TWI667587B - Information security protection method - Google Patents


Info

Publication number
TWI667587B
Authority
TW
Taiwan
Prior art keywords
information
monitored
usage record
platform
data analysis
Prior art date
Application number
TW107116388A
Other languages
Chinese (zh)
Other versions
TW201947441A (en)
Inventor
吳欣諺
陳昱翰
詹益安
Original Assignee
玉山商業銀行股份有限公司

Abstract

An information security protection method is applicable to a device to be monitored, a data analysis platform, and a deployment platform, and includes the following steps: the device to be monitored generates real-time usage record information; the data analysis platform builds a behavior model from the usage record information by machine learning; the deployment platform monitors a real-time data stream of the device to be monitored according to the behavior model; and when the deployment platform determines that the real-time data stream of the device to be monitored constitutes abnormal behavior under the behavior model, it blocks transmission of that real-time data stream. By means of machine learning, the method actively builds the behavior model corresponding to the device to be monitored, thereby realizing an active and real-time information security protection architecture.

Description

Information security protection method

The present invention relates to a protection method, and in particular to an information security protection method.

A conventional information security protection method for building a traditional information security defense architecture usually includes the following steps: setting signature rules; blocking network connection behavior that matches an abnormal signature; receiving feedback messages from users; and, when the feedback indicates that blocking the connection behavior was a mistake (that is, the connection behavior was not abnormal), modifying the signature rules. In addition, the initial creation or subsequent update of the signature rules may come from external information security sources and be configured manually. However, this rule-based information security protection method, built on manually defined rules, prepares and reacts passively, and there is still much room for improvement.

Accordingly, an object of the present invention is to provide an information security protection method with active defense.

Thus, the information security protection method of the present invention is applicable to a device to be monitored, a data analysis platform, and a deployment platform, and includes steps (a) to (d).

In step (a), the device to be monitored generates real-time usage record information.

In step (b), the data analysis platform builds a behavior model from the usage record information by machine learning.

In step (c), the deployment platform monitors a real-time data stream of the device to be monitored according to the behavior model.

In step (d), when the deployment platform determines that the real-time data stream of the device to be monitored constitutes abnormal behavior under the behavior model, it blocks transmission of that real-time data stream.

In some embodiments, the method is further applicable to a filtering platform, wherein, in step (a), when the usage record information belongs to a first type of information, the device to be monitored transmits it directly to the data analysis platform; when the usage record information belongs to a second type of information, the device to be monitored transmits it directly to the filtering platform, which filters the usage record information before forwarding it to the data analysis platform. The first type of information contains the information the data analysis platform needs to analyze and no private information; the second type contains the information the data analysis platform needs to analyze together with private information.

In some embodiments, in step (b), the data analysis platform further monitors an accuracy rate of the behavior model according to security record information of the device to be monitored and the results of the deployment platform's determinations.

In some embodiments, in step (a), the usage record information includes any one of a security defense device usage record, a network device usage record, and a server usage record.

The effect of the present invention is that the data analysis platform, using machine learning on the usage record information of the device to be monitored, actively builds the behavior model corresponding to that device, so that the deployment platform can monitor the real-time data stream of the device to be monitored in real time according to the behavior model, thereby realizing an active and real-time information security protection architecture.

Before the present invention is described in detail, it should be noted that in the following description, similar elements are denoted by the same reference numerals.

Referring to FIG. 1 and FIG. 2, the information security protection method of the present invention is applicable to a device to be monitored 1, a data analysis platform 3, a deployment platform 4, and a filtering platform 2. For example, the device to be monitored is existing information infrastructure within an enterprise, such as security defense devices, network devices, server hosts, computer hosts, networked devices and the like, but is not limited to these. The data analysis platform 3 uses big data analysis techniques, requires a computer cluster or a sufficiently powerful single host to implement, and includes a tracing module 31 and a mining module 32. The deployment platform 4 is an AI engine. The filtering platform 2 is a collector, for example another computer host or another server host.

The information security protection method includes steps S1 to S4.

In step S1, the device to be monitored 1 generates real-time usage record information (a log). Depending on the device to be monitored 1, the usage record information includes, for example, any one of a security defense device usage record, a network device usage record, and a server usage record, but is not limited to these.

In addition, the usage record information can be divided into a first type of information and a second type of information, wherein the first type contains the information the data analysis platform 3 needs to analyze and no private information, and the second type contains the information the data analysis platform 3 needs to analyze together with private information.

When the usage record information belongs to the first type, the device to be monitored 1 transmits it directly to the data analysis platform 3, as path P2 in FIG. 2. When the usage record information belongs to the second type, the device to be monitored 1 first transmits it to the filtering platform 2, which filters the usage record information and only then transmits the filtered usage record information to the data analysis platform 3, as paths P1 and P3 in FIG. 2.

For example, the usage record information may be network packets exchanged between computer hosts inside an enterprise (such as a bank). When the content of such a packet includes a user's account number, password, or other personal private information, and in particular information that the data analysis platform 3 does not need to analyze, the filtering platform 2 filters out (deletes) this unnecessary or redundant information to protect the related private content.
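The two-path routing just described, as an added illustration that is not the patent's own code: a record carrying private fields takes the filtering platform (paths P1 and P3) and arrives with those fields removed, while a record without them goes directly (path P2). The field names, the set of private keys, and the sample records are constructed assumptions.

```python
"""Routing of usage records between the device to be monitored, the filtering
platform and the data analysis platform.  Added illustration, not the patent's
own code; field names, private-key list and sample records are assumptions."""
from __future__ import annotations

import re
from typing import Any

# Assumed set of record fields a bank pipeline treats as private (the patent
# names account numbers and passwords; the remaining keys are added assumptions).
PRIVATE_KEYS = {"account", "password", "passwd", "pin"}

# Assumed: credentials may also sit inside a raw payload as key=value pairs.
PRIVATE_PAIR_RE = re.compile(r"\b(password|passwd|pin)=[^&\s]*", re.IGNORECASE)


def is_second_type(record: dict[str, Any]) -> bool:
    """Second-type records carry private information (a private field or an
    embedded credential); first-type records carry only what the analysis
    platform needs."""
    if any(key in PRIVATE_KEYS for key in record):
        return True
    return bool(PRIVATE_PAIR_RE.search(str(record.get("payload", ""))))


def filter_record(record: dict[str, Any]) -> dict[str, Any]:
    """Filtering platform: drop private fields and redact embedded credentials,
    keeping the fields the analysis platform needs (timestamp, src, dst, ...)."""
    cleaned = {k: v for k, v in record.items() if k not in PRIVATE_KEYS}
    if "payload" in cleaned:
        cleaned["payload"] = PRIVATE_PAIR_RE.sub(
            lambda m: f"{m.group(1)}=<redacted>", str(cleaned["payload"]))
    cleaned["filtered"] = True
    return cleaned


def route(record: dict[str, Any]) -> tuple[str, dict[str, Any]]:
    """Return the FIG. 2 path taken and the record as delivered to the data
    analysis platform: P2 is the direct path, P1+P3 goes via the filter."""
    if is_second_type(record):
        return "P1+P3", filter_record(record)
    return "P2", dict(record)


# Constructed sample usage records from a monitored host (not real traffic).
SAMPLE_RECORDS = [
    {"ts": "2018-05-15T09:00:01", "src": "10.1.2.3", "dst": "10.1.9.9",
     "dst_port": 443, "domain": "esunbank.com"},
    {"ts": "2018-05-15T09:00:02", "src": "10.1.2.3", "dst": "10.1.9.10",
     "dst_port": 80, "account": "0001234567",
     "payload": "user=alice&password=hunter2&op=login"},
]


def deliver_all(records=SAMPLE_RECORDS):
    """Route every record; no delivered record keeps a private field."""
    return [route(r) for r in records]


if __name__ == "__main__":
    for path, delivered in deliver_all():
        print(path, delivered)
```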

In step S2, the data analysis platform 3 builds a behavior model from the usage record information by machine learning. Machine learning methods applied to security analysis include, first, classification methods such as logistic regression, decision trees, random forests, XGBoost, and deep learning, which are used to distinguish malicious connections or files from normal ones, and second, clustering methods such as the k-means algorithm and density-based clustering (DBSCAN), which are used to group files or behavior patterns. These machine learning methods can be implemented with analysis software or program modules such as R, Python, TensorFlow, and SAS, and the behavior model can be built with one of these methods or a combination of several of them.

In more detail, in this embodiment, the tracing module 31 of the data analysis platform 3 monitors the overall information security status and the accuracy rate of the behavior model according to the usage record information of the device to be monitored 1 (paths P2 and P3 in FIG. 2) and a determination result of the deployment platform 4 (path P7 in FIG. 2). The mining module 32 of the data analysis platform 3 performs further data mining on the usage record information, finds specific behavior patterns by machine learning, and thereby builds the behavior model. In other embodiments, the tracing module 31 of the data analysis platform 3 may also monitor the overall information security status and the accuracy rate of the behavior model according to the usage record information and security record information of the device to be monitored 1, together with the determination result of the deployment platform 4.

It should further be noted that, in this embodiment, the mining module 32 of the data analysis platform 3 builds the behavior model from the usage record information. In other embodiments, the mining module 32 may also build the behavior model from the usage record information (path P8 in FIG. 2) together with external information from an external information source 5. The external information source is, for example, another website, and the external information is, for example, content containing blacklists and whitelists.

In step S3, the deployment platform 4 monitors a real-time data stream of the device to be monitored 1 (paths P1 and P5 in FIG. 2) according to the behavior model (path P4 in FIG. 2). That is, the real-time data stream monitored by the deployment platform 4 is first filtered by the filtering platform 2 to remove confidential or sensitive private content, and is then monitored in real time.

Furthermore, in this embodiment, the deployment platform 4 monitors the real-time data stream according to the behavior model, while in other embodiments the deployment platform may monitor the real-time data stream according to both the behavior model and another model obtained from the external information source. In other words, the information security protection method of this case can operate at the same time as existing security protection mechanisms without conflict.

In step S4, when the deployment platform 4 determines that the real-time data stream of the device to be monitored 1 constitutes abnormal behavior under the behavior model, it blocks transmission of that real-time data stream, as path P6 in FIG. 2. When the deployment platform 4 determines that the real-time data stream does not constitute abnormal behavior under the behavior model, it continues monitoring and determining.

The information security architecture built with the information security protection method of the present invention can operate on its own or assist existing security defense devices, operating together with them to check for potential network threats. For example, the device to be monitored 1 is a computer host inside an enterprise, and the usage record information includes information such as the connection times and connection targets recorded while the host is used; from the connection times and connection targets, the data analysis platform 3 builds several behavior models corresponding to the device to be monitored 1: a first behavior model concerns whether the host's connection targets are abnormal; a second concerns whether the host's connection times are abnormal; a third concerns whether the frequency with which the host connects to a specific internal or external web page (or system) within a predetermined time interval is abnormal; a fourth concerns whether abnormal redirects occur when the host connects to a website; and a fifth concerns whether a site the host connects to is on a suspected blacklist or resembles a legitimate website (that is, a phishing site).

In more detail, the fifth behavior model is a long short-term memory (LSTM) model over domain names. LSTM is a kind of recurrent neural network (RNN) that builds a model with a "remember and forget" mechanism to analyze the relationships between tokens and their surrounding context and thus perform semantic analysis.

The LSTM model is a known technique: a binary classification model built with a neural network framework, whose construction is briefly described as follows. The computer host takes several domain names belonging to a whitelist and labels them as samples of normal domains. The computer host also takes several domain names belonging to a blacklist and labels them as samples of abnormal domains. The whitelist can be obtained from existing whitelist websites on the internet, and the blacklist can be generated with several known domain generation algorithms (DGAs), but neither is limited to these sources. For example, whitelisted domain names include google.com, esunbank.com, yahoo.com, and so on, and blacklisted domain names include xyafilk.com, uiteeraab.com, and so on.

The computer host first extracts, from each domain name in the whitelist and blacklist, the first eight characters of its longest string, such as google, esunbank, yahoo, xyafilk, uiteeraa, and so on. The computer host then converts each extracted string into a vector, that is, it maps each character to a predetermined value and, when the string is shorter than eight characters, pads it with the value 0. Continuing the example above, if a, b, c, ..., z, ..., -, _ are converted to the values 1, 2, 3, ..., 26, ..., 36, 37 and so on, then google, esunbank, yahoo, xyafilk, uiteeraa are converted to the vectors [7,15,15,7,12,5,0,0], [5,19,21,14,2,1,14,11], [25,1,8,15,15,0,0,0], [24,25,1,6,9,12,11,0], and [21,9,20,5,5,18,1,1] respectively.

The LSTM model takes the two kinds of samples, normal domains and abnormal domains, as input data to train the model to tell whether a domain name is normal, iteratively runs forward propagation and back propagation, and corrects the model with a given optimization algorithm. In addition, during model construction, the accuracy of the model is assessed using common evaluation metrics computed from the model's domain-name determinations, such as precision, recall, and the F1 value.

The deployment platform 4 monitors the real-time data stream of the device to be monitored 1 according to the LSTM model. More specifically, the computer host extracts the longest string in the domain name of each detected packet, truncates it to eight characters when it is longer than eight characters, and converts it numerically to obtain a vector. The LSTM model receives the vector, determines from it whether the domain name is a malicious domain name (that is, an abnormal domain), and outputs a number between 0 and 1 as a determination value, such as 0.4, 0.98, and so on. The LSTM model has a preset threshold, for example 0.9; when the determination value is below the threshold, as in 0.4 < 0.9, the domain name is determined not to be a malicious domain name. Conversely, when the determination value exceeds the threshold, as in 0.98 > 0.9, the domain name is determined to be a malicious domain name.
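The preprocessing, threshold decision and precision/recall/F1 evaluation of the three preceding paragraphs, as an added example that is not the patent's code and contains no trained model. The page fixes a-z as 1 to 26, '-' as 36, '_' as 37, 0 as padding and eight as the vector length, but leaves the codes in between unstated; the mapping of '1' to '9' onto 27 to 35, the "unknown" code 38, the tie rule at the threshold, and the lookup scorer that stands in for the LSTM are all assumptions.

```python
"""Feature encoding, threshold decision and evaluation for the domain-name
(fifth) behavior model.  Added illustration, not the patent's code.  Codes
the page does not state ('1'..'9' -> 27..35, unknown -> 38), the tie rule at
the threshold and the stand-in scorer are assumptions."""
from __future__ import annotations

from typing import Callable, Iterable, Sequence

MAX_LEN = 8   # vector length fixed by the page
PAD = 0       # padding value fixed by the page
UNKNOWN = 38  # assumption: any character the page assigns no code to

CHAR_CODES = {chr(ord("a") + i): i + 1 for i in range(26)}  # a..z -> 1..26
CHAR_CODES.update({str(d): 26 + d for d in range(1, 10)})    # '1'..'9' -> 27..35 (assumed)
CHAR_CODES["-"] = 36
CHAR_CODES["_"] = 37


def longest_label(domain: str) -> str:
    """The 'longest string' of a domain name: its longest dot-separated label,
    e.g. 'esunbank' in 'www.esunbank.com' (leftmost wins on a tie)."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return max(labels, key=len)


def encode_domain(domain: str) -> list[int]:
    """Longest label, cut to eight characters, mapped to codes, zero-padded."""
    label = longest_label(domain)[:MAX_LEN]
    codes = [CHAR_CODES.get(ch, UNKNOWN) for ch in label]
    return codes + [PAD] * (MAX_LEN - len(codes))


def is_malicious(score: float, threshold: float = 0.9) -> bool:
    """Deployment-platform rule: the model's 0..1 output is compared with a
    preset threshold (0.9 on the page).  A score equal to the threshold is
    treated as malicious here; the page does not state the tie rule."""
    return score >= threshold


def evaluate(scored: Iterable[tuple[float, bool]], threshold: float = 0.9):
    """Precision, recall and F1 of the 'malicious' class over (score, label)
    pairs: the metrics the page names for judging the trained model."""
    tp = fp = fn = 0
    for score, truly_malicious in scored:
        predicted = is_malicious(score, threshold)
        if predicted and truly_malicious:
            tp += 1
        elif predicted:
            fp += 1
        elif truly_malicious:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def monitor(domains: Sequence[str], score_fn: Callable[[list[int]], float],
            threshold: float = 0.9) -> list[str]:
    """Walk domain names seen in the data stream and return those the
    deployment platform would block (path P6).  `score_fn` stands in for the
    trained LSTM: it maps an eight-element vector to a 0..1 determination value."""
    return [d for d in domains if is_malicious(score_fn(encode_domain(d)), threshold)]


def demo() -> list[str]:
    """Constructed stand-in scorer (a lookup table, not a trained model) that
    returns 0.98 for the page's blacklist examples and 0.4 otherwise."""
    high = {tuple(encode_domain(d)): 0.98 for d in ("xyafilk.com", "uiteeraab.com")}
    stream = ["google.com", "xyafilk.com", "esunbank.com", "uiteeraab.com"]
    return monitor(stream, lambda vec: high.get(tuple(vec), 0.4))


if __name__ == "__main__":
    print(demo())
```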

It should further be noted that, in this embodiment, for convenience of description, the device to be monitored 1 to which the information security protection method applies is shown as a single device, while in practice the method can also apply to several devices to be monitored, such as multiple computer hosts, server hosts, network devices, and networked devices inside an enterprise. The data analysis platform 3 builds the corresponding behavior models for these devices, for example one shared behavior model for computer equipment in the same unit or performing the same kind of business, or a separate behavior model for each piece of computer equipment, and the deployment platform 4 deploys each behavior model to each corresponding monitored device, achieving the same effect.

In other words, the information security architecture built with the information security protection method of the present invention is an active security defense: it builds a behavior model by analyzing the similar network connection behavior of one or more devices to be monitored, revises the model's assumptions when suspicious behavior cases are verified, and thereby defines the normal and abnormal behavior of the behavior model, so that illegitimate network connections can be blocked, further incident investigation can be carried out, and the results fed back into the blocking mechanism.

In summary, the data analysis platform, using AI-based machine learning on the usage record information of the device to be monitored, actively builds the behavior model corresponding to that device, so that the deployment platform can monitor the real-time data stream of the device to be monitored in real time according to the behavior model. In addition, by having the filtering platform filter confidential or sensitive information out of the usage record information, good control over the confidentiality of personal information is also achieved. Hence the object of the present invention is indeed achieved.

The foregoing, however, is merely an embodiment of the present invention and cannot be used to limit the scope of its implementation; all simple equivalent changes and modifications made according to the claims and the content of the specification remain within the scope covered by the patent of the present invention.

Reference numerals:

S1~S4: steps

1: device to be monitored

2: filtering platform

3: data analysis platform

31: tracing module

32: mining module

4: deployment platform

5: external information source

P1~P9: paths

Other features and effects of the present invention will become clear from the embodiments described with reference to the drawings, in which: FIG. 1 is a flowchart illustrating an embodiment of the information security protection method of the present invention; and FIG. 2 is a block diagram illustrating an aspect to which the embodiment applies.

Claims (3)

1. An information security protection method applicable to a device to be monitored, a data analysis platform, a filtering platform, and a deployment platform, comprising the following steps: (a) the device to be monitored generating real-time usage record information; (b) the data analysis platform building a behavior model from the usage record information by machine learning; (c) the deployment platform monitoring a real-time data stream of the device to be monitored according to the behavior model; and (d) when the deployment platform determines that the real-time data stream of the device to be monitored constitutes abnormal behavior under the behavior model, blocking transmission of that real-time data stream; wherein, in step (a), when the usage record information belongs to a first type of information, the device to be monitored transmits the usage record information directly to the data analysis platform, and when the usage record information belongs to a second type of information, the device to be monitored transmits the usage record information directly to the filtering platform, which filters the usage record information before forwarding it to the data analysis platform; the first type of information contains the information the data analysis platform needs to analyze and no private information, and the second type of information contains the information the data analysis platform needs to analyze together with private information.

2. The information security protection method of claim 1, wherein, in step (b), the data analysis platform further monitors an accuracy rate of the behavior model according to security record information of the device to be monitored and the results of the deployment platform's determinations.

3. The information security protection method of claim 2, wherein, in step (a), the usage record information includes any one of a security defense device usage record, a network device usage record, and a server usage record.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW107116388A TWI667587B (en) 2018-05-15 2018-05-15 Information security protection method

Publications (2)

Publication Number Publication Date
TWI667587B true TWI667587B (en) 2019-08-01
TW201947441A TW201947441A (en) 2019-12-16

Family

ID=68316419

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220311790A1 (en) * 2020-09-29 2022-09-29 Rakuten Group, Inc. Anomaly determining system, anomaly determining method and program

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201502845A (en) * 2013-07-15 2015-01-16 Isgoodidea Website antivirus information security system
CN105553940A (en) * 2015-12-09 2016-05-04 北京中科云集科技有限公司 Safety protection method based on big data processing platform
TW201719484A (en) * 2015-11-20 2017-06-01 財團法人資訊工業策進會 Information security management system for application level log-based analysis and method using the same
