RU2815595C1 - System and method for predicting signs of information security incidents in automated control systems - Google Patents

Abstract

FIELD: information security.

SUBSTANCE: technical result is achieved when implementing a method for predicting signs of information security incidents in an automated control system, in which performing: collecting events from heterogeneous sources, aggregating events to reduce the number of recurring events, determining the category of events, normalizing events in accordance with the category, enrichment of incoming events with missing and additional information for correct operation of correlation rules, determination of cause-and-effect relationships between normalized and information-enriched events to identify significant information and predict information security incidents, recording in a chronological sequence of events received from sources into an event database, displaying screen notifications on predicted information security incidents on a console.

EFFECT: high efficiency of predicting signs of information security incidents by information protection and event management systems in automated control systems.

1 cl, 2 dwg

Description

The invention relates to systems and methods for predicting signs of information security incidents in automated control systems.

With the growing number of information systems and the improvement of methods and forms of automation of information processing and transmission processes, the vulnerability of system processes and resources increases, which directly affects the violation of information security measures, and as a result, the interruption of state and military control processes. These vulnerabilities affect the information security of automated control systems and can lead to negative consequences. Such consequences define the concept of an incident, which is understood as one or more undesirable events that entail a violation of the integrity, confidentiality and availability of information. An event is any situation in a system or network that reflects the functionality of system-wide application software and hardware and specialized software and hardware.

The automated control system sooner or later comes into operation. It is important for the user that the system works without failures. If an emergency does occur, it should be resolved with minimal delay.

In the context of processing information related to information security incidents, a large number of machine learning methods have been developed for analyzing multi-format data sets (network traffic, event logs); there are quite a lot of software and hardware implementations of these methods that allow real-time analysis of events emanating from devices and applications, normalize and correlate them, using various technical techniques to compare audit data from various sources in order to identify significant information and respond to them before significant damage occurs. Such developments belong to the class of information security and event management systems (security information event management, abbreviated as SIEM).

One of the rather pressing tasks facing such systems is the task of processing large arrays of heterogeneous data about events coming from various sources. The sources of events (monitoring data) are: automated workstations (logs from the operating system, databases, applications); server equipment; telecommunications equipment; information security tools; other monitoring objects determined by the information security administrator of the automated control system.

A modern automated control system may contain several hundred or even thousands of such data sources. As a result, the information security server or automated workstation of the information security administrator may receive data on hundreds of events per day for processing.

Processing of incoming events includes operations such as: normalization (bringing collected data to a single format); filtering (screening out duplicate, insignificant or useless data); aggregation (the process of combining homogeneous and repeating event data); analysis; correlation (determining relationships between instances of events and their groups); ranking (evaluation of correlation results based on certain characteristics); prioritization (calculating the degree of importance of the results of the correlation process).

A computer system is known from the prior art, described in US Pat. No. 7,376,969 B1, which collects security events generated by multiple network devices; event normalization to create normalized security events in the overall scheme; cross-correlation of normalized security events according to rules for generating meta-events.

The specified system and method are the closest in technical essence to the declared ones.

The disadvantage of this known computer system, which allows capturing, normalizing and reporting security events from heterogeneous sources, is the lack of a means of determining the category of initial events and a means of enriching the normalized events with missing and additional information, in accordance with the category, to the extent necessary for the correct operation of the correlation rules. Event normalization is a schema - a set of fields into which the data from the original event is placed during the process. Often normalized events do not always contain information in the amount necessary for the correct operation of correlation rules, due to their simplification. Simplification occurs in several stages. When some phenomenon occurs at the event source, it is recorded in different formats, first in the operating system event log (first stage) and then in the information security and event management system (second stage). Each stage of processing is accompanied by data loss, since at the operating system level there is one log scheme, defined by the operating system developers and limited by a set of fields - log scheme and size, and at the level of the information security and event management system another. Normalization and saving of an event in an information security and event management system also occurs with data loss, just as within this system there is its own scheme, limited by a set of fields, and if the discarded information that does not fit into the fields of the scheme at one or another level is important, then understand the meaning of what is happening in the event will be very difficult. These facts lead to the fact that those responsible for writing correlation rules will interpret normalized events ambiguously.

The purpose of the proposed invention is to improve the efficiency of predicting signs of information security incidents by information security and event management systems in automated control systems by enriching events with missing and additional information, in accordance with the category, to the extent necessary for the correct operation of correlation rules.

After all the key attributes of the initial event have been identified, it is necessary to describe the essence of the process itself reflected in it, enrich it with missing and additional information, in accordance with the category, to the extent necessary for the correct operation of the correlation rules and translate it into the language of normalization.

The implementation of information security and event management systems often begins with connecting sources that generate heterogeneous events. An important property of these events is that they reflect the functionality of the sources themselves.

Categorizing events allows you to work with semantically similar events in the same way, regardless of the source type:

1. Semantically similar events from any type of source have a common category.

2. For events of each category, clear rules for filling out the fields of the diagram are defined. This way we effectively combat the chaos that arises at the stage of event normalization and often leads to multiple false positives of correlation rules.

3. Operating with categories allows you to avoid unnecessary checks in the code of correlation rules in order to understand the semantics of the event.

We include the main purpose of the source as types of sources: network equipment, operating systems, application software.

In an automated control system, based on the specifics of generated events, two large types of sources can be distinguished:

1. IT sources - system-wide application software and hardware that generates IT events.

2. Information security sources - specialized software and hardware for the company’s information security that generate information security events.

The fundamental differences between these types of events are that IT sources report the occurrence of any phenomena in an automated control system, without assessing the level of security - “good” or “bad”. Unlike IT sources, information security sources have additional external knowledge on how to interpret certain events from a security point of view - policy. Thus, the use of policies allows information security sources to make decisions - whether an observed phenomenon is “good” or “bad” - and report this to the information security and event management system through generated information security events.

System-wide application software and hardware, which we refer to as IT event sources, are designed to implement or support specific processes to perform their tasks. In the course of their resolution, accomplished facts are recorded by individual IT events. They can be attributed to the process through which each occurred. By highlighting the processes occurring in IT sources, we can form the first level of categorization. It will define a semantic field that allows IT events to be correctly interpreted.

When analyzing events, it becomes clear that each of them describes the interaction of several attributes within the framework of an already defined process. By highlighting one of these attributes as the main one as an object of interaction, we form the second level of categorization. The nature of the behavior of the main attribute in an event within a specific process will play the role of the third level of categorization of IT events. An additional, fourth level that determines the success or failure of the action described in the event.

In total, we received the following levels at the output:

1. Context (process) within which the event occurred. Sublevels of the first level:

- business continuity management;

- user and rights management;

- access control;

- availability management;

- deployment management;

- management of network interactions;

- network management;

- database management;

- system management;

- management of other applications.

2. Object (main attribute) described by the event. Sublevels of the second level:

- identifying attribute;

- executable attribute;

- rules and policies,

- attribute of information storage in the operating system;

- network connections attribute;

- node network identification attribute

- database attribute;

- physical equipment.

3. The nature of the object’s behavior within a given context. Sublevels of the third level:

- interactions affecting the functioning of the attribute;

- communication between attributes;

- actions to work with the attributes themselves, including manipulation of their data;

- interaction resulting in the addition of a new attribute to the context (or removal of an entity from the context)

- information events about changes in the attribute state.

4. An additional level describes the status of these actions (success, failure).

Thus, we have created four levels of categorization of IT events, which make it possible to conveniently operate with semantically similar events from various types of sources in the IT infrastructure of an automated control system. To ensure the unambiguity of the resulting categorization levels, separate sublevels of each level were formed.

When considering the categorization of information security events, we should note that only events coming from information security tools in an automated control system are considered.

The method for categorizing information security events is formulated as follows: any information security incident that occurs in an automated management system is reflected in one or several environments at once: the level of a specific host, the network level, the level of the physical environment.

Information security tools operating at these levels detect an information security incident and generate information security events that enter the information security and event management system.

When working with information security events, it is often necessary to understand in what environment the symptom of an information security incident was identified. And based on this, form the logic of the correlation rule. Thus, the detection environment is the first level of categorization of information security events. The detection environment includes the following sublevels:

- host (events coming from security tools installed on end workstations and servers);

- networks (events coming from systems that analyze network traffic and apply a set of established security policies to it);

- physical environment (events coming from physical security means).

The second level of categorization of information security events is related to the first, but has features due to the following prerequisites:

- information security incidents do not always manifest themselves in the physical environment;

- information security incidents in the physical environment are not always related to information security incidents, but there are also overlaps;

- incidents at the network and end-host levels often have a similar structure and semantics.

Therefore, at the second level there is a group of categories corresponding to information security incidents at the level of the physical environment, and groups of categories common to information security incidents at the network and host levels.

A group of categories corresponding to information security incidents at the level of the physical environment:

- physical penetration (unauthorized or unregulated bypass of the physical security system);

- damage (targeted damage, destruction, reduction in the service life of equipment or communication channels).

