CN114567497A - Collaborative safety centralized management and control system - Google Patents


Info

Publication number
CN114567497A
Authority
CN
China
Prior art keywords
centralized management
module
enterprise
control
control system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210212338.8A
Other languages
Chinese (zh)
Inventor
凌飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Liancheng Technology Development Co ltd
Original Assignee
Nanjing Liancheng Technology Development Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2022-03-04
Filing date
2022-03-04
Publication date
2022-05-31
Application filed by Nanjing Liancheng Technology Development Co ltd

Classifications

    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a collaborative security centralized management and control system that adopts a layered distributed architecture comprising one center node connected to a plurality of edge nodes. The system further comprises a center-centralized management and control and a plurality of enterprise-centralized management and controls; each enterprise-centralized management and control is deployed at an edge node, and the center-centralized management and control is deployed at the center node and comprises an interconnection input module, an acquisition module, a processing module, a storage module, an aggregation and analysis module, an evaluation module, an impact analysis module, a mitigation module, a management module, a visualization module, an interconnection output module and a collaboration module. The system supports dispersed stakeholder enterprises across enterprise boundaries and enables rapid collaboration and a coordinated response, so that the impact of a cyber threat and/or its further propagation and knock-on effects are mitigated.

Description

Collaborative safety centralized management and control system
Technical Field
The invention relates to the technical field of network security, security operations centers (SOC), information sharing, cyber incident handling and cyber incident reporting, and in particular to a collaborative security centralized management and control system.
Background
Today, the industrial control systems operating in critical infrastructures are becoming more and more complex; in addition, they are widely interconnected with enterprise IT systems for cost-effective monitoring, management and maintenance. This exposes critical infrastructure to modern advanced cyber threats. Existing security solutions, however, attempt to prevent, detect and address cyber threats with security measures that generally do not cross enterprise boundaries.
Modern advanced cyber threats, especially multi-stage attacks such as Stuxnet, take advantage of the interdependencies between enterprises. By exploiting vulnerabilities in various systems, attackers compromise several enterprises and use them as stepping stones to reach the critical-infrastructure target. To counter such threats, an enterprise therefore needs to protect its business with a mechanism that does not rely solely on information collected from its own systems, but additionally gathers the relevant observations shared or disclosed among enterprises, analyzes them, reveals such attacks in time and promptly deploys mitigation measures.
Information sharing is increasingly important in cyber defense: sharing relevant incident information among enterprises gives each a better picture of the current security posture of its critical infrastructure and allows concealed large-scale attacks and new malware to be detected. Analysis of shared incident information is critical for identifying, within one enterprise's critical infrastructure, threats that have already been detected in the critical infrastructure of other enterprises; an attacked enterprise may also benefit from analyzing and correlating the solutions previously adopted by other enterprises for the same or similar problems.
Disclosure of Invention
To solve this technical problem, the invention provides a collaborative security centralized management and control system that applies network security measures across enterprise boundaries to deal with multi-stage cyber attacks.
A collaborative security centralized management and control system is characterized in that it adopts a layered distributed architecture; the system comprises a center node and a plurality of edge nodes, one center node being connected with the plurality of edge nodes, and further comprises a center-centralized management and control and a plurality of enterprise-centralized management and controls;
the enterprise-centralized management and control is deployed on an edge node and is used for intrusion and threat detection within the enterprise; it automatically forwards acquired data to the acquisition module of the center-centralized management and control, and also reports locally detected anomalies and events that may have cross-enterprise correlation to the center-centralized management and control;
the center-centralized management and control is deployed on the center node; it receives the acquired data sent by the enterprise-centralized management and controls, the strategic information they share, and public network information; it analyzes the strategic information and public network information obtained, evaluates the cross-enterprise cyber attacks thus identified and, once analysis and evaluation are complete, provides a mitigation strategy, recommendation or early warning to the reporting enterprise-centralized management and control, to related enterprise-centralized management and controls and even to related authorities; it comprises an interconnection input module, an acquisition module, a processing module, a storage module, an aggregation and analysis module, an evaluation module, an impact analysis module, a mitigation module, a management module, a visualization module, an interconnection output module and a collaboration module;
the collaboration module integrates a rich set of collaboration functions to support dispersed stakeholder enterprises in rapid collaboration and coordinated response; for some reported events, rapid collaboration and coordinated response are the key to mitigating the impact of a cyber threat and/or its further propagation and knock-on effects; the whole collaborative centralized control process is supervised and managed by the security manager, the enterprise security operation and maintenance service personnel and an expert team; various instant communication mechanisms provide video communication, voice communication and information exchange among the security manager, the enterprise security operation and maintenance service personnel and the expert team; and the collaboration module has a logging function;
further, the acquisition module adopts advanced data acquisition and data fusion technology to realize rapid import and cleansing of various kinds of data;
further, the processing module calculates a reputation value according to a reputation and trust model; the reputation value is a score between 1 and 5 that ranks the credibility of an enterprise-centralized management and control and the quality of the event reports it generates; specific detailed information can be accessed only by an enterprise-centralized management and control with a higher reputation, while one with a lower reputation can only access general security reports;
further, the impact analysis module performs impact analysis based on a detailed interdependence model of the dynamic network topology to obtain mitigation measures;
further, the evaluation module provides cyber situational awareness by evaluating the aggregation and analysis results and deriving the root causes of reported events;
further, the interconnection input module establishes secure connections, imports event reports and threat data from enterprise-centralized management and controls or public network resources, exports intelligence and mitigation strategies to enterprise-centralized management and controls, and exchanges related information with third parties; the interconnection input module comprises a security gateway and encryption.
The technical effects of the invention are as follows:
The invention provides a collaborative security centralized management and control system that adopts a layered distributed architecture. The system comprises a center node and a plurality of edge nodes, the center node being connected with the edge nodes, and further comprises a center-centralized management and control and a plurality of enterprise-centralized management and controls; each enterprise-centralized management and control is deployed at an edge node, and the center-centralized management and control is deployed at the center node and comprises an interconnection input module, an acquisition module, a processing module, a storage module, an aggregation and analysis module, an evaluation module, an impact analysis module, a mitigation module, a management module, a visualization module, an interconnection output module and a collaboration module. The system supports dispersed stakeholder enterprises across enterprise boundaries and enables rapid collaboration and a coordinated response, so that the impact of a cyber threat and/or its further propagation and knock-on effects can be reduced.
Drawings
FIG. 1 is a schematic diagram of the architecture of the collaborative security centralized management and control system;
FIG. 2 is a block diagram of the center-centralized management and control of the collaborative security centralized management and control system.
Detailed Description
The invention is described in further detail below with reference to the figures and examples.
As shown in FIG. 1, the present application provides a collaborative security centralized management and control system with a hierarchical, layered distributed architecture. The system comprises a center node and a plurality of edge nodes; the center node hosts the center-centralized management and control, the edge nodes host the enterprise-centralized management and controls, and one center-centralized management and control is connected to a plurality of enterprise-centralized management and controls.
The enterprise-centralized management and control is used for intrusion and threat detection within the enterprise; it automatically forwards collected data to the acquisition module of the center-centralized management and control and reports events that may have cross-enterprise relevance to the center-centralized management and control. In addition, the security operation and maintenance personnel of the enterprise-centralized management and control analyze the security-related information derived from locally detected anomalies (events, vulnerabilities, observations, etc.) and report it to the center-centralized management and control manually.
The center-centralized management and control receives the collected data sent by the plurality of enterprise-centralized management and controls, the strategic information they share, and public network information; it analyzes and evaluates the cross-enterprise cyber attacks thus identified and, once analysis and evaluation are complete, provides related information, including mitigation measures, recommendations or early warnings, to the reporting enterprise-centralized management and control, to related enterprise-centralized management and controls and even to related organizations. Aggregation, correlation, classification and analysis of cyber event information are the primary functions provided by the center-centralized management and control.
FIG. 2 is a block diagram of the center-centralized management and control of the collaborative security centralized management and control system. The center-centralized management and control comprises an interconnection input module, an acquisition module, a processing module, a storage module, an aggregation and analysis module, an evaluation module, an impact analysis module, a mitigation module, a management module, a visualization module, an interconnection output module and a collaboration module.
The center-centralized management and control is composed of these modules, which perform a series of operations following the arrows, modules and stages shown in FIG. 2.
In the acquisition stage, the acquisition module uses advanced data acquisition and data fusion technology to import and cleanse various kinds of data rapidly.
In the processing stage, the processing module calculates a reputation value according to the reputation and trust model. The reputation value is a score between 1 and 5 that ranks the credibility of an enterprise-centralized management and control and the quality of the event reports it generates; specific detailed information can be accessed only by an enterprise-centralized management and control with a higher reputation, while one with a lower reputation can only access general security reports.
In the aggregation and analysis module, feature extraction algorithms aggregate the collected data so that the analysis engine can examine it and compare it with previously processed resources stored in the knowledge base.
The evaluation module provides cyber situational awareness by evaluating the aggregation and analysis results and deriving the root causes of reported events.
The impact analysis module then performs impact analysis based on a detailed interdependence model of the dynamic network topology to obtain mitigation measures.
The whole security incident handling process is organized by a work-order (ticket) management system and supported by a visualization framework that presents the relevant information to operators in time at each stage of the process.
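The reputation and trust model is described in the Disclosure and in the processing stage above only at this level of detail: a score from 1 to 5 that ranks the credibility of an enterprise-centralized management and control and the quality of its event reports, with detailed information released only to higher-reputation nodes. The Python below is an added example written for this page, not code from the patent or its assignee. The Beta-prior scoring rule, the disclosure tiers per report section and the verdict history are assumptions chosen to make the rule concrete; the last function goes one step beyond the text and weights incoming reports by the sender's score before they can raise a cross-enterprise alert.

```python
from dataclasses import dataclass, field

# Disclosure tiers (assumed for this example): each section of a report held
# by the center-centralized management and control carries the minimum
# reputation score (1..5) an enterprise node needs in order to receive it.
SECTION_MIN_SCORE = {
    "summary": 1,           # general security report, visible to every node
    "affected_sectors": 2,
    "ttps": 3,
    "iocs": 4,              # specific detailed information
    "raw_artifacts": 5,
}

@dataclass
class EnterpriseNode:
    """One enterprise-centralized management and control as seen by the centre."""
    name: str
    # Verdicts that central analysts assigned to this node's past event reports:
    # True = confirmed and useful, False = false positive or poor quality.
    verdicts: list = field(default_factory=list)

def reputation_score(verdicts, prior_good=1, prior_bad=1):
    """Map a node's report-quality history onto the 1..5 scale.

    Assumed rule: a Beta(prior_good, prior_bad) estimate of the fraction of
    good reports, rescaled to 1..5 and rounded half up. With the default
    Beta(1, 1) prior a node with no history starts at 3 (neutral); confirmed
    reports raise the score, false positives lower it, and one report alone
    cannot move a node straight to 5.
    """
    good = sum(1 for v in verdicts if v) + prior_good
    total = len(verdicts) + prior_good + prior_bad
    fraction_good = good / total
    return 1 + int(fraction_good * 4 + 0.5)

def redact_for(report, reader_score):
    """Return only the report sections the reader's score entitles it to.

    Unknown section names default to the most restrictive tier, so a section
    later added to the report format is never leaked by accident.
    """
    return {name: body for name, body in report.items()
            if reader_score >= SECTION_MIN_SCORE.get(name, 5)}

def weighted_severity(reports, nodes):
    """Combine event reports from several nodes into one alert score.

    `reports` is a list of (node_name, severity 0..10). Each severity is
    scaled by the sender's reputation, so a single low-reputation node cannot
    by itself trigger a sector-wide warning, while the same observation from
    several trusted nodes (cross-enterprise correlation) adds up quickly.
    """
    total = 0.0
    for node_name, severity in reports:
        score = reputation_score(nodes[node_name].verdicts)
        total += severity * (score / 5.0)
    return total

ALERT_THRESHOLD = 12.0   # assumed: weighted severity needed to warn all nodes

def should_warn_all(reports, nodes):
    return weighted_severity(reports, nodes) >= ALERT_THRESHOLD

if __name__ == "__main__":
    nodes = {
        "steelworks": EnterpriseNode("steelworks", [True] * 8),                    # score 5
        "ics_vendor": EnterpriseNode("ics_vendor", [True, True, True, True, False]),  # score 4
        "newcomer": EnterpriseNode("newcomer"),                                    # score 3
    }
    report = {"summary": "phishing wave against ICS operators",
              "ttps": "spear-phishing with a spoofed HR sender",
              "iocs": ["203.0.113.45"], "raw_artifacts": b"..."}
    for name, node in nodes.items():
        score = reputation_score(node.verdicts)
        print(name, score, sorted(redact_for(report, score)))
    print(should_warn_all([("newcomer", 6), ("steelworks", 6)], nodes))
```

The rounding is deliberate: with only one verdict a node moves from 3 to 4 (or 2), never to 5 (or 1), so a single spectacular report does not buy access to raw artifacts, and the tiers are applied on the way out of the centre rather than trusting the edge node to filter what it stores.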
The centralized management and control process of an incident is supervised by the security operation and maintenance service personnel, the security manager and an expert team, who are responsible for the key decision-making tasks.
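The impact analysis module is characterised only as working from a detailed interdependence model of the dynamic network topology to obtain mitigation measures. The Python below is an added example, not the patent's or the assignee's code, of the simplest model that fits that description: a directed dependency graph whose edges can be changed at run time, a reachability-based impact set for a compromised asset, and a ranking of single dependency cuts by how much criticality each would shield. The asset names, edges and criticality values are constructed from the furnace scenario in the embodiment and are assumptions.

```python
from collections import defaultdict, deque

class DependencyModel:
    """Interdependence model of the monitored topology.

    An edge a -> b means "a depends on b": a compromise of b can propagate
    to a. Edges may be added and removed at run time, which is what makes
    the topology dynamic; every query recomputes from the current edges.
    """

    def __init__(self):
        self.depends_on = defaultdict(set)   # asset -> assets it depends on
        self.dependents = defaultdict(set)   # asset -> assets depending on it
        self.criticality = {}                # asset -> weight (assumed 1..5)

    def add_asset(self, name, criticality=1):
        self.criticality[name] = criticality

    def add_dependency(self, dependent, provider):
        self.depends_on[dependent].add(provider)
        self.dependents[provider].add(dependent)

    def remove_dependency(self, dependent, provider):
        self.depends_on[dependent].discard(provider)
        self.dependents[provider].discard(dependent)

    def impact(self, compromised):
        """Assets reachable from the compromised one, with hop distance.

        Breadth-first search over reverse edges (provider -> dependents).
        Returns {asset: hops}; the compromised asset itself is excluded.
        """
        hops = {compromised: 0}
        queue = deque([compromised])
        while queue:
            current = queue.popleft()
            for dep in self.dependents[current]:
                if dep not in hops:
                    hops[dep] = hops[current] + 1
                    queue.append(dep)
        del hops[compromised]
        return hops

    def rank_mitigations(self, compromised):
        """Rank single dependency cuts by the criticality they would shield.

        Every edge on a propagation path from the compromised asset is a
        candidate; each is evaluated by removing it, recomputing the impact
        set and summing the criticality of the assets that drop out of it.
        Returns [(dependent, provider, shielded_criticality)], best first.
        The live topology is restored after each trial cut.
        """
        before = self.impact(compromised)
        reachable = set(before) | {compromised}
        candidates = [(dep, prov) for prov in reachable
                      for dep in self.dependents[prov]]
        ranked = []
        for dep, prov in candidates:
            self.remove_dependency(dep, prov)
            after = self.impact(compromised)
            self.add_dependency(dep, prov)
            shielded = set(before) - set(after)
            ranked.append((dep, prov, sum(self.criticality[a] for a in shielded)))
        ranked.sort(key=lambda r: (-r[2], r[0], r[1]))
        return ranked

def furnace_model():
    """Constructed topology for the embodiment's furnace attack scenario."""
    m = DependencyModel()
    for asset, crit in [("vendor_update_server", 2), ("ics_workstation", 3),
                        ("valve_plc", 5), ("furnace", 5), ("rolling_line", 4),
                        ("plant_telemetry", 3)]:
        m.add_asset(asset, crit)
    m.add_dependency("ics_workstation", "vendor_update_server")  # pulls updates
    m.add_dependency("valve_plc", "ics_workstation")             # receives setpoints
    m.add_dependency("furnace", "valve_plc")                     # gas supply
    m.add_dependency("rolling_line", "furnace")                  # heated stock
    m.add_dependency("plant_telemetry", "valve_plc")             # reads valve state
    return m

if __name__ == "__main__":
    m = furnace_model()
    print(m.impact("vendor_update_server"))
    for dep, prov, shielded in m.rank_mitigations("vendor_update_server"):
        print(f"cut {dep} -> {prov}: shields criticality {shielded}")
    # Apply the top-ranked cut (stop trusting the vendor's update feed) and
    # re-query: the dynamic topology now shows no downstream impact.
    m.remove_dependency("ics_workstation", "vendor_update_server")
    print(m.impact("vendor_update_server"))
```

On this topology the best single mitigation for a compromised vendor update server is to cut the workstation's dependency on it, which is the roll-back of the malicious update that the embodiment prescribes; the second-best, cutting the PLC's dependency on the workstation, corresponds to isolating the ICS workstation from the control network.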
Establishing secure connections, importing event reports and threat data from enterprise-centralized management and controls or public network resources, exporting intelligence and mitigation strategies to enterprise-centralized management and controls, and exchanging related information with third parties are performed by the interconnection input module, which comprises a security gateway and encryption. The collaboration module provides several instant messaging mechanisms for video communication, voice communication and information exchange among security managers, expert teams and enterprise security operation and maintenance service personnel. For some reported events, rapid collaboration and coordinated response are the key to mitigating the impact of a cyber threat and/or its further propagation and knock-on effects; this is particularly true at the center-centralized management and control. A collaboration function is therefore needed that supports dispersed stakeholder enterprises and a virtual community, integrating a wide range of collaboration functions into a single, unified solution for customers.
In one embodiment, consider an attack on the furnace and rolling infrastructure of a metallurgical enterprise. The attackers aim to interrupt production at a ferrous metallurgy enterprise by blocking the natural gas supply to its heating furnace, thereby disrupting the enterprise's sales and normal operations.
First, with the help of a disgruntled employee, the attackers obtain information on the structure of the gas supply network, the protocols and equipment used, the monitoring and data collection, and the details of the ICS (industrial control system) of the metallurgical furnace. Currently deployed ICS are typically designed without deliberate misuse in mind and often exhibit security flaws such as hard-coded or easily guessed administrator passwords; in some cases the vulnerabilities remain unfixed months after disclosure. Knowing this, the attackers develop software to manipulate the ICS components that the enterprise uses to control the valves regulating the furnace gas supply.
The ICS is maintained by a separate industrial control software vendor. The attackers monitor the social network profiles of several of the vendor's employees and target them with sophisticated phishing emails. These emails appear to come from colleagues or recruiters and contain a link to a website hosting an exploit for a web browser vulnerability that installs a rootkit on the visitor's computer.
Once the attackers have a foothold in the vendor's local network, they embed malicious code in a legitimate update package on the vendor's server. The update package is then downloaded by the enterprise and by the vendor's other clients.
At a chosen time, the attackers connect to the ICS through a known ICS vulnerability and trigger the malware. They begin to operate the gas valve of the heating furnace, which disrupts production continuity at the iron and steel enterprise and causes financial loss. At the same time, the malware spoofs the signals sent to the enterprise-centralized management and control, so that it does not detect the emergency and notify the security operation and maintenance service personnel in time to mitigate it effectively.
If both the enterprise-centralized management and control and the ICS software vendor exchange threat information with the center-centralized management and control, the attack can be blocked or detected before it succeeds.
In addition to common anti-phishing tools, the ICS software vendor also filters incoming mail against a blacklist received from the center-centralized management and control. Research by software consulting companies has shown that no more than 1 in 4 employees will pay attention to the links in spear-phishing emails. It is crucial that the other 3 not only discard the mail but also, after contacting the purported sender through another channel and confirming that the originator address was spoofed, report the phishing attack to the enterprise-centralized management and control.
The enterprise-centralized management and control then submits a report to the center-centralized management and control containing the actual phishing mails, the relevant mail server logs and a short summary of the attack. When the center-centralized management and control investigates the report, it determines the IOCs (indicators of compromise) of the vulnerability used by the attackers and asks the ICS software vendor to scan its critical infrastructure with these IOCs.
The scan shows indicators of the attackers' activity on a software update package of the ICS software vendor; the vendor can then identify the malicious content in the update package, issue a patch and update, and notify the center-centralized management and control, which in turn notifies the security operation and maintenance service personnel of the related enterprise-centralized management and controls.
Enterprises deploy acquisition modules on their critical infrastructure components. The acquisition modules are connected to the enterprise-centralized management and control over separate protected channels, providing real-time situational awareness. With the enterprise's consent, part of the collected data is continuously submitted to the center-centralized management and control for automated assessment and anomaly detection. Now, on receiving the warning about the intrusion at the ICS software vendor and the required update, the enterprise will (1) monitor the endangered parts of its infrastructure more closely together with the center-centralized management and control, (2) take preventive measures against possible emergencies, and (3) roll back the malicious update supplied by the ICS software vendor and invite security experts trusted by the vendor to investigate, to ensure that the ICS software components have not been compromised and are not freely accessible from outside the network. Finally, the enterprise may share the experts' findings with the center-centralized management and control (possibly with the center-centralized management and control or a related organization bearing part of the enterprise's investigation costs).
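The reporting loop in this embodiment (an employee reports the spear-phishing mail; the enterprise-centralized management and control forwards the mail and the mail-server log; the center-centralized management and control derives IOCs and asks the ICS software vendor to scan with them; the vendor filters mail against the central blacklist and finds the indicator in its update package) is described in prose only. The Python below is an added example, not the patent's or the assignee's code, that carries that loop end to end on constructed data: one spoofed mail, one mail-server log line, a second enterprise's report of the same infrastructure, and the vendor's update-package metadata. The message itself, the addresses (RFC 5737 documentation range and .example names), the postfix-like log format, the spoof rule (From: domain differs from the envelope sender domain) and the idea that a package's beacon host is what gets matched against the blacklist are all assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # matches "[203.0.113.45]"

def _domain(addr):
    """Domain part of a header address such as '"Name" <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else None

def mail_indicators(msg):
    """Every (type, value) indicator observable in one parsed message."""
    seen = set()
    for hdr in ("From", "Return-Path"):
        dom = _domain(msg[hdr])
        if dom:
            seen.add(("domain", dom))
    for rcv in msg.get_all("Received") or []:
        seen |= {("ip", m.group(1)) for m in BRACKET_IP_RE.finditer(rcv)}
    for url in URL_RE.findall(msg.get_payload()):
        seen.add(("url", url))
        host = urlparse(url).hostname
        if host:
            seen.add(("domain", host.lower()))
    return seen

def analyze_phish(raw_mail, mail_log_lines):
    """Enterprise side: confirm spoofing and extract the IOCs for the report.

    Spoof rule (assumed): the From: domain shown to the victim differs from
    the envelope sender (Return-Path) domain. IPs from Received: headers are
    kept only when the mail-server log corroborates the connection.
    """
    msg = message_from_string(raw_mail)
    from_dom, envelope_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    spoofed = envelope_dom is not None and envelope_dom != from_dom
    log_ips = {m.group(1) for line in mail_log_lines
               for m in BRACKET_IP_RE.finditer(line)}
    iocs = set()
    for kind, value in mail_indicators(msg):
        if kind == "domain" and value == from_dom:
            continue                     # the impersonated domain is not an IOC
        if kind == "ip" and value not in log_ips:
            continue                     # uncorroborated hop: do not publish it
        iocs.add((kind, value))
    return {"spoofed": spoofed, "iocs": iocs}

def build_blacklist(reports):
    """Centre side: {(type, value): set(reporting enterprises)} across reports."""
    blacklist = {}
    for enterprise, iocs in reports:
        for ioc in iocs:
            blacklist.setdefault(ioc, set()).add(enterprise)
    return blacklist

def filter_mail(raw_mails, blacklist):
    """Vendor side: (index, matching IOCs) of inbound mail to drop."""
    blocked = []
    for i, raw in enumerate(raw_mails):
        hits = mail_indicators(message_from_string(raw)) & set(blacklist)
        if hits:
            blocked.append((i, hits))
    return blocked

def scan_update_packages(packages, blacklist):
    """Vendor side: flag packages whose code contacts blacklisted hosts/IPs.

    `packages` is assumed to be [{"name", "version", "contacts": [...]}] as
    produced by static analysis of each package.
    """
    flagged = []
    for pkg in packages:
        hits = {ioc for ioc in blacklist
                if ioc[0] in ("ip", "domain") and ioc[1] in pkg["contacts"]}
        if hits:
            flagged.append((pkg["name"], pkg["version"], hits))
    return flagged

# Constructed sample data (RFC 5737 address, .example names).
PHISH_MAIL = """\
Return-Path: <bounce@mail-delivery-updates.example>
Received: from relay.mail-delivery-updates.example ([203.0.113.45]) by mx.steelworks.example with ESMTP; Fri, 4 Mar 2022 09:12:03 +0800
From: "Li Wei (HR)" <li.wei@steelworks.example>
To: ops@steelworks.example
Subject: Updated furnace shift roster

Please review the new roster: http://steelworks-hr.example/roster/login.php?id=771
"""
MAIL_LOG = [
    "Mar  4 09:12:03 mx postfix/smtpd[2210]: connect from relay.mail-delivery-updates.example[203.0.113.45]",
]
UPDATE_PACKAGES = [
    {"name": "furnace-hmi", "version": "4.2.0", "contacts": ["update.ics-vendor.example"]},
    {"name": "furnace-hmi", "version": "4.2.1", "contacts": ["update.ics-vendor.example", "203.0.113.45"]},
]

def run_scenario():
    """Enterprise report -> central blacklist -> vendor package scan."""
    steel = analyze_phish(PHISH_MAIL, MAIL_LOG)
    other = {("ip", "203.0.113.45"), ("domain", "pipeline-hr.example")}  # 2nd enterprise, constructed
    blacklist = build_blacklist([("steelworks", steel["iocs"]), ("pipeline", other)])
    return steel, blacklist, scan_update_packages(UPDATE_PACKAGES, blacklist)
```

Two details carry the security point. The impersonated From: domain is deliberately not published as an IOC, since blacklisting it would block the victim's own mail; and a Received: IP is promoted to an IOC only when the enterprise's own server log shows the connection, so a forged header in a report cannot by itself put an innocent relay on the shared blacklist. The second enterprise's report makes the sending IP a two-reporter indicator, which is the cross-enterprise correlation the centre is meant to surface.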
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention; all equivalent changes and modifications made according to the present invention are considered to be covered by the scope of the present invention.

Claims (6)

1. A collaborative security centralized management and control system, characterized in that it adopts a layered distributed architecture; the system comprises a center node and a plurality of edge nodes, one center node being connected with the plurality of edge nodes, and further comprises a center-centralized management and control and a plurality of enterprise-centralized management and controls;
the enterprise-centralized management and control is deployed on an edge node and is used for intrusion and threat detection within the enterprise; it automatically forwards collected data to the acquisition module of the center-centralized management and control, and reports locally detected anomalies and events that may have cross-enterprise correlation to the center-centralized management and control;
the center-centralized management and control is deployed on the center node; it receives the collected data sent by the enterprise-centralized management and controls, the strategic information they share, and public network information; it analyzes the strategic information and public network information obtained, evaluates the cross-enterprise cyber attacks thus identified and, once analysis and evaluation are complete, provides a mitigation strategy, recommendation or early warning to the reporting enterprise-centralized management and control, to related enterprise-centralized management and controls and even to related authorities; it comprises an interconnection input module, an acquisition module, a processing module, a storage module, an aggregation and analysis module, an evaluation module, an impact analysis module, a mitigation module, a management module, a visualization module, an interconnection output module and a collaboration module;
the collaboration module integrates a rich set of collaboration functions to support dispersed stakeholder enterprises in rapid collaboration and coordinated response; for some reported events, rapid collaboration and coordinated response are the key to mitigating the impact of a cyber threat and/or its further propagation and knock-on effects; the whole collaborative centralized control process is supervised and managed by the security manager, the enterprise security operation and maintenance service personnel and an expert team; various instant communication mechanisms provide video communication, voice communication and information exchange among the security manager, the enterprise security operation and maintenance service personnel and the expert team; and the collaboration module has a logging function.
2. The collaborative security centralized management and control system of claim 1, wherein the acquisition module employs advanced data acquisition and data fusion techniques to realize rapid import and cleansing of various kinds of data.
3. The collaborative security centralized management and control system of claim 1, wherein the processing module calculates a reputation value according to a reputation and trust model; the reputation value is a score between 1 and 5 that ranks the credibility of an enterprise-centralized management and control and the quality of the event reports it generates; specific detailed information can be accessed only by an enterprise-centralized management and control with a higher reputation, while one with a lower reputation can only access general security reports.
4. The collaborative security centralized management and control system of claim 1, wherein the impact analysis module performs impact analysis based on a detailed interdependence model of the dynamic network topology to obtain mitigation measures.
5. The collaborative security centralized management and control system of claim 1, wherein the evaluation module provides cyber situational awareness by evaluating the aggregation and analysis results and deriving the root causes of reported events.
6. The collaborative security centralized management and control system of claim 1, wherein the interconnection input module establishes secure connections, imports event reports and threat data from enterprise-centralized management and controls or public network resources, exports intelligence and mitigation strategies to enterprise-centralized management and controls, and exchanges related information with third parties, and comprises a security gateway and encryption.

Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN202210212338.8A  2022-03-04  2022-03-04  Collaborative safety centralized management and control system

Publications (1)

Publication Number Publication Date
CN114567497A  2022-05-31

Family

ID=81718205

Country Status (1)

Country Link
CN (1) CN114567497A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015134008A1 (en) * 2014-03-05 2015-09-11 Foreground Security Automated internet threat detection and mitigation system and associated methods
CN113361933A (en) * 2021-06-08 2021-09-07 南京联成科技发展股份有限公司 Centralized management and control center for cross-enterprise collaboration
CN113379382A (en) * 2021-06-09 2021-09-10 南京联成科技发展股份有限公司 Situation awareness and event response collaborative analysis implementation system of centralized management and control center

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination