensive analysis, and the abnormal traffic attack behavior is found;
the traffic baseline is established from the traffic volume, the protocol distribution of the traffic, the services carried by the traffic and the like, and can be expressed as a numerical sequence of traffic characteristics. Traffic baselines are a common method of network anomaly traffic detection. By comparing against the traffic baseline, the network load and its changes over a specific period are obtained immediately, the health of the network traffic can be evaluated visually, and this guides the discovery of abnormal traffic, in particular network security events such as DDoS flooding attacks and malicious scanning;
in baseline-based traffic anomaly detection, the traffic baseline of the important asset application systems is characterized through long-term big data intelligent learning, and once the current traffic deviates seriously from the baseline, a traffic anomaly event is identified. Statistics are computed per time window as defined by the system; the objects comprise the target application system, the source address and its geographic information (country, province, city) or organizational unit, the protocol, the uplink traffic volume, the downlink traffic volume and the like. DoS/DDoS attacks and other abnormal traffic are detected and analyzed through security device log analysis together with the baseline detection method on traffic data.
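As an added example of the baseline detection method (not code from the patent or from the platform it describes), the block below learns a per-application, per-protocol baseline of uplink bytes from past time windows, then checks the current window against it and lists the heaviest sources so that the target system and the suspicious sources can be extracted for deeper analysis. The history, the current window records, the geographic tags and the deviation threshold (three standard deviations, with a relative floor) are all assumptions constructed for the demonstration.

```python
"""Added example: per-window traffic baseline and deviation-based anomaly detection."""
import statistics
from collections import defaultdict


def build_baseline(history):
    """Learn (mean, population stdev) of uplink bytes per (application, protocol) from past windows.

    history: list of {"app", "proto", "up_bytes"} records, one per completed time window.
    """
    groups = defaultdict(list)
    for rec in history:
        groups[(rec["app"], rec["proto"])].append(rec["up_bytes"])
    return {key: (statistics.fmean(v), statistics.pstdev(v)) for key, v in groups.items()}


def detect_anomalies(current, baseline, k=3.0, rel=0.2):
    """Compare the current window's per-flow records against the baseline.

    A key is anomalous when its total exceeds mean + max(k * stdev, rel * mean); the
    relative floor guards against a near-constant history whose stdev is close to zero.
    For each anomaly the heaviest sources (address, geo tag) are listed.
    """
    totals = defaultdict(int)
    by_src = defaultdict(lambda: defaultdict(int))
    for rec in current:
        key = (rec["app"], rec["proto"])
        totals[key] += rec["up_bytes"]
        by_src[key][(rec["src"], rec["geo"])] += rec["up_bytes"]

    alerts = []
    for key, observed in sorted(totals.items()):
        if key not in baseline:
            # Traffic for a system that was never baselined is itself worth a look.
            alerts.append({"key": key, "reason": "no baseline", "observed": observed})
            continue
        mean, stdev = baseline[key]
        threshold = mean + max(k * stdev, rel * mean)
        if observed > threshold:
            top = sorted(by_src[key].items(), key=lambda kv: kv[1], reverse=True)[:3]
            alerts.append({"key": key, "reason": "above baseline", "observed": observed,
                           "threshold": round(threshold), "top_sources": top})
    return alerts


def sample_history():
    """Constructed 24 past windows per application; values vary mildly around a steady level."""
    hist = []
    for i in range(24):
        hist.append({"app": "aftn", "proto": "tcp", "up_bytes": 1_000_000 + (i % 5) * 20_000})
        hist.append({"app": "met", "proto": "tcp", "up_bytes": 800_000 + (i % 3) * 10_000})
    return hist


def sample_current():
    """Constructed current window: one external source floods the aftn application."""
    return [
        {"app": "aftn", "proto": "tcp", "src": "203.0.113.50", "geo": "EXT/ZZ", "up_bytes": 4_500_000},
        {"app": "aftn", "proto": "tcp", "src": "10.1.1.2", "geo": "INT/HQ", "up_bytes": 500_000},
        {"app": "met", "proto": "tcp", "src": "10.1.1.3", "geo": "INT/HQ", "up_bytes": 810_000},
        {"app": "info", "proto": "udp", "src": "10.1.1.4", "geo": "INT/HQ", "up_bytes": 1_000},
    ]


if __name__ == "__main__":
    for a in detect_anomalies(sample_current(), build_baseline(sample_history())):
        print(a)
```

A mean-and-standard-deviation baseline is the simplest form of what the text calls intelligent learning; a production baseline would at least be keyed by time of day and weekday, since a volume that is normal at 10:00 on a working day is not normal at 03:00 on a holiday.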
The system malicious operation analysis model: by filtering and analyzing raw data such as system alarm logs and system security logs in the system resources, statistics and analysis are performed on the attacks inside the systems, and clear alarm information, early warning information after analysis and prediction, and situation information on system security threats are output. Specifically, the model focuses on monitoring behavior that interferes with or destroys system log records, identifying attacks in which logs are destroyed by malicious operations, and judging from the specified log types, log IDs or keywords whether logs have been deleted by such operations. It identifies the security risk of accounts being maliciously granted privileges by focusing on asset account privilege increases; specifically, it judges from the specified log types, log IDs or keywords whether an operation modifies special privileges. By specifying the log event level, it determines the source or corresponding event ID of error log events, so that all related error logs can be queried and the cause and location of the problem understood.
Threat intelligence analysis model: by obtaining machine-readable threat intelligence from the cloud (by online query, cloud push or offline copy), the local system automatically creates analysis rules, compares them in real time with the data collected in the local network, and finds suspicious connection behavior. At the same time, threat intelligence is used to compare historical data in order to find APT attacks that have already occurred or Botnet hosts in the local network, and to trace security events.
The analysis output comprises the various situation displays, including the comprehensive security situation display, the real-time attack situation display, the malicious operation situation display, the abnormal traffic situation display and the attack profile display.
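The real-time comparison and the historical replay described for the threat intelligence model can share one matcher. The following added example (not code from the patent or from the platform it describes) indexes machine-readable indicators of three kinds, matches a connection record against them, and replays a historical connection log to flag internal hosts that repeatedly reach the same indicator as Botnet-host candidates. The indicators, the connection records and the hit threshold are constructed for the demonstration; the addresses come from documentation ranges and the domain uses a reserved test TLD.

```python
"""Added example: matching connection records against machine-readable threat intelligence."""
import ipaddress
from collections import defaultdict


def load_intel(indicators):
    """Index indicators by type: exact IPs, CIDR networks, and domains (suffix-matched)."""
    intel = {"ip": {}, "net": [], "domain": {}}
    for ind in indicators:
        if ind["type"] == "ipv4":
            intel["ip"][ind["value"]] = ind
        elif ind["type"] == "cidr":
            intel["net"].append((ipaddress.ip_network(ind["value"]), ind))
        elif ind["type"] == "domain":
            intel["domain"][ind["value"].lower()] = ind
    return intel


def match_connection(conn, intel):
    """Return the matching indicator for one connection record, or None."""
    dst = conn.get("dst_ip")
    if dst in intel["ip"]:
        return intel["ip"][dst]
    if dst:
        addr = ipaddress.ip_address(dst)
        for net, ind in intel["net"]:
            if addr in net:
                return ind
    name = (conn.get("dst_name") or "").lower()
    while name:  # walk up the labels so that sub.bad.example also matches bad.example
        if name in intel["domain"]:
            return intel["domain"][name]
        name = name.partition(".")[2]
    return None


def scan_history(conns, intel, min_hits=3):
    """Replay historical connections: every match becomes a trace record, and an internal
    host that reaches the same indicator at least min_hits times is a Botnet-host candidate."""
    hits = []
    per_host = defaultdict(int)
    for conn in conns:
        ind = match_connection(conn, intel)
        if ind:
            hits.append({"ts": conn["ts"], "src_ip": conn["src_ip"], "indicator": ind["name"], "level": ind["level"]})
            per_host[(conn["src_ip"], ind["name"])] += 1
    candidates = sorted(host for (host, _), n in per_host.items() if n >= min_hits)
    return {"hits": hits, "botnet_candidates": candidates}


def sample_intel():
    """Constructed indicators (documentation address ranges and a reserved test domain)."""
    return [
        {"type": "ipv4", "value": "203.0.113.77", "name": "C2-A", "level": "high"},
        {"type": "cidr", "value": "198.51.100.0/24", "name": "SCANNER-NET", "level": "medium"},
        {"type": "domain", "value": "bad.example", "name": "C2-DOMAIN", "level": "high"},
    ]


def sample_connections():
    """Constructed historical connection log from an internal network."""
    conns = [{"ts": f"2020-06-1{d}T03:00:00", "src_ip": "10.1.1.20", "dst_ip": "203.0.113.77"} for d in range(1, 5)]
    conns.append({"ts": "2020-06-15T09:00:00", "src_ip": "10.1.1.21", "dst_ip": "198.51.100.9"})
    conns.append({"ts": "2020-06-15T09:05:00", "src_ip": "10.1.1.22", "dst_ip": "192.0.2.10", "dst_name": "cdn.bad.example"})
    conns.append({"ts": "2020-06-15T09:06:00", "src_ip": "10.1.1.23", "dst_ip": "192.0.2.11", "dst_name": "www.example.com"})
    return conns


if __name__ == "__main__":
    print(scan_history(sample_connections(), load_intel(sample_intel())))
```

The same `match_connection` call serves the real-time path (one record at a time as it arrives) and the historical path (`scan_history` over stored records), which is what lets a freshly received indicator be applied retroactively to the data already in the platform.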
(3) The monitoring and early warning sub-platform is a security big data center with independent service capability. It collects, processes, gathers, stores and retrieves the various kinds of security data, and provides a data subscription interface upwards. The center supplies input data for the analysis of the information system security monitoring and early warning sub-platform in the form of interfaces, which are also open to the platform of the superior unit and to the administrative department;
FIG. 3 is a structural design diagram of the monitoring and early warning sub-platform. As shown in FIG. 3, the monitoring and early warning sub-platform comprises a data acquisition layer, a data processing layer, a data collection layer and a data interface layer. The data acquisition layer defines the data sources and acquisition objects for threat analysis and explicitly stores the various security data in a centralized manner; the data processing layer cleans, filters, standardizes, associates and completes, and tags the acquired raw data to form standardized data, and standardizes the data format at each stage; the data collection layer defines the target storage location of the standardized security data and retrieves raw data and standardized data intelligently; and the data interface layer provides the data to the outside;
As shown in FIG. 4, the data flow of the monitoring and early warning sub-platform covers the whole life cycle of the data within the sub-platform and comprises cleaning and filtering, standardization, association completion, data tagging and storage;
For data acquisition, the monitoring and early warning sub-platform adapts to the various acquired data sources and needs to support multiple acquisition protocols, so as to acquire the various data including security object attributes, operating states, security events, evaluation and detection data and the like. To acquire these data, the acquisition frequency is set for each type of data together with the corresponding adaptation protocol, as shown by the adaptation protocols in Table 1 and the data sources in Table 2 below:
TABLE 1 (adaptation protocols; the table is an image in the original and is not reproduced in the text)
TABLE 2 (data sources; the table is an image in the original and is not reproduced in the text)
The data acquisition mode of the monitoring and early warning sub-platform is mainly active acquisition, supplemented by passive acquisition. For acquisition objects without a storage function or with limited storage capacity, such as firewalls and IDS devices, passive acquisition is preferred; for the other types of acquisition objects, active acquisition is recommended. The supported acquisition modes are as follows:
1) Active acquisition: the acquisition node actively collects data through protocols such as FTP/SFTP, SNMP, file and JDBC/ODBC.
2) Passive acquisition: the acquisition node passively receives data through protocols such as Syslog and Flow.
The data processing of the monitoring and early warning sub-platform is as follows: to meet the data quality requirements of the information system monitoring and early warning scene analysis, data processing (ETL) performs cleaning/filtering, standardization, association completion and tagging on the acquired data, loads the standard data into the data storage, and retains the original log alongside the standardized data;
specifically, data cleaning/filtering supports the conversion and processing of data to handle problems such as inconsistent data formats, data entry errors and incomplete data. Common data conversion components include field mapping, data filtering, data cleaning, data replacement, data calculation, data verification, data encryption and decryption, data merging and data splitting; the appropriate components are selected flexibly according to the actual processing requirements;
data standardization applies uniform formatting to the heterogeneous raw data so that it meets the data format definitions of the monitoring and early warning sub-platform, and stores the original log of the standardized data. Specifically, on the basis of basic extensibility, the relevant fields are standardized according to the standard library rules for each type of data; in addition, for commonly used fields, the consistency of field contents is ensured, so that different events describe similar problems in the same way and rules that depend on those fields remain portable; for data that are not standardized, the original log is retained so that standardization rules can be defined for that specific data later;
data association and completion forms complete data through association and completion according to the relationships between the collected data, enriching the data to ease later statistical analysis. The objects of association completion comprise: user information completion, where the completed fields include the user name, the user's organizational unit, the user role, contact details and the like; asset information completion, where the completed fields include the asset name, asset IP, the service system the asset belongs to, the asset standard system, the person responsible for the asset, the asset state and the like; and threat intelligence completion, where the completed fields include, but are not limited to, the threat intelligence name, number, threat level and solution;
data tagging marks the associated and completed data, on top of the raw data, with information such as the service system the data belong to and the device type. The principles of data tagging include: tagging by service system, where the tag content includes, but is not limited to, the service system name; tagging by device type, where the tag content includes, but is not limited to, the device type name; tagging by time, where the tag content includes, but is not limited to, whether the time is within working hours and whether it falls on a holiday; tagging by responsible person, where the tag content includes, but is not limited to, the first responsible person and the direct leader; tagging by the logical classification of the data, where the tag content includes, but is not limited to, login, operation and attack tags; and tagging by the purpose of the data, where the tag content includes, but is not limited to, brute force cracking, malicious operation and bypass access.
Data collection storage classifies and stores the different types of collected data to meet the needs of data analysis, supports the storage of multiple data formats, and provides multiple storage modes. The data storage rules support the following three types of data according to their structure: first, unstructured data, including text files, pictures and the like in any format; second, structured data, which can be expressed in a relational table structure and has the schema and content of structured data; third, semi-structured data, which lies between unstructured and structured data, such as HTML documents.
In the embodiment of the application, the monitoring and early warning sub-platform divides the data storage modes into four types: relational data storage, distributed full-text retrieval, distributed file storage and the distributed message bus. The storage modes are defined as follows:
For relational data storage: it stores structured data of small volume and with a long change cycle, such as basic data (asset data and user data, for example), scene analysis result data and service data (vulnerability scan results and compliance results, for example). Relational data storage realizes the storage of two-dimensional data, supports the deployment of mainstream relational databases including Oracle, DB2, Microsoft SQL Server, MySQL and Sybase, and supports the storage of structured data including, but not limited to, asset data, personnel data, work order data, configuration data and other business data;
For distributed full-text retrieval: it stores data for which full-text retrieval must be provided and realizes retrieval operations on the data, performing exact, fuzzy, range and multi-condition combined retrieval over massive data; the data in full-text retrieval are described in JSON format, and common types are inferred automatically and their types determined;
For distributed file storage: it stores the collected raw data and the normalized data after ETL. Distributed file systems, NoSQL distributed databases and distributed relational databases can be supported by extension. The distributed file system realizes the storage of various data; it is mainly used for the storage management of logs, files, text documents, audio and video and other types of data, and provides read and write operations on the data. The specific storage objects include: 1) the logs of network devices, security devices, host servers and the like; 2) data returned synchronously by other application systems and the like that are not suitable for storage in a relational database. The distributed file storage should support the deployment of various big data analysis components, such as Hive, HBase, MPP and Spark, to allow later functional expansion.
For the distributed message bus: it provides a distributed message processing mechanism with high-throughput, high-concurrency message publishing and subscription for real-time data processing. The distributed message bus realizes the online processing of real-time data, such as monitoring and message distribution. According to the source or service definition of the data, the data are logically divided into different topics; each topic is divided into several partitions distributed over different physical nodes, which improves the performance of data processing, publishing and subscription.
Specifically, according to the characteristics of each data source, the storage mode is set as shown in Table 3 below:
TABLE 3 (storage mode per data source; the table is an image in the original and is not reproduced in the text)
In addition, as shown in fig. 5, for the four types of data storage provided by the monitoring and early warning sub-platform, JDBC, RESTful, message subscription and distributed file standard interfaces are provided for each data type; the data sharing interfaces required for interaction are if_1, if_2, if_3, if_4 and if_5;
Specifically, if_1 exposes a JDBC interface for the relational database: the external system establishes the JDBC connection carrying authentication information issued by the secure data platform, and may obtain and use data only after the secure data platform has authenticated it. if_2 exposes a JDBC interface for the distributed file storage system through components such as Hive or HBase; the external system establishes the JDBC connection carrying authentication information issued by the secure data platform, and may obtain and use data only after authentication. if_3 exposes an HDFS URL interface for the distributed file storage system; the external system establishes the connection carrying authentication information issued by the secure data platform, and may obtain and use data files only after authentication. if_4 is the distributed full-text retrieval, which exposes RESTful interfaces uniformly; the external system establishes the RESTful connection carrying authentication information issued by the secure data platform, and only after authentication can it quickly retrieve key information and obtain the result data. if_5 exposes a message subscription interface for the distributed publish/subscribe system; the external system establishes the subscription connection carrying authentication information issued by the secure data platform, and may receive subscribed data only after authentication. In all five cases the credential is issued by the secure data platform, presented when the connection is established, and verified before any data is returned.
Example two
The second embodiment of the application gives a detailed example of the civil aviation air traffic control network security detection and early warning platform disclosed herein:
First, the base platform group is built. Specifically, a big data base platform is built on the Hadoop ecosystem; big data frameworks such as Spark, flash, Kafka and Elasticsearch are integrated and further developed to meet the platform's requirements in scenarios such as real-time stream analysis, interactive offline analysis, correlation analysis and deep learning over the collected data. A unified data acquisition module group is developed that integrates log acquisition, basic data acquisition, asset detection and information acquisition; a storage mode is chosen for each data type, an association schema is established across the databases, and the normalized data is associated, completed and labelled;
Meanwhile, the platform software supports data integration with existing interfaces and custom interface development, meeting the integration requirements between the platform and established systems. For established systems without an external interface, requirements are communicated with the owners of that system, an integration scheme is agreed, and the platform-side interface is implemented. The platform's data format is customized according to the integration requirements of the established system and the platform, covering integration, data interaction and display. The processing flow agreed with the established system supports, but is not limited to, processing, analysis, display and feedback of the data that system transmits.
Secondly, the security monitoring module is built. It comprises a security monitoring function and a security audit function. The security monitoring function gives users an entry point for viewing and analysing security threats and early warning information; through summarization of historical security data, real-time analysis of security threats and predictive assessment of how the situation is developing, it describes the overall security situation of the whole network, its impact assessment and its evolution. The security audit function comprises the comprehensive security situation, the network threat situation, the system security situation, the user behaviour situation and the security situation report;
The comprehensive security situation is an overall multi-dimensional presentation covering network threats, system security and user behaviour. It graphically displays statistical trends of the total attack count, DDoS abnormal traffic and service abnormal traffic, system attacks, vulnerabilities and abnormal user behaviour; displays the proportional distribution of network threat types, system attack types, vulnerability types and abnormal behaviour types, with drill-down to details; graphically displays the regional distribution of network threats; and displays the distribution across systems of system attacks, vulnerabilities and abnormal behaviour;
The network threat situation presents network attacks in multiple dimensions; attack types include, but are not limited to, password guessing, web attacks, malicious scanning and malicious programs. An attack map function graphically displays attacks originating from each province and from abroad on a geographical base map, showing attack data in real time and as statistics per time period; DDoS abnormal traffic is audited and displayed;
The system security situation presents the security state of the systems themselves in multiple dimensions, including system attacks and vulnerabilities. System attacks are counted by system type, by number of attacks and by asset. Taking the information system as the viewpoint, the vulnerability status of its assets is presented graphically;
The asset situation displays an asset overview and shows the events, alarms and vulnerabilities of assets from the viewpoints of hosts, network equipment, application systems, databases and virtualization, and graphically displays vulnerability coverage and the proportion of affected assets.
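The following is an added example, not code from the patent or the platform: it runs simple detection rules for the four attack types the network threat situation names (password guessing, web attack, malicious scanning, malicious program) over constructed log lines, then produces the type and region roll-up the situation views display. The log format, thresholds, signatures and the region lookup are assumptions for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log lines: "<timestamp> <source type> key=value ...".
SAMPLE_LOGS = """\
2020-06-15T08:00:01 auth host=host-17 src=10.0.0.5 user=admin result=fail
2020-06-15T08:00:02 auth host=host-17 src=10.0.0.5 user=admin result=fail
2020-06-15T08:00:03 auth host=host-17 src=10.0.0.5 user=admin result=fail
2020-06-15T08:00:04 auth host=host-17 src=10.0.0.5 user=admin result=fail
2020-06-15T08:00:05 auth host=host-17 src=10.0.0.5 user=admin result=fail
2020-06-15T08:00:09 auth host=host-17 src=10.0.0.5 user=admin result=success
2020-06-15T08:01:00 web host=web-01 src=203.0.113.8 uri=/login?user=admin%27%20OR%201%3D1-- status=200
2020-06-15T08:01:02 web host=web-01 src=203.0.113.8 uri=/download?file=../../etc/passwd status=403
2020-06-15T08:01:05 web host=web-01 src=203.0.113.8 uri=/static/app.js status=200
2020-06-15T08:02:00 fw host=fw-01 src=198.51.100.7 dst=10.0.1.7 dport=22 action=deny
2020-06-15T08:02:01 fw host=fw-01 src=198.51.100.7 dst=10.0.1.7 dport=80 action=deny
2020-06-15T08:02:02 fw host=fw-01 src=198.51.100.7 dst=10.0.1.7 dport=443 action=deny
2020-06-15T08:02:03 fw host=fw-01 src=198.51.100.7 dst=10.0.1.7 dport=445 action=deny
2020-06-15T08:02:04 fw host=fw-01 src=198.51.100.7 dst=10.0.1.7 dport=3389 action=deny
2020-06-15T08:02:30 fw host=fw-01 src=10.0.0.9 dst=10.0.1.7 dport=443 action=allow
2020-06-15T08:03:00 av host=host-22 src=10.0.0.40 event=malware name=Trojan.Generic action=quarantined
"""

# Signatures are applied to the percent-decoded URI; "%27%20OR" would otherwise slip past.
WEB_SIGNATURES = re.compile(r"(?i)('\s*or\s+\d+\s*=\s*\d+|\.\./|<script|union\s+select)")


def parse(lines):
    events = []
    for line in lines.strip().splitlines():
        ts, kind, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields.update(ts=datetime.fromisoformat(ts), kind=kind)
        events.append(fields)
    return events


def classify(events, fail_threshold=5, window=timedelta(minutes=5), port_threshold=5):
    """Return (threat_type, src) findings, at most one per source and type."""
    findings, flagged = [], set()
    fails = defaultdict(list)   # (src, host) -> failure timestamps inside the window
    ports = defaultdict(set)    # src -> distinct denied destination ports

    def flag(threat, src):
        if (threat, src) not in flagged:
            flagged.add((threat, src))
            findings.append((threat, src))

    for e in sorted(events, key=lambda e: e["ts"]):
        src = e.get("src", "?")
        if e["kind"] == "auth" and e.get("result") == "fail":
            recent = fails[(src, e.get("host"))]
            recent.append(e["ts"])
            while e["ts"] - recent[0] > window:     # slide the window forward
                recent.pop(0)
            if len(recent) >= fail_threshold:
                flag("password_guessing", src)
        elif e["kind"] == "web" and WEB_SIGNATURES.search(unquote(e.get("uri", ""))):
            flag("web_attack", src)
        elif e["kind"] == "fw" and e.get("action") == "deny":
            ports[src].add(e.get("dport"))
            if len(ports[src]) >= port_threshold:
                flag("malicious_scanning", src)
        elif e["kind"] == "av" and e.get("event") == "malware":
            flag("malicious_program", src)
    return findings


def region_of(ip):
    """Constructed stand-in for the platform's IP geolocation lookup."""
    if ip.startswith("10."):
        return "intranet"
    if ip.startswith("203.0.113."):
        return "Beijing"
    return "abroad"


def summarize(findings):
    """Roll-up used by the situation views: counts by threat type and by region."""
    by_type = Counter(t for t, _ in findings)
    by_region = Counter(region_of(src) for _, src in findings)
    return {"by_type": dict(by_type), "by_region": dict(by_region)}
```

Usage: `summarize(classify(parse(SAMPLE_LOGS)))`. Two details matter in practice: web signatures must run on the decoded URI, and the password-guessing rule must use a sliding window rather than a lifetime counter, otherwise slow guessing spread over days is either missed or every long-lived host is flagged.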
Thirdly, the security inspection module is built. Through the secondary development interface of the vulnerability scanning system, scanning tasks are scheduled and issued centrally and the scan results are collected automatically to obtain asset vulnerabilities. Where automatic scheduling is not possible, the system supports importing result files produced by mainstream vulnerability scanners, and manual entry of findings from security assessment. Vulnerability management of IT assets is the means by which security risks are effectively prevented;
With the vulnerability scanning system, the platform triggers one or more scans against known or newly found "assets" to find out whether they carry urgent or high-risk vulnerabilities. For example, when a new service is added to the network, the platform detects its basic information, its vulnerabilities and whether key patches are missing; the security situation awareness, monitoring and early warning sub-platform then notifies the security operation and maintenance team to repair the vulnerabilities or plan accordingly, supervises the whole repair process, and follows up or escalates if the task is not carried out. The system records the discovery, confirmation, repair and so on of each asset's vulnerabilities, giving full life-cycle management of vulnerabilities. It also computes statistics such as vulnerability detection rate, re-detection rate and repair period, helping management improve the level of vulnerability management on the basis of this data and reduce security risk;
Meanwhile, the platform's own security vulnerability information base is associated with the asset attributes held in system management; through fused analysis of this information and the system's asset data, vulnerability risks in assets are discovered and predicted rapidly, which improves detection speed and accuracy and shortens the time a risk remains present.
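The following is an added example, not code from the patent or the platform: it tracks scanner findings through the discovery, confirmation, repair and closure stages the text names, accepts an imported result file, treats a closed finding that reappears in a later scan as a re-detection, and computes the detection rate, re-detection rate and repair period statistics. The state machine, the result-file layout and the definitions of the three statistics are assumptions for this example; the vulnerability identifiers are placeholders, not real CVE numbers.

```python
from datetime import date
from statistics import mean

# Assumed life-cycle states and allowed transitions (the text names the stages, not the rules).
TRANSITIONS = {
    "discovered": {"confirmed", "closed"},   # closed from here = false positive or accepted
    "confirmed": {"repaired"},
    "repaired": {"closed", "confirmed"},     # back to confirmed = fix failed verification
    "closed": set(),                         # reopened only by a new scan (re-detection)
}


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def parse_scan_results(text):
    """Parse an imported result file; constructed CSV layout: asset,vuln_id,severity."""
    rows = []
    for line in text.strip().splitlines()[1:]:          # skip the header row
        asset, vuln, sev = [c.strip() for c in line.split(",")]
        rows.append((asset, vuln, float(sev)))
    return rows


class VulnTracker:
    def __init__(self, inventory):
        self.inventory = set(inventory)   # assets under management
        self.findings = {}                # (asset, vuln_id) -> record

    def ingest_scan(self, scan_date, results):
        """Merge one scan run; returns (new findings, re-detected findings)."""
        scan_date = _as_date(scan_date)
        new = redetected = 0
        for asset, vuln, sev in results:
            rec = self.findings.get((asset, vuln))
            if rec is None:
                self.findings[(asset, vuln)] = {
                    "severity": sev, "state": "discovered", "discovered": scan_date,
                    "repair_days": [], "redetections": 0}
                new += 1
            elif rec["state"] == "closed":   # came back after closure: re-detection
                rec.update(state="confirmed", discovered=scan_date)
                rec["redetections"] += 1
                redetected += 1
        return new, redetected

    def transition(self, asset, vuln, new_state, on):
        rec = self.findings[(asset, vuln)]
        if new_state not in TRANSITIONS[rec["state"]]:
            raise ValueError("%s -> %s is not allowed" % (rec["state"], new_state))
        if new_state == "repaired":
            rec["repair_days"].append((_as_date(on) - rec["discovered"]).days)
        rec["state"] = new_state

    def open_findings(self, min_severity=0.0):
        return sorted(k for k, r in self.findings.items()
                      if r["state"] != "closed" and r["severity"] >= min_severity)

    def stats(self):
        """detection_rate: share of inventory with an open finding;
        redetection_rate: share of findings that ever reopened;
        mean_repair_days: mean discovery-to-repair time over all repair events."""
        repairs = [d for r in self.findings.values() for d in r["repair_days"]]
        affected = {a for (a, _), r in self.findings.items() if r["state"] != "closed"}
        n = len(self.findings)
        return {
            "detection_rate": len(affected) / len(self.inventory) if self.inventory else 0.0,
            "redetection_rate": sum(1 for r in self.findings.values() if r["redetections"]) / n if n else 0.0,
            "mean_repair_days": mean(repairs) if repairs else None,
        }
```

Usage: create `VulnTracker(inventory)`, call `ingest_scan` for each scheduled or imported scan, drive `transition` from the work order flow, and read `stats()` for the management report. Repair durations are kept as a history per finding, so a vulnerability that was repaired, closed and later re-detected still contributes its earlier repair time to the mean.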
Fourthly, the risk evaluation module is built. The system follows national and international risk assessment standards and automatically and quantitatively calculates the risk value of assets and of the business systems built on them, assisting managers with quantitative risk assessment. A built-in risk calculation model considers the value, vulnerability and threat of each asset together to derive the likelihood of a risk and its impact; it displays the risk values of assets, security domains and business systems and plots the risk curve of each over time;
In addition, the system shows the risk status of each security domain, marks the distribution of asset risk within the domain, and helps the administrator analyse risks and choose the corresponding risk treatment. Regional and global risks are calculated and displayed, and security risks are quantified and shown dynamically so that security managers can perceive network security risk quickly.
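The following is an added example, not the patent's model: it implements a quantitative risk calculation of the kind the text describes, in the matrix form familiar from GB/T 20984-style assessments, where likelihood is derived from threat and vulnerability, impact from asset value and vulnerability, and risk from likelihood and impact, then aggregates per security domain or business system and produces a risk-over-time curve. The five-level scales, the level thresholds, the aggregation rule and the asset register are assumptions for this example.

```python
from statistics import mean

SCALE = range(1, 6)   # every input and output is a five-level score, 1 (lowest) to 5


def level(product):
    """Map a product of two 1..5 scores (1..25) to a 1..5 level (assumed thresholds)."""
    for bound, lvl in ((3, 1), (6, 2), (12, 3), (16, 4)):
        if product <= bound:
            return lvl
    return 5


def asset_risk(value, vulnerability, threat):
    """likelihood = level(threat x vulnerability)
       impact     = level(asset value x vulnerability)
       risk       = level(likelihood x impact)"""
    for score in (value, vulnerability, threat):
        if score not in SCALE:
            raise ValueError("scores must be integers 1..5")
    likelihood = level(threat * vulnerability)
    impact = level(value * vulnerability)
    return {"likelihood": likelihood, "impact": impact, "risk": level(likelihood * impact)}


# Constructed asset register with scores, security domain and business system.
SAMPLE_ASSETS = [
    {"asset": "db-03", "domain": "ops", "business": "flight-plan", "value": 5, "vulnerability": 4, "threat": 3},
    {"asset": "host-17", "domain": "ops", "business": "flight-plan", "value": 3, "vulnerability": 2, "threat": 4},
    {"asset": "web-01", "domain": "dmz", "business": "portal", "value": 2, "vulnerability": 5, "threat": 5},
]


def aggregate(assets, key):
    """Risk of each security domain ("domain") or business system ("business"):
    the highest asset risk plus the mean, so one critical asset is not averaged away."""
    groups = {}
    for a in assets:
        r = asset_risk(a["value"], a["vulnerability"], a["threat"])["risk"]
        groups.setdefault(a[key], []).append(r)
    return {name: {"max": max(r), "mean": mean(r), "assets": len(r)} for name, r in groups.items()}


def risk_curve(snapshots):
    """Risk over time for one asset; snapshots are (date, value, vulnerability, threat)."""
    return [(d, asset_risk(v, vu, t)["risk"]) for d, v, vu, t in snapshots]
```

Usage: `aggregate(SAMPLE_ASSETS, "domain")` gives the domain view and `aggregate(SAMPLE_ASSETS, "business")` the business-system view; feeding `risk_curve` the scores recorded at each scan date yields the points for the time-series chart. Reporting the maximum alongside the mean is deliberate: a domain's risk is driven by its worst asset.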
Fifthly, the emergency response module is built. The platform issues early warnings and alarms for perceived security problems in real time. It performs statistical analysis on alarm information, allows drilling directly from the statistics into the alarms that match a condition, and supports tracing an alarm back to its source. Alert notification modes include real-time screen display, e-mail and work orders. A work order tracking function ensures that security events are handled accordingly;
For work order management, the system supports a customizable work order workflow for secure operation and maintenance and emergency handling. Work orders can be created for discovered security events, alarms, early warnings, security notices and so on; the workflow can be customized, and security management work is carried out through confirmation, approval and handling of the work order. Work orders can be assigned manually, generated as single tasks or as periodic tasks, and given a priority and a deadline. When a work order is dispatched, the platform notifies the operation and maintenance staff promptly by e-mail, SMS or WeChat. The work order function makes security operation and maintenance management procedural, standardized and traceable, and ensures that the customer's security operation and management work is carried out smoothly and to quality. Integration with a third-party operation and maintenance system can be achieved through custom development so that work orders are handled cooperatively. Managers can run statistics on work orders to learn the status of work order tasks.
In addition, the platform provides an interactive analysis interface for security analysts and network security operation and maintenance staff. Through a concise search-engine-style interface it gives analysts the ability to perform ad hoc queries. Many association rules are built in, supporting detection of network attack and defence activity and of compliance violations. Analysis results are presented visually so that the course of a security event can be seen at a glance. Log retrieval offers keyword combination input for fast searches, including raw log search, normalized log search and user-defined search templates, and provides a visual and convenient tracing window for verifying security events and for manual deep data mining.
Sixthly, the security threat early warning module is built. Big data analysis is used to detect the main security threats and attack events present in air traffic control. Using the security logs and basic information of the air traffic control business information systems, the internal and external security threat status of air traffic control is analysed from three dimensions: network threat analysis, system security analysis and user behaviour analysis. At the same time, security threat intelligence is used to identify potential attack behaviour against air traffic control. The monitoring and early warning scenarios of the information systems provide data support for upper-layer applications such as security situation display, security alarm monitoring and security threat intelligence management.
Seventhly, the security configuration checking module is built. The platform records and maintains assets through manual maintenance, batch import, synchronization over external interfaces and other means, and also performs asset sensing and mapping. When a new "asset" appears on the network, the platform senses it automatically by examining scan logs or network traffic. The system can scan a specified IP address range to sniff out newly added assets, applies several protocol probing techniques to discover more network service types and related data, and, combined with its rich asset fingerprint library, accurately identifies asset type and version and the services running on the open ports. Through periodic comparison and verification, a map is constructed and analysed automatically from the network asset and service data and presented visually;
Assets under asset management can be grouped and managed by domain according to many dimensions and criteria, including asset type, business system, security level, geographic location, owning department and so on. The asset management of the platform can build a topological view of the assets, giving managers a good visual interface.
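The following is an added example, not code from the patent or the platform: it matches service banners from a sweep against a small fingerprint library to identify asset type, product and version, performs the periodic comparison against the inventory on record (new assets, new services on known assets, assets that have gone missing), and groups assets by a management dimension. The fingerprint patterns, the banners and the inventory are constructed; a real sweep would collect the banners over the network, which this example does not do.

```python
import re

# Constructed fingerprint library: (banner pattern, asset type, product); group 1 = version.
FINGERPRINTS = [
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "host", "OpenSSH"),
    (re.compile(r"Server: nginx/([\w.]+)"), "web server", "nginx"),
    (re.compile(r"Server: Apache/([\w.]+)"), "web server", "Apache httpd"),
    (re.compile(r"^\x0a(\d+\.\d+\.\d+)"), "database", "MySQL"),  # handshake: protocol 10 + version
]

# Constructed banner-grab results of one sweep: ip -> {port: banner}.
PROBES = {
    "10.0.1.7": {22: "SSH-2.0-OpenSSH_7.4", 443: "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"},
    "10.0.1.9": {3306: "\x0a5.7.30-log\x00\x05\x00\x00\x00"},
    "10.0.1.12": {80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n", 8080: "hello"},
}

# Constructed inventory on record before the sweep: ip -> known ports and attributes.
KNOWN = {
    "10.0.1.7": {"ports": {22}, "department": "ops", "security_level": 3},
    "10.0.1.20": {"ports": {445}, "department": "finance", "security_level": 2},
}


def identify(banner):
    """First matching fingerprint wins; unknown banners are kept, not dropped."""
    for pattern, asset_type, product in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            return (asset_type, product, m.group(1))
    return ("unknown", None, None)


def identify_all(probes):
    return {ip: {port: identify(b) for port, b in services.items()}
            for ip, services in probes.items()}


def compare(known, discovered):
    """Periodic comparison of the sweep with the inventory on record."""
    new_services = {}
    for ip, services in discovered.items():
        if ip in known:
            extra = sorted(set(services) - known[ip]["ports"])
            if extra:
                new_services[ip] = extra
    return {
        "new_assets": sorted(ip for ip in discovered if ip not in known),
        "new_services": new_services,
        "missing": sorted(ip for ip in known if ip not in discovered),
    }


def group_by(known, dimension):
    """Group inventory by a management dimension (department, security_level, ...)."""
    groups = {}
    for ip, attrs in known.items():
        groups.setdefault(attrs.get(dimension, "unassigned"), []).append(ip)
    return {k: sorted(v) for k, v in groups.items()}
```

Usage: `compare(KNOWN, identify_all(PROBES))` is the output a periodic sweep would hand to the work order flow. Unknown banners are reported as `("unknown", None, None)` rather than silently skipped, since an unfingerprinted listener on a known host is exactly what an asset mapping exercise is meant to surface.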
Eighth, the report management module. Statistical reports and security work reports are among the platform's important functions: they present the results of security analysis and describe the outcome of security management work. Security statistical reports summarize, calculate and compare the data collected by the system to analyse and evaluate the organization's information security status and the results of its security management comprehensively. Report analysis belongs to basic analysis: it is a dynamic statistical analysis of the enterprise's information security status, which uses study of the past to perceive future trends and supports correct security management decisions.
Security statistical reports are static historical data; they can only reflect the organization's security status and management results over a period in general terms, and further analysis of the reports is needed to obtain more useful information. Security managers combine the statistical results, security event analysis results, knowledge base, cases and so on into a security analysis report, which is rich in data elements and forms of expression, is evidenced with event descriptions and chart data, and offers repair suggestions and improvement guidelines. Weekly, monthly, quarterly and annual reports are provided for security managers to consult.
The system not only has many built-in reports but also provides a report editor with which managers can define their own. Reports can be exported in several formats, including EXCEL. Administrators can schedule report generation so that reports are produced periodically and delivered by e-mail. Administrators can set sharing permissions on reports and report forms so that they are shared with other users and the relevant staff can read the security reports and keep up with security developments.
Ninthly, the information resource management module is built. The module's functions are completed through software integration. Information resource management is used by each information system unit to manage information resource scale, classification, equipment, outsourcing and similar information in multiple dimensions, achieving informatized management of information resources and providing detailed and accurate statistical analysis results.
The main functions of the module are to clean and then fully import the information resource data of the original classified-protection (MLPS) system, to manage the daily air traffic control information resource data, to query the data flexibly, and finally to provide multi-dimensional statistical analysis of the information resource data;
Cleaning of information resource data means standardizing data formats and contents according to the relevant national standards and cleaning the information resource modules of the existing system. Through cleaning, content formats such as speciality, update period, annual information scale and retention time of the information resource data in the existing system can be redefined, compilation specifications formulated, and the data made more reasonable and valuable in use;
Information resource management, specifically, retains the information resource data, equipment data and outsourcing unit data of the original classified-protection system under the existing working mode and supports daily maintenance of information resources, comprising: adding, modifying, deleting and viewing; combined queries by specific conditions; global fuzzy queries; and export of query results. Query conditions include business classification, information resource name, source system, information asset and so on;
Statistical analysis of information resources is performed on the data imported from the original system and on newly collected information resources, and comprises: analysis of the overall state of air traffic control information systems and information resources, covering the number of registered units, the number of information systems, the number of information resources and their distribution by location; overall statistics and analysis of the security levels of the information systems across the whole air traffic control system, with the status of each region displayed visually on a map; statistics on operating status grouped by operating time, with the systems in each region shown by average operating time; distribution of information resources by speciality, analysing and displaying the air traffic control system's information resource collection by speciality; information resource collection by information scale, with overall statistics by year, statistics by region and statistics by speciality; and statistics by year of the volume of information stored in the air traffic control system's information resources.
Tenth, the reporting and early warning system is established. For national critical infrastructure and important customer units, security management requires cooperative management, with security information and notices passed up and down. The system supports report types such as security event reports, security reports for important periods and security situation reports; provides workflow management for issuing, receiving and submitting reports; supports single and periodic report tasks; and also includes functions such as active information submission and monthly security reports.
As required, the system supports an interface with the national information security reporting mechanism: national information security reports can be imported into the platform and distributed to subordinate units, which collect feedback as required by the competent department and output a formatted report to submit to it. Report contents include report name, receiving unit, event classification, reporting requirements and so on.
Security operation and maintenance staff can use the system to collect and display the overall reporting status in association, and the displayed content gives an overall picture of the organization's security reporting.
The civil aviation air traffic control network security detection and early warning platform provided by this application achieves the following technical effects:
1. Integrated security management and control interface
The platform gives security managers an integrated security management and control interface, providing multi-view, multi-level management views for staff at different levels.
Senior leaders of the network security management layer can grasp the overall security situation of the whole network through the platform's overall view, evaluate the effectiveness of the security mechanisms of the whole network and of important business information systems, identify the priorities for the next round of security protection improvement, and obtain the decision support they need.
Leaders of each business department in the network security management layer can grasp the security situation of their business information systems through the system's business view, consult the operation and security reports of their business systems, and coordinate operation and maintenance processes and security event handling across departments.
Network security executive staff can use the system to break down upper-level work targets into strategies, indicators, rules, plans and tasks that the system can execute; check the running state of security assets, security risk trends and the handling of important security events in the network and business systems through the system's management view and dashboard, and analyse security reports; and keep track of the progress of plans and tasks at any time, which supports the assessment of first-line operation and maintenance staff.
The platform first provides a global monitoring dashboard on which real-time log traffic curves and statistical charts for different device types and security regions, the overall running state of the network, pending alarm information and so on can be seen on one screen. Security service staff can customize the dashboard, design its content and layout as needed, and set up dashboards of different dimensions for users in different roles.
The platform provides a real-time audit view: according to built-in or user-defined real-time monitoring strategies, auditors can observe the trend of security events from any log dimension in real time, investigate and drill into events, and analyse event behaviour and locate its source. Auditors can monitor high-risk security events from firewalls, IDSs, anti-virus, network devices, hosts and applications in real time; monitor key security events of each department, security domain and business system in real time; and monitor illegal login events, configuration change events and intrusion attack events against key servers across the whole network in real time.
The platform provides a statistical view: according to built-in or user-defined statistical strategies, auditors can analyse security events statistically in real time from multiple log dimensions and display them as bar charts, pie charts, stacked charts and so on. Auditors can check host traffic, host login failure counts, active viruses, network device faults, the most frequent visitors and so on over a period of time.
The platform provides analysis methods such as rule correlation and statistical correlation; by establishing a sound analysis model, it helps the relevant users deepen log analysis and improve the accuracy with which security events are identified.
2. Business-oriented unified security management
Business refers to the sum of an enterprise's or organization's processes of production, operation, transaction handling and so on. With the introduction of information technology, business has become tightly coupled with IT. From the IT perspective, a business comprises an IT support system (the business support system for short), business data, business processes and business participants. The business support system is the foundation of the business and includes the software and hardware IT resources that carry its operation, such as network equipment, security equipment, hosts, databases and middleware. These IT resources are combined organically and share a group of tasks that produce specific customer value, forming the business support system.
By analysing the vulnerable assets and configuration weaknesses within a business, the platform automatically calculates the business's vulnerability index. It establishes a multi-dimensional key threat indicator system for the business and calculates its threat index. It provides a business health index model based on the security indicator system, which calculates the business health index from three dimensions, namely the performance and availability of the business, its vulnerability and its threat, and plots a business health index curve over time.
3. Life-cycle management of all assets and vulnerabilities
With the growth of big data, IoT, mobile and cloud technologies, managing massive numbers of assets by hand is inefficient and tedious; when assets are poorly managed, security cannot be managed effectively. The security service platform automatically discovers assets in the network space, identifies them accurately using its own asset fingerprint library, obtains their attribute information by various technical means, and manages asset information comprehensively, greatly reducing the manual maintenance workload.
For discovered assets, besides obtaining their vulnerabilities promptly through the vulnerability scanning system, the platform combines the external vulnerability intelligence base obtained from the security service platform with the attribute information of the assets it manages, so that the latest vulnerabilities present in the systems are discovered promptly. For discovered security vulnerabilities, the platform notifies security operation and maintenance staff to repair and handle them promptly; the system carries each vulnerability through discovery, confirmation, repair and closure, forming full life-cycle management and effectively eliminating the risk of vulnerabilities remaining for a long time.
4. Multi-dimensional security event analysis and response
The platform achieves whole-network security detection, early warning and response. It provides multi-dimensional security analysis technology to perceive security threats on internal and external networks. On the intranet, internal violations and information leakage are perceived efficiently through user behaviour analysis so that managers understand internal security risk. The platform detects and judges threats through multi-level security analysis techniques, provides response suggestions and various automatic response modes, and finally lets managers see visually whether the network is currently secure, where it is insecure, what harm has been done, how wide the impact is, how it has been handled, and what the process and outcome of handling were.
The platform provides multi-dimensional security event analysis. Various security analysis scenario rules are built in, association rules can be edited visually, and a powerful correlation analysis engine analyses the collected security logs and traffic source data in real time to discover known attacks and threats promptly and form security events. For unknown threats, the platform provides anomaly detection based on machine learning: attribute features are selected from the mass of logs and traffic data for learning, a behavioural baseline model of each entity is built, abnormal behaviour is identified from the deviation between actual and predicted values, and a security analyst then analyses it further to discover security events. For attack-chain behaviour, the system provides deep analysis that explores the attacks at each stage of the whole attack chain, constructs the attack behaviour chain and analyses its impact. The system also provides interactive security analysis: analysts can explore data through a visual page and discover network security events using various data visualization techniques, drawing on their security analysis experience and combinations of the massive data.
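The following is an added example, not the patent's model: it shows the behavioural-baseline approach the paragraph describes for unknown threats, with a per-entity baseline learned from history, a predicted value, and a deviation score that flags the entity when the actual value departs from the prediction. The baseline here is a robust median/MAD model rather than a trained learner, and the entities, metrics, history and threshold are constructed for this example; the floor on the spread is an assumption that handles the common failure mode of a perfectly constant history.

```python
from statistics import median

# Constructed 14-day history of one metric per entity
# (logins per day for users, GB sent per day for the host, jobs per day for the service).
HISTORY = {
    "user:alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 12, 14, 13, 15],
    "user:bob": [9, 11, 10, 8, 12, 10, 9, 11, 10, 10, 9, 11, 10, 12],
    "host:db-03": [1.1, 1.3, 1.2, 1.0, 1.4, 1.2, 1.1, 1.3, 1.2, 1.1, 1.3, 1.2, 1.0, 1.4],
    "svc:backup": [5] * 14,
}
# Constructed observations for the day under analysis.
TODAY = {"user:alice": 14, "user:bob": 120, "host:db-03": 9.8, "svc:backup": 7}


def baseline(values, min_scale=1.0):
    """Robust baseline: the median is the predicted value, the scaled MAD the spread.
    A floor on the spread keeps a constant history from flagging every tiny change."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return {"predicted": med, "scale": max(1.4826 * mad, min_scale)}


def deviation(actual, base):
    """Signed distance between actual and predicted, in units of the spread."""
    return (actual - base["predicted"]) / base["scale"]


def detect(history, today, threshold=3.5, min_scale=1.0, min_history=7):
    """Flag entities whose observed value deviates from the baseline by more than
    `threshold` spread units; returns sorted (entity, actual, predicted, z)."""
    anomalies = []
    for entity, values in history.items():
        if entity not in today or len(values) < min_history:   # not enough history to learn
            continue
        base = baseline(values, min_scale)
        z = deviation(today[entity], base)
        if abs(z) > threshold:
            anomalies.append((entity, today[entity], base["predicted"], round(z, 2)))
    return sorted(anomalies)
```

Usage: `detect(HISTORY, TODAY)` flags `user:bob` (120 logins against a baseline of 10) and `host:db-03` (9.8 GB out against 1.2), while `user:alice` and the constant-rate backup job are not flagged. The flagged entities are the analyst's starting point; the paragraph's last step, confirming a security event, remains a human decision.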
Aiming at the discovered security events, the platform provides a plurality of response modes, can inform corresponding responsible persons in time in a plurality of modes, supports a plurality of automatic response modes and realizes network security closed-loop management.
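The association-rule engine and attack-chain reconstruction described above, as an added example that is not part of the patent: rules are kept as plain data (so a visual editor could produce them) and each rule is an ordered sequence of normalised event kinds that must all occur for the same source within a window. The rule, event kinds, phase names and the sample events are hypothetical; a deployment would feed the engine the collectors' normalised events instead.

```python
"""Rule-based correlation with attack-chain reconstruction (added example,
not the patent's code). Rules are data describing an ordered sequence of
normalised event kinds that must all occur for the same source address
within a time window. A full match becomes one security event whose
'chain' lists the matched event for each attack-chain phase."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str      # attacking address
    dst: str      # targeted asset
    kind: str     # normalised event type produced by the collectors


# Association rules as data (hypothetical rule). Each stage names the event
# kind it expects and the attack-chain phase it evidences; order matters.
RULES = [
    {
        "name": "web_intrusion_chain",
        "window_minutes": 60,
        "stages": [
            {"kind": "port_scan",       "phase": "reconnaissance"},
            {"kind": "web_attack",      "phase": "exploitation"},
            {"kind": "webshell_upload", "phase": "installation"},
            {"kind": "webshell_cmd",    "phase": "actions_on_objectives"},
        ],
    },
]


def correlate(events, rules=RULES):
    """Evaluate every rule against the events, grouped by source address.

    Returns one finding per (rule, source) whose stages all matched inside
    the rule's window; the finding carries the reconstructed chain and the
    set of assets touched, which is what the impact analysis needs."""
    by_src = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_src.setdefault(ev.src, []).append(ev)

    findings = []
    for rule in rules:
        stages = rule["stages"]
        window = timedelta(minutes=rule["window_minutes"])
        for src, evs in by_src.items():
            for i, start in enumerate(evs):
                if start.kind != stages[0]["kind"]:
                    continue
                chain = [(stages[0]["phase"], start)]
                for later in evs[i + 1:]:
                    if later.ts - start.ts > window:
                        break  # later events of this source are outside the window
                    if later.kind == stages[len(chain)]["kind"]:
                        chain.append((stages[len(chain)]["phase"], later))
                        if len(chain) == len(stages):
                            break
                if len(chain) == len(stages):
                    findings.append({
                        "rule": rule["name"],
                        "src": src,
                        "first_seen": chain[0][1].ts,
                        "last_seen": chain[-1][1].ts,
                        "targets": sorted({e.dst for _, e in chain}),
                        "chain": [(phase, e.kind) for phase, e in chain],
                    })
                    break  # one finding per source per rule is enough
    return findings


# Constructed events: one full chain, one partial chain, one chain whose
# last stage falls outside the 60-minute window.
T0 = datetime(2020, 6, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "203.0.113.5", "10.0.0.8", "port_scan"),
    Event(T0 + timedelta(minutes=5), "203.0.113.5", "10.0.0.8", "web_attack"),
    Event(T0 + timedelta(minutes=12), "203.0.113.5", "10.0.0.8", "webshell_upload"),
    Event(T0 + timedelta(minutes=20), "203.0.113.5", "10.0.0.8", "webshell_cmd"),
    Event(T0 + timedelta(minutes=1), "198.51.100.7", "10.0.0.8", "port_scan"),
    Event(T0 + timedelta(minutes=3), "198.51.100.7", "10.0.0.9", "web_attack"),
    Event(T0, "192.0.2.9", "10.0.0.9", "port_scan"),
    Event(T0 + timedelta(minutes=2), "192.0.2.9", "10.0.0.9", "web_attack"),
    Event(T0 + timedelta(minutes=3), "192.0.2.9", "10.0.0.9", "webshell_upload"),
    Event(T0 + timedelta(minutes=90), "192.0.2.9", "10.0.0.9", "webshell_cmd"),
]


def demo():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f["rule"], f["src"], "->", f["targets"], [p for p, _ in f["chain"]])
```

Only the 203.0.113.5 sequence produces a security event; the partial chain and the chain that overruns the window stay as raw events for the analyst to explore interactively. Grouping on the attacker's source address is a simplification: stages that originate from the victim host (for instance outbound command-and-control beacons) need a rule keyed on the asset rather than on the source.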
5. Supporting compliance with the Cybersecurity Law and classified protection (MLPS)
The platform follows the security designs and specifications of the Cybersecurity Law and of information-system classified protection.
The Cybersecurity Law is the national law of the network security field and sets explicit requirements for network operation security, network information security and emergency handling. Its Article 21 requires operators to "take technical measures to monitor and record the network operating status and network security incidents, and retain the relevant network logs for no less than six months as prescribed". The system provides real-time security monitoring and an around-the-clock, all-dimensional full-traffic collection engine, collects and stores all kinds of network logs centrally, keeps them for at least six months, and helps customers with statistics, queries, analysis and reporting of security data. The system supports a security service platform for security services and information reporting, and can report and publish security information through an interface as specified. The Cybersecurity Law stipulates that China implements a cybersecurity classified protection system (MLPS). The baseline requirements of classified protection are broad and the corresponding security measures are scattered; the system can centrally audit the effectiveness of the security mechanisms for physical, network, host, application and data security in the baseline security requirements. For the basic management requirements on system operation and maintenance in the baseline security requirements, the system provides asset discovery and management, device management, security monitoring, service monitoring, vulnerability management, security event handling and similar functions, and provides a security service platform supported by multi-dimensional security monitoring and O&M management technology.
The embodiments above are only specific embodiments of the present application, used to illustrate its technical solutions without limiting them, and the scope of the application is not limited to them. Although the application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone familiar with the art can, within the technical scope disclosed here, modify or readily conceive changes to the technical solutions described in the foregoing embodiments, or substitute equivalents for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the present disclosure and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be that of the claims.

Claims (10)

1. A civil aviation air traffic control network security detection and early warning platform, characterised in that it comprises: security information collectors, website and application monitoring, a situation analysis centre and distributed computing and storage nodes, wherein the collectors, the website and application monitoring, the situation analysis centre and the distributed computing and storage nodes are deployed respectively in the internal network and the external network;
the security information collectors comprise an asset collector, a log collector, a full-traffic collection system, a vulnerability collector and a security configuration collector;
the website and application monitoring provides, for the website group and APPs, 7x24-hour real-time security monitoring of web applications using remote monitoring technology, and, for the management information network, 7x24-hour real-time security monitoring of intranet websites and applications using monitoring technology deployed on the intranet;
the situation analysis centre stores the various security situation element data, analyses the situation elements with a variety of intelligent analysis methods, perceives the various network security situations, performs security monitoring, discovers security problems, and issues early warnings and responses; provides a visual display of the security situation and an interactive application interface; and centrally manages the distributed computing and storage nodes dispersed across the network;
the distributed computing and storage nodes are installed and run on independent servers and provide distributed storage, full-text indexing and analysis of security events; as the data volume keeps growing, capacity is scaled horizontally by adding distributed computing and storage nodes.
2. The civil aviation air traffic control network security detection and early warning platform of claim 1, wherein
the asset collector covers servers, network devices, security devices, databases, application systems and the like, and can automatically scan, detect and accurately identify the assets in the network;
the log collector collects logs and events from the network devices, security devices and dedicated security analysis systems already deployed across the whole network and those to be deployed in the project;
the full-traffic collection system collects full traffic from the mirror ports of the area switches of the external network, the intranet and the AFTN (Aeronautical Fixed Telecommunication Network) system at key node positions deployed on the external and internal networks, performs deep packet inspection, deep flow inspection and deep content inspection on the data, and discovers network-layer and application-layer security threats and attacks in the traffic;
the vulnerability collector is the planned network vulnerability scanning system; the platform drives the vulnerability scanner and collects the asset vulnerabilities discovered across the whole network;
the security configuration collector collects security configuration information from the terminals, servers, network devices, security devices, databases, middleware and application systems across the whole network and analyses security configuration compliance.
3. The civil aviation air traffic control network security detection and early warning platform of claim 1, wherein, from the architecture design perspective, the platform comprises a function application layer, a scenario analysis layer and a monitoring and early warning sub-platform;
the function application layer comprises a security monitoring module, a security inspection module, a risk assessment module, an emergency response module, a security threat early warning module, a security configuration checking module, a report management module and an information resource management module;
the scenario analysis layer defines the analysis method of the security monitoring and early warning system in terms of an analysis engine, analysis scenarios and analysis outputs; the analysis engine supplies the computing capability for scenario analysis and comprises analysis algorithms, an offline computing engine and a real-time computing engine; the analysis scenarios comprise a network threat analysis scenario for analysing external attacks, a system security analysis scenario, and a user behaviour analysis scenario for analysing internal threats; the analysis outputs comprise a comprehensive security situation display, a real-time attack situation display, a malicious operation situation display, an abnormal traffic situation display and an attack profile display;
the monitoring and early warning sub-platform is a security big-data centre with independent service capability; it collects, processes, aggregates, stores and retrieves the various kinds of security data and provides a data subscription interface.
4. The civil aviation air traffic control network security detection and early warning platform of claim 3, wherein
the analysis algorithms in the analysis engine comprise correlation analysis, statistical analysis and data mining; security event correlation analysis performs feature-matching analysis across multiple heterogeneous events using rule matching; event statistical analysis uses statistical methods to compute the state, frequency and period of occurrence of each kind of event, giving the distribution, main characteristics and time-series trend of the event data, whether outliers exist, and an event summary; data mining is the process of extracting, for a given business objective, previously unknown but potentially useful information and knowledge from large volumes of real application data that are incomplete, noisy, fuzzy and random, and modelling it further;
the offline computing engine in the analysis engine is the core data storage area of the whole big-data centre; it stores the full historical detail data and performs all offline computation;
the real-time computing engine in the analysis engine uses a distributed real-time computing architecture, can adjust storage capacity dynamically, and separates the reads and writes of analysis data from the offline data.
5. The civil aviation air traffic control network security detection and early warning platform of claim 3, wherein the analysis scenarios comprise a network threat analysis model, an abnormal security traffic detection model, a system malicious operation analysis model and a threat intelligence analysis model;
network threat analysis model: by filtering and analysing raw data such as security device alarm logs and system logs in the network, it counts and analyses the overall attack situation in the network and systems and outputs clear alarm information, trend early warnings after analysis and prediction, and network threat situation information;
abnormal security traffic detection model: it describes the traffic baseline of an important asset application system through traffic data, security device log analysis and big-data intelligent learning, determines the time points at which abnormal traffic behaviour occurs from the characteristics of the traffic changes, analyses the traffic behaviour feature parameters at each such time point to find the target IP address of the abnormal behaviour, extracts the related traffic, analyses it comprehensively and identifies abnormal-traffic attack behaviour;
system malicious operation analysis model: by filtering and analysing the raw data of system alarm logs and system security logs of the system resources, it counts and analyses the attacks within the systems and outputs clear alarm information, early warnings after analysis and prediction, and system security threat situation information;
threat intelligence analysis model: it obtains machine-readable threat intelligence from the cloud, creates analysis rules from it automatically, and compares them in real time with the data collected on the local network to find suspicious connection behaviour; it can also compare the intelligence against historical data to find APT attacks that have already occurred or botnet hosts on the local network, and uses the intelligence to trace security events.
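The behaviour-baseline idea of the description (flag behaviour when the actual value deviates from the predicted value) and the abnormal security traffic detection model of this claim, as one added example that is not the patent's code. It assumes a robust median/MAD baseline per asset and hour of day and an assumed deviation threshold; the flow records are constructed, where a deployment would read the full-traffic collector's flow records.

```python
"""Traffic-baseline anomaly detection for one protected asset (added example,
not the patent's code). Learn, per asset and hour of day, the typical hourly
byte volume from history; score new hours by their robust deviation from
that prediction; for each anomalous hour report the time point, the target
IP and the source that contributed the traffic."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

MAD_TO_SIGMA = 1.4826  # scales a MAD to a standard deviation for normal data


def hourly_volume(flows):
    """Sum bytes per (dst, hour bucket). flows: (ts, src, dst, nbytes)."""
    vol = defaultdict(int)
    for ts, _src, dst, nbytes in flows:
        vol[(dst, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
    return vol


def build_baseline(history):
    """Per (dst, hour-of-day): (median, MAD) of hourly bytes over the history.
    Median/MAD is an assumption chosen so that a few attack hours in the
    training period do not pull the baseline up."""
    samples = defaultdict(list)
    for (dst, hour), nbytes in hourly_volume(history).items():
        samples[(dst, hour.hour)].append(nbytes)
    baseline = {}
    for key, vals in samples.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0  # never a zero scale
        baseline[key] = (med, mad)
    return baseline


def detect(baseline, flows, threshold=6.0):
    """Score each observed (dst, hour) against its predicted volume.

    An hour is anomalous when actual - predicted exceeds `threshold` robust
    standard deviations (threshold is an assumption). Hours with no baseline
    are skipped rather than guessed. For each anomaly the related flows are
    extracted and the top source named, as input for the analyst."""
    anomalies = []
    for (dst, hour), actual in sorted(hourly_volume(flows).items()):
        if (dst, hour.hour) not in baseline:
            continue
        predicted, mad = baseline[(dst, hour.hour)]
        score = (actual - predicted) / (MAD_TO_SIGMA * mad)
        if score <= threshold:
            continue
        related = [f for f in flows if f[2] == dst
                   and f[0].replace(minute=0, second=0, microsecond=0) == hour]
        by_src = Counter()
        for _ts, src, _dst, nbytes in related:
            by_src[src] += nbytes
        anomalies.append({
            "target_ip": dst,
            "time_point": hour,
            "actual_bytes": actual,
            "predicted_bytes": predicted,
            "score": round(score, 1),
            "top_source": by_src.most_common(1)[0][0],
            "related_flows": len(related),
        })
    return anomalies


# Constructed data: seven days of hourly client traffic to a portal server,
# then one test day with a 60 MB burst from an external address at 14:00.
ASSET = "10.0.0.8"
DAY0 = datetime(2020, 6, 8)


def _normal_flow(day, hour):
    return (DAY0 + timedelta(days=day, hours=hour), "10.0.0.20", ASSET,
            1_000_000 + 200_000 * (hour % 3) + 10_000 * day)


TRAIN_FLOWS = [_normal_flow(d, h) for d in range(7) for h in range(24)]
TEST_FLOWS = [_normal_flow(7, h) for h in range(24)] + [
    (DAY0 + timedelta(days=7, hours=14, minutes=m), "203.0.113.5", ASSET, 20_000_000)
    for m in (5, 17, 40)
]


def demo():
    return detect(build_baseline(TRAIN_FLOWS), TEST_FLOWS)


if __name__ == "__main__":
    for a in demo():
        print(a)
```

Only the 14:00 hour of the test day scores above the threshold; its normal day-to-day drift scores around 1.3 and stays silent. A per-hour-of-day baseline is the smallest model that respects daily cycles; assets with weekly cycles need a (weekday, hour) key, and an asset that has just been deployed has no baseline and is skipped on purpose rather than scored against a guess.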
6. The civil aviation air traffic control network security detection and early warning platform of claim 5, wherein the network threat analysis model specifically comprises attack detection analysis, brute-force detection analysis, Web attack detection analysis, malicious scanning detection analysis and malicious program detection analysis;
attack detection analysis normalises the raw data of attacks from the Internet and then performs multi-dimensional statistical analysis, outputs alarms, situation and trend early warnings according to the different results, and supports the network threat situation and security alarm monitoring displays;
brute-force detection analysis uses data comparison and analysis to detect the part of password-guessing attacks that the security devices did not discover, attacks in which the attacker guesses by trying the passwords of higher probability;
Web attack detection analysis analyses security device attack alarm logs, Web traffic, Web site logs, Web middleware access logs, Web server logs and the like, counts and analyses the overall situation of attacks on the Web sites such as CC (HTTP flood) attacks, injection attacks, WebShell attacks and cross-site attacks, and predicts possible Web attacks from the historical situation;
malicious program detection analysis identifies the malicious programs in the network by analysing security device alarm logs and network traffic, and performs statistical analysis of the threat situation.
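Brute-force detection analysis as an added example, not the patent's code: it compares authentication records to find the password guessing that per-account lockout rules on security devices miss, including password spraying, where a source tries a few high-probability passwords against many accounts and never trips a per-account threshold. The log lines are constructed in OpenSSH style; the window and thresholds are assumptions to be tuned per site.

```python
"""Password-guessing detection from authentication logs (added example, not
the patent's code). Two patterns per source address: a burst of failures
against one account, and a spray of few failures each across many accounts.
Each finding records whether a success followed, i.e. a likely compromise."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(lines):
    """Normalise raw lines into (ts, src, user, ok); unparseable lines are dropped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"],
                        m["result"] == "Accepted"))
    return sorted(out)


def detect_password_guessing(lines, window=timedelta(minutes=10),
                             burst_failures=5, spray_users=5, spray_max_per_user=2):
    """Slide a window over each source's attempts and compare failure counts.

    brute_force: one account fails >= burst_failures times in the window.
    password_spray: >= spray_users accounts fail, none more than
    spray_max_per_user times (under any per-account lockout)."""
    by_src = defaultdict(list)
    for rec in parse(lines):
        by_src[rec[1]].append(rec)

    findings = []
    for src, recs in by_src.items():
        reported = set()
        for i, (t0, _, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - t0 <= window]
            fails = defaultdict(int)
            for _, _, user, ok in in_window:
                if not ok:
                    fails[user] += 1
            if not fails:
                continue
            worst_user, worst = max(fails.items(), key=lambda kv: kv[1])
            success = any(ok and user in fails for _, _, user, ok in in_window)
            if worst >= burst_failures and "brute_force" not in reported:
                reported.add("brute_force")
                findings.append({"src": src, "type": "brute_force", "user": worst_user,
                                 "failures": worst, "followed_by_success": success})
            if (len(fails) >= spray_users and worst <= spray_max_per_user
                    and "password_spray" not in reported):
                reported.add("password_spray")
                findings.append({"src": src, "type": "password_spray",
                                 "users": len(fails), "followed_by_success": success})
    return findings


# Constructed log lines: a benign typo, a burst against root that succeeds,
# a six-account spray, and one unrelated line that the parser drops.
SAMPLE_LINES = [
    "2020-06-15T08:00:01 atc-gw sshd[2001]: Failed password for alice from 10.0.0.20 port 50001 ssh2",
    "2020-06-15T08:00:09 atc-gw sshd[2001]: Accepted password for alice from 10.0.0.20 port 50001 ssh2",
] + [
    f"2020-06-15T02:10:{s:02d} atc-gw sshd[21{s:02d}]: Failed password for root from 198.51.100.7 port 4{s:04d} ssh2"
    for s in range(8)
] + [
    "2020-06-15T02:10:09 atc-gw sshd[2109]: Accepted password for root from 198.51.100.7 port 40009 ssh2",
] + [
    f"2020-06-15T03:0{m}:00 atc-gw sshd[31{m:02d}]: Failed password for invalid user {u} from 203.0.113.5 port 5100{m} ssh2"
    for m, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    "2020-06-15T03:07:00 atc-gw sshd[3107]: Connection closed by 203.0.113.5 port 51007",
]


def demo():
    return detect_password_guessing(SAMPLE_LINES)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The spray from 203.0.113.5 produces one failure per account, so a device rule of "five failures on an account" never fires; comparing across accounts from the same source is what surfaces it. The successful root login after eight failures is the finding that should be escalated first.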
7. The civil aviation air traffic control network security detection and early warning platform of claim 3, wherein the monitoring and early warning sub-platform comprises a data acquisition layer, a data processing layer, a data aggregation layer and a data interface layer; the data acquisition layer defines the data sources and collection objects for threat analysis and stores the various security data centrally; the data processing layer cleans, filters, standardises, associates and completes, and tags the collected raw data to form standardised data, and standardises the data format at each stage; the target storage location of the standardised security data is defined, the raw data and the standardised data are retrieved intelligently through the data aggregation layer, and the data interface layer provides data to external consumers.
8. The civil aviation air traffic control network security detection and early warning platform of claim 7, wherein the data acquisition is specifically: the monitoring and early warning sub-platform adapts to the various data sources being collected and must support multiple collection protocols to collect the various data, including security object attributes, operating states, security events, and assessment and detection data; to collect the attributes, operating states, security events, and assessment and detection data of the security objects, a corresponding collection frequency and an adapted protocol are set for each type of data.
9. The civil aviation air traffic control network security detection and early warning platform of claim 7, wherein the data processing is specifically: the collected data are cleaned/filtered, standardised, associated and completed, and tagged, and the standard data are loaded into the data store;
data cleaning/filtering supports conversion and processing of the data to handle inconsistent formats, input errors and incomplete data; the data conversion components comprise field mapping, data filtering, data cleaning, data replacement, data calculation, data validation, data encryption and decryption, data merging and data splitting;
data standardisation applies uniform formatting to the heterogeneous raw data so that it meets the data format definition of the monitoring and early warning sub-platform, and the standardised raw logs are stored;
data association and completion forms complete data by associating and completing the collected data according to the relationships between them, enriching the data for later statistical analysis;
data tagging marks the associated and completed data on top of the raw data, combining information such as the business system the data belongs to and the device type;
the aggregated data store classifies and stores the different types of collected data to meet the needs of data analysis, supports multiple data formats and provides multiple storage modes.
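The data processing steps of claims 7 and 9 (cleaning/filtering, standardisation, association and completion, tagging, loading) as an added example, not the patent's code. The key=value firewall syslog format, the web access-log format, the asset table and the +08:00 collector time zone are assumptions; the raw lines are constructed, and an in-memory list stands in for the data store.

```python
"""Log cleaning, standardisation, association/completion and tagging (added
example, not the patent's code). One batch of raw collector records is
walked through the processing layer: duplicates and malformed lines are
filtered out, each source format is parsed into one standard schema with
ISO 8601 UTC timestamps, both addresses are completed from an asset table,
and tags for business system, device type and direction are added."""
import re
from datetime import datetime, timezone, timedelta

LOCAL_TZ = timezone(timedelta(hours=8))  # assumed time zone of the collectors

# Constructed asset table, the kind of data the asset collector would supply
ASSETS = {
    "10.0.0.8": {"name": "web-portal-01", "system": "Website group", "type": "server"},
    "10.0.0.20": {"name": "ops-ws-07", "system": "Management information network",
                  "type": "workstation"},
}

KV_RE = re.compile(r"(\w+)=(\S+)")
SYSLOG_TS_RE = re.compile(r"^<\d+>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)


def parse_firewall(line, year=2020):
    """key=value syslog line -> partial standard record, or None if malformed.
    Syslog carries no year, so the batch year is supplied (assumption)."""
    m = SYSLOG_TS_RE.match(line)
    kv = dict(KV_RE.findall(line))
    if not m or "srcip" not in kv or "dstip" not in kv:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return {"ts": ts, "src_ip": kv["srcip"], "dst_ip": kv["dstip"],
            "action": kv.get("action", "unknown"), "detail": kv.get("dstport", "")}


def parse_access(line, collector_host_ip):
    """Web access-log line -> partial record; the destination address is not in
    the line, so it is completed from the host the collector read it on."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "src_ip": m["src"], "dst_ip": collector_host_ip,
            "action": "allow" if m["status"].startswith("2") else "deny",
            "detail": f'{m["method"]} {m["path"]} {m["status"]}'}


PARSERS = {"firewall": lambda line, host: parse_firewall(line),
           "web_access": parse_access}


def process(raw_records):
    """raw_records: (source_type, collector_host_ip, line). Returns (records, stats)."""
    stats = {"input": len(raw_records), "duplicates": 0, "malformed": 0, "loaded": 0}
    seen, store = set(), []  # `store` stands in for the platform's data store
    for source_type, host_ip, line in raw_records:
        key = (source_type, line)
        if key in seen:                          # cleaning: drop exact duplicates
            stats["duplicates"] += 1
            continue
        seen.add(key)
        parser = PARSERS.get(source_type)
        rec = parser(line, host_ip) if parser else None
        if rec is None:                          # filtering: drop what cannot be parsed
            stats["malformed"] += 1
            continue
        # standardisation: one schema, UTC timestamps, raw line kept for audit
        rec["ts"] = rec["ts"].astimezone(timezone.utc).isoformat()
        rec["source_type"] = source_type
        rec["raw"] = line
        # association/completion: both addresses looked up in the asset table
        rec["src_asset"] = ASSETS.get(rec["src_ip"])
        rec["dst_asset"] = ASSETS.get(rec["dst_ip"])
        # tagging: business system, device type and traffic direction
        tags = []
        for role in ("src", "dst"):
            asset = rec[f"{role}_asset"]
            if asset:
                tags += [f"{role}_system:{asset['system']}", f"{role}_device:{asset['type']}"]
        tags.append("direction:external" if rec["src_asset"] is None else "direction:internal")
        rec["tags"] = sorted(tags)
        store.append(rec)
        stats["loaded"] += 1
    return store, stats


# Constructed batch: a firewall line (sent twice), one web access line, and a
# firewall heartbeat that carries no addresses.
RAW_RECORDS = [
    ("firewall", "10.0.0.1",
     "<134>Jun 15 10:01:02 fw01 devname=fw01 srcip=203.0.113.5 dstip=10.0.0.8 dstport=443 action=deny"),
    ("firewall", "10.0.0.1",
     "<134>Jun 15 10:01:02 fw01 devname=fw01 srcip=203.0.113.5 dstip=10.0.0.8 dstport=443 action=deny"),
    ("web_access", "10.0.0.8",
     '10.0.0.20 - - [15/Jun/2020:10:01:05 +0800] "GET /index.html HTTP/1.1" 200 512'),
    ("firewall", "10.0.0.1", "<134>Jun 15 10:01:07 fw01 heartbeat ok"),
]


def demo():
    return process(RAW_RECORDS)


if __name__ == "__main__":
    records, stats = demo()
    print(stats)
    for r in records:
        print(r["ts"], r["src_ip"], "->", r["dst_ip"], r["action"], r["tags"])
```

Keeping the raw line beside the standardised fields is what lets a later correlation or an auditor check the parser's work, and converting every timestamp to UTC before storage is what makes events from different collectors comparable in the association step.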
10. The civil aviation air traffic control network security detection and early warning platform of claim 7, wherein the data storage modes comprise relational data storage, distributed full-text retrieval, distributed file storage and a distributed message bus;
relational data storage: for data of small volume and infrequent change, it stores two-dimensional (tabular) data and supports deployment on mainstream relational databases;
distributed full-text retrieval: it stores the data for which full-text search must be offered externally, supports retrieval over that data, and performs exact, fuzzy, range and multi-condition combined retrieval over mass data;
distributed file storage: it stores the collected raw data and the standardised data after ETL, and can hold many kinds of data;
distributed message bus: it provides a distributed message processing mechanism with high-throughput, high-concurrency message publishing and subscription for real-time data processing; the distributed message bus implements monitoring of real-time data and online processing of message distribution.
Application and publication data

Application number: CN202010541480.8A
Priority date: 2020-06-15
Filing date: 2020-06-15
Publication: CN113486351A, published 2021-10-08
Family ID: 77932601
Country: CN
Legal status: Pending

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018177210A1 * 2017-03-27 2018-10-04 新华三技术有限公司 Defense against APT attack
CN108769048A * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A security visualisation and situation awareness platform system
CN108833397A * 2018-06-08 2018-11-16 武汉思普崚技术有限公司 A big-data security analysis platform system based on network security
CN109861995A * 2019-01-17 2019-06-07 安徽谛听信息科技有限公司 A cyberspace security big-data intelligent analysis method and computer-readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination