
Research on a Network Security Incident Emergency Response Linkage System

Research in Techniques of Network Traffic Monitor and Packet Sampling Methodologies

【Author】 苑庆涛

【Supervisor】 朱晓东

【Author information】 吉林大学 (Jilin University), Software Engineering, 2007, Master's degree

【Abstract (Chinese)】 The main purpose of a network security incident emergency response linkage system is to coordinate the human, information and other resources of emergency response organizations so that they cooperate in handling network security incidents; at present there is no widely accepted model. This paper discusses a preliminary model of such a linkage system and attempts to study a unified organizational mode for emergency response teams, so as to improve the industry's overall emergency warning and response capability. The paper is divided into six chapters. Chapter 1 starts from the characteristics and development trends of network security incident emergency response technology and discusses the background of the basic model of the emergency response linkage system established here. Chapter 2 describes in detail the content of each stage of the PDCERF methodology. Chapter 3 describes the organization of emergency response and the basic model of the network security incident emergency response linkage system. Chapter 4 takes the PDCERF methodology as its thread and enriches the basic model established earlier with some suggested standards. Chapter 5 gives a reference proposal compiled by the author and a case study of a concrete situation. Chapter 6 briefly discusses other key contents of the linkage system. The paper focuses on the organization and process of response and does not go deeply into technical details; the proposed linkage system model is not perfect, but it has fully considered the key issues of cooperative response, emphasizes adaptation to the actual situation in China, and has a degree of operability.

【Abstract】 With the growing importance of networks, the many dangers concealed in them have become more and more visible. Security incidents such as viruses, worms, Trojan horses and intrusions occur one after another, and anti-virus, firewall and intrusion detection techniques have developed rapidly in response. However, years of practice have shown that even the most expensive security protection measures cannot by themselves defend against viruses and other Internet attacks, and today's intrusion detection tools are far from perfect. Perfecting a network security system therefore requires a Computer Emergency Response System alongside the Protection System in order to reduce and avoid loss of information. Thus the Integrated Emergency Management System came into being. Although research in this field has already begun, no Network Security Incident Response Linkage System has yet been formed and widely accepted. Based on an analysis of the extensive literature on network security and emergency response systems, and on an integrated discussion and comparison of the typical models of emergency response teams in use today, the author tries to establish a more complete Network Security Incident Response Linkage System Model that adapts to the worsening trend in network security.

The study of the Network Security Incident Response Linkage System begins with the techniques of emergency response. Emergency response functions both before a loss is suffered (taking precautions) and after it. On the one hand, we should make full preparations for network security incidents; on the other hand, we can take measures such as containment strategies, eradication procedures and recovery steps. Emergency response demands advanced technique with a great deal of practicality and integrity. Because of the complexity of the problems and the functional shortcomings of the Internet protocols, emergency response retains its own characteristics and research methods.

The key techniques of emergency response are as follows: intrusion detection technology; incident isolation and rapid recovery of computers; network tracing and localization; and computer forensics. The key techniques of computer emergency response represent its direction of development; related techniques and tools are still struggling to prove their validity, and in fact there are more challenges than results. Consequently, the development of emergency response in terms of social organization has become another development trend, with its function presented mainly in two aspects: laws, and linkage response.

Methodology is the science that studies the process of incident response, and no single methodology is exclusive. The one introduced in this paper is the widely accepted classical "PDCERF" methodology, which comprises six stages: Preparatory Works, Detection Mechanisms, Containment Strategies, Eradication Procedures, Recovery Steps and Follow-Up Reviews. The PDCERF methodology simply confirms the definition of the stages and the ideal process of incident response; task coordination within each stage and the human relationships in the process of incident response remain the two important subjects.

The principal body of emergency response at present is the CSIRT (Computer Security Incident Response Team). As the crucial force in the process, the CSIRT is not only the administrator but also the instructor at every stage. Network incidents are characterised by urgency, diversity and unpredictability, and can cause enormous loss in a short time. This makes defence far more difficult than attack in the network field. At the same time, it demands that defenders have a good command of integrated knowledge of systems, software and networks, and even that they acquire some knowledge and experience of network attacks themselves.

As a result, emergency response requires not only advanced technique and abundant experience on the defender's part but, more importantly, full use of resources such as people, materials, information and technique, united and cooperating to deal with security incidents. A new trend has appeared in network incidents: enlarging, powerful and experienced hacker teams attack the network in a more professional and complicated manner. It is very difficult for a single unit to deal with diverse network incidents on its own; we have no choice but association. On the basis of the CSIRT and the Linkage System, we put forward a basic model of the Network Security Incident Response Linkage System. Built on full coordination of human and information resources in different positions to deal with network security incidents, the system is developed from the CSIRT and its coordination center, and belongs to the organizational form of the later stage of CSIRT development.

After a general understanding of the background and basic model of the Emergency Response Linkage System, we follow the methodology to complete the basic model established earlier with some suggestive standards. This model lays particular emphasis on management, so we do not stress the concrete response techniques involved in the four middle stages of the response process but rather the two ends, Preparatory Works and Follow-Up Reviews. Although emergency response is a passive security technique that takes precautions after a loss has been suffered, the methodology puts more attention on the preparation stage, based on an understanding of incidents and the accumulation of experience.

Information sharing is the core of the linkage system, but how to realise sufficient sharing of information still needs discussion. In the age of information explosion, providing a great deal of irrelevant information has no real effect; on the contrary, it reduces the rate at which important hidden information is discovered. We therefore distinguish the sharable objects and content of the information in order to classify it and set permissions, and then send the information through multiple releasing channels, for instance websites, mail and private messengers. The linkage system attaches great importance to technical accumulation because emergency response relies on experience; the response team must maintain a file of vulnerabilities.

Having clarified the composition, organization, description of function and related reference standards for the Network Security Incident Response Linkage System Model, we can study the operation of a system based on it. A reference proposal coordinated by the author is given, together with a detailed case elucidation. Finally, the author introduces other important contents beyond the stages of PDCERF, including communication, coordination of the parallel management of multiple cases, information sharing and privacy protection, the establishment of supporting laws and regulations, and the robustness of the system.

Compared with the current operation of the CSIRT, this model contains a more reasonable operating mode and a more complete information security cycle model. It pays more attention to the Preparatory Works stage and also takes into consideration the efficiency and coordination of dealing with network security incidents. This framework model still needs much perfection and improvement: many contents are not detailed enough, and we have not given much consideration to technique. In this respect we are still carrying out thorough and meticulous research. Response linkage systems have been successfully explored in other fields, so the Network Security Incident Response Linkage System will definitely have a great impact on the security of the Internet.

【Keywords】 security incident; emergency response; linkage system; PDCERF
  • 【Online publication contributor】 吉林大学 (Jilin University)
  • 【Online publication year and issue】 2007, No. 03
  • 【Classification number】 TP393.08
  • 【Times cited】 3
  • 【Times downloaded】 408