
Lifecycle Management Of Network Security Incident Emergency Response

Posted on: 2019-09-26
Degree: Master
Type: Thesis
Country: China
Candidate: X X Li
Full Text: PDF
GTID: 2428330596460908
Subject: Computer technology
Abstract/Summary:
With the popularity of the Internet and the rapid development of technology, attacks have become more complex and diverse, and the security situation is serious. Incident emergency response has therefore become an indispensable part of guaranteeing network security, and how to establish an effective emergency response mechanism has become the focus of research. Based on the existing Cooperative Hybrid Aided Incidence Response System (CHAIRS), this thesis studies threat information exchange standards and applies Structured Threat Information Expression (STIX) to CHAIRS. Under this design, the case information, the automated response steps and the pages are standardized, and STIX objects can be exported. Information exchange and sharing allows emergency response to proceed on the basis of the maximum available information, improves the efficiency and accuracy of the response, and ensures the security of the network.

To standardize the case information of CHAIRS, this thesis studies the threat information standards widely used at home and abroad. After analyzing their pros and cons and considering the actual scenarios of CHAIRS, STIX is applied to improve CHAIRS. The thesis analyzes the mapping relationship between CHAIRS case information and STIX objects and ensures that CHAIRS meets the STIX criteria. On the basis of the STIX-based design of CHAIRS case information, the response process is also standardized: by analyzing the similarities and differences between the STIX Course of Action and the CHAIRS response steps, the response procedure is standardized. The thesis then studies the automatic response process after STIX is applied. Each step of the static template is decoupled and its configuration information is parameterized, so that each part is relatively independent; the parameters can be changed dynamically and the functions reused, which makes the configurable template flexible and improves the automation of case response.

In addition, to provide a data source for CHAIRS, this thesis implements the Security Event Database (SED), which collects data from multiple detection systems. To be compatible with multi-source heterogeneous data formats and to meet the performance requirements of CHAIRS, MongoDB, a NoSQL database, is chosen to implement SED. To ensure reliable data transmission, socket communication based on TCP is selected. Finally, taking the automatic tracking of a C&C (command and control) server as an example, the thesis verifies that automatic response is realized after the STIX standard is applied. At the end of the thesis, the future of emergency response is forecast: in-depth study of correlation analysis and forensic message analysis will be of great significance to emergency response.
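The abstract describes two pieces of the design in general terms: mapping CHAIRS case information to STIX objects (with the response steps expressed as STIX Course of Action objects) and a configurable response template whose steps carry parameters filled in per case. The following Python is an added example written for this page; it is not code from the thesis or from CHAIRS. The case record fields, the template steps, the placeholder C&C address (203.0.113.10, from the TEST-NET-3 documentation range) and the `validate_bundle` check are all constructed assumptions. It builds STIX 2.1 JSON by hand so that it runs without the `stix2` library, and adds a minimal export check so a malformed bundle is caught before it is shared.

```python
"""Added example: map a constructed CHAIRS-style case record to STIX 2.1
objects and instantiate a parameterised response template as Course of
Action objects. Not the thesis's own code; field names are assumptions."""
import json
import uuid
from datetime import datetime, timezone
from string import Template


def _stix_id(stix_type: str) -> str:
    # STIX 2.1 identifiers are "<type>--<UUID>"
    return f"{stix_type}--{uuid.uuid4()}"


def _base(stix_type: str) -> dict:
    # Common properties every STIX Domain/Relationship Object carries
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": stix_type, "spec_version": "2.1",
            "id": _stix_id(stix_type), "created": ts, "modified": ts}


# Constructed sample of a CHAIRS-style case record (assumed field names)
SAMPLE_CASE = {
    "case_id": "CASE-0001",
    "title": "Host beaconing to suspected C&C server",
    "description": "Periodic outbound connections from an internal host.",
    "c2_ip": "203.0.113.10",      # constructed, documentation range
    "c2_port": 4444,              # constructed
    "infected_host": "10.0.0.25", # constructed
}

# Configurable template: static steps with $placeholders filled per case,
# so each step is reusable and its parameters can change dynamically.
RESPONSE_TEMPLATE = [
    {"name": "Block C&C egress",
     "action": "Add firewall rule denying egress to $c2_ip:$c2_port"},
    {"name": "Isolate host",
     "action": "Move $infected_host to quarantine VLAN"},
    {"name": "Collect evidence",
     "action": "Capture network flows for $infected_host to $c2_ip"},
]


def case_to_stix(case: dict, template: list) -> dict:
    """Build a STIX 2.1 bundle: one Indicator for the C&C address, one
    Course of Action per template step, and 'mitigates' relationships
    linking each Course of Action back to the Indicator."""
    indicator = _base("indicator")
    indicator.update({
        "name": case["title"],
        "description": case["description"],
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{case['c2_ip']}']",
        "pattern_type": "stix",
        "valid_from": indicator["created"],
    })
    objects = [indicator]
    for step in template:
        coa = _base("course-of-action")
        coa["name"] = step["name"]
        # Template.substitute fills every $placeholder from the case record
        coa["description"] = Template(step["action"]).substitute(case)
        rel = _base("relationship")
        rel.update({"relationship_type": "mitigates",
                    "source_ref": coa["id"], "target_ref": indicator["id"]})
        objects += [coa, rel]
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": objects}


def validate_bundle(bundle: dict) -> list:
    """Minimal export check: required STIX 2.1 properties are present and
    relationships only reference objects inside this bundle."""
    required = {"indicator": ("pattern", "pattern_type", "valid_from"),
                "course-of-action": ("name",),
                "relationship": ("relationship_type", "source_ref", "target_ref")}
    problems = []
    ids = {o.get("id") for o in bundle["objects"]}
    for o in bundle["objects"]:
        common = ("id", "created", "modified", "spec_version")
        for field in common + required.get(o["type"], ()):
            if field not in o:
                problems.append(f"{o.get('id', '?')} missing {field}")
        if o["type"] == "relationship" and not {o["source_ref"], o["target_ref"]} <= ids:
            problems.append(f"{o['id']} references an object outside the bundle")
    return problems


if __name__ == "__main__":
    bundle = case_to_stix(SAMPLE_CASE, RESPONSE_TEMPLATE)
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

The design point is the one the abstract makes: the template holds no case-specific values, only named parameters, so the same three steps serve any case record that supplies `c2_ip`, `c2_port` and `infected_host`, and the exported bundle is plain STIX 2.1 that any consumer of the standard can ingest. `validate_bundle` is where a real deployment would plug in a full schema validator.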
Keywords/Search Tags: Emergency Response, STIX, Threat Information Standard, Configurable template, Security Event Database