Groups of categories common to network and host level information security incidents:

- data collection (collection of data about the object of protection from open and closed sources of information, using active and passive collection methods);

- violation of availability (random disruption of the availability of individual services and systems as a whole);

- information leakage (detection of confidential data leakage through any communication channels).

- anomalies (significant deviations of the parameters of the protected object or its behavior from the previously established norm).

The third level of categorization of information security events clarifies the second and directly describes the information security incidents themselves, the essence of which is reflected in information security events.

Thus, in order to unify the normalization of events, the method of enriching events with missing and additional information, in accordance with the category, defines the following rules:

1. For each category of each level of IT and information security events, a directory is generated with a list of the information that needs to be found in the original event and normalized.

2. If any category has been assigned to an event, it must be found in accordance with the directory and normalized.

3. Each category defines a set of normalized event schema fields that must be completed.

Thus, the category chosen for the event establishes a direct correspondence between:

- semantics of the event;

- important information that needs to be extracted from the event, according to the category;

- a set of fields of the normalized event scheme in which this information must be “put”.

This method allows you to clearly understand from the category of any event what data is in which fields of the normalized event.

In FIG. Figure 1 shows a diagram of a computer system. The system includes: event sources 101; automated security administrator workstation or information security server 102 information security and event management system 103; a tool for collecting events from sources 104; means of aggregation of received events 105; means for determining the category of events 106; means of normalizing events 107; a means of enriching events with information in accordance with category 108; event correlation tool 109; event database 110 and console (user interface) 111.

The automated security administrator workstation or information security server 102 includes an information security and event management system 103, an event database 110 and a console (user interface) 111.

The information security and event management system 103 includes a means for collecting events from sources 104, a means for aggregating received events 105, a means for determining the category of events 106; means of normalizing events 107; a means for enriching events with information in accordance with category 108 and a means for correlating events 109.

The main purpose of the information security and event management system 103 is to analyze multi-format data arrays (network traffic, event logs) downloaded from sources 101 using tool 104, in order to identify significant information and respond to it before significant damage occurs.

Let's take a closer look at an example of how the information security and event management system 103 works.

Information security and event management systems 103 collects events generated by heterogeneous sources 101 (network devices/applications in an automated control system) using a tool 104.

The aggregation tool for received events 105 of the information security and event management system 103 allows you to reduce the amount of “garbage”, namely repeating events (collapse of several events into one). This helps reduce the volume of events processed.

The event category definition tool 106 allows you to understand the category of the event, namely by what source it was generated, to describe the essence of the process itself reflected in the event.

The event normalization tool 107 allows you to extract the necessary information from the original events and put it into the fields of the normalized event schema in accordance with the category.

The tool for enriching events with information in accordance with category 108 allows you to enrich events with missing and additional information in accordance with the category, since incoming events do not always contain information in the amount necessary for the correct operation of correlation rules.

The event correlation tool 109 contains a repository of correlation rules that allow you to determine cause-and-effect relationships between events that are normalized and supplemented with the necessary information. The rules engine underlies the event correlation tool 109 and is used to cross-correlate event data with rules to predict information security incidents.

The event database 110 is a centralized database where events received from automated control system sources are stored in chronological order.

On-screen notifications may be displayed on the console (user interface) 111 to prompt the information security administrator to open relevant information to investigate the information security incidents that led to the notification.

The listed distinctive features of the claimed invention make it possible to increase the efficiency of the correlation rules and, as a result, increase the number of predicted information security incidents in the automated control system.

The proposed technical solutions are industrially applicable, as they are based on computer technology and modeling tools, which are widely used in modeling control processes in automated control systems.

The claimed invention is illustrated by a specific example of implementation, which, however, is not the only possible one, but clearly demonstrates the possibility of achieving the required technical result by the given set of features.

Fig. 2 represents an example of a general purpose computer system, a personal computer or server 200, including a central microprocessor 201, internal memory 205, and a system bus 202 that contains various system components, including memory, coupled to the central processing unit 201. The system bus 202 is implemented as any bus structure known from the prior art, which in turn contains a bus memory or bus memory controller, a peripheral bus, and a local bus that is capable of interoperating with any other bus architecture. The internal memory 205 contains read-only memory (RAM memory) 204, random access memory (ROM memory) 203. The main input/output system (BIOS) contains the basic procedures that ensure the transfer of information between elements of the personal computer 200, for example, at boot time operating system using RAM 204.

The personal computer 200 in turn includes a hard disk 207 for reading and writing data, a magnetic disk drive 209 for reading and writing removable magnetic disks, and an optical drive 211 for reading and writing removable optical disks such as CD-ROM, DVD-ROM and other optical storage media. The hard disk drive 207, the magnetic disk drive 209, and the optical drive 211 are connected to the system bus 202 through the hard disk drive interface 208, the magnetic disk drive interface 210, and the optical drive interface 212, respectively. Drives and related computer storage media provide non-volatile means for storing computer instructions, data structures, program modules, and other data of the personal computer 200.

This description discloses an implementation of a system that uses a hard disk, a removable magnetic disk, and a removable optical disk, but it should be understood that other types of computer storage media that are capable of storing data in a computer-readable form (solid-state drives, flash memory cards, digital disks, random access memory (ROM), etc.).

The computer 200 has a file system that stores a recorded operating system and additional software applications, other software modules, and program data. The user has the ability to enter commands and information into the personal computer 200 through input devices (keyboard 215, mouse 217). Other input devices (not shown) can be used: microphone, joystick, game console, scanner, etc. Such input devices are typically connected to the computer system 200 via I/O ports 214 and serial switch ports 216, which in turn are connected to the system bus 202, but may be connected in other ways, such as through a parallel gaming switch port 219. port or universal serial bus (USB). A monitor 213 or other type of display device is also connected to the system bus 202 through an interface, such as a video adapter 206. In addition to the monitor 213, the personal computer may be equipped with other peripheral output devices, such as speakers (not displayed), a printer, or the like. The printer 220 is connected to the system bus 202 via a serial switch port 219.

The personal computer 200 is capable of operating in a networked environment, using a network connection to another or more remote computers 223. The remote computer(s) 223 are the same personal computers or servers that have most or all of the elements noted earlier in the description of the entity personal computer 200 shown in FIG. 2. There may also be other devices in the computer network, for example, routers, network stations, peeling devices or other network nodes.

The network connections may form a local area network (LAN) 222 and a wide area network (WAN). Such networks are used in corporate computer networks, internal company networks and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 200 is connected to a local area network through a network adapter or network interface 221. When using networks, the personal computer 200 may use a modem 218 or other means of communicating with a wide area network, such as the Internet. The modem 218, which is an internal or external device, is connected to the system bus 202 via a serial switch port 216. It should be clarified that the network connections are only approximate and are not required to represent the exact network configuration, i.e. in fact, there are other ways to establish a connection using technical means of communication from one computer to another.

In conclusion, it should be noted that the information given in the description are examples only and do not limit the scope of the present invention to the described formula. One skilled in the art will appreciate that other embodiments of the present invention may exist within the spirit and scope of the present invention.

Claims (19)

1. A system for predicting signs of information security incidents in an automated management system, containing data on system events received from sources connected to an automated workstation of an information security administrator or an information security server; an automated workstation for an information security administrator or an information security server, including an information security and event management system, which consists of a means of collecting events from sources, allowing you to collect events generated by heterogeneous sources, means of aggregation of received events, allowing to reduce the number of repeating events, a means of determining the category of events, allowing you to determine exactly what type of source it was generated, to describe the essence of the process itself reflected in the event, a means of normalizing events, allowing you to bring received events to the format necessary for their further processing and storage in accordance with the category, a means of enriching events with information in accordance with the category, allowing you to enrich incoming events with missing and additional information for the correct operation of correlation rules, according to the rules according to which for each category of each level of events a directory is formed with a list of the information that needs to be found in the original event and normalized, if any category has been assigned to an event, it must be found in accordance with the directory and normalized, each category defines a set of fields in the normalized event schema that must be filled in, event correlation tools that allow you to determine cause-and-effect relationships between events that are normalized and enriched with the necessary information, to identify significant information and predict information security incidents; an event database that allows you to store events received from sources in chronological order; a console that allows you to display on-screen notifications. 2. A method for predicting signs of information security incidents in an automated control system, in which the following is performed: collection of events generated by heterogeneous sources means of collecting events from sources, event aggregation means aggregation of received events to reduce the number of duplicate events, determining the category of events by means of determining the category of events, allowing you to determine what type of source they were generated, normalization of events by bringing the received events to the format necessary for their further processing and storage in accordance with the category, means of event normalization, enrichment of incoming events with missing and additional information for the correct operation of correlation rules by means of enriching events with information in accordance with the category, according to the rules according to which for each category of each level of events a directory is formed with a list of the information that needs to be found in the original event and normalized if the event any category has been assigned, it must be found in accordance with the directory and normalized, each category defines a set of fields of the normalized event scheme that must be filled in, determination of cause-and-effect relationships between events normalized and enriched with the necessary information to identify significant information and predict information security incidents by means of event correlation, recording in a chronological sequence of events received from sources into an event database, outputting screen notifications about predicted information security incidents to the console.

Images