CN116094816A - Response method and device for network security event - Google Patents

Response method and device for network security event

Info

Publication number: CN116094816A
Authority: CN (China)
Prior art keywords: event, response, network, data, security event
Legal status: Pending
Application number: CN202310084290.1A
Other languages: Chinese (zh)
Inventor: 施其明
Current assignee: Digital Communication Shanghai Enterprise Development Co ltd
Original assignee: Digital Communication Shanghai Enterprise Development Co ltd
Priority date: 2023-02-09
Filing date: 2023-02-09
Publication date: 2023-05-09

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a response method and a response device for a network security event. The method comprises the following steps: S1, preparing the security event response; S2, detecting the security event; S3, suppressing the security event; S4, deleting the network data; S5, recovering the network data, i.e. restoring all damaged networks and equipment to their normal working state according to the restoration target, and storing the data information; S6, summarizing the security event after the fact, i.e. after the event has been handled, performing post-event analysis, drawing lessons, summarizing experience, and re-evaluating and revising the event response process. The response method and device take necessary measures after unexpected events occur, avoid and reduce harm and loss, recover from the harm and loss, handle the network security event successfully through cooperation between multiple departments, and process event data in batches by formulating a handling plan and arranging and executing the work in an orderly manner.

Description

Response method and device for network security event
Technical Field
The invention relates to the technical field of network security events, in particular to a response method and device of a network security event.
Background
In recent years of internet technology and computer application technology, the internet has brought great convenience to people's lives, but it also faces great challenges. New public internet security events are continuously exposed, bringing great harm to people's property security and to the stable development of society. In recent years, China has continuously strengthened the construction of network security assurance facilities, and various publicity and competition activities have been carried out, which has raised the attention paid to network security in every industry and field and improved the level of network security awareness year by year. Through the common effort of all parties, the level of internet security protection in China has greatly improved. However, network security events still cannot be avoided; basic network equipment, domain name systems, the industrial internet and other national basic networks and key facilities still face great security risks, and how to effectively prevent and correctly handle network security events has become the key point of current research.
Today, with the rapid development of computer science and technology, the complexity and degree of automation of network attacks continue to increase, and intrusions are faster and more efficient, so the occurrence of security events is unavoidable. What can be done is to take necessary measures after unexpected events occur, to avoid and reduce harm and loss, and to recover from the harm and loss. The handling of network security events is complicated: successful handling requires the cooperation of multiple departments, a reasonable handling plan must be formulated, and the work must be arranged and executed in an orderly manner. Security event handling management is therefore an indispensable link in the network security assurance system, and on this basis we propose a response method and device for network security events.
Disclosure of Invention
In order to achieve the above purpose, the invention is realized by the following technical scheme. A response method for a network security event specifically comprises the following steps:
S1, preparing the security event response: planning the event response before the security event occurs, the planning being as follows: the exception handling module establishes general defensive measures based on the threat posed by the event, establishes event response handling procedures, obtains the manpower and material resources needed during the response, and establishes an infrastructure supporting event response activities, so that necessary measures can be taken in time when unexpected events occur, harm and loss are avoided and reduced, and recovery from the harm and loss is achieved;
S2, detecting the security event: the comparison analysis module checks whether malicious code is present, whether files and directories have been tampered with, or whether other indicators appear, and finds where the problem occurred and its range of influence;
S3, suppressing the security event: limiting the characteristics of the malicious code in the network, limiting the attack range, and reducing the damage caused by the event;
S4, deleting the network data: after the event has been suppressed, searching for the root cause of the event and eradicating it;
S5, recovering the network data: restoring all damaged networks and equipment to their normal working state according to the restoration target, and storing the data information;
S6, summarizing the security event after the fact: after the event has been handled, performing post-event analysis, drawing lessons, summarizing experience, and re-evaluating and revising the event response process.
Preferably, the response processing procedure in S1 is as follows:
the event response process is split into stages, and each stage and its result are recorded and fed back in time, which improves the response efficiency of the system. Secondly, because event reports come from different sources with different data structures, the event formats received by the emergency response system differ; when designing the event format, the current actual situation and the data formats of other systems are considered, and a single event format converted to a general standard is redesigned, so that the system can store heterogeneous event information completely and the event processing efficiency is improved. Event types and auxiliary tools are managed in a configuration mode, so that response team administrators can dynamically add events and load tools; this enhances the extensibility of the system and improves the working efficiency of the event response team staff.
Preferably, the data information storage flow in S5 is as follows:
during the event response process, various data information is acquired, some of which is kept as evidence for subsequent processing over a long period. The data is stored automatically through a server: the related event information is sent to a processing module for data processing, the data is acquired and filtered automatically, and the valuable data is then stored according to the corresponding rules.
Preferably, the general defensive measure in S1 is designed as follows:
a template is designed for the event format of the general specification, and a user interface is provided for event management staff, so that they can run the flow response for defined and modified events without modifying background code, which improves the response efficiency. The template design reduces part of the redundant work when event response staff handle similar events, and can cooperate with related systems to achieve automatic response.
Preferably, the network malicious code in S3 originates from a source comprising an IP address, a host number, a network number and IP routing information.
The network security event response device is suitable for the network security event response method according to any one of the above. The comparison analysis module is used for comparing and analyzing the code against the initial information to obtain comparison analysis results;
and the exception handling module is used for establishing defensive measures to defend against the communication of the security event.
Preferably, the comparison analysis module is used for dividing the received network security event data into different network data levels after comparison analysis processing, and for comparing each item of network data at each level one by one against the network data corresponding to that level in the network database.
The invention provides a response method and a response device for a network security event, which have the following beneficial effects compared with the prior art:
1. According to the response method and device, the event response process is split into stages and each stage and its result are recorded and fed back in time, which improves the response efficiency of the system. Because event reports come from different sources, the event formats received by the emergency response system differ; the event formats are therefore redesigned, taking the current actual situation and the data formats of other systems into account, and converted into an event format with a general specification, so that the system can store heterogeneous event information completely and the event processing efficiency is improved. Event types and auxiliary tools are managed in a configuration mode, so that response team administrators can dynamically add events and load tools, which improves the extensibility of the system and the working efficiency of the event response team staff.
2. According to the response method and device, a template is designed for the event format of the general specification and a user interface is provided for the event manager, so that the event manager can run the flow response for defined and modified events without modifying background code, which improves the response efficiency; the template design also reduces part of the redundant work of event responders when they handle similar events.
Drawings
FIG. 1 is a flow chart of a method for responding to a network security event according to the present invention.
Detailed Description
The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments, and all other embodiments obtained by those skilled in the art without making creative efforts based on the embodiments of the present invention are included in the protection scope of the present invention.
Embodiment one:
Referring to FIG. 1, a method for responding to a network security event specifically includes the following steps:
S1, preparing the security event response: planning the event response before the security event occurs, the planning being as follows: the exception handling module establishes general defensive measures based on the threat posed by the event, establishes an event response handling program, obtains the manpower and material resources needed during the response, and establishes an infrastructure supporting event response activities;
S2, detecting the security event: the comparison analysis module checks whether malicious code is present, whether files and directories have been tampered with, or whether other indicators appear, and finds where the problem occurred and its range of influence;
S3, suppressing the security event: limiting the characteristics of the malicious code in the network, limiting the attack range, and reducing the damage caused by the event;
S4, deleting the network data: after the event has been suppressed, searching for the root cause of the event and eradicating it;
S5, recovering the network data: restoring all damaged networks and equipment to their normal working state according to the restoration target, and storing the data information;
S6, summarizing the security event after the fact: after the event has been handled, performing post-event analysis, drawing lessons, summarizing experience, and re-evaluating and revising the event response process.
In this embodiment, the response processing procedure in S1 is as follows:
the event response process is split into stages, and each stage and its result are recorded and fed back in time, which improves the response efficiency of the system. Secondly, because event reports come from different sources with different data structures, the event formats received by the emergency response system differ; when designing the event format, the current actual situation and the data formats of other systems are considered, and a single event format converted to a general standard is redesigned, so that the system can store heterogeneous event information completely and the event processing efficiency is improved. Event types and auxiliary tools are managed in a configuration mode, so that response team administrators can dynamically add events and load tools; this enhances the extensibility of the system and improves the working efficiency of the event response team staff.
In this embodiment, the data information saving flow in S5 is as follows:
during the event response process, various data information is acquired, some of which is kept as evidence for subsequent processing over a long period. The data is stored automatically through a server: the related event information is sent to a processing module for data processing, the data is acquired and filtered automatically, and the valuable data is then stored according to the corresponding rules.
In this embodiment, the general defensive measure in S1 is designed as follows:
a template is designed for the event format of the general specification, and a user interface is provided for event management staff, so that they can run the flow response for defined and modified events without modifying background code, which improves the response efficiency. The template design reduces part of the redundant work when event response staff handle similar events, and can cooperate with related systems to achieve automatic response.
In this embodiment, the network malicious code in S3 originates from a source comprising an IP address, a host number, a network number and IP routing information.
Embodiment two:
Referring to FIG. 1, the present embodiment provides a technical solution based on the first embodiment: the network security event response device is suitable for the network security event response method of any one of the above. The comparison analysis module is used for comparing and analyzing the code against the initial information to obtain comparison analysis results;
and the exception handling module is used for establishing defensive measures and defending against the communication of the security event.
In this embodiment, the comparison analysis module is configured to divide the received network security event data into different network data levels after comparison analysis processing, and to compare each item of network data at each level one by one against the network data corresponding to that level in the network database.
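The general-format normalization of heterogeneous event reports (S1), configuration-managed event types, rule-based evidence retention (S5) and level grading with a one-by-one comparison against a known-indicator database (claim 7), as an added Python example that is not the patent's own code or any implementation by its assignee; the two report formats, the event types, levels, indicator database and sample lines are all constructed assumptions.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed configuration: each event type's level and the fields retained as
# evidence are data, so an administrator can add a type without touching code.
EVENT_TYPES = {
    "malware": {"level": 3, "evidence": ["src_ip", "host", "indicator"]},
    "tamper":  {"level": 2, "evidence": ["host", "indicator"]},
    "scan":    {"level": 1, "evidence": ["src_ip"]},
}
# Constructed "network database": indicators already known at each level.
KNOWN_INDICATORS = {3: {"sha256:deadbeef"}, 2: {"/etc/passwd"}, 1: set()}


@dataclass
class Event:
    """The general standard event format that every source is converted into."""
    source: str
    event_type: str
    src_ip: Optional[str]
    host: Optional[str]
    indicator: Optional[str]
    raw: str
    level: int = 0
    known: bool = False          # matched the database entry for its level
    evidence: dict = field(default_factory=dict)


# Constructed syslog-style report: "host prog: type=.. ip=.. ind=.."
SYSLOG_RE = re.compile(r"^(?P<host>\S+) (?P<prog>\S+): type=(?P<type>\w+) "
                       r"ip=(?P<ip>\S+) ind=(?P<ind>.+)$")


def parse_syslog(line: str) -> Optional[Event]:
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return Event("syslog", m["type"], m["ip"], m["host"], m["ind"], line)


def parse_json(line: str) -> Optional[Event]:
    """Constructed JSON report from a second tool with its own field names."""
    try:
        d = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(d, dict) or "category" not in d:
        return None
    return Event("json", str(d["category"]), d.get("source_ip"),
                 d.get("asset"), d.get("ioc"), line)


PARSERS = (parse_json, parse_syslog)


def normalize(line: str) -> Event:
    """Convert one report into the general format, grade it and select its
    evidence; input no parser or configuration recognises becomes a level-0
    event that retains the raw line, so nothing is silently discarded."""
    ev = next(filter(None, (parse(line) for parse in PARSERS)), None)
    if ev is None:
        ev = Event("unknown", "unknown", None, None, None, line)
    cfg = EVENT_TYPES.get(ev.event_type)
    if cfg is None:
        ev.evidence = {"raw": ev.raw}
        return ev
    ev.level = cfg["level"]
    ev.evidence = {k: getattr(ev, k) for k in cfg["evidence"]
                   if getattr(ev, k) is not None}
    ev.known = ev.indicator in KNOWN_INDICATORS.get(ev.level, set())
    return ev


def triage(lines: List[str]) -> Dict[int, List[Event]]:
    """Group normalized events by level, highest level first."""
    by_level: Dict[int, List[Event]] = {}
    for ev in map(normalize, lines):
        by_level.setdefault(ev.level, []).append(ev)
    return dict(sorted(by_level.items(), reverse=True))


# Constructed sample input mixing both report formats and a stray line.
SAMPLE = [
    "srv-01 edr: type=malware ip=10.0.0.7 ind=sha256:deadbeef",
    '{"category": "tamper", "asset": "web-02", "ioc": "/etc/passwd"}',
    "fw-01 ids: type=scan ip=203.0.113.9 ind=-",
    '{"category": "phish", "asset": "mail-01"}',
    "garbage line that matches no parser",
]
```

A report type missing from EVENT_TYPES (the "phish" line) and a line no parser accepts both land at level 0 with the raw line kept, so a gap in the configuration is visible in triage rather than lost evidence.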
And all that is not described in detail in this specification is well known to those skilled in the art.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions, and further, that the terms "comprise," "include," or any other variation thereof, are intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements, but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (7)

1. A method for responding to a network security event, comprising the steps of:
s1, preparing a security event response: planning for the event response before the occurrence of the security event is performed, wherein the planning is as follows: the exception handling module establishes general defensive measures based on the threat of the event, establishes an event response handling program, obtains necessary manpower and material resources in the response process, and establishes an infrastructure supporting event response activities;
s2, detecting a security event: whether malicious codes, files and catalogues are tampered or other characteristics appear is checked through a comparison analysis module, and the place and the influence range of the occurrence of the problem are found;
s3, safety event suppression: limiting the characteristics of malicious codes in the network, limiting the attack range, and reducing damage caused by events;
s4, deleting network data: after the event is restrained, searching the root of the event and radically eradicating the event;
s5, network data recovery: restoring all the broken networks and equipment to their normal working task state by the restoration target, and storing the data information;
s6, summarizing the security event after the fact: post-event profiling is performed on the event after the event is processed, training is absorbed, experience is summarized, and the response process of the event is re-evaluated and modified.
2. The method according to claim 1, wherein the response processing procedure in S1 is as follows:
splitting an event response process, timely recording and feeding back the split response process and corresponding results, and then converting the design into a general standard event format according to different data structures of the events, so that the system can completely store heterogeneous event information, and the event types and auxiliary tools are managed in a configuration mode, so that response team management staff dynamically add the events and load tools.
3. The method for responding to a network security event according to claim 1, wherein the data information storage procedure in S5 is as follows:
in the event response process, various data information is acquired, wherein some data is used as evidence to be kept for subsequent processing for a long time, the data is automatically stored through a server, the event related information is sent to a processing module for data processing, the data is automatically acquired and filtered, and then valuable data is stored according to corresponding rules.
4. The method according to claim 1, wherein the general defensive measure in S1 is designed as follows:
designing a template for the event format of the general specification, and providing a user interface for event management personnel to enable them to respond to defining and modifying the event without modifying background code.
5. The method of claim 1, wherein the network malicious code in S3 is derived from a source comprising an IP address, a host number, a network number and IP routing information.
6. A response device of a network security event, which is suitable for a response method of a network security event according to any one of claims 1-5, and is characterized in that the contrast analysis module is configured to perform contrast analysis on the code and the initial information to obtain a contrast analysis result;
and the exception handling module is used for establishing a defending measure to defend the communication of the security event.
7. The device for responding to a network security event according to claim 6, wherein the comparison analysis module is configured to divide the received network security event data into different network data levels after comparison analysis processing, and compare each network data in each network data level with each network data corresponding to each network data level in the network database one by one.

Priority Applications (1)

Application Number: CN202310084290.1A (CN116094816A, en); Priority Date: 2023-02-09; Filing Date: 2023-02-09; Title: Response method and device for network security event

Applications Claiming Priority (1)

Application Number: CN202310084290.1A (CN116094816A, en); Priority Date: 2023-02-09; Filing Date: 2023-02-09; Title: Response method and device for network security event

Publications (1)

Publication Number: CN116094816A (en); Publication Date: 2023-05-09

Family

ID=86204249

Family Applications (1)

Application Number: CN202310084290.1A (CN116094816A, en); Title: Response method and device for network security event; Priority Date: 2023-02-09; Filing Date: 2023-02-09; Status: Pending

Country Status (1)

Country: CN (1); Link: CN116094816A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination