
The Design And Implementation Of Distributed Incidents Management System CHAIRS For Network Emergency Response

Posted on: 2016-11-03
Degree: Master
Type: Thesis
Country: China
Candidate: L Z Zhu
GTID: 2308330503977359
Subject: Computer application technology
Abstract/Summary:
With the rapid development of Internet technology and the continuous increase in Internet applications, network security issues are becoming increasingly serious. Security incidents occur constantly on the Internet, and responding to them is an essential part of the network security architecture. Research on emergency response is gradually growing and has attracted the attention of government, education/academic institutions and industry. A large distributed emergency response management system called CHAIRS is designed and developed with reference to the response practice of the CERNET Eastern China (North) Network Center. CHAIRS has been deployed at the 38 key nodes of CERNET, providing incident response management functionality for security managers, and the system has proved efficient in supporting incident response in practice.

The primary issue in an emergency incident response management system is its workflow. In CHAIRS the workflow is based on the overall framework of PDCERF, the most authoritative incident response procedure in the world. It fits the response requirements of CERNET because it also draws on the agency's work experience. CHAIRS is designed according to this response workflow. The design work covers the incident format, which is based on IDMEF, the system architecture, the system functions and the user interface.

A security incident database is implemented on top of CHAIRS, providing the IP address information required for the operation, management and security of CERNET. The database collects event data from all the child nodes of CHAIRS, and others can query information from the system, so it is also an open platform for incident data. Because the event information is heterogeneous, the database finally adopted a NoSQL database for storage. In addition, WebService is chosen as the data communication method because it is platform independent and loosely coupled.

CHAIRS also provides a semi-automated response decision-making function. Current response systems generate solutions mostly by relying on the incident type, differing only in the way incidents are classified. The semi-automatic decision-making model is proposed after an analysis of the actual response situation of CERNET, and it is built on the event classification of CHAIRS.

The overall structure of CHAIRS is also introduced, and the operation management part of the system has been improved. The entire system has also been fully tested. Finally, the future of the emergency response system is discussed, pointing out that data mining of the event database will be important to the prevention of incidents and to incident response.
Keywords/Search Tags:incident response, incident format, workflow, Security incident database, incident classification, semi-automated response decision-making