CN117499066A - Network security system structure construction method - Google Patents


Info

Publication number: CN117499066A
Application number: CN202310400880.0A
Authority: CN (China)
Prior art keywords: service, security, analysis, asset, information
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 宾冬梅, 杨春燕, 谢铭, 韩松明, 黎新, 蒙亮, 凌颖, 贺冠博
Current assignee: Electric Power Research Institute of Guangxi Power Grid Co Ltd
Original assignee: Electric Power Research Institute of Guangxi Power Grid Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities


Abstract

The invention discloses a network security architecture construction method applied to a security operation center, comprising an evaluation and improvement stage, a monitoring and analysis stage, a response and loss-stopping stage and a recovery and restoration stage. The evaluation and improvement stage provides an evaluation and improvement field expert service and an evaluation and improvement first-line expert service; the field expert service comprises a management system construction service, a security training service and a consultation and planning service, and the first-line expert service comprises an asset identification and management service, a business risk assessment service, a security notification service, an early warning and response service and a resident operation and maintenance service. The monitoring and analysis stage comprises a monitoring and analysis field expert service and a monitoring and analysis first-line expert service; the field expert service comprises a code audit service, a decompilation service, a penetration test service, an exploit analysis service and a sample analysis service. The invention improves the availability and confidentiality of the information system.

Description

Network security system structure construction method
Technical Field
The invention relates to the technical field of network security architectures, in particular to a method for constructing a network security architecture.
Background
There is a great need for a method of constructing a network security architecture that builds on existing, traditional security capabilities, carries out deepened design and construction against the security risks of the new situation, and applies targeted reinforcement to risk items, security gaps and weak links in security control, so as to cope with current, real security risks, reduce the security losses that risks may cause, achieve sustained security operation, and provide assurance for improving the availability, confidentiality and integrity of an information system.
Disclosure of Invention
The invention aims to provide a method of constructing a network security architecture that applies targeted reinforcement to risk items, security gaps and weak links in security control, so as to cope with current, real security risks, reduce the security losses that risks may cause, achieve sustained security operation, and provide assurance for improving the availability, confidentiality and integrity of an information system.
To achieve this, a network security architecture construction method is provided, which is applied to a security operation center and comprises an evaluation and improvement stage, a monitoring and analysis stage, a response and loss-stopping stage and a recovery and restoration stage;
the evaluation and improvement stage provides an evaluation and improvement field expert service and an evaluation and improvement first-line expert service;
the evaluation and improvement field expert service comprises a management system construction service, a security training service and a consultation and planning service;
the management system construction service achieves standardized management of organizations, personnel and processes by building a security management system framework and developing a security management system; the security training service builds a security training system framework and develops a security training system; the consultation and planning service takes the network security management system together with the existing regulations, systems and processes, and by combining them establishes and continuously improves the various security regulations, specifications, processes, mechanisms and modes;
the evaluation and improvement first-line expert service comprises an asset identification and management service, a business risk assessment service, a security notification service, an early warning and response service and a resident (on-site) operation and maintenance service;
the asset identification and management service comprises asset management, and asset fingerprint change management and threat monitoring; asset management sets the asset types, directory structure and asset attributes of the security assets, numbers asset information uniformly, and queries and maintains asset information by that unified number;
asset fingerprint change management and threat monitoring comprises an asset discovery management process, asset fingerprint management and asset threat monitoring; the asset discovery management process actively scans for and passively discovers assets coming online, changing and going offline, discovers shadow assets from traffic and logs, and achieves identification, management and inventory registration of assets across the whole network; asset fingerprint management collects asset fingerprint information by scan sniffing and traffic analysis and finally establishes an asset fingerprint file; asset threat monitoring periodically checks for changes made to an asset by analysing its fingerprint and its online changes;
the business risk assessment service obtains the existing network and information system security policy and carries out a global pre-assessment: the network and information system security policy comprises the information assets and their corresponding security measures; the security vulnerabilities present in the information assets are analysed, the security threats facing the information assets and the likelihood of those threats occurring are analysed, and the effectiveness of the security measures is checked, so that the security risk points present in the information assets are identified; an accepted risk threshold is preset, the degree of risk facing the user's information assets is assessed accurately by comparison with that threshold, and related rectification, repair and reinforcement suggestions are provided;
the security notification service pushes security notifications after first-line experts have audited the collected and consolidated vulnerability information and confirmed the finding;
the early warning and response service monitors and manages the security health of the enterprise's internet assets on the basis of network security threat information, and proactively provides solutions for early warning, analysis and handling of security events;
the resident operation and maintenance service is an on-site security operation service comprising security monitoring of equipment operation, security audit of equipment operation, and backup and updating of equipment and policies;
the monitoring and analysis stage comprises a monitoring and analysis field expert service and a monitoring and analysis first-line expert service;
the monitoring and analysis field expert service comprises a code audit service, a decompilation service, a penetration test service, an exploit analysis service and a sample analysis service;
the code audit service uses security tools supplemented by manual analysis by security experts to carry out source code security audits of application system program code, patch code and plug-in code, provides reasonable security rectification measures based on the risk situation after the audit, and formulates a plan to guide and assist security reinforcement;
the decompilation service reverse-engineers virus samples, malicious plug-ins and attack software, on the premise of compliance, and evaluates the security condition of software and hardware;
the penetration test service checks for: code vulnerabilities, protection policy vulnerabilities, middleware vulnerabilities, database vulnerabilities, server vulnerabilities, data communication security, N-day vulnerabilities, spear-phishing attacks, social engineering attacks, source code leakage, business logic security and information leakage;
the exploit analysis service discovers threats from whole-network data traffic, verifies and confirms advanced network attack events by means of vulnerability mining, vulnerability analysis and exploit verification, investigates the scope of influence and degree of harm of the event, and outputs analysis and handling reports;
the sample analysis service carries out deep script analysis of virus samples and outputs sample analysis reports;
the monitoring and analysis first-line expert service comprises a Web attack behaviour analysis service, a network risk analysis service and a log audit service;
the Web attack behaviour analysis service systematically analyses the Web attacks present in the intranet of the security operation center, using passive traffic capture as the capture mode; passive traffic capture identifies active host behaviour from the data in the traffic; the captured information comprises source IP, destination IP, exploited module, attack method, result type and sensitive information;
the network risk analysis service relies on the analysis cloud, expert cloud, information cloud, scanning and removal cloud and knowledge cloud to analyse the security risks present in the intranet of the security operation center, and detects and prevents APT attacks, novel Trojans and anti-virus-evading Trojans;
the log audit service relies on the expert cloud, analysis cloud and vulnerability cloud, collects the whole-network security logs of the security operation center, comprehensively analyses and audits the security logs according to compliance requirements, evaluates the security risk situation in combination with threat information, and provides corresponding security rectification measures;
the response and loss-stopping stage comprises a response and loss-stopping field expert service and a response and loss-stopping first-line expert service;
the response and loss-stopping field expert service comprises an emergency drill service and a key-period security assurance service;
the emergency drill service continuously checks the security state of the whole network and is a key measure for handling the large-area network interruptions, system paralysis and data leakage that emergencies cause; the drills must consider every weak link that could be breached and be linked with an active detection mechanism, so that detected security threats are handled promptly and accurately; from the drill results, the network security emergency drill system and mechanism are re-evaluated, formulated and refined;
the key-period security assurance service provides security assurance during key periods, including security services for key information systems, design of the key-period protection organisation structure, active defence, real-time threat detection, response and handling, and attack prediction;
the response and loss-stopping first-line expert service comprises an emergency response service; the emergency response service is a 7×24-hour emergency response and handling service, with a service mechanism for rapid response and handling formulated for when a network security event occurs at the security operation center;
the recovery and restoration stage comprises a post-incident review and restoration field expert service and a post-incident review and restoration first-line expert service;
the post-incident review and restoration field expert service adjusts and optimises the network and system architecture according to the business development needs of the security operation center and the conclusions of third-party inspection, testing, evaluation and assessment, and sets and adjusts the network protection policy;
the post-incident review and restoration first-line expert service takes the whole-network security assets of the security operation center as its basis and, combining threat information, guidance from attack and defence experts, external risk reports, internal risk assessments, internal security inspections/tests/drills and any security reinforcement clues from situational awareness monitoring, comprehensively assesses the threat impact level, threat impact scope and other dimensions, and formulates a security reinforcement plan;
Specifically, the management system construction service builds a security management system comprising organisation and personnel management, system and policy management, security management processes, security construction management and security operation and maintenance management.
Specifically, the security training service builds a security training system framework and develops a security training system comprising security awareness training, security management and administration training, network equipment security operation and maintenance training, security product operation and maintenance training, operating system operation and maintenance training, database operation and maintenance training, and secure application system development.
Specifically, the asset information includes basic information, security attributes, an asset view and asset vulnerability information;
the basic information comprises asset name, IP address, MAC address, business system, department, security domain, equipment type, geographic location, responsible person and telephone;
the security attributes comprise availability, integrity, confidentiality and asset value;
the asset view is view information for asset security management organised along four dimensions: business domain, security domain, physical location and organisation;
the asset vulnerability information is the vulnerability information and security configuration information provided by the integrated vulnerability scanning equipment.
Specifically, the early warning and response service proactively provides security event early warnings to the user by carrying out correlation analysis and behaviour profiling with big data on the attackers exposed on the Internet, and tagging the attacker threat information.
Specifically, the decompilation service is carried out through the steps of file loading, instruction decoding, semantic mapping, relation graph construction, procedure analysis, type analysis and result output; one or more of these steps are selected and combined according to the purpose of the analysis.
Specifically, the scope of the penetration test service includes: operating systems Windows, Linux, FreeBSD and AIX; databases MySQL, MSSQL and Oracle; middleware Apache, IIS and Tomcat; application servers FTP and DNS; Web applications in PHP, JSP, .NET and Python; and routers and switches.
Specifically, the virus samples include Trojan viruses, bots and worms, malware, rogue plug-ins and APT attack scripts.
Specifically, the log audit service provides corresponding security rectification measures through the following steps: acquire threat information data with a dedicated tool and combine it with a security audit of the existing logs, find the traces left by attackers in the logs, and find and reconstruct the intrusion events that have occurred; determine whether the system was successfully compromised, obtain a post-incident review roadmap of the security event for the application system, obtain the attacker profile, find the vulnerability information that was successfully exploited against the application system, and calculate the possible loss caused by the security event; and, based on the information obtained, a first-line expert formulates the security rectification measures.
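The log audit steps above, as an added Python example rather than the patent's own tooling: it parses a constructed web access log, matches attacker traces against a few detection rules and a constructed threat-information list, reconstructs the intrusion timeline per source, decides whether the intrusion succeeded, records the exploited endpoint, uses the bytes returned as a loss proxy and lists rectification measures. The rule names, advice text, log lines and the threat-information entry are all assumptions or constructed samples, not data from the page.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample of a web server access log (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2023:10:01:02 +0800] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2023:10:02:11 +0800] "GET /admin/ HTTP/1.1" 404 210 "-" "python-requests/2.28"
198.51.100.23 - - [12/Mar/2023:10:02:12 +0800] "GET /.git/config HTTP/1.1" 404 210 "-" "python-requests/2.28"
198.51.100.23 - - [12/Mar/2023:10:02:15 +0800] "GET /api/report?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 88 "-" "python-requests/2.28"
198.51.100.23 - - [12/Mar/2023:10:02:40 +0800] "GET /api/report?id=1%20UNION%20SELECT%20name,pw%20FROM%20users-- HTTP/1.1" 200 40211 "-" "python-requests/2.28"
203.0.113.7 - - [12/Mar/2023:10:03:00 +0800] "GET /dashboard HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

# Constructed threat-information entries, as the security notification service would push them.
THREAT_INTEL = {"198.51.100.23": "scanning infrastructure (constructed entry)"}

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')

# Detection rules applied to the URL-decoded request; the rule names are assumed labels.
RULES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1)"),
    "path_traversal": re.compile(r"\.\./"),
    "sensitive_probe": re.compile(r"(?i)^/(\.git/|\.env|admin/)"),
}

# Rectification advice per rule, for the first-line expert to confirm (assumed wording).
FIX_ADVICE = {
    "sqli": "use parameterised queries and input validation on the affected endpoint",
    "path_traversal": "canonicalise and allow-list file paths on the affected endpoint",
    "sensitive_probe": "remove or access-control the probed resource and alert on repeat probes",
}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line and tag it with the first matching detection rule."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(str(rec["status"]))
    rec["size"] = 0 if rec["size"] == "-" else int(str(rec["size"]))
    decoded = unquote(str(rec["path"]))
    rec["endpoint"] = decoded.split("?", 1)[0]
    rec["tag"] = next((name for name, rx in RULES.items() if rx.search(decoded)), None)
    return rec


def audit(log_text: str, intel: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Per-source audit: attacker traces, reconstructed intrusion timeline, whether the
    intrusion succeeded, the exploited endpoint, a loss proxy and rectification measures."""
    by_ip: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[str(rec["ip"])].append(rec)
    report: Dict[str, Dict[str, object]] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        traces = [r for r in recs if r["tag"]]
        if not traces and ip not in intel:
            continue  # neither an attacker trace in the log nor a threat-information hit
        successes = [r for r in traces if r["status"] == 200]  # attack request served normally
        measures = sorted({FIX_ADVICE[str(r["tag"])] for r in traces})
        if ip in intel:
            measures.append(f"block {ip} at the perimeter: {intel[ip]}")
        report[ip] = {
            "attacker_profile": {"user_agents": sorted({str(r["ua"]) for r in recs}),
                                 "first_seen": recs[0]["ts"].isoformat(),
                                 "last_seen": recs[-1]["ts"].isoformat(),
                                 "requests": len(recs), "threat_intel": intel.get(ip)},
            "timeline": [(r["ts"].isoformat(), r["status"], r["tag"], r["endpoint"]) for r in traces],
            "intrusion_confirmed": bool(successes),
            "exploited": list(dict.fromkeys((r["endpoint"], r["tag"]) for r in successes)),
            "bytes_returned": sum(r["size"] for r in successes),  # loss proxy: data handed out
            "measures": measures,
        }
    return report
```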
The technical principle and the beneficial effects of the invention are as follows:
Through the evaluation and improvement stage, the monitoring and analysis stage, the response and loss-stopping stage and the recovery and restoration stage, the invention applies targeted, strengthened security protection to risk items, security gaps and weak links in security control at each stage, and formulates and refines a network security architecture so as to cope with current, real security risks, reduce the security losses that risks may cause, achieve sustained security operation, and provide assurance for improving the availability, confidentiality and integrity of an information system.
Detailed Description
The following detailed description of the preferred embodiments of the invention is provided to enable those skilled in the art to more readily understand the advantages and features of the invention and to make a clear and concise definition of the scope of the invention.
Furthermore, the terms "horizontal," "vertical," "overhang," and the like do not denote a requirement that the component be absolutely horizontal or overhang, but rather may be slightly inclined. As "horizontal" merely means that its direction is more horizontal than "vertical", and does not mean that the structure must be perfectly horizontal, but may be slightly inclined.
The network security architecture construction method of this embodiment is applied to a security operation center and comprises an evaluation and improvement stage, a monitoring and analysis stage, a response and loss-stopping stage and a recovery and restoration stage.
The evaluation and improvement stage provides an evaluation and improvement field expert service and an evaluation and improvement first-line expert service.
The evaluation and improvement field expert service comprises a management system construction service, a security training service and a consultation and planning service.
The management system construction service achieves standardized management of organisations, personnel and processes by building a security management system framework and developing a security management system. The security management system it builds comprises organisation and personnel management, system and policy management, security management processes, security construction management and security operation and maintenance management.
The security training service builds a security training system framework and develops a security training system; the training comprises security awareness training, security management and administration training, network equipment security operation and maintenance training, security product operation and maintenance training, operating system operation and maintenance training, database operation and maintenance training, and secure application system development. The consultation and planning service obtains the network security management system and the existing regulations, systems and processes, combines them, and establishes and continuously improves the various security regulations, specifications, processes, mechanisms and modes.
The evaluation and improvement first-line expert service comprises an asset identification and management service, a business risk assessment service, a security notification service, an early warning and response service and a resident (on-site) operation and maintenance service.
The asset identification and management service comprises asset management, and asset fingerprint change management and threat monitoring. Asset management sets the asset types, directory structure and asset attributes of the security assets, numbers asset information uniformly, and queries and maintains asset information by that unified number.
The asset information includes basic information, security attributes, an asset view and asset vulnerability information. The basic information comprises asset name, IP address, MAC address, business system, department, security domain, equipment type, geographic location, responsible person and telephone; the security attributes comprise availability, integrity, confidentiality and asset value; the asset view is view information for asset security management organised along four dimensions: business domain, security domain, physical location and organisation; the asset vulnerability information is the vulnerability information and security configuration information provided by the integrated vulnerability scanning equipment.
Asset fingerprint change management and threat monitoring comprises an asset discovery management process, asset fingerprint management and asset threat monitoring. The asset discovery management process actively scans for and passively discovers assets coming online, changing and going offline, discovers shadow assets from traffic and logs, and achieves identification, management and inventory registration of assets across the whole network. Asset fingerprint management collects asset fingerprint information by scan sniffing and traffic analysis and finally establishes an asset fingerprint file. Asset threat monitoring periodically checks for changes made to an asset by analysing its fingerprint and its online changes.
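The asset record with its unified number, the asset fingerprint file, and the periodic online/change/offline and shadow-asset monitoring described here (and in the corresponding claims on the asset identification and management service) are illustrated by the following added Python example; it is not the patent's code. The fingerprint fields, the numbering scheme, the SHA-256 fingerprint-file entry and all host data are assumptions or constructed samples.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

# Fingerprint attributes gathered by scanning, sniffing and traffic analysis (assumed set).
FINGERPRINT_FIELDS = ("ip", "mac", "open_ports", "services")


def canonical_fingerprint(fp: Dict[str, object]) -> Dict[str, object]:
    """Normalise a raw fingerprint so that key order and list order do not matter."""
    canon: Dict[str, object] = {}
    for key in FINGERPRINT_FIELDS:
        value = fp.get(key)
        canon[key] = sorted(value) if isinstance(value, list) else value
    return canon


def fingerprint_hash(fp: Dict[str, object]) -> str:
    """Entry for the asset fingerprint file: SHA-256 over the canonical fingerprint."""
    blob = json.dumps(canonical_fingerprint(fp), sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def fp(ip: str, mac: str, ports: List[int], services: List[str]) -> Dict[str, object]:
    # Raw fingerprint record as a scanner or traffic sensor would report it.
    return {"ip": ip, "mac": mac, "open_ports": ports, "services": services}


@dataclass
class Asset:
    asset_id: str              # unified asset number, e.g. "DMZ-0001"
    name: str
    security_domain: str
    fingerprint: Dict[str, object]
    fingerprint_hash: str
    online: bool = True


class AssetInventory:
    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}      # keyed by the unified number
        self._ip_index: Dict[str, str] = {}     # IP -> unified number, for reconciliation
        self._seq: Dict[str, int] = {}

    def next_id(self, domain: str) -> str:
        # Unified numbering <security domain>-<sequence>: an assumed scheme, not the patent's.
        self._seq[domain] = self._seq.get(domain, 0) + 1
        return f"{domain}-{self._seq[domain]:04d}"

    def register(self, name: str, domain: str, raw: Dict[str, object]) -> Asset:
        asset = Asset(self.next_id(domain), name, domain,
                      canonical_fingerprint(raw), fingerprint_hash(raw))
        self.assets[asset.asset_id] = asset
        self._ip_index[str(raw["ip"])] = asset.asset_id
        return asset

    def reconcile(self, observed: List[Dict[str, object]]) -> List[Dict[str, str]]:
        """Check one discovery pass (active scan plus passive traffic/log discovery) against the
        inventory: SHADOW_ASSET for unknown hosts, ONLINE/CHANGED for known ones, OFFLINE if unseen."""
        events: List[Dict[str, str]] = []
        seen = set()
        for raw in observed:
            ip = str(raw["ip"])
            asset_id = self._ip_index.get(ip)
            if asset_id is None:
                events.append({"type": "SHADOW_ASSET", "asset_id": "", "ip": ip, "detail": ""})
                continue
            asset = self.assets[asset_id]
            seen.add(asset_id)
            if not asset.online:
                asset.online = True
                events.append({"type": "ONLINE", "asset_id": asset_id, "ip": ip, "detail": ""})
            new_fp, new_hash = canonical_fingerprint(raw), fingerprint_hash(raw)
            if new_hash != asset.fingerprint_hash:
                changed = [k for k in FINGERPRINT_FIELDS if asset.fingerprint[k] != new_fp[k]]
                events.append({"type": "CHANGED", "asset_id": asset_id, "ip": ip,
                               "detail": ",".join(changed)})
                asset.fingerprint, asset.fingerprint_hash = new_fp, new_hash
        for asset_id, asset in self.assets.items():
            if asset.online and asset_id not in seen:
                asset.online = False
                events.append({"type": "OFFLINE", "asset_id": asset_id,
                               "ip": str(asset.fingerprint["ip"]), "detail": ""})
        return events


def demo() -> List[Dict[str, str]]:
    """Constructed data: one host exposes a new service, one vanishes, one is unregistered."""
    inv = AssetInventory()
    inv.register("web-01", "DMZ", fp("10.0.1.10", "aa:bb:cc:00:00:01", [22, 443], ["ssh", "https"]))
    inv.register("db-01", "CORE", fp("10.0.2.20", "aa:bb:cc:00:00:02", [3306], ["mysql"]))
    inv.register("hmi-01", "OT", fp("10.0.3.30", "aa:bb:cc:00:00:03", [502], ["modbus"]))
    observed = [
        fp("10.0.1.10", "aa:bb:cc:00:00:01", [443, 22], ["https", "ssh"]),        # same, reordered
        fp("10.0.2.20", "aa:bb:cc:00:00:02", [3306, 8080], ["mysql", "http-alt"]),  # new service
        fp("10.0.9.99", "de:ad:be:ef:00:01", [23], ["telnet"]),                   # not in inventory
    ]
    return inv.reconcile(observed)
```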
The business risk assessment service obtains the existing network and information system security policy and carries out a global pre-assessment: the network and information system security policy comprises the information assets and their corresponding security measures; the security vulnerabilities present in the information assets are analysed, the security threats facing the information assets and the likelihood of those threats occurring are analysed, and the effectiveness of the security measures is checked, so that the security risk points present in the information assets are identified; an accepted risk threshold is preset, the degree of risk facing the user's information assets is assessed accurately by comparison with that threshold, and related rectification, repair and reinforcement suggestions are provided.
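As an added example of the business risk assessment service (not code from the patent): each asset's security attributes (availability, integrity, confidentiality, asset value), its vulnerabilities, the threat likelihood and the effectiveness of the measures in place are combined into a risk score, compared with the preset accepted-risk threshold, and turned into rectification, repair and reinforcement suggestions. The scoring formula, the 1..5 scales, the measure-effectiveness table, the threshold value and the sample assets are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Preset accepted-risk threshold on the 0..25 risk scale used below (assumed value).
RISK_THRESHOLD = 6.0

# How much each security measure reduces threat likelihood (0 = none, 1 = full).
# Constructed table; in practice these values come from checking the measures' effectiveness.
MEASURE_EFFECTIVENESS = {"waf": 0.6, "patched": 0.9, "network_isolation": 0.7, "mfa": 0.8}


@dataclass
class Vulnerability:
    vuln_id: str              # placeholder identifier, not a real advisory number
    severity: int             # 1 (low) .. 5 (critical)
    threat_likelihood: float  # 0..1, chance the threat is realised with no measures in place
    measures: List[str]       # security measures currently applied to this weakness


@dataclass
class InfoAsset:
    asset_id: str
    name: str
    confidentiality: int      # security attributes from the asset record, each 1..5
    integrity: int
    availability: int
    value: int                # asset value 1..5
    vulnerabilities: List[Vulnerability]


def impact(asset: InfoAsset) -> float:
    """Impact 0.2..5: the most demanding CIA attribute, weighted by asset value."""
    return max(asset.confidentiality, asset.integrity, asset.availability) * asset.value / 5


def residual_likelihood(v: Vulnerability) -> float:
    """Threat likelihood after the measures; a measure of unknown effectiveness counts as 0."""
    p = v.threat_likelihood
    for m in v.measures:
        p *= 1.0 - MEASURE_EFFECTIVENESS.get(m, 0.0)
    return p


def assess(asset: InfoAsset, threshold: float = RISK_THRESHOLD) -> List[Dict[str, object]]:
    """Risk = impact x severity x residual likelihood (0..25), compared with the threshold."""
    findings: List[Dict[str, object]] = []
    for v in asset.vulnerabilities:
        risk = round(impact(asset) * v.severity * residual_likelihood(v), 2)
        suggestions = [f"effectiveness of measure '{m}' is unverified; verify it or discount it"
                       for m in v.measures if m not in MEASURE_EFFECTIVENESS]
        if risk > threshold:
            suggestions.append("rectify: risk exceeds the accepted threshold, prioritise this item")
            if "patched" not in v.measures:
                suggestions.append("repair: apply the vendor fix for this vulnerability")
            if "network_isolation" not in v.measures:
                suggestions.append("reinforce: isolate the asset within its security domain")
        findings.append({"vuln_id": v.vuln_id, "risk": risk,
                         "status": "unacceptable" if risk > threshold else "accepted",
                         "suggestions": suggestions})
    return findings


def global_pre_assessment(assets: List[InfoAsset]) -> Dict[str, List[Dict[str, object]]]:
    """Assess every information asset covered by the security policy."""
    return {a.asset_id: assess(a) for a in assets}


def demo() -> Dict[str, List[Dict[str, object]]]:
    """Constructed sample: an internet-facing billing system and a low-value internal wiki."""
    billing = InfoAsset("BILL-01", "billing-web", 4, 5, 4, 5, [
        Vulnerability("V-A1", 5, 0.8, ["waf"]),
        Vulnerability("V-A2", 3, 0.5, ["patched", "waf"]),
    ])
    wiki = InfoAsset("WIKI-01", "intranet-wiki", 2, 2, 3, 2, [
        Vulnerability("V-B1", 4, 0.6, ["honeytoken"]),  # measure absent from the effectiveness table
    ])
    return global_pre_assessment([billing, wiki])
```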
The security notification service pushes security notifications after first-line experts have audited the collected and consolidated vulnerability information and confirmed the finding.
The early warning and response service monitors and manages the security health of the enterprise's internet assets on the basis of network security threat information, and proactively provides solutions for early warning, analysis and handling of security events; it proactively provides security event early warnings to the user by carrying out correlation analysis and behaviour profiling with big data on the attackers exposed on the Internet, and tagging the attacker threat information.
Through the early warning and response service it is possible to obtain:
1. whether vulnerabilities exist in the Web-based application service systems;
2. vulnerability verification, improving the efficiency with which internal security personnel handle vulnerability remediation;
3. attacker threat information, assisting internal security personnel in investigating security events;
4. secondary verification and retesting of the vulnerabilities.
Compared with traditional security monitoring means and services, the early warning and response service of this embodiment mainly meets the following security requirements: accurately locating the enterprise's suspected victim surface through asset inventory and checking key data service systems; and, for key information service systems, checking whether the website has been attacked and whether its vulnerabilities have been exploited.
The resident operation and maintenance service is an on-site security operation service comprising security monitoring of equipment operation, security audit of equipment operation, and backup and updating of equipment and policies. The specific work of the resident operation and maintenance service includes:
1. Daily inspection: check equipment operation logs and analyse equipment operating condition every working day; handle terminal faults promptly.
2. Equipment configuration and optimisation: adjust the configuration of security equipment (including security policy changes) according to business and security requirements, and merge and optimise policies.
3. Policy review: review the security policies each year and define the purpose and meaning of each policy.
4. Configuration backup: back up the configuration of security equipment weekly, and after every configuration adjustment.
5. Equipment upgrades: after a new version of equipment system software or a feature library is released, complete the equipment software upgrade promptly.
6. Fault handling: handle faults in information security products.
7. Maintenance of newly added equipment: cooperate in completing the installation and commissioning of newly added security equipment.
The monitoring and analysis stage comprises a monitoring and analysis field expert service and a monitoring and analysis first-line expert service.
The monitoring and analysis field expert service comprises a code audit service, a decompilation service, a penetration test service, a vulnerability exploitation analysis service and a sample analysis service.
The code audit service uses security tools together with manual analysis by security experts to perform source code security audits on application system program code, patch code and plug-in code, provides reasonable security correction measures in light of the risk situation found by the audit, and draws up a scheme for guiding and assisting security hardening. The code audit service establishes secure development specification requirements, guides the use of the latest compiler version and supporting tools, the use of compiler built-in protection features, the use of source code analysis tools and the prohibition of unsafe functions, and performs self-checking and auditing of secure code and periodic code review. It follows security standards such as CWE, OWASP Top 10, SANS Top 25, and the national military standards GJB 8114-2013 and GJB 5369-2005. Supported languages include: Java, C#, C/C++, Objective-C, JavaScript, Python, CSS, TypeScript, VB.NET, Swift, HTML, COBOL, XML, Kotlin, PHP, VB6, Scala, RPG, Go, Ruby, Flex, ABAP, Apex, PL/I, PL/SQL, T-SQL, etc.
The decompilation service decompiles virus samples, malicious plug-ins and attack software, on the premise of compliance, and evaluates the security condition of software and hardware. The decompilation service is carried out through the steps of file loading, instruction decoding, semantic mapping, correlation graph construction, process analysis, type analysis and result output; one or more of these steps are selected and combined according to the analysis purpose.
The content detected by the penetration test service includes: code vulnerabilities, protection policy vulnerabilities, middleware vulnerabilities, database vulnerabilities, server vulnerabilities, data communication security, N-day vulnerabilities, spear-phishing attacks, social engineering attacks, source code leakage, business logic security and information leakage. The service scope of the penetration test service includes: operating systems (Windows, Linux, FreeBSD, AIX); databases (MySQL, MSSQL, Oracle); middleware (Apache, IIS, Tomcat); application servers (FTP, DNS); web applications (PHP, JSP, .NET, Python); and routers and switches.
The vulnerability exploitation analysis service performs threat discovery over the whole-network data traffic, verifies and confirms high-level network attack events by means of vulnerability mining, vulnerability analysis and vulnerability exploitation, investigates and judges the scope of influence and degree of harm of the event, and outputs analysis and disposal reports.
The sample analysis service performs deep script analysis on virus samples and outputs a sample analysis report; the virus samples include viruses and Trojans, botnet worms, malware, rogue plug-ins and APT attack scripts.
The monitoring and analysis first-line expert service comprises a Web attack behavior analysis service, a network risk analysis service and a log audit service.
The Web attack behavior analysis service combs through and analyzes the Web attacks present in the intranet of the security operation center, using passive traffic capture as the capture mode; passive traffic capture identifies active host behavior from the data in the traffic. The captured information comprises source IP, destination IP, exploited module, attack mode, result type and sensitive information. The service items detectable by the Web attack behavior analysis service include: Web universal weak password detection and identification, weak password brute-force success identification, WebShell presence identification, web vulnerability scan identification, backdoor scan identification, SQL injection attack identification, Struts 2 attack identification, upload behavior attack identification, sensitive information leakage identification, XSS cross-site attack identification, sensitive path access identification, remote code execution identification and XML entity injection identification.
The network risk analysis service relies on an analysis cloud, expert cloud, intelligence cloud, detection-and-removal cloud and knowledge cloud to analyze the security risks present in the intranet of the security operation center, and detects and prevents APT attacks, novel Trojans and anti-virus-evading Trojans. The information mainly captured by the network risk analysis service comprises: source IP, destination IP, Trojan type, event activity, etc. The service items detectable by the network risk analysis service include: big data intelligence (IoC) alarm analysis, Web IDS alarm analysis, DDoS attack intelligence push, vulnerability notification push, malicious IP and Trojan push, malicious domain name and URL push, and event tracking and tracing push.
The log audit service relies on the expert cloud, analysis cloud and vulnerability cloud, collects the whole-network security logs of the security operation center, performs comprehensive analysis and audit of the security logs according to compliance requirements, evaluates the security risk situation in combination with threat intelligence, and provides corresponding security correction measures. The log audit service provides these measures through the following steps: acquiring threat intelligence data through a dedicated tool and combining it with a security audit of the existing logs, finding the traces left by attackers in the logs, and discovering and reconstructing intrusion events that have occurred; determining whether the system was successfully compromised by the attacker, obtaining a post-incident review roadmap of the application system's security event, obtaining an attacker profile, finding the vulnerability information successfully exploited against the application system, and calculating the possible loss caused by the security event; and, according to the acquired information, a first-line expert formulates security correction measures.
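The combination of passive traffic/log review with threat intelligence that the Web attack behavior analysis and log audit services describe, as an added example (not code from the patent): it walks constructed access-log lines, matches the detection items named above with narrow signatures, correlates sources with a constructed IoC list, and folds the result into a per-attacker profile with an intrusion timeline and a compromise flag. Log lines, IoC addresses and signatures are all constructed assumptions.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); addresses from documentation
# ranges, requests invented to exercise each detection item below.
SAMPLE_LOG = """\
198.51.100.23 - - [14/Apr/2023:10:01:12 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512
198.51.100.23 - - [14/Apr/2023:10:01:15 +0800] "GET /index.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 8190
198.51.100.23 - - [14/Apr/2023:10:02:40 +0800] "GET /.git/config HTTP/1.1" 403 210
198.51.100.23 - - [14/Apr/2023:10:03:02 +0800] "POST /upload.php HTTP/1.1" 200 88
198.51.100.23 - - [14/Apr/2023:10:03:09 +0800] "GET /uploads/cmd.php?cmd=whoami HTTP/1.1" 200 45
203.0.113.7 - - [14/Apr/2023:10:05:00 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
192.0.2.10 - - [14/Apr/2023:10:06:00 +0800] "GET /products HTTP/1.1" 200 4096
"""
# Constructed threat-intelligence indicators (IoC) standing in for a real feed.
IOC_MALICIOUS_IPS = {"198.51.100.23"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Detection items named in the service description, as deliberately narrow
# signatures applied to the URL-decoded request line ("METHOD path").
DETECTIONS = [
    ("SQL injection", re.compile(r"""['"]\s*(or|and)\s*['"]?\d|union\s+select|sleep\(\d+\)""", re.I)),
    ("XSS cross-site", re.compile(r"<script|javascript:|onerror\s*=", re.I)),
    ("sensitive path access", re.compile(r"/\.git/|/\.env$|/etc/passwd|/wp-config\.php", re.I)),
    ("upload behaviour", re.compile(r"^POST \S*upload", re.I)),
    ("WebShell presence", re.compile(r"/uploads/[^/?]+\.(php|jsp|aspx?)\b.*\bcmd=", re.I)),
]

@dataclass
class AttackerProfile:
    """The 'attacker portrait': one record per source IP that triggered a detection."""
    src_ip: str
    in_threat_intel: bool
    first_seen: datetime
    last_seen: datetime
    techniques: list = field(default_factory=list)  # in order of first appearance
    timeline: list = field(default_factory=list)    # (ts, technique, path, status)
    compromised: bool = False                       # WebShell request answered 200

    @property
    def risk(self) -> str:
        if self.compromised:
            return "critical"
        return "high" if self.in_threat_intel or len(self.techniques) >= 3 else "medium"

def parse_line(line):
    """(ip, timestamp, method, decoded path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], unquote(m["path"]), int(m["status"])

def classify(method, path):
    """Names of every detection item the request matches (usually zero or one)."""
    request = f"{method} {path}"
    return [name for name, rx in DETECTIONS if rx.search(request)]

def audit(log_text, ioc_ips):
    """Walk the log once, keep only requests that match a detection, and fold them
    into per-attacker profiles (traces, timeline, IoC match, compromise flag)."""
    profiles = OrderedDict()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ip, ts, method, path, status = event
        hits = classify(method, path)
        if not hits:
            continue
        profile = profiles.get(ip)
        if profile is None:
            profile = profiles[ip] = AttackerProfile(ip, ip in ioc_ips, ts, ts)
        profile.last_seen = max(profile.last_seen, ts)
        for name in hits:
            if name not in profile.techniques:
                profile.techniques.append(name)
            profile.timeline.append((ts, name, path, status))
            if name == "WebShell presence" and status == 200:
                profile.compromised = True   # the intrusion succeeded
    return profiles
```

Running `audit(SAMPLE_LOG, IOC_MALICIOUS_IPS)` yields one profile for the IoC-listed source with four techniques in intrusion order and a critical rating, one medium profile for the XSS probe, and nothing for the benign client.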
The response and loss-stopping stage includes a response and loss-stopping field expert service and a response and loss-stopping first-line expert service.
The response and loss-stopping field expert service comprises an emergency drill service and an important period security guarantee service.
The emergency drill service is a key measure for dealing with problems such as large-area network interruption, system paralysis and data leakage. Through continuous detection of the whole-network security state, the emergency drill must take into account every weak link that could be breached and achieve system linkage with the active detection mechanism, so as to dispose of detected security threats in a timely and accurate manner; and the network security emergency drill system and mechanism are re-evaluated, formulated and perfected on the basis of the drill results.
The important period security guarantee service provides security guarantee services during important periods, including security services for key information systems, key-period protection organizational architecture design, active defense, real-time threat detection, response and disposal, and attack prediction.
The response and loss-stopping first-line expert service comprises an emergency response service; the emergency response service is a 7×24-hour emergency response and disposal service, which formulates a mechanism for rapid response and disposal when a network security event occurs in the security operation center.
The recovery and review stage comprises a recovery and review field expert service and a recovery and review first-line expert service.
The recovery and review field expert service adjusts and optimizes the network and system architecture, and sets and adjusts the network protection policies, according to the business development requirements of the security operation center and the conclusions of third-party inspection, testing, evaluation and assessment.
The recovery and review first-line expert service, based on the whole-network security assets of the security operation center, formulates a security hardening scheme by combining threat intelligence, guidance from attack and defense experts, external risk reports, internal risk assessments, internal security inspections/tests/drills, any security hardening clues from situation awareness monitoring, and a comprehensive assessment of the threat influence level, threat influence scope and other dimensions.
While embodiments of the present invention have been described, various modifications or adaptations may be made within the scope of the following claims, and these are intended to fall within the scope of the invention as claimed.

Claims (9)

1. A network security system structure construction method, applied to a security operation center, characterized in that it comprises an evaluation and improvement stage, a monitoring and analysis stage, a response and loss-stopping stage and a recovery and review stage;
the evaluation and improvement stage provides an evaluation and improvement field expert service and an evaluation and improvement first-line expert service;
the evaluation and improvement field expert service comprises a management system construction service, a security training service and a consultation planning service;
the management system construction service realizes standardized management of organizations, personnel and processes by constructing a security management system framework and developing a security management system; the security training service constructs a security training system framework and develops a security training system; the consultation planning service acquires the network security management system and the existing institutions, systems and processes, and establishes and continuously improves various security institutions, specifications, processes, mechanisms and modes by combining the network security management system with those existing institutions, systems and processes;
the evaluation and improvement first-line expert service comprises an asset identification and management service, a business risk assessment service, a security notification service, an early warning response service and a resident operation and maintenance service;
the asset identification and management service comprises asset management, and asset fingerprint change management and threat monitoring; the asset management sets the asset types, directory structure and asset attributes of the security assets, uniformly numbers the asset information, and queries and maintains the asset information according to the unified number;
the asset fingerprint change management and threat monitoring comprises an asset discovery management process, asset fingerprint management and asset threat monitoring; the asset discovery management process actively scans for and passively discovers assets coming online, changing and going offline, discovers shadow assets through traffic and logs, and realizes whole-network asset identification, management and registration; the asset fingerprint management collects asset fingerprint information by scanning, sniffing and traffic analysis, and finally establishes an asset fingerprint file; the asset threat monitoring periodically monitors changes made to assets by analyzing the asset fingerprints and online changes;
the business risk assessment service acquires the existing network and information system security policy, which comprises the information assets and their corresponding security measures, and performs a global pre-assessment: it analyzes the security vulnerabilities present in the information assets, analyzes the security threats faced by the information assets and the likelihood of their occurrence, and checks the effectiveness of the security measures, so as to identify the security risk points present in the information assets; an acceptable risk threshold is preset, the risk level faced by the user's information assets is accurately assessed by comparison with the risk threshold, and relevant correction, repair and hardening suggestions are provided;
the security notification service is a service in which first-line experts audit the information on the collected and integrated vulnerabilities and, after confirming the time of discovery, push the security notification;
the early warning response service monitors and manages the security health state of the enterprise's Internet assets based on network security threat intelligence, and actively provides solutions for early warning, analysis and disposal of security events;
the resident operation and maintenance service is an on-site security operations service; the on-site security operations service comprises device operation security monitoring, device operation security audit, and device and policy backup and updating;
the monitoring and analysis stage comprises a monitoring and analysis field expert service and a monitoring and analysis first-line expert service;
the monitoring and analysis field expert service comprises a code audit service, a decompilation service, a penetration test service, a vulnerability exploitation analysis service and a sample analysis service;
the code audit service uses security tools together with manual analysis by security experts to perform source code security audits on application system program code, patch code and plug-in code, provides reasonable security correction measures in light of the risk situation found by the audit, and draws up a scheme for guiding and assisting security hardening;
the decompilation service decompiles virus samples, malicious plug-ins and attack software, on the premise of compliance, and evaluates the security condition of software and hardware;
the content detected by the penetration test service comprises: code vulnerabilities, protection policy vulnerabilities, middleware vulnerabilities, database vulnerabilities, server vulnerabilities, data communication security, N-day vulnerabilities, spear-phishing attacks, social engineering attacks, source code leakage, business logic security and information leakage;
the vulnerability exploitation analysis service performs threat discovery over the whole-network data traffic, verifies and confirms high-level network attack events by means of vulnerability mining, vulnerability analysis and vulnerability exploitation, investigates and judges the scope of influence and degree of harm of the event, and outputs analysis and disposal reports;
the sample analysis service performs deep script analysis on virus samples and outputs a sample analysis report;
the monitoring and analysis first-line expert service comprises a Web attack behavior analysis service, a network risk analysis service and a log audit service;
the Web attack behavior analysis service combs through and analyzes the Web attacks present in the intranet of the security operation center, using passive traffic capture as the capture mode; passive traffic capture identifies active host behavior from the data in the traffic; the captured information comprises source IP, destination IP, exploited module, attack mode, result type and sensitive information;
the network risk analysis service relies on an analysis cloud, expert cloud, intelligence cloud, detection-and-removal cloud and knowledge cloud to analyze the security risks present in the intranet of the security operation center, and detects and prevents APT attacks, novel Trojans and anti-virus-evading Trojans;
the log audit service relies on the expert cloud, analysis cloud and vulnerability cloud, collects the whole-network security logs of the security operation center, performs comprehensive analysis and audit of the security logs according to compliance requirements, evaluates the security risk situation in combination with threat intelligence, and provides corresponding security correction measures;
the response and loss-stopping stage comprises a response and loss-stopping field expert service and a response and loss-stopping first-line expert service;
the response and loss-stopping field expert service comprises an emergency drill service and an important period security guarantee service;
the emergency drill service is a key measure for dealing with problems such as large-area network interruption, system paralysis and data leakage; through continuous detection of the whole-network security state, the emergency drill takes into account every weak link that could be breached and achieves system linkage with the active detection mechanism, so as to dispose of detected security threats in a timely and accurate manner; the network security emergency drill system and mechanism are re-evaluated, formulated and perfected on the basis of the drill results;
the important period security guarantee service provides security guarantee services during important periods, including security services for key information systems, key-period protection organizational architecture design, active defense, real-time threat detection, response and disposal, and attack prediction;
the response and loss-stopping first-line expert service comprises an emergency response service; the emergency response service is a 7×24-hour emergency response and disposal service, which formulates a mechanism for rapid response and disposal when a network security event occurs in the security operation center;
the recovery and review stage comprises a recovery and review field expert service and a recovery and review first-line expert service;
the recovery and review field expert service adjusts and optimizes the network and system architecture, and sets and adjusts the network protection policies, according to the business development requirements of the security operation center and the conclusions of third-party inspection, testing, evaluation and assessment;
the recovery and review first-line expert service, based on the whole-network security assets of the security operation center, formulates a security hardening scheme by combining threat intelligence, guidance from attack and defense experts, external risk reports, internal risk assessments, internal security inspections/tests/drills, any security hardening clues from situation awareness monitoring, and a comprehensive assessment of the threat influence level, threat influence scope and other dimensions.
2. The network security system structure construction method according to claim 1, wherein the management system construction service constructs the security management system, specifically comprising organization and personnel management, institution and policy management, security management processes, security construction management, and security operation and maintenance management.
3. The network security system structure construction method according to claim 1, wherein the security training service constructs the security training framework and develops the security training system, specifically comprising security awareness training, security management training, network device security operation and maintenance training, security product operation and maintenance training, operating system operation and maintenance training, database operation and maintenance training, and application system secure development training.
4. The network security system structure construction method according to claim 1, wherein the asset information includes basic information, security attributes, asset views and asset vulnerability information;
the basic information comprises asset name, IP address, MAC address, business system, department, security domain, device type, geographic location, responsible person and telephone;
the security attributes include availability, integrity, confidentiality and asset value;
the asset view is view information for asset security management based on the four dimensions of business domain, security domain, physical location and organization;
the asset vulnerability information is the asset vulnerability information and security configuration information provided by the connected vulnerability scanning device.
5. The network security system structure construction method according to claim 1, wherein the early warning response service actively providing the user with security event early warning specifically comprises: performing association analysis and behavior profiling, using big data, on attackers exposed on the Internet, and labeling attacker threat intelligence.
6. The network security system structure construction method according to claim 1, wherein the decompilation service is specifically carried out through the steps of file loading, instruction decoding, semantic mapping, correlation graph construction, process analysis, type analysis and result output, and one or more of these steps are selected and combined according to the analysis purpose.
7. The network security system structure construction method according to claim 1, wherein the service scope of the penetration test service includes: operating systems (Windows, Linux, FreeBSD, AIX); databases (MySQL, MSSQL, Oracle); middleware (Apache, IIS, Tomcat); application servers (FTP, DNS); web applications (PHP, JSP, .NET, Python); and routers and switches.
8. The network security system structure construction method according to claim 1, wherein the virus samples include viruses and Trojans, botnet worms, malware, rogue plug-ins and APT attack scripts.
9. The network security system structure construction method according to claim 1, wherein the log audit service provides corresponding security correction measures, specifically comprising the steps of: acquiring threat intelligence data through a dedicated tool and combining it with a security audit of the existing logs, finding the traces left by attackers in the logs, and discovering and reconstructing intrusion events that have occurred; determining whether the system was successfully compromised by the attacker, obtaining a post-incident review roadmap of the application system's security event, obtaining an attacker profile, finding the vulnerability information successfully exploited against the application system, and calculating the possible loss caused by the security event; and, according to the acquired information, a first-line expert formulates security correction measures.
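Asset fingerprint change management and shadow-asset discovery from claim 1, using the asset attributes of claim 4, as an added example that is not part of the patent: two constructed fingerprint snapshots are compared to classify assets as online, offline or changed; hosts seen in scans, traffic or logs but absent from the inventory are reported as shadow assets; and a constructed unified numbering scheme is shown. The record layout, the numbering format and all sample hosts are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

@dataclass
class Observation:
    """What scanning/sniffing and traffic analysis yield for one host."""
    ip: str
    mac: str
    open_ports: frozenset
    banners: dict = field(default_factory=dict)  # port -> service banner

def fingerprint(obs):
    """Stable hash over the attributes that define the host's exposed surface;
    a change in MAC, open ports or banners produces a different fingerprint."""
    canon = json.dumps({"mac": obs.mac.lower(), "ports": sorted(obs.open_ports),
                        "banners": {str(p): b for p, b in sorted(obs.banners.items())}},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def build_fingerprint_file(observations):
    """The asset fingerprint file: ip -> (fingerprint, observation)."""
    return {o.ip: (fingerprint(o), o) for o in observations}

def detect_changes(previous, current):
    """Compare two fingerprint files: assets that came online, went offline, or
    changed (same IP, different fingerprint), with the fields that changed."""
    result = {"online": [], "offline": [], "changed": {}}
    for ip in sorted(set(previous) | set(current)):
        if ip not in previous:
            result["online"].append(ip)
        elif ip not in current:
            result["offline"].append(ip)
        else:
            (old_fp, old), (new_fp, new) = previous[ip], current[ip]
            if old_fp == new_fp:
                continue
            changes = {}
            if old.mac.lower() != new.mac.lower():
                changes["mac"] = (old.mac, new.mac)
            if new.open_ports - old.open_ports:
                changes["ports_opened"] = sorted(new.open_ports - old.open_ports)
            if old.open_ports - new.open_ports:
                changes["ports_closed"] = sorted(old.open_ports - new.open_ports)
            drift = [p for p in sorted(old.open_ports & new.open_ports)
                     if old.banners.get(p) != new.banners.get(p)]
            if drift:
                changes["banner_changed"] = drift
            result["changed"][ip] = changes
    return result

def find_shadow_assets(current, inventory_ips, traffic_ips, log_ips):
    """Shadow assets: hosts seen by scanning, in traffic or in logs but missing
    from the registered inventory."""
    return sorted((set(current) | set(traffic_ips) | set(log_ips)) - set(inventory_ips))

def assign_asset_id(security_domain, seq):
    """Constructed unified numbering scheme: AST-<DOMAIN>-<4-digit sequence>."""
    return f"AST-{security_domain.upper()}-{seq:04d}"

# Constructed sample snapshots: 10.0.1.10 unchanged, 10.0.1.11 opens RDP,
# 10.0.1.12 goes offline, 10.0.1.20 appears and is not in the inventory.
PREV = build_fingerprint_file([
    Observation("10.0.1.10", "00:11:22:33:44:01", frozenset({22, 443}), {22: "OpenSSH 8.9", 443: "nginx"}),
    Observation("10.0.1.11", "00:11:22:33:44:02", frozenset({445, 3306}), {445: "SMB", 3306: "MySQL 8.0"}),
    Observation("10.0.1.12", "00:11:22:33:44:03", frozenset({80}), {80: "Apache"}),
])
CURR = build_fingerprint_file([
    Observation("10.0.1.10", "00:11:22:33:44:01", frozenset({22, 443}), {22: "OpenSSH 8.9", 443: "nginx"}),
    Observation("10.0.1.11", "00:11:22:33:44:02", frozenset({445, 3306, 3389}),
                {445: "SMB", 3306: "MySQL 8.0", 3389: "RDP"}),
    Observation("10.0.1.20", "00:11:22:33:44:09", frozenset({8080}), {8080: "Tomcat"}),
])
INVENTORY_IPS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
```

`detect_changes(PREV, CURR)` reports the new host as online, the vanished host as offline and the RDP port opening as the only change; `find_shadow_assets` then flags any address not carrying a unified asset number.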
CN202310400880.0A 2023-04-14 2023-04-14 Network security system structure construction method Pending CN117499066A (en)


Publications (1)

Publication Number Publication Date
CN117499066A true CN117499066A (en) 2024-02-02

Family

ID=89671396



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination