CN116089965B - Information security emergency management system and method based on SOD risk model - Google Patents

Information security emergency management system and method based on SOD risk model Download PDF

Info

Publication number
CN116089965B
Authority
CN
China
Prior art keywords
module
risk
safety
security
log
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310372979.4A
Other languages
Chinese (zh)
Other versions
CN116089965A (en)
Inventor
毕丽彤
李志强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Information Science and Technology
Original Assignee
Nanjing University of Information Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University of Information Science and Technology
Priority to CN202310372979.4A
Publication of CN116089965A
Application granted
Publication of CN116089965B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment

Abstract

The invention relates to the technical field of information security, in particular to an information security emergency management system and method based on a separation-of-duties (SOD) risk model. The SOD risk model is used to separate and control system privileges, so that risks such as malicious operation and data leakage by internal staff are avoided. The system has an emergency response function for security events: abnormal events can be responded to and handled in time, and the spread and impact of a security event are limited. Security events in the system can be monitored and audited, so that security problems are found and handled promptly. Possible security problems are predicted and prevented by evaluating and analysing system risk. Sensitive data can be protected and backed up, avoiding data loss or leakage. The system helps an organization to address internal risk control, emergency response to security events, security auditing and monitoring, risk assessment and prevention, and data protection and backup, and improves the organization's information security level and reliability.

Description

Information security emergency management system and method based on SOD risk model
Technical Field
The invention relates to the technical field of information security, in particular to an information security emergency management system and method based on an SOD risk model.
Background
With the continuing development and ever deeper application of information technology, network security threats are increasing, and information security has become an important problem that no organization can ignore. In the field of information security, SOD (separation of duties) is a common security control strategy. Its main idea is to reduce the risk of internal malicious behaviour by dividing the privileges in a system into distinct duties and assigning those duties to different users or roles, so that no single identity can complete a sensitive operation alone. Information security emergency management systems based on SOD risk models were developed in this context, and they continue to evolve as information security technology develops. The original SOD model was mainly applied to internal corporate controls and was later applied to network security. With the advent of cloud computing, big data, the Internet of Things and similar technologies, the field of information security faces new challenges and opportunities, and new security techniques and methods keep emerging, such as machine-learning based protection and blockchain technology. Information security emergency management systems based on SOD risk models keep absorbing and integrating these technologies to keep pace with changing security threats and requirements.
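As an added example that is not part of the patent, the two forms of the SOD control described above in Python: static SOD (an identity must not hold two conflicting permissions at the same time) and dynamic SOD (an identity that legitimately holds one half of a conflicting pair must still not perform the other half on the same object, such as approving its own change request). The conflict table, the weights, the roles and the users are constructed for illustration; the patent does not specify any of them.

```python
"""Separation-of-duties (SOD) risk model: static conflict detection over an
identity's effective permissions, a per-user risk score, and dynamic (history
based) enforcement at the object level. Added example; the conflict table,
roles, weights and users are constructed, not taken from the patent."""
from collections import defaultdict

# Constructed toxic-combination table: permission pairs one identity must not
# hold or exercise together, weighted by how damaging the combination is.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}): 5,    # pay a vendor you invented
    frozenset({"request_change", "approve_change"}): 3,    # approve your own change
    frozenset({"deploy_prod", "approve_change"}): 4,       # ship without independent approval
    frozenset({"write_audit_log", "purge_audit_log"}): 5,  # cover your own tracks
}
# Constructed role -> permission mapping. Note that "release_manager" is itself
# badly designed: it bundles both halves of a conflicting pair.
ROLES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "developer": {"request_change", "deploy_staging"},
    "release_manager": {"approve_change", "deploy_prod"},
    "log_admin": {"write_audit_log", "purge_audit_log"},
}

def effective_permissions(roles, role_map=ROLES):
    """Union of the permissions granted by every role assigned to one identity."""
    perms = set()
    for role in roles:
        perms |= role_map.get(role, set())
    return perms

def static_violations(perms, conflicts=CONFLICTS):
    """Conflict pairs an identity holds at the same time (static SOD)."""
    return sorted((tuple(sorted(pair)), weight)
                  for pair, weight in conflicts.items() if pair <= perms)

def sod_risk_score(assignments, conflicts=CONFLICTS, role_map=ROLES):
    """Per-user SOD risk: sum of the weights of the conflict pairs the user holds."""
    return {user: sum(w for _, w in static_violations(effective_permissions(roles, role_map), conflicts))
            for user, roles in assignments.items()}

class DynamicSOD:
    """Object-level SOD: a user who statically holds only one half of a conflicting
    pair must still not perform the other half on the same object (for example
    approving the change they themselves requested). Decisions depend on history."""
    def __init__(self, conflicts=CONFLICTS):
        self.conflicts = conflicts
        self.history = defaultdict(set)  # object id -> {(user, action)}

    def authorize(self, user, action, obj):
        """Return (allowed, reason); the action is recorded only when allowed."""
        for prior_user, prior_action in self.history[obj]:
            if prior_user == user and frozenset({prior_action, action}) in self.conflicts:
                return False, f"{user} already did '{prior_action}' on {obj}; '{action}' conflicts"
        self.history[obj].add((user, action))
        return True, "allowed"
```

A user with roles ap_clerk and ap_manager scores 5 from the vendor/payment pair; a user with only release_manager scores 4 even though they hold a single role, which is the case a role-level review misses and a permission-level check catches. The dynamic check is what stops a developer from approving change CHG-1 after requesting it, while a different user may approve it.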
The emergency management capability of current information security systems has not matured into a complete system, and the main problems are as follows. (1) The information security problem is worsening: with the spread of the Internet and of informatization, network attacks and data leakage incidents are increasing, and the information security threats facing enterprises and organizations grow with them. (2) The insider threat: malicious operation and disclosure by internal staff are among the main threats to information security, and corresponding precautions and management measures are needed. (3) The need for emergency response to security events: when an information security event occurs, timely and effective emergency measures must be taken to stop the event from spreading and to limit its impact. (4) The importance of risk control: risk control is an essential part of information security, and corresponding measures are needed to evaluate and control risk.
Disclosure of Invention
The invention aims to provide an information security emergency management system and method based on an SOD risk model, so as to solve the problems in the background technology.
The technical scheme of the invention is as follows. The information security emergency management system based on the SOD risk model comprises a receiving processing module, a risk analysis management module and a log audit configuration module. The receiving processing module comprises a receiving module, a sorting confirmation module, a security processing module and a model system recovery module, which are data-linked to one another in that order. The risk analysis management module is located between the sorting confirmation module and the security processing module: its data input is linked to the data output of the sorting confirmation module, and its data output is linked to the data input of the security processing module. The data input of the log audit configuration module is linked to the sorting confirmation module, the security processing module and the risk analysis management module respectively, and its data output is linked to the model system recovery module.
Preferably, the risk analysis management module comprises a risk identification module, a risk analysis module and a risk assessment module. The risk identification module is data-linked to the sorting confirmation module; the risk analysis module is linked at one end to the risk identification module and at the other end to the risk assessment module; and the risk assessment module is linked to the security processing module.
Preferably, the log audit configuration module comprises a log acquisition module, a log storage and analysis module, an audit management module and a security system configuration policy module. The log acquisition module is data-linked to the sorting confirmation module, the risk assessment module and the security processing module respectively; the log storage and analysis module is linked to the log acquisition module; the audit management module is linked at one end to the log storage and analysis module and at the other end to the security system configuration policy module; and the security system configuration policy module is linked at one end to the model system recovery module.
Preferably, the receiving module is data-linked to an external data interface, which comprises a network monitoring system, security devices and a security service provider.
An information security emergency management method based on the SOD risk model comprises the following steps:
step 1, acquiring possible security threats to the system from the external data interface by means of the receiving module;
step 2, sorting the events with the sorting confirmation module, confirming each received event and judging whether it is a genuine security event;
step 3, transmitting the event information to the risk analysis management module for risk analysis and handling;
step 4, after risk analysis is complete, handling the event through the security processing module and taking the corresponding emergency response measures;
and step 5, after handling of the information security event is complete, transmitting the handling result from the security processing module to the model system recovery module, which restores and repairs the system.
Preferably, step 3 specifically comprises:
step 3.1, analysing and identifying the system's vulnerabilities, defects and deficiencies with the risk identification module, so as to determine the possible risks and threats to the system;
step 3.2, classifying, evaluating and ranking the risks with the risk analysis module, so as to determine which risks and events are handled first;
and step 3.3, evaluating the risks with the risk assessment module, quantifying and analysing the system's risk so as to determine the security level and risk level of the system.
Preferably, the method further comprises the following steps:
step 6, acquiring and collecting the various system logs in real time with the log acquisition module, obtaining possible security threat information from them, and configuring and managing the type, source, format and storage location of the system logs, so as to ensure the integrity and accuracy of the logs;
step 7, storing and analysing the collected logs with the log storage and analysis module, configuring and managing parameters such as log format, storage location and retention time so as to ensure the security and validity of the log data, and analysing and processing the log data to identify security events and abnormal conditions in the system;
step 8, auditing and managing the system's security events with the audit management module, classifying, screening and analysing the system log data to determine possible security threats and abnormal conditions, and at the same time recording and tracking security events for subsequent emergency response and handling;
and step 9, configuring and managing the system's security policy with the security system configuration policy module, the security policy covering access control, password policy and security audit, so as to ensure the security and stability of the system.
Preferably, step 6 is executed between step 2 and step 4 and after step 3.3, and step 9 is executed before step 5.
Compared with the prior art, the information security emergency management system and method based on the SOD risk model provided by the invention have the following improvements and advantages:
First: the SOD risk model separates and controls system privileges, avoiding risks such as malicious operation and data leakage by internal staff; the system has an emergency response function for security events, can respond to and handle abnormal events in time, and limits the spread and impact of security events; it can monitor and audit security events in the system and discover and handle security problems promptly; by evaluating and analysing system risk it can predict and prevent possible security problems; and it can protect and back up sensitive data, avoiding data loss or leakage.
Second: the invention helps an organization to address internal risk control, emergency response to security events, security auditing and monitoring, risk assessment and prevention, and data protection and backup, and improves the organization's information security level and reliability.
Drawings
The invention is further explained below with reference to the drawings and examples:
FIG. 1 is a block diagram of the overall structure of an information security emergency management system of the present invention;
FIG. 2 is a block diagram of a risk analysis management module of the present invention;
FIG. 3 is a block diagram of a log audit configuration module of the present invention;
FIG. 4 is a flow chart of an information security emergency management method of the present invention;
FIG. 5 is a flow chart of step 3 of the present invention;
fig. 6 is a detailed flowchart of the information security emergency management method of the present invention.
Detailed Description
The following detailed description of the present invention clearly and fully describes the technical solutions of the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention improves on existing information security emergency management systems and methods and provides an information security emergency management system based on an SOD risk model together with an information security emergency management method based on the same model. The technical scheme of the invention is as follows.
As shown in FIGS. 1-3, the information security emergency management system based on the SOD risk model comprises a receiving processing module, a risk analysis management module and a log audit configuration module. The receiving processing module comprises a receiving module, a sorting confirmation module, a security processing module and a model system recovery module, which are data-linked to one another in that order. The risk analysis management module is located between the sorting confirmation module and the security processing module: its data input is connected to the data output of the sorting confirmation module, and its data output is connected to the data input of the security processing module. The data input of the log audit configuration module is linked to the sorting confirmation module, the security processing module and the risk analysis management module respectively, and its data output is connected to the model system recovery module.
Further, the risk analysis management module comprises a risk identification module, a risk analysis module and a risk assessment module. The risk identification module is data-linked to the sorting confirmation module; the risk analysis module is linked at one end to the risk identification module and at the other end to the risk assessment module; and the risk assessment module is linked to the security processing module.
Further, the log audit configuration module comprises a log acquisition module, a log storage and analysis module, an audit management module and a security system configuration policy module. The log acquisition module is data-linked to the sorting confirmation module, the risk assessment module and the security processing module respectively; the log storage and analysis module is linked to the log acquisition module; the audit management module is linked at one end to the log storage and analysis module and at the other end to the security system configuration policy module; and the security system configuration policy module is linked at one end to the model system recovery module.
The SOD risk model separates and controls system privileges, avoiding risks such as malicious operation and data leakage by internal staff. The system has an emergency response function for security events, can respond to and handle abnormal events in time, and limits the spread and impact of security events. It can monitor and audit security events in the system and discover and handle security problems promptly. By evaluating and analysing system risk it can predict and prevent possible security problems. It can protect and back up sensitive data, avoiding data loss or leakage.
The receiving module is data-linked to an external data interface, which comprises a network monitoring system, security devices and a security service provider.
As shown in FIGS. 4-6, the information security emergency management method based on the SOD risk model comprises the following steps:
step 1, acquiring possible security threats to the system from the external data interface by means of the receiving module;
step 2, sorting the events with the sorting confirmation module, confirming each received event and judging whether it is a genuine security event;
step 3, transmitting the event information to the risk analysis management module for risk analysis and handling, which specifically comprises:
step 3.1, analysing and identifying the system's vulnerabilities, defects and deficiencies with the risk identification module, so as to determine the possible risks and threats to the system;
step 3.2, classifying, evaluating and ranking the risks with the risk analysis module, so as to determine which risks and events are handled first;
step 3.3, evaluating the risks with the risk assessment module, quantifying and analysing the system's risk so as to determine the security level and risk level of the system;
step 4, after risk analysis is complete, handling the event through the security processing module and taking the corresponding emergency response measures;
and step 5, after handling of the information security event is complete, transmitting the handling result from the security processing module to the model system recovery module, which restores and repairs the system.
Further, the method also comprises the following steps:
step 6, acquiring and collecting the various system logs in real time with the log acquisition module, obtaining possible security threat information from them, and configuring and managing the type, source, format and storage location of the system logs, so as to ensure the integrity and accuracy of the logs;
step 7, storing and analysing the collected logs with the log storage and analysis module, configuring and managing parameters such as log format, storage location and retention time so as to ensure the security and validity of the log data, and analysing and processing the log data to identify security events and abnormal conditions in the system;
step 8, auditing and managing the system's security events with the audit management module, classifying, screening and analysing the system log data to determine possible security threats and abnormal conditions, and at the same time recording and tracking security events for subsequent emergency response and handling;
and step 9, configuring and managing the system's security policy with the security system configuration policy module, the security policy covering access control, password policy and security audit, so as to ensure the security and stability of the system.
Step 6 is executed between step 2 and step 4 and after step 3.3, and step 9 is executed before step 5.
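The nine-step method, as set out in the Disclosure of Invention and again in this detailed description, worked through as an added Python example that is not the patent's own code. It runs a constructed event feed (standing in for the external data interface) through the receive, sort/confirm, risk identification/analysis/assessment, security processing and recovery stages, writes every stage to an audit log (steps 6 to 8) and derives a security policy change from the outcome (step 9). The patent does not say how risk is quantified or which measures are taken, so the likelihood-times-impact scoring, the severity thresholds, the response playbook, the policy parameter and the feed contents are all assumptions.

```python
"""Receive -> sort/confirm -> assess risk -> respond -> recover, with an audit log.
Added example; feed, scoring rules and playbook are constructed assumptions."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed feed standing in for the external interface (network monitor, security device, MSSP).
RAW_FEED = [
    {"source": "ids", "type": "brute_force", "asset": "vpn-gw-01", "user": "svc_backup", "attempts": 240, "ts": 1},
    {"source": "ids", "type": "brute_force", "asset": "vpn-gw-01", "user": "svc_backup", "attempts": 240, "ts": 1},  # duplicate delivery
    {"source": "dlp", "type": "data_exfil", "asset": "fileserver-02", "user": "jdoe", "bytes": 5_000_000_000, "ts": 2},
    {"source": "mssp", "type": "scan", "asset": "web-01", "user": None, "ports": 3, "ts": 3},
    {"source": "edr", "type": "heartbeat", "asset": "ws-118", "ts": 4},  # telemetry, not a security event
]
SECURITY_EVENT_TYPES = {"brute_force", "data_exfil", "scan", "malware"}
IMPACT = {"brute_force": 3, "data_exfil": 5, "scan": 1, "malware": 4}          # 1..5, assumed
PLAYBOOK = {"critical": ["isolate_asset", "disable_account", "notify_ir_lead"],  # assumed measures
            "high": ["disable_account", "notify_ir_lead"], "low": ["open_ticket"]}

@dataclass
class Event:
    id: str
    raw: dict
    likelihood: int = 0
    impact: int = 0
    level: str = "low"
    actions: list = field(default_factory=list)

    @property
    def score(self):
        return self.likelihood * self.impact

class AuditLog:
    """Log acquisition and storage: every stage appends a structured entry."""
    def __init__(self):
        self.entries = []

    def record(self, stage, event_id, detail):
        self.entries.append({"stage": stage, "event": event_id, "detail": detail})

def receive(feed):
    """Step 1: take events off the external interface unchanged."""
    return [dict(r) for r in feed]

def triage(raw_events, log):
    """Step 2: dedupe by content hash and keep only genuine security events."""
    seen, confirmed = set(), []
    for r in raw_events:
        eid = hashlib.sha256(json.dumps(r, sort_keys=True).encode()).hexdigest()[:12]
        if eid in seen or r["type"] not in SECURITY_EVENT_TYPES:
            log.record("triage", eid, "discarded")
            continue
        seen.add(eid)
        confirmed.append(Event(eid, r))
        log.record("triage", eid, "confirmed")
    return confirmed

def likelihood_of(r):
    """Step 3.1: assumed indicators that an event is a real, active threat (1..5)."""
    if r["type"] == "brute_force":
        return 5 if r["attempts"] > 100 else 2
    if r["type"] == "data_exfil":
        return 5 if r["bytes"] > 1_000_000_000 else 3
    return 2 if r["type"] == "scan" else 3

def assess(events, log):
    """Steps 3.2-3.3: quantify risk as likelihood x impact, grade it and prioritise."""
    for e in events:
        e.likelihood, e.impact = likelihood_of(e.raw), IMPACT[e.raw["type"]]
        e.level = "critical" if e.score >= 20 else "high" if e.score >= 10 else "low"
        log.record("assess", e.id, {"score": e.score, "level": e.level})
    return sorted(events, key=lambda e: e.score, reverse=True)

def respond(events, log):
    """Step 4: select emergency measures from the playbook by risk level."""
    for e in events:
        e.actions = list(PLAYBOOK[e.level])
        log.record("respond", e.id, e.actions)
    return events

def recover(events, log):
    """Steps 5 and 9: restore isolated assets and tighten policy from what was learned."""
    policy = {"lockout_threshold": 10}  # assumed current account-lockout policy
    for e in events:
        if "isolate_asset" in e.actions:
            log.record("recover", e.id, "restore " + e.raw["asset"])
        if e.raw["type"] == "brute_force":
            policy["lockout_threshold"] = min(policy["lockout_threshold"], 5)
    return policy

def run_pipeline(feed):
    """Whole method; returns prioritised events, resulting policy and the audit trail."""
    log = AuditLog()
    ordered = respond(assess(triage(receive(feed), log), log), log)
    return ordered, recover(ordered, log), log
```

On this feed the duplicate IDS alert and the EDR heartbeat are discarded at triage, the exfiltration event scores 25 and is handled first, the brute-force event scores 15, and the scan is ticketed; the brute-force finding lowers the assumed lockout threshold in the recovered policy. The content hash used for deduplication also gives each audit-log entry a stable event identifier, which is what later audit (step 8) needs to reconstruct the sequence of decisions.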
The invention helps an organization to address internal risk control, emergency response to security events, security auditing and monitoring, risk assessment and prevention, and data protection and backup, and improves the organization's information security level and reliability.
The previous description is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (2)

1. An information security emergency management system based on a separation-of-duties (SOD) risk model, characterized in that: the system comprises a receiving processing module, a risk analysis management module and a log audit configuration module, wherein the receiving processing module comprises a receiving module, a sorting confirmation module, a security processing module and a model system recovery module, and the receiving module, the sorting confirmation module, the security processing module and the model system recovery module are data-connected to one another in that order;
the risk analysis management module is located between the sorting confirmation module and the security processing module; the data input of the risk analysis management module is data-connected to the data output of the sorting confirmation module, the data output of the risk analysis management module is data-connected to the data input of the security processing module, the data input of the log audit configuration module is connected to the sorting confirmation module, the security processing module and the risk analysis management module respectively, and the data output of the log audit configuration module is connected to the model system recovery module;
the risk analysis management module comprises a risk identification module, a risk analysis module and a risk assessment module, wherein the risk identification module is data-connected to the sorting confirmation module, one end of the risk analysis module is data-connected to the risk identification module, the other end of the risk analysis module is data-connected to the risk assessment module, and the risk assessment module is data-connected to the security processing module; the receiving module is data-connected to an external data interface, and the external data interface is connected to a network monitoring system, security devices and a security service provider; the log audit configuration module comprises a log acquisition module, a log storage and analysis module, an audit management module and a security system configuration policy module, wherein the log acquisition module is data-connected to the sorting confirmation module, the risk assessment module and the security processing module respectively, the log storage and analysis module is data-connected to the log acquisition module, one end of the audit management module is data-connected to the log storage and analysis module, the other end of the audit management module is data-connected to the security system configuration policy module, and one end of the security system configuration policy module is data-connected to the model system recovery module;
the information security emergency management system based on the SOD risk model is used to carry out the following method: step 1, acquiring possible security threats to the system from the external data interface by means of the receiving module;
step 2, sorting the events with the sorting confirmation module, confirming each received event and judging whether it is a genuine security event;
step 3, transmitting the event information to the risk analysis management module for risk analysis and handling;
step 4, after risk analysis is complete, handling the event through the security processing module and taking the corresponding emergency response measures;
step 5, after handling of the event is complete, transmitting the handling result from the security processing module to the model system recovery module, which restores and repairs the system;
step 6, acquiring and collecting the various system logs in real time with the log acquisition module, obtaining possible security threat information from them, and configuring and managing the type, source, format and storage location of the system logs, so as to ensure the integrity and accuracy of the logs;
step 7, storing and analysing the collected logs with the log storage and analysis module, configuring and managing the log format, storage location and retention time parameters so as to ensure the security and validity of the log data, and analysing and processing the log data to identify security events and abnormal conditions in the system;
step 8, auditing and managing the system's security events with the audit management module, classifying, screening and analysing the system log data to determine possible security threats and abnormal conditions, and at the same time recording and tracking security events for subsequent emergency response and handling;
and step 9, configuring and managing the system's security policy with the security system configuration policy module, the security policy covering access control, password policy and security audit, so as to ensure the security and stability of the system.
2. The information security emergency management system based on a separation-of-duties (SOD) risk model according to claim 1, wherein step 3 specifically comprises:
step 3.1, analysing and identifying the system's vulnerabilities, defects and deficiencies with the risk identification module, so as to determine the possible risks and threats to the system;
step 3.2, classifying, evaluating and ranking the risks with the risk analysis module, so as to determine which risks and events are handled first;
and step 3.3, evaluating the risks with the risk assessment module, quantifying and analysing the system's risk so as to determine the security level and risk level of the system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310372979.4A CN116089965B (en) 2023-04-10 2023-04-10 Information security emergency management system and method based on SOD risk model

Publications (2)

Publication Number Publication Date
CN116089965A (en) 2023-05-09
CN116089965B (en) 2023-07-25

Family

ID=86214255

Country Status (1)

Country Link
CN (1) CN116089965B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103856371A (en) * 2014-02-28 2014-06-11 中国人民解放军91655部队 Safety protection method of information system
CN108259202A (en) * 2016-12-29 2018-07-06 航天信息股份有限公司 A kind of CA monitoring and pre-alarming methods and CA monitoring and warning systems
CN112766672A (en) * 2021-01-07 2021-05-07 深圳市永达电子信息股份有限公司 Network security guarantee method and system based on comprehensive evaluation
CN114584365A (en) * 2022-03-01 2022-06-03 北京优炫软件股份有限公司 Security event analysis response method and system
CN114978584A (en) * 2022-04-12 2022-08-30 深圳市蔚壹科技有限公司 Network security protection safety method and system based on unit cell

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant