TWI591576B - System and Method for Intelligent Information Security Network Blocking Analysis - Google Patents
- Publication number
- TWI591576B (application TW105120119A)
- Authority
- TW
- Taiwan
- Prior art keywords
- blocking
- host
- information
- analysis
- data
- Prior art date
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Description
The present invention relates to a system and method for intelligent information security network blocking analysis.
Because the network architecture of a large enterprise is highly complex, ensuring that a network service is actually blocked requires issuing blocking commands at multiple gateways, which makes multi-gateway blocking inefficient and hard to manage. In addition, with past blocking approaches, a host whose network service had been blocked often could not have that blocked state lifted, which is a management problem.
In view of the drawbacks of the conventional approaches described above, the inventors sought to improve on them and, after years of research, completed the present system and method for intelligent information security network blocking analysis.
To achieve the above objective, the present invention provides an intelligent network service blocking method and system that improves the execution efficiency of blocking commands, improves host management efficiency, and solves the management problems of blocking and unblocking hosts. The invention comprises an intelligent network blocking analysis server and an intelligent network blocking control server; the corresponding servers run an intelligent information security network blocking analysis program and an intelligent information security network blocking control program. The servers and programs contain the following eight modules: a data analysis unit, an IP asset analysis unit, an asset management unit, a blocking impact analysis unit, a block list management unit, a data collection unit, a system communication unit, and an IP blocking control unit. The data collected by the invention includes, but is not limited to, network activity logs such as proxy server logs and firewall logs. For hosts that raise information security concerns, the invention calculates the priority with which their network service should be blocked, intelligently determines the most suitable device on which to execute the blocking command, and dispatches the blocking commands for the hosts that must be blocked first to that device. In addition to dispatching blocking commands, the invention also estimates the life cycle of a host's network connections and, from that life cycle, estimates when the blocking command for a host whose network service has been blocked can be lifted.
A system for intelligent information security network blocking analysis, mainly comprising: an analysis module, which analyses data and calculates the aggregate asset score Srcinv(IP) and the blocking score Srcbk(IP), and which includes: a data analysis unit, which receives log record data of various kinds through the system communication unit and performs pre-processing and analysis; an IP asset analysis unit, which integrates the enterprise information equipment asset information analysed by the asset management unit and calculates the asset score Srcinv(IP) of each host; and a blocking impact analysis unit, which, through the block list management unit, retrieves information on hosts that raise security concerns and require network blocking, performs an impact analysis of each host, and analyses the impact on the overall architecture of the enterprise's internal network once the host's network service is blocked and the host goes offline; an information management module, which analyses and manages information, and which includes: an asset management unit, which retrieves the relevant information from the enterprise information equipment asset database and calculates and analyses the asset level and information of host devices; and a block list management unit, which analyses and accesses the relevant information in the block list database; a collection module, which collects the relevant data (please specify what kind of data or information), and which includes: a data collection unit, which gathers the data to be analysed and stores it in the database, collecting log data of various kinds through storage devices and the network; and an execution module, which transmits data and executes commands, and which includes: a system communication unit, which handles communication between the intelligent information security network blocking analysis program and the intelligent information security network blocking control program; and an IP blocking control unit, which resides on the security equipment at the enterprise network boundary and mainly executes network service blocking commands or network service unblocking commands.
Wherein the asset score is the aggregate asset score Srcinv(IP) calculated through a linear regression model, and the calculation of the asset score refers to the importance of the role the host belongs to, the importance of its domain, its confidentiality level, how busy its operation is, how frequently it connects to other hosts in the enterprise network (out-link frequency), and how frequently other hosts in the enterprise network connect to it (in-link frequency); the blocking impact analysis unit manages all blocked hosts and provides assistance with control, calculates the blocking score Srcbk(IP) from the asset score Srcinv(IP) calculated by the IP asset analysis unit together with the host's block list information, and uses that score to determine which hosts must have their network service blocked first; the blocking impact analysis unit also evaluates, for each host to be blocked first, the most suitable device to which its blocking command should be dispatched, and dispatches the command to that device; the blocking impact analysis unit also records the start date, the estimated end date and the device executing the blocking command for each host whose network service is blocked; the management information is the organisation's or enterprise's internal asset information and blocking information; the log data of various kinds are proxy server logs and firewall logs; the system communication unit retrieves the data gathered by the data collection unit from the database and sends it to the data analysis unit for analysis; and the system communication unit also receives the blocking dispatch and unblocking commands from the blocking impact analysis module and forwards them to the asset management unit, so that the network service state of a specific host is controlled by the security equipment at the enterprise's internal network boundary.
A method for intelligent information security network blocking analysis, comprising: collecting data and transmitting the data; analysing the data, processing and analysing it to obtain the aggregate blocking score, which serves as the basis for deciding whether a given host should have its network service blocked first; adding relevant information, using auxiliary information to assist the analysis, where the auxiliary information means asset information and blocking information; deciding whether to block, which uses the blocking score Srcbk(IP) calculated from the analysed data to determine whether the current host IP must be blocked first: if the score is above the blocking threshold the decision is yes and the flow continues, and if the score is below the threshold the decision is no and the flow ends; calculating the execution approach, which calculates the host's life cycle and the best device on which to execute the command; and executing the command on the most suitable device.
Wherein collecting data comprises: collecting log data, gathering log record data of various kinds and storing it in the database; and transmitting data, sending the gathered log record data to the data analysis unit for analysis.
Wherein analysing data comprises: processing data, pre-processing and analysing the received log record data; calculating the asset score, using the log record data and the host asset information to calculate the asset score Srcinv(IP); and calculating the blocking score, using the asset score Srcinv(IP) and the block list information to analyse the impact on the overall architecture of the enterprise's internal network once the host's network service is blocked and the host goes offline, and calculating the blocking score Srcbk(IP).
Wherein adding relevant information comprises: adding asset information, importing the host asset information into the analysis program; and adding blocking information, importing the block list information into the analysis program.
Wherein calculating the execution approach comprises: calculating the best execution point, determining the device to which the current host's blocking command is dispatched, where, to achieve the highest blocking efficiency, this step calculates the device with the best blocking effect; calculating the blocking life cycle, using the estimated host life cycle to calculate the date on which the blocked host may have its blocking command lifted; transmitting the blocking command, dispatching the blocking command to the device according to the best blocking dispatch device calculated from the transmitted data; and transmitting the unblocking command, sending the unblocking information to the device and notifying the device administrator according to the host life cycle and unblocking date estimated from the processed data.
Wherein executing the command comprises: executing the blocking command, executing it on the most suitable device for a host whose network service needs to be blocked; and executing the unblocking command, executing it, for a host whose network service can be restored, on the device that originally blocked its network service.
Wherein the host asset information comprises the importance of the role the host belongs to, the importance and confidentiality level of the domain the host belongs to, how busy the host's operation is, how frequently the host connects to other hosts (out-link frequency), and how frequently other hosts connect to it (in-link frequency).
Compared with other conventional techniques, the system and method for intelligent information security network blocking analysis provided by the invention have the following advantages: 1. Compared with ordinary network blocking methods, the invention solves the problem that several network service blocking methods traditionally run in parallel without a centralised management mechanism, and so avoids the waste of resources caused by blocking the same host repeatedly through poor coordination, or the management gap caused by failing to block equipment that should be controlled. The invention automatically calculates the role and risk level of each candidate host to be blocked and the scope of impact of blocking it; the system recommends hosts with important roles, high risk values and wide impact as the hosts to handle first, unlike the traditional method, which blocks every host that must be blocked without any prioritisation. On the other hand, it calculates, from each host's profile, the most efficient blocking gateway and the life cycle of that host's network activity, and so dispatches blocking commands and sends unblocking recommendations intelligently, which solves the inefficiency and management difficulty of traditional multi-gateway blocking and, at the same time, the management problem of blocked, offline hosts that cannot have their blocked state lifted. As for the device on which blocking is executed, the invention can match the channels that various attacks may use and block them more intelligently through different blocking methods: for example, blocking by domain name must be executed on the DNS or the NG-Firewall, while blocking by IP can be executed directly on the Firewall. Overall, the invention provides a more intelligent network blocking method that can assist decision-making in the enterprise's internal network and can even provide automatic decision-making.
110 Analysis module
111 Data analysis unit
112 IP asset analysis unit
113 Blocking impact analysis unit
120 Information management module
121 Asset management unit
122 Block list management unit
210 Execution module
211 System communication unit
212 IP blocking control unit
220 Collection module
221 Data collection unit
S210~S262 Process flow
Refer to the detailed description of the invention and the accompanying drawings for a fuller understanding of its technical content, purpose and effects. The drawings are: FIG. 1, a schematic diagram of the architecture of the system and method for intelligent information security network blocking analysis of the invention; and FIG. 2 and FIG. 3, flowcharts of the system and method for intelligent information security network blocking analysis of the invention.
To make the objective, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only serve to explain the invention and are not intended to limit it.
The invention is further described below with reference to the drawings. Refer to FIG. 1, a schematic diagram of the architecture of the system and method for intelligent information security network blocking analysis of the invention. The system for intelligent information security network blocking analysis mainly comprises: an analysis module 110, which analyses data and calculates the aggregate asset score Srcinv(IP) and the blocking score Srcbk(IP), and which includes: a data analysis unit 111, which receives log record data of various kinds through the system communication unit 211 and performs pre-processing and analysis; an IP asset analysis unit 112, which integrates the enterprise information equipment asset information analysed by the asset management unit 121 and calculates the asset score Srcinv(IP) of each host; and a blocking impact analysis unit 113, which, through the block list management unit 122, retrieves information on hosts that raise security concerns and require network blocking, performs an impact analysis of each host, and analyses the impact on the overall architecture of the enterprise's internal network once the host's network service is blocked and the host goes offline; an information management module 120, which analyses and manages information, and which includes: an asset management unit 121, which retrieves the relevant information from the enterprise information equipment asset database and calculates and analyses the asset level and information of host devices; and a block list management unit 122, which analyses and accesses the relevant information in the block list database; a collection module 220, which collects the relevant data, where that data includes traffic logs, proxy logs, firewall logs, DNS logs and the like, and which includes: a data collection unit 221, which gathers the data to be analysed and stores it in the database, collecting log data of various kinds through storage devices and the network; and an execution module 210, which transmits data and executes commands, and which includes: a system communication unit 211, which handles communication between the intelligent information security network blocking analysis program and the intelligent information security network blocking control program; and an IP blocking control unit 212, which resides on the security equipment at the enterprise network boundary and mainly executes network service blocking commands or network service unblocking commands.
The asset score is the aggregate asset score Srcinv(IP) calculated through a linear regression model, and its calculation refers to the importance of the role the host belongs to, the importance of its domain, its confidentiality level, how busy its operation is, how frequently it connects to other hosts in the enterprise network (out-link frequency), and how frequently other hosts in the enterprise network connect to it (in-link frequency). The blocking impact analysis unit 113 manages all blocked hosts and provides assistance with control; it calculates the blocking score Srcbk(IP) from the asset score Srcinv(IP) calculated by the IP asset analysis unit 112 together with the host's block list information, and uses that score to determine which hosts must have their network service blocked first. The blocking impact analysis unit 113 also evaluates, for each host to be blocked first, the most suitable device to which its blocking command should be dispatched, and dispatches the command to that device; it also records the start date, the estimated end date and the device executing the blocking command for each host whose network service is blocked. The management information is the organisation's or enterprise's internal asset information and blocking information; the log data of various kinds are proxy server logs and firewall logs. The system communication unit 211 retrieves the data gathered by the data collection unit 221 from the database and sends it to the data analysis unit 111 for analysis; the system communication unit 211 also receives the blocking dispatch and unblocking commands from the blocking impact analysis module and forwards them to the asset management unit 121, so that the network service state of a specific host is controlled by the security equipment at the enterprise's internal network boundary.
In the usage scenario of the invention, the user deploys it in the enterprise's internal network. The intelligent network blocking analysis server analyses whether a host IP needs its network service blocked, calculates where (or on which device) the blocking command is to be dispatched, and produces an unblocking recommendation for that command. The analysis results of the intelligent network blocking analysis server are sent to the intelligent network blocking control server located on the enterprise network boundary, and the control server controls the execution of each command.
The modules are divided by function. The data collection unit 221 is mainly used to gather the data to be analysed and store it in the database, collecting log data of various kinds through storage devices and the network; the data it can receive includes, but is not limited to, proxy server logs and firewall logs.
The system communication unit 211 is mainly used for communication between the intelligent information security network blocking analysis program and the intelligent information security network blocking control program. Through the system communication unit 211, the data gathered by the data collection unit 221 is retrieved from the database and sent to the data analysis unit 111 for analysis. The system communication unit 211 also receives the blocking dispatch commands and unblocking commands of the blocking impact analysis unit 113 and forwards the received commands to the IP blocking control unit 212, which controls the network service state of a specific host through the security equipment on the enterprise's internal network boundary, blocking or restoring its network service as required.
The IP blocking control unit 212 is installed on the security equipment at the enterprise network boundary and executes, but is not limited to, network service blocking commands or network service unblocking commands.
The data analysis unit 111 is mainly used to receive log record data of various kinds through the system communication unit 211 and to perform pre-processing and analysis.
The IP asset analysis unit 112 retrieves the analysed enterprise information equipment asset information through the asset management unit 121 and calculates the asset score Srcinv(IP) of each host. The estimate of a single host's IP asset score covers several indicators including, but not limited to, the importance of the role the host belongs to, the importance and confidentiality level of the domain the host belongs to, how busy the host's operation is, how frequently the host connects to other hosts in the enterprise network (out-link frequency), and how frequently other hosts in the enterprise network connect to it (in-link frequency); from these indicators the aggregate asset score Srcinv(IP) is calculated through a linear regression model.
The asset management unit 121 retrieves the relevant information from the enterprise information equipment asset database and, after calculation and analysis, outputs host asset analysis results including, but not limited to, the host's role and its importance, whether the host provides or receives services, and how busy the host is.
The blocking impact analysis unit 113 retrieves, through the block list management unit 122, information on hosts that raise security concerns and require network blocking, performs an impact analysis of each host, and analyses the impact on the overall architecture of the enterprise's internal network once the host's network service is blocked and the host goes offline. It also manages all blocked hosts and provides assistance with control: from the asset score Srcinv(IP) calculated by the IP asset analysis unit 112 together with the host's block list information it calculates the blocking score Srcbk(IP), uses that score to determine which hosts must have their network service blocked first, evaluates for each such host the most suitable device to which its blocking command should be dispatched, dispatches the command to that device, and records the start date, estimated end date and executing device for each host whose network service is blocked, thereby achieving centralised management. This estimation mechanism considers the node of the enterprise network at which the host to be blocked is located and compares the cost and benefit of blocking on each device, including but not limited to the proxy server (Proxy), the firewall (Firewall) or the domain name system (DNS); for the same blocking effect, the blocking management module recommends the fewest blocking dispatch points and the best dispatch point for the blocking command, achieving intelligent blocking. Furthermore, it predicts the life cycle of the host's network activity from the host's profile, predicting the start and end dates of blocking and the required blocking period; when the host no longer poses an information security risk or concern, its network service is restored and an unblocking message is automatically sent to the specific blocking device, achieving a further level of intelligent blocking.
The block list management unit 122 retrieves the relevant information from the block list database.
Refer to FIG. 2 and FIG. 3, flowcharts of the system and method for intelligent information security network blocking analysis of the invention, which comprise: S210, collecting data and transmitting the data; S220, analysing the data, processing and analysing it to obtain the aggregate blocking score, which serves as the basis for deciding whether a given host should have its network service blocked first; S230, adding relevant information, using auxiliary information to assist the analysis, where the auxiliary information means asset information and blocking information; S240, deciding whether to block, which uses the blocking score Srcbk(IP) calculated from the analysed data to determine whether the current host IP must be blocked first: if the score is above the blocking threshold the decision is yes and the flow continues, and if the score is below the threshold the decision is no and the flow ends; S250, calculating the execution approach, which calculates the host's life cycle and the best device on which to execute the command; and S260, executing the command on the most suitable device.
S210, collecting data, comprises: S211, collecting log data, gathering log record data of various kinds and storing it in the database; and S212, transmitting data, sending the gathered log record data to the data analysis unit for analysis.
S220, analysing data, comprises: S221, processing data, pre-processing and analysing the received log record data; S222, calculating the asset score, using the log record data and the host asset information to calculate the asset score Srcinv(IP); and S223, calculating the blocking score, using the asset score Srcinv(IP) and the block list information to analyse the impact on the overall architecture of the enterprise's internal network once the host's network service is blocked and the host goes offline, and calculating the blocking score Srcbk(IP).
S230, adding related information, comprises: S231, adding asset information, which imports the host asset information into the analysis program; S232, adding blocking information, which imports the block list information into the analysis program.
S250, computing the execution method, comprises: S251, computing the best execution point, which determines the device to which the blocking instruction for the current host is dispatched; to achieve the highest blocking efficiency this step selects the device with the best blocking effect; S252, computing the blocking life cycle, which estimates the host's life cycle and from it the date on which the blocked host may have its blocking instruction lifted; S253, transmitting the blocking instruction, which dispatches the blocking instruction to the best dispatch device computed from the transmitted data; S254, transmitting the release instruction, which, from the host life cycle and block release date estimated from the processed data, sends the block release information to the device and notifies the device administrator.
S260, executing the command, comprises: S261, executing the blocking instruction, which executes the blocking instruction on the most suitable device for a host whose network service must be blocked; S262, executing the release instruction, which executes the release instruction on the device that originally blocked the host's network service, for a host whose network service may be restored.
The host asset information comprises the importance of the host's role, the importance and confidentiality level of the domain the host belongs to, how busy the host is, how frequently the host initiates connections (out-link frequency), and how frequently the host is connected to (in-link frequency).
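The scoring and dispatch flow of S220 through S250 as one runnable model, added here as an example; it is not part of the patent and not the applicant's code. The patent names the inputs (log records, the six host asset indicators, the block list, a blocking threshold, a set of enforcement devices) but gives no formulas, so the indicator weights, the Srcinv(IP) and Srcbk(IP) formulas, the threshold value, the device-selection rule (most specific covering prefix, then efficacy), the minimum lifetime and the life-cycle estimate are all assumptions, and the log lines, hosts and devices are constructed sample data.

```python
"""Illustrative model of steps S220-S250 (added example, not the patent's code).

Every number and formula below is an assumption chosen for illustration; the
patent only names the inputs and the scores Srcinv(IP) and Srcbk(IP).
"""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

# Constructed sample log lines; the "<date> <ip> <source> <kind>" layout is assumed.
SAMPLE_LOGS = [
    "2016-06-20 10.1.1.5 proxy malware-callback",
    "2016-06-21 10.1.1.5 firewall deny-outbound",
    "2016-06-25 10.1.1.5 proxy malware-callback",
    "2016-06-22 10.1.2.9 proxy allow",
    "2016-06-26 10.1.2.9 firewall deny-outbound",
    "2016-06-23 10.1.3.7 proxy allow",
]
ALERT_KINDS = {"malware-callback", "deny-outbound"}   # log kinds counted as security concern
ASSET_WEIGHTS = (0.3, 0.2, 0.2, 0.1, 0.1, 0.1)         # assumed, one per indicator, sum 1.0
BLOCK_THRESHOLD = 0.4                                  # assumed blocking threshold (S240)
MIN_LIFETIME_DAYS = 7                                  # assumed floor for the life-cycle estimate


@dataclass
class HostAsset:
    """The six indicators the patent lists, each normalised to 0..1 (assumption)."""
    ip: str
    role_importance: float
    domain_importance: float
    domain_confidentiality: float
    busyness: float
    out_link_freq: float
    in_link_freq: float


@dataclass
class Device:
    """An enforcement point (firewall, proxy) and the address range it can block."""
    name: str
    covers: str      # CIDR
    efficacy: float  # assumed 0..1 measure of how reliably it enforces a block


def parse_logs(lines):
    """S221: per host, count alert entries and record the days it was active."""
    per_host = {}
    for line in lines:
        day, ip, _source, kind = line.split()
        entry = per_host.setdefault(ip, {"alerts": 0, "days": set()})
        entry["days"].add(date.fromisoformat(day))
        if kind in ALERT_KINDS:
            entry["alerts"] += 1
    return per_host


def asset_score(h):
    """S222: Srcinv(IP) as a weighted sum of the six indicators (weights assumed)."""
    indicators = (h.role_importance, h.domain_importance, h.domain_confidentiality,
                  h.busyness, h.out_link_freq, h.in_link_freq)
    return round(sum(w * v for w, v in zip(ASSET_WEIGHTS, indicators)), 3)


def blocking_score(ip, alerts, srcinv, block_list):
    """S223: Srcbk(IP). Evidence from the logs raises the score; the impact of taking
    a high-value host offline (its Srcinv) lowers it. A host already on the block
    list scores 0 so it is not dispatched twice. Formula assumed."""
    if ip in block_list:
        return 0.0
    concern = min(alerts, 5) / 5          # cap so one noisy host cannot dominate
    return round(concern * (1.0 - 0.5 * srcinv), 3)


def best_device(ip, devices):
    """S251: among devices covering the IP, prefer the most specific prefix (fewest
    other hosts affected), then the highest efficacy. Rule assumed."""
    addr = ipaddress.ip_address(ip)
    covering = [d for d in devices if addr in ipaddress.ip_network(d.covers)]
    if not covering:
        return None
    return max(covering, key=lambda d: (ipaddress.ip_network(d.covers).prefixlen, d.efficacy)).name


def estimate_release(active_days):
    """S252: assumed life-cycle estimate. The block may be lifted one activity span
    (first to last seen, at least MIN_LIFETIME_DAYS) after the host was last seen."""
    first, last = min(active_days), max(active_days)
    return last + timedelta(days=max(MIN_LIFETIME_DAYS, (last - first).days))


def plan(logs, assets, devices, block_list, threshold=BLOCK_THRESHOLD):
    """Run S220 through S250 for every host and return the decision per IP."""
    stats = parse_logs(logs)
    decisions = {}
    for h in assets:
        st = stats.get(h.ip, {"alerts": 0, "days": set()})
        srcinv = asset_score(h)
        srcbk = blocking_score(h.ip, st["alerts"], srcinv, block_list)
        block = srcbk > threshold                      # S240: strictly above the threshold
        decisions[h.ip] = {
            "srcinv": srcinv, "srcbk": srcbk, "block": block,
            "device": best_device(h.ip, devices) if block else None,
            "release": estimate_release(st["days"]).isoformat() if block and st["days"] else None,
        }
    return decisions


# Constructed sample hosts and devices.
SAMPLE_ASSETS = [
    HostAsset("10.1.1.5", 0.2, 0.3, 0.2, 0.4, 0.8, 0.1),   # low-value workstation, noisy
    HostAsset("10.1.2.9", 0.9, 0.9, 0.9, 0.8, 0.3, 0.9),   # high-value server, one alert
    HostAsset("10.1.3.7", 0.5, 0.5, 0.5, 0.5, 0.5, 0.5),   # no alerts
]
SAMPLE_DEVICES = [Device("edge-fw", "10.1.0.0/16", 0.9),
                  Device("dc-fw", "10.1.1.0/24", 0.95),
                  Device("web-proxy", "10.1.0.0/16", 0.6)]

if __name__ == "__main__":
    for ip, d in plan(SAMPLE_LOGS, SAMPLE_ASSETS, SAMPLE_DEVICES, block_list=set()).items():
        print(ip, d)
```

With the sample data only 10.1.1.5 crosses the threshold: it has the most alerts and a low asset score, so blocking it is cheap, and the most specific covering device (dc-fw on 10.1.1.0/24) is chosen so that no other subnet is affected. The high-value server 10.1.2.9 stays below the threshold because its Srcinv(IP) discounts the single alert, which is the impact trade-off S223 describes.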
In summary, once the intelligent information security network blocking analysis program on the intelligent network blocking analysis server and the intelligent information security network blocking control program on the intelligent network blocking control server are started, data processing and analysis begin. Log records of all kinds are gathered and stored in the database, and the collected log records are sent to the data analysis module, which pre-processes and analyses them. The host asset information is imported into the analysis program, and the asset score Srcinv(IP) is computed from the log records and the host asset information according to indicators including, but not limited to, the importance of the host's role, the importance and confidentiality level of the domain the host belongs to, how busy the host is, its out-link frequency and its in-link frequency. The block list information is imported into the analysis program, and from the asset score Srcinv(IP) and the block list information the effect on the overall architecture of the enterprise intranet of blocking the host's network service and taking it offline is analysed and the blocking score Srcbk(IP) is computed. From the blocking score Srcbk(IP) computed in the previous step it is decided whether the current host IP must be blocked with priority: if the score is above the blocking threshold the decision is Yes and the flow continues; if it is below the threshold the decision is No and the flow ends. The device to which the blocking instruction for the current host is dispatched is then computed; to achieve the highest blocking efficiency this step selects the device with the best blocking effect (for example, a firewall). From the estimated host life cycle, the date on which the blocked host may have its blocking instruction lifted is computed. The blocking instruction is dispatched to the best dispatch device so computed, and from the estimated host life cycle and block release date the block release information is sent to that device and the device administrator is notified. For a host whose network service must be blocked, the blocking instruction is executed on the most suitable device; for a host whose network service may be restored, the release instruction is executed on the device that originally blocked its network service.
The detailed description above sets out one feasible embodiment of the present invention; that embodiment is not intended to limit the patent scope of the invention, and any equivalent implementation or modification that does not depart from the technical spirit of the invention falls within the patent scope of this application.
In summary, this application is not only genuinely innovative in its technical concept but also provides the several effects described above that conventional methods do not achieve, and so fully satisfies the statutory requirements of novelty and inventive step for an invention patent. The application is filed in accordance with the law, and the Office is respectfully requested to approve this invention patent application so as to encourage invention.
110‧‧‧Analysis module
111‧‧‧Data analysis unit
112‧‧‧IP asset analysis unit
113‧‧‧Blocking impact analysis unit
120‧‧‧Information management module
121‧‧‧Asset management unit
122‧‧‧Block list management unit
210‧‧‧Execution module
211‧‧‧System communication unit
212‧‧‧IP blocking control unit
220‧‧‧Collection module
221‧‧‧Data collection unit
Claims (16)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW105120119A TWI591576B (en) | 2016-06-27 | 2016-06-27 | System and Method for Blocking Intelligent Information Security Network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW105120119A TWI591576B (en) | 2016-06-27 | 2016-06-27 | System and Method for Blocking Intelligent Information Security Network |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI591576B true TWI591576B (en) | 2017-07-11 |
TW201810176A TW201810176A (en) | 2018-03-16 |
Family
ID=60048360
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW105120119A TWI591576B (en) | 2016-06-27 | 2016-06-27 | System and Method for Blocking Intelligent Information Security Network |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI591576B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111028085A (en) * | 2019-03-29 | 2020-04-17 | 哈尔滨安天科技集团股份有限公司 | Network shooting range asset information acquisition method and device based on active and passive combination |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI826227B (en) * | 2023-01-06 | 2023-12-11 | 中華電信股份有限公司 | Management system and management method for information security of network equipment |
2016
- 2016-06-27 TW TW105120119A patent/TWI591576B/en active
Also Published As
Publication number | Publication date |
---|---|
TW201810176A (en) | 2018-03-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP2006520937A5 (en) | ||
EP2327024B1 (en) | Techniques for resource location and migration across data centers | |
US20190378148A1 (en) | System and method for applying tracing tools for network locations | |
US7792957B2 (en) | Method and system for determining a plurality of scheduling endpoints in a grid network | |
US20200045110A1 (en) | Storage aggregator controller with metadata computation control | |
US10404556B2 (en) | Methods and computer program products for correlation analysis of network traffic in a network device | |
US10868732B2 (en) | Cloud resource scaling using programmable-network traffic statistics | |
US20150186779A1 (en) | Dynamic Model-Based Analysis of Data Centers | |
US11463536B2 (en) | Curating proxy server pools | |
Ge et al. | Q‐learning based flexible task scheduling in a global view for the Internet of Things | |
US8874642B2 (en) | System and method for managing the performance of an enterprise application | |
CN103001809B (en) | Service node method for monitoring state for cloud storage system | |
KR20110074820A (en) | Method and device for managing security events | |
US20150215426A1 (en) | Non-transitory computer-readable recording medium having stored therein control program, control apparatus and control method | |
TW201312346A (en) | Virtual machine monitoring method, system and computer readable storage medium for storing thereof | |
CN101820635A (en) | Method and device for acquiring mobile communication data | |
TWI591576B (en) | System and Method for Blocking Intelligent Information Security Network | |
CN111311286A (en) | Intelligent customer service data processing method and device, computing equipment and storage medium | |
CN107783881A (en) | Website dynamic property monitoring method and system based on memory queue | |
CN111131339A (en) | NAT equipment identification method and system based on IP identification number | |
CN118133274A (en) | Information security management and monitoring method and system based on big data | |
Samir et al. | Anomaly detection and analysis for reliability management clustered container architectures | |
CN117235035A (en) | Automatic management system for managing enterprise internal elastic search cluster | |
CN107566187B (en) | SLA violation monitoring method, device and system | |
CN201499180U (en) | Device capable of achieving bank-enterprise intercommunication |