CN116094816A - Response method and device for network security event - Google Patents
- Publication number: CN116094816A
- Authority
- CN
- China
- Prior art keywords
- event
- response
- network
- data
- security event
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a response method and a response device for a network security event. The method comprises the following steps: S1, preparing the security event response; S2, detecting the security event; S3, containing the security event; S4, eradicating the event (clearing the malicious network data); S5, recovering the network data: restoring all damaged networks and equipment to their normal working state according to the recovery target, and preserving the collected data; S6, summarizing the security event afterwards: once the event has been handled, performing post-incident analysis, drawing lessons, summarizing experience, and re-evaluating and revising the event response process. The method and device take the necessary measures after an unexpected event occurs, avoid or reduce harm and loss, recover from that harm and loss, and handle the network security event through the cooperation of multiple departments, processing event data in batches under a prepared handling plan with the work arranged and executed in an orderly way.
Description
Technical Field
The invention relates to the technical field of network security events, and in particular to a response method and device for a network security event.
Background
With the development of internet technology and computer application technology in recent years, the internet has brought great convenience to people's lives, but it also faces great challenges: new public internet security events are exposed continuously, causing great harm to people's property and to the stable development of society. In recent years China has continuously strengthened the construction of network security facilities and held a succession of publicity and competition activities, raising the attention that every industry and field pays to network security, and the level of network security awareness has improved year by year. Through the joint effort of all parties, China's internet security protection level has improved greatly; nevertheless, network security events still cannot be avoided, basic network equipment, domain name systems, the industrial internet and other national basic networks and key facilities still face great security risks, and how to prevent network security events effectively and handle them correctly has become a focus of current research.
Today, with the rapid development of computer science and technology, network attacks are becoming more complex and more automated, and intrusions are faster and more efficient, so the occurrence of security events is unavoidable. What can be done is to take the necessary measures after an unexpected event occurs, to avoid or reduce harm and loss, and to recover from that harm and loss. Handling a network security event is complicated: it requires the cooperation of multiple departments, a reasonable handling plan, and orderly arrangement and execution of the work. Security event management is therefore an indispensable link in a network security assurance system, and on this basis the present invention proposes a response method and device for network security events.
Disclosure of Invention
To achieve the above purpose, the invention adopts the following technical scheme. A response method for a network security event comprises the following steps:
S1, preparing the security event response: planning the event response before any security event occurs, as follows: the exception handling module establishes general defensive measures based on the threat posed by the event, establishes the event response handling procedure, obtains the manpower and material resources needed during the response, and establishes the infrastructure supporting event response activities, so that when an unexpected event occurs the necessary measures can be taken promptly to avoid or reduce harm and loss and to recover from them;
S2, detecting the security event: checking, through the comparison analysis module, whether malicious code is present, whether files or directories have been tampered with, or whether other indicators have appeared, and locating where the problem occurred and its scope of influence;
S3, containing the security event: limiting the spread of malicious code in the network, restricting the range of the attack and reducing the damage caused by the event;
S4, eradicating the event (clearing the malicious network data): after the event has been contained, finding the root cause of the event and eliminating it completely;
S5, recovering the network data: restoring all damaged networks and equipment to their normal working state according to the recovery target, and preserving the collected data;
S6, summarizing the security event afterwards: once the event has been handled, performing post-incident analysis, drawing lessons, summarizing experience, and re-evaluating and revising the event response process.
Preferably, the response handling procedure in S1 is as follows:
The event response process is split into stages, and each stage and its results are recorded and fed back promptly, which improves the response efficiency of the system. Second, because event reports come from different sources, the emergency response system receives events in different formats. The event format is therefore designed with the current situation and the data formats of the other systems in mind, and redesigned as a single format conforming to a general standard, so that the system can store heterogeneous event information completely and process events more efficiently. Event types and auxiliary tools are managed through configuration, so that response team administrators can add event types and load tools dynamically; this improves the extensibility of the system and the working efficiency of the response team.
Preferably, the data storage flow in S5 is as follows:
During the event response process, various data are acquired, some of which must be kept for a long time as evidence for subsequent handling. This data is stored automatically through a server: the event-related information is sent to a processing module, which automatically acquires and filters the data and then stores the valuable data according to the corresponding rules.
Preferably, the general defensive measure in S1 is designed as follows:
A template is designed for the event format of the general specification, and a user interface is provided for event administrators, so that they can define and modify events and trigger a response flow without modifying back-end code. This improves the response efficiency; the template reduces part of the redundant work when responders handle similar events, and it can cooperate with related systems to achieve automatic response.
Preferably, the source of the malicious code in the network in S3 is described by its IP address, host number, network number and routing information.
A response device for a network security event, suitable for any of the response methods above, comprises a comparison analysis module that compares and analyzes the code and the initial information to obtain a comparison analysis result;
and an exception handling module that establishes defensive measures to defend against communication of the security event.
Preferably, the comparison analysis module divides the received network security event data into different network data levels after comparison analysis, and compares each item of network data at each level one by one with the network data of the corresponding level in the network database.
Compared with the prior art, the response method and device for a network security event provided by the invention have the following beneficial effects:
1. The event response process is split into stages, and each stage and its results are recorded and fed back promptly, which improves the response efficiency of the system. Because event reports come from different sources, the emergency response system receives events in different formats; the event format is designed with the current situation and the data formats of other systems in mind and converted into a format of general specification, so that the system can store heterogeneous event information completely and process events more efficiently. Event types and auxiliary tools are managed through configuration, so that response team administrators can add event types and load tools dynamically, which improves the extensibility of the system and the working efficiency of the response team.
2. A template is designed for the event format of the general specification and a user interface is provided for event administrators, so that they can define and modify events and trigger a response flow without modifying back-end code; this improves the response efficiency, and the template reduces part of the redundant work when responders handle similar events.
Drawings
FIG. 1 is a flow chart of a method for responding to a network security event according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments obtained by those skilled in the art on the basis of these embodiments without creative effort fall within the protection scope of the invention.
Embodiment one:
Referring to FIG. 1, a response method for a network security event comprises the following steps:
S1, preparing the security event response: planning the event response before any security event occurs, as follows: the exception handling module establishes general defensive measures based on the threat posed by the event, establishes the event response handling procedure, obtains the manpower and material resources needed during the response, and establishes the infrastructure supporting event response activities;
S2, detecting the security event: checking, through the comparison analysis module, whether malicious code is present, whether files or directories have been tampered with, or whether other indicators have appeared, and locating where the problem occurred and its scope of influence;
S3, containing the security event: limiting the spread of malicious code in the network, restricting the range of the attack and reducing the damage caused by the event;
S4, eradicating the event (clearing the malicious network data): after the event has been contained, finding the root cause of the event and eliminating it completely;
S5, recovering the network data: restoring all damaged networks and equipment to their normal working state according to the recovery target, and preserving the collected data;
S6, summarizing the security event afterwards: once the event has been handled, performing post-incident analysis, drawing lessons, summarizing experience, and re-evaluating and revising the event response process.
In this embodiment, the response handling procedure in S1 is as follows:
The event response process is split into stages, and each stage and its results are recorded and fed back promptly, which improves the response efficiency of the system. Second, because event reports come from different sources, the emergency response system receives events in different formats. The event format is therefore designed with the current situation and the data formats of the other systems in mind, and redesigned as a single format conforming to a general standard, so that the system can store heterogeneous event information completely and process events more efficiently. Event types and auxiliary tools are managed through configuration, so that response team administrators can add event types and load tools dynamically; this improves the extensibility of the system and the working efficiency of the response team.
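The conversion of reports from different sources into one event format of general specification, with event types managed as configuration, is the part of the S1 procedure that is most easily shown in code. The following Python is an added example written for this page, not code from the patent; the three report formats (an IDS syslog line, an EDR JSON alert, a ticket CSV row), the field names of the common format, the tool names and the sample reports are all constructed assumptions.

```python
"""Normalise heterogeneous incident reports into one common event format.

Added example; not code from the patent. The source formats, the common
schema's field names and the sample reports are assumptions for illustration.
"""
import csv
import io
import json
import re
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class CommonEvent:
    """The single general-specification format every report is converted into."""
    source: str                 # reporting system that produced the raw report
    event_type: str             # category, must exist in EVENT_TYPES
    observed_at: str            # ISO-8601 UTC timestamp
    src_ip: Optional[str]
    asset: Optional[str]
    summary: str
    extra: Dict[str, str] = field(default_factory=dict)


# Event types and their auxiliary tools are configuration, not code: an
# administrator adds a row here (or calls register_event_type) to extend it.
EVENT_TYPES: Dict[str, Dict[str, str]] = {
    "malware": {"tool": "edr_isolate"},
    "tamper": {"tool": "fim_diff"},
    "bruteforce": {"tool": "block_source"},
}


def register_event_type(name: str, tool: str) -> None:
    EVENT_TYPES[name] = {"tool": tool}


Parser = Callable[[str], CommonEvent]
PARSERS: Dict[str, Parser] = {}


def parser(source: str) -> Callable[[Parser], Parser]:
    """Register a parser for one report source."""
    def wrap(fn: Parser) -> Parser:
        PARSERS[source] = fn
        return fn
    return wrap


SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<type>\w+): "
    r"(?P<msg>.*?)(?: src=(?P<ip>[\d.]+))?$"
)


@parser("ids-syslog")
def parse_syslog(line: str) -> CommonEvent:
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    return CommonEvent("ids-syslog", m["type"], m["ts"], m["ip"], m["host"], m["msg"])


@parser("edr-json")
def parse_edr_json(blob: str) -> CommonEvent:
    d = json.loads(blob)
    ts = datetime.fromtimestamp(d["epoch"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return CommonEvent("edr-json", d["category"], ts, d.get("remote_ip"),
                       d["hostname"], d["title"], {"sha256": d.get("sha256", "")})


@parser("ticket-csv")
def parse_ticket_csv(row: str) -> CommonEvent:
    ts, asset, etype, text = next(csv.reader(io.StringIO(row)))
    return CommonEvent("ticket-csv", etype, ts, None, asset, text)


def normalize(source: str, raw: str) -> CommonEvent:
    """Convert one raw report and reject types nobody has configured a tool for."""
    if source not in PARSERS:
        raise KeyError(f"no parser configured for source {source!r}")
    ev = PARSERS[source](raw)
    if ev.event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type {ev.event_type!r}; register it first")
    return ev


def assigned_tool(ev: CommonEvent) -> str:
    return EVENT_TYPES[ev.event_type]["tool"]


# Constructed sample reports, one per source format.
SAMPLE_REPORTS = [
    ("ids-syslog", "2024-03-01T10:15:00Z web01 bruteforce: 120 failed logins src=203.0.113.7"),
    ("edr-json", '{"epoch": 1709288100, "category": "malware", "hostname": "pc-42", '
                 '"title": "dropper.exe executed", "remote_ip": "198.51.100.9", "sha256": "ab12"}'),
    ("ticket-csv", '2024-03-01T10:17:00Z,fileserver,tamper,"/etc/passwd modified, see ticket"'),
]


def normalize_all(reports=SAMPLE_REPORTS) -> List[dict]:
    return [asdict(normalize(src, raw)) for src, raw in reports]


if __name__ == "__main__":
    for ev in normalize_all():
        print(json.dumps(ev))
```

Adding a report source means registering one more parser; adding an event type means one call to register_event_type (or one configuration entry) rather than a code change, which is the extensibility the paragraph describes. A report whose type is not registered is rejected instead of being stored silently, so a mistyped source cannot create events that no tool handles.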
In this embodiment, the data storage flow in S5 is as follows:
During the event response process, various data are acquired, some of which must be kept for a long time as evidence for subsequent handling. This data is stored automatically through a server: the event-related information is sent to a processing module, which automatically acquires and filters the data and then stores the valuable data according to the corresponding rules.
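As an added example of the S5 data storage flow (not the patent's own code), the Python below takes a list of collected artifacts, filters them against retention rules and keeps the valuable ones. The artifacts, the rules and the SHA-256 digest recorded at ingestion are assumptions; the digest is added here because data kept as evidence needs an integrity check that the paragraph does not mention.

```python
"""Evidence acquisition, filtering and retention during recovery (S5).

Added example, not the patent's code. Artifacts, retention rules and the
SHA-256 custody record are assumptions made for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Artifact:
    path: str
    kind: str        # "log", "binary", "memory", "temp", ...
    content: bytes


# Retention rules: (artifact kind, minimum size in bytes, retention in days).
# Kinds with no rule are not evidence and are discarded by the filter.
RETENTION_RULES: List[Tuple[str, int, int]] = [
    ("log", 1, 365),
    ("binary", 1, 730),
    ("memory", 1, 90),
]


def retention_days(a: Artifact) -> Optional[int]:
    """Return how long an artifact must be kept, or None if it is filtered out."""
    for kind, min_size, days in RETENTION_RULES:
        if a.kind == kind and len(a.content) >= min_size:
            return days
    return None


class EvidenceStore:
    """In-memory stand-in for the server that stores evidence automatically."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}
        self.rejected: List[str] = []

    def ingest(self, artifacts: List[Artifact]) -> int:
        """Filter the collected artifacts and store the valuable ones with a digest."""
        stored = 0
        for a in artifacts:
            days = retention_days(a)
            if days is None:
                self.rejected.append(a.path)
                continue
            self.records[a.path] = {
                "kind": a.kind,
                "size": len(a.content),
                "retention_days": days,
                "sha256": hashlib.sha256(a.content).hexdigest(),
                "content": a.content,
            }
            stored += 1
        return stored

    def verify(self, path: str) -> bool:
        """Re-hash stored content to prove it has not changed since ingestion."""
        rec = self.records[path]
        return hashlib.sha256(rec["content"]).hexdigest() == rec["sha256"]

    def manifest(self) -> str:
        """Custody manifest: every record without its raw content, as JSON."""
        return json.dumps(
            {p: {k: v for k, v in r.items() if k != "content"}
             for p, r in sorted(self.records.items())},
            indent=2,
        )


# Constructed artifacts, as a collector might hand them over.
COLLECTED: List[Artifact] = [
    Artifact("/var/log/auth.log", "log",
             b"Mar  1 10:14:59 web01 sshd[881]: Failed password for root from 203.0.113.7\n"),
    Artifact("/tmp/dropper.exe", "binary", b"MZ\x90\x00 constructed sample"),
    Artifact("/tmp/sess_cache", "temp", b"junk"),      # no rule for "temp": discarded
    Artifact("/var/log/empty.log", "log", b""),         # below the minimum size: discarded
]


def run(artifacts: List[Artifact] = COLLECTED) -> EvidenceStore:
    store = EvidenceStore()
    store.ingest(artifacts)
    return store


if __name__ == "__main__":
    print(run().manifest())
```

The manifest is what gets handed to whoever later examines the evidence; verify() is the check that the stored bytes still match the digest taken at ingestion, which is what makes long-term retention worth anything.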
In this embodiment, the general defensive measure in S1 is designed as follows:
A template is designed for the event format of the general specification, and a user interface is provided for event administrators, so that they can define and modify events and trigger a response flow without modifying back-end code. This improves the response efficiency; the template reduces part of the redundant work when responders handle similar events, and it can cooperate with related systems to achieve automatic response.
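The template-driven response described above can be shown as a playbook defined entirely in configuration data and executed by a small fixed engine, so that an administrator changes the flow without touching code. This is an added illustration, not the patent's design; the playbook schema, the action names and the sample events are assumptions.

```python
"""Template-driven response flows: playbooks are configuration data, the
engine is fixed code. Added example, not the patent's design; playbook
schema, action names and sample events are assumptions.
"""
from typing import Callable, Dict, List

# A playbook is a list of steps. Each step names an action and gives its
# parameters as templates that reference fields of the normalised event
# with {field} placeholders; "when" names a field that must be present.
PLAYBOOKS: Dict[str, List[dict]] = {
    "malware": [
        {"action": "isolate_host", "host": "{asset}"},
        {"action": "block_ip", "ip": "{src_ip}", "when": "src_ip"},
        {"action": "open_ticket", "title": "Malware on {asset}"},
    ],
    "bruteforce": [
        {"action": "block_ip", "ip": "{src_ip}", "when": "src_ip"},
        {"action": "open_ticket", "title": "Brute force from {src_ip}"},
    ],
}

# Action registry: the only place that changes when a new integration is
# written. Each action returns a one-line record of what it did.
ACTIONS: Dict[str, Callable[..., str]] = {}


def action(name: str):
    def wrap(fn: Callable[..., str]) -> Callable[..., str]:
        ACTIONS[name] = fn
        return fn
    return wrap


@action("isolate_host")
def isolate_host(host: str) -> str:
    return f"isolated {host}"          # real code would call the EDR API


@action("block_ip")
def block_ip(ip: str) -> str:
    return f"blocked {ip}"             # real code would push a firewall rule


@action("open_ticket")
def open_ticket(title: str) -> str:
    return f"ticket: {title}"


def add_playbook(event_type: str, steps: List[dict]) -> None:
    """Configuration change, not a code change: register a new response flow."""
    unknown = {s["action"] for s in steps} - ACTIONS.keys()
    if unknown:
        raise ValueError(f"playbook uses unregistered actions: {sorted(unknown)}")
    PLAYBOOKS[event_type] = steps


def run_playbook(event: dict) -> List[str]:
    """Execute the playbook for the event's type and return the action log."""
    steps = PLAYBOOKS.get(event["event_type"])
    if steps is None:
        raise KeyError(f"no playbook for event type {event['event_type']!r}")
    log: List[str] = []
    for step in steps:
        guard = step.get("when")
        if guard and not event.get(guard):
            log.append(f"skipped {step['action']} ({guard} missing)")
            continue
        # Templates come from configuration; event values are substituted into
        # them as data, so attacker-controlled fields cannot alter the template.
        params = {k: v.format(**event)
                  for k, v in step.items() if k not in ("action", "when")}
        log.append(ACTIONS[step["action"]](**params))
    return log


if __name__ == "__main__":
    sample = {"event_type": "malware", "asset": "pc-42", "src_ip": "198.51.100.9"}
    print("\n".join(run_playbook(sample)))
```

The "when" guard is the edge case worth keeping: an event with no source address must not produce a block rule for the literal string "None", so the step is skipped and the skip is logged rather than hidden.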
In this embodiment, the source of the malicious code in the network in S3 is described by its IP address, host number, network number and routing information.
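The following Python is an added example (not from the patent) of decomposing a reported source into the components listed above and turning the result into a containment scope for S3. The standard ipaddress module supplies the network and host numbers; the routing table, the threshold for widening a block from one host to its whole network, and the generated nftables commands (which assume a table "inet filter" with "input" and "forward" chains already exists) are assumptions.

```python
"""Decompose the reported source of malicious traffic (IP address, network
number, host number, routing information) and derive a containment scope.

Added example, not from the patent. The routing table, the widening
threshold and the generated nftables commands are assumptions.
"""
import ipaddress
from typing import Dict, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed routing information: destination prefix -> next hop and interface.
ROUTES: Dict[str, str] = {
    "203.0.113.0/24": "via 192.0.2.1 dev eth0",
    "10.0.0.0/8": "via 10.0.0.1 dev eth1",
    "0.0.0.0/0": "via 192.0.2.254 dev eth0",
}


def matching_route(ip: IPAddr) -> str:
    """Longest-prefix match over ROUTES, as a router would resolve the source."""
    best = None
    for prefix, via in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return f"{best[0]} {best[1]}" if best else "unroutable"


def decompose(src_ip: str, prefix_len: int) -> dict:
    """Split an address into network number and host number for the given mask."""
    iface = ipaddress.ip_interface(f"{src_ip}/{prefix_len}")
    net = iface.network
    return {
        "ip": str(iface.ip),
        "network": str(net),
        "network_number": str(net.network_address),
        "host_number": int(iface.ip) - int(net.network_address),
        "route": matching_route(iface.ip),
    }


def containment_rules(src_ip: str, prefix_len: int, hosts_seen_in_network: int,
                      widen_threshold: int = 3) -> List[str]:
    """Block the single host; widen to its network only when several hosts of
    that network were seen attacking, so that the attack range is limited
    without cutting off an entire network for one compromised machine."""
    if ":" in src_ip:
        raise ValueError("this example generates IPv4 rules only")
    info = decompose(src_ip, prefix_len)
    target = info["network"] if hosts_seen_in_network >= widen_threshold else f"{info['ip']}/32"
    return [f"nft add rule inet filter input ip saddr {target} drop",
            f"nft add rule inet filter forward ip saddr {target} drop"]


if __name__ == "__main__":
    print(decompose("203.0.113.7", 24))
    print("\n".join(containment_rules("203.0.113.7", 24, hosts_seen_in_network=1)))
```

The rules are returned as strings rather than executed, so the containment decision can be reviewed (and logged under S5) before a firewall change is pushed.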
Embodiment two:
Referring to FIG. 1, this embodiment provides a technical solution based on the first embodiment: a response device for a network security event, suitable for any of the response methods above, comprising a comparison analysis module that compares and analyzes the code and the initial information to obtain a comparison analysis result;
and an exception handling module that establishes defensive measures to defend against communication of the security event.
In this embodiment, the comparison analysis module divides the received network security event data into different network data levels after comparison analysis, and compares each item of network data at each level one by one with the network data of the corresponding level in the network database.
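The comparison analysis module of both embodiments, detecting tampering in S2 and then grading the findings and comparing them with the database for each level, can be illustrated as follows. This is an added example, not the patent's module; the baseline, the current snapshot, the level assignment by path and the per-level reference database are constructed.

```python
"""Comparison analysis: find tampered files against a known-good baseline,
grade each finding, and compare it with the reference database of its level.

Added example, not the patent's module. Baseline, snapshot, level rules and
the per-level database are constructed for illustration.
"""
import hashlib
from typing import Dict, List


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good contents recorded during preparation (S1); only digests are kept.
BASELINE_FILES: Dict[str, bytes] = {
    "/bin/ls": b"ELF ls v1 (constructed)",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/var/www/index.html": b"<h1>hello</h1>",
}
BASELINE: Dict[str, str] = {p: sha256(c) for p, c in BASELINE_FILES.items()}

# Current snapshot, constructed so that two files changed and one appeared.
CURRENT_FILES: Dict[str, bytes] = {
    "/bin/ls": b"ELF ls v1 (constructed)",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n",
    "/var/www/index.html": b"<h1>hello</h1><script src=//evil.example/x.js></script>",
    "/tmp/.x": b"MZ constructed dropper",
}

# Level assignment by path prefix; level 1 is the most critical.
LEVEL_BY_PREFIX = [("/bin/", 1), ("/etc/", 1), ("/var/www/", 2), ("/tmp/", 3)]

# Reference database per level: digests already known at that level
# (here level 3 holds the hash of a dropper previously seen in scratch dirs).
LEVEL_DB: Dict[int, Dict[str, str]] = {
    1: {},
    2: {},
    3: {sha256(b"MZ constructed dropper"): "known dropper"},
}


def level_for(path: str) -> int:
    for prefix, level in LEVEL_BY_PREFIX:
        if path.startswith(prefix):
            return level
    return 3   # anything unclassified is treated as least critical


def compare(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[dict]:
    """Report new, modified and deleted files, graded and matched per level."""
    findings: List[dict] = []
    for path, content in current.items():
        digest = sha256(content)
        if path not in baseline:
            status = "new"
        elif baseline[path] != digest:
            status = "modified"
        else:
            continue   # unchanged: nothing to report
        level = level_for(path)
        findings.append({
            "path": path, "status": status, "level": level, "sha256": digest,
            # one-by-one lookup against the database of this finding's own level
            "known_as": LEVEL_DB[level].get(digest),
        })
    for path in baseline.keys() - current.keys():
        findings.append({"path": path, "status": "deleted", "level": level_for(path),
                         "sha256": None, "known_as": None})
    findings.sort(key=lambda f: (f["level"], f["path"]))
    return findings


if __name__ == "__main__":
    for finding in compare(BASELINE, CURRENT_FILES):
        print(finding)
```

Sorting by level puts the modified /etc/passwd ahead of the defaced web page and the dropper in /tmp, which is the order a responder wants to work through; the "known_as" field is what the per-level database comparison contributes beyond plain change detection.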
Anything not described in detail in this specification is well known to those skilled in the art.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions, and further, that the terms "comprise," "include," or any other variation thereof, are intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements, but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (7)
1. A method for responding to a network security event, comprising the following steps:
S1, preparing the security event response: planning the event response before any security event occurs, as follows: the exception handling module establishes general defensive measures based on the threat posed by the event, establishes the event response handling procedure, obtains the manpower and material resources needed during the response, and establishes the infrastructure supporting event response activities;
S2, detecting the security event: checking, through the comparison analysis module, whether malicious code is present, whether files or directories have been tampered with, or whether other indicators have appeared, and locating where the problem occurred and its scope of influence;
S3, containing the security event: limiting the spread of malicious code in the network, restricting the range of the attack and reducing the damage caused by the event;
S4, eradicating the event (clearing the malicious network data): after the event has been contained, finding the root cause of the event and eliminating it completely;
S5, recovering the network data: restoring all damaged networks and equipment to their normal working state according to the recovery target, and preserving the collected data;
S6, summarizing the security event afterwards: once the event has been handled, performing post-incident analysis, drawing lessons, summarizing experience, and re-evaluating and revising the event response process.
2. The method according to claim 1, wherein the response handling procedure in S1 is as follows:
the event response process is split into stages, and each stage and its results are recorded and fed back promptly; events with different data structures are converted into an event format of a general standard, so that the system can store heterogeneous event information completely; and event types and auxiliary tools are managed through configuration, so that response team administrators can add event types and load tools dynamically.
3. The method according to claim 1, wherein the data storage flow in S5 is as follows:
during the event response process, various data are acquired, some of which must be kept for a long time as evidence for subsequent handling; the data is stored automatically through a server, the event-related information is sent to a processing module for data processing, the data is automatically acquired and filtered, and the valuable data is then stored according to the corresponding rules.
4. The method according to claim 1, wherein the general defensive measure in S1 is designed as follows:
a template is designed for the event format of the general specification, and a user interface is provided for event administrators so that they can define and modify events and trigger a response without modifying back-end code.
5. The method according to claim 1, wherein the source of the malicious code in the network in S3 is described by its IP address, host number, network number and routing information.
6. A response device for a network security event, suitable for the response method according to any one of claims 1-5, characterized in that it comprises a comparison analysis module configured to compare and analyze the code and the initial information to obtain a comparison analysis result;
and an exception handling module configured to establish defensive measures to defend against communication of the security event.
7. The device according to claim 6, wherein the comparison analysis module is configured to divide the received network security event data into different network data levels after comparison analysis, and to compare each item of network data at each level one by one with the network data of the corresponding level in the network database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310084290.1A CN116094816A (en) | 2023-02-09 | 2023-02-09 | Response method and device for network security event |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116094816A true CN116094816A (en) | 2023-05-09 |
Family
ID=86204249
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310084290.1A Pending CN116094816A (en) | 2023-02-09 | 2023-02-09 | Response method and device for network security event |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116094816A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |