
Design And Implementation Of Emergency Response Management System For Network Security Incident

Posted on: 2018-10-19
Degree: Master
Type: Thesis
Country: China
Candidate: F H Wu
Full Text: PDF
GTID: 2348330542952096
Subject: Software engineering
Abstract/Summary:
With the rapid development of computer application technology, new types of network security incidents emerge constantly and the network security problem is becoming more serious. Incident emergency response technology can reduce the impact of an incident. The main task of this thesis is to reconstruct the existing distributed system CHAIRS (Cooperative Hybrid Aided Incidence Response System), based on the real network environment of CERNET (the China Education and Research Network) and the other systems of the CERNET security system researched and developed by the East China (North) Network Center. It provides better incident response functions for the security managers at the key nodes of CERNET, thus helping to secure the CERNET network.

How to manage cases effectively and support automated response is the focus of this thesis. The case response workflow is the primary content of case management. For cases that need a longer response time, responding only once wastes system resources and reduces response efficiency. Therefore, a case with a longer response period must be divided into multiple response steps. This thesis constructs the response framework of the whole system according to the authoritative PDCERF response method and the Sagas transaction model, so as to manage effectively the data generated by case response. On this basis, five tags are designed to record the different states of a case response. In addition, the design of the case data structure is one of the keys to case management. The case information is divided into alarm information, the specific evidence of the case, and the information on the process by which the evidence was obtained. The system must combine this case information organically, then store and display it, thus ensuring the availability of the case information and improving the reliability of the case response.

On the basis of manual response, the system provides automated response capabilities, enhancing its response speed. As in some existing automatic response systems, the automated decision-making function of the current system is based on the type of case. To overcome a shortcoming of automatic response systems, that timely manual intervention is not possible, this thesis presents the concept of a template. Templates provide a predefined interface through which team members define the response flow for a case according to defined rules. The most important part of a template is its ability to describe accurately the requirements of each predefined step of the case, the order in which the steps are executed, and then how they can be automated. Therefore, the template information is divided into basic template information and automatic configuration information, and a combination of charts is used to show the whole predefined response flow. To enhance the scalability of the system, an interface is used to connect case types and auxiliary tools. When new types of cases and toolkits appear, system administrators can register the appropriate case types and response toolkits in time, improving the system's extensibility and enriching the means of case response. At the end of this thesis, the function, performance and automation of the system are tested respectively. The test results show that the system can respond to cases effectively.
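The abstract describes a response framework built on the PDCERF stages and the Sagas transaction model, with state tags per step, a case record split into alarm / evidence / evidence-acquisition data, and templates that fix step order and automation. The following is an added illustration and is not code from the thesis or from CHAIRS: it models a long-running case as a saga of ordered local steps, each with a state tag and an optional compensating action that is run in reverse order when a later step fails, and it stops at steps marked as manual so an analyst can intervene. The tag names, step names, the `ddos` template and the simulated firewall blocklist are all assumptions made for the example; the abstract says five tags exist but does not name them.

```python
"""Added example (not the thesis's code): a Saga-style incident-response
workflow over the PDCERF stages, one state tag per step, compensation on
failure, and a template that fixes step order and automation."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

# The six PDCERF stages (standard names of the method).
PDCERF = ("Preparation", "Detection", "Containment",
          "Eradication", "Recovery", "Follow-up")

# Five per-step state tags. The abstract only says five tags exist;
# these names are an assumption for the example.
PENDING, RUNNING, DONE, FAILED, COMPENSATED = (
    "pending", "running", "done", "failed", "compensated")


@dataclass
class Step:
    name: str
    stage: str                                   # one of PDCERF
    action: Callable[[Any], None]                # local transaction
    compensate: Optional[Callable[[Any], None]] = None  # undo on failure
    automated: bool = True                       # False: wait for an analyst
    state: str = PENDING


@dataclass
class Case:
    case_id: str
    case_type: str
    alarm: Dict[str, str]                                     # alarm info
    evidence: List[Dict[str, str]] = field(default_factory=list)  # evidence
    evidence_log: List[str] = field(default_factory=list)  # how it was obtained
    steps: List[Step] = field(default_factory=list)


FIREWALL_BLOCKLIST: set = set()   # simulated stand-in for a real firewall tool


def collect_flow_evidence(case: Case) -> None:
    """Detection: record the offending source from the alarm as evidence."""
    case.evidence.append({"kind": "flow", "src": case.alarm["src_ip"]})
    case.evidence_log.append("flow record copied from alarm source")


def block_source(case: Case) -> None:
    """Containment: block the source IP (simulated)."""
    FIREWALL_BLOCKLIST.add(case.alarm["src_ip"])
    case.evidence_log.append(f"blocked {case.alarm['src_ip']}")


def unblock_source(case: Case) -> None:
    """Compensating action for block_source."""
    FIREWALL_BLOCKLIST.discard(case.alarm["src_ip"])
    case.evidence_log.append(f"unblocked {case.alarm['src_ip']} (compensation)")


def reimage_host(case: Case) -> None:
    """Eradication: done by a person, so the template marks it manual."""
    case.evidence_log.append("host reimaged by analyst")


# Template = basic information (ordered steps and their stage) plus
# automation configuration (automated flag, compensation). Assumed content.
TEMPLATES: Dict[str, List[dict]] = {
    "ddos": [
        dict(name="collect_flow", stage="Detection", action=collect_flow_evidence),
        dict(name="block_source", stage="Containment",
             action=block_source, compensate=unblock_source),
        dict(name="reimage_host", stage="Eradication",
             action=reimage_host, automated=False),
    ],
}


def instantiate(case: Case) -> None:
    """Build the case's steps from its type's template, checking PDCERF order."""
    last = -1
    for spec in TEMPLATES[case.case_type]:
        idx = PDCERF.index(spec["stage"])        # ValueError on unknown stage
        if idx < last:
            raise ValueError(f"step {spec['name']} is out of PDCERF order")
        last = idx
        case.steps.append(Step(**spec))


def run_saga(case: Case) -> str:
    """Run automated steps in order; on failure compensate completed steps in
    reverse. Returns 'completed', 'awaiting_manual' or 'rolled_back'."""
    done: List[Step] = []
    for step in case.steps:
        if step.state == DONE:                   # resuming: already applied
            done.append(step)
            continue
        if not step.automated:
            return "awaiting_manual"             # analyst intervention point
        step.state = RUNNING
        try:
            step.action(case)
            step.state = DONE
            done.append(step)
        except Exception as exc:
            step.state = FAILED
            case.evidence_log.append(f"{step.name} failed: {exc}")
            for prev in reversed(done):          # Saga rollback
                if prev.compensate:
                    prev.compensate(case)
                    prev.state = COMPENSATED
            return "rolled_back"
    return "completed"


def complete_manual(case: Case, name: str) -> str:
    """Analyst reports a manual step done; record it and resume the saga."""
    for step in case.steps:
        if step.name == name and not step.automated:
            step.action(case)
            step.state = DONE
    return run_saga(case)
```

The rollback only undoes steps that declare a compensating action; evidence collection is deliberately left in place, since the evidence log is the record of what was tried and why, which is what the thesis's evidence-acquisition process information is meant to preserve.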
Keywords/Search Tags:PDCERF response method, Sagas transaction model, case, evidence, template