Research on a Network Security Incident Response Linkage System
Abstract
The main purpose of a network security incident response linkage system is to coordinate the people, information and other resources of incident response organizations so that they can jointly handle network security incidents; no widely accepted model for such a system exists yet. Starting from the current state of incident response technology and organization and the trends in its development, this paper analyzes the significance, purpose and principles of coordinated incident response and discusses its architecture, functions, operating and security strategy, software and some key technologies. It then proposes a preliminary model of a response linkage system and fills that model in with relevant standards and recommendations, using the six phases of the PDCERF methodology as the guiding thread. A recommended operating template for the system and illustrative cases follow, and the paper closes with a brief discussion of other key aspects of the linkage system.

This paper focuses on the organization and process of response rather than on technical detail. The proposed linkage system model is not perfect, but it addresses the key problems of cooperative response and is adapted to the actual situation in China, so it is practicable to a certain extent.
