TWI881506B - Information security rapid screening system - Google Patents
Description
The present invention relates to an information security rapid screening system, and in particular to a rapid screening system that can update its threat data automatically and analyze it quickly.
With advances in network technology, attacks over the Internet are becoming more and more frequent. One type of attack is denial of service (DoS), whose purpose is to starve a system of resources so that it can no longer respond to legitimate service requests. A similar attack is distributed denial of service (DDoS), in which an attacker controls a large number of malware-infected hosts that likewise attempt to exhaust the system's resources. A denial-of-service attack leaves the victim server unable to serve the users who want to access it.
In addition, a host that has already been infected is driven by the infecting program to execute processes that are not its own. Not only is the computer hardware's capacity fully occupied, the host also sends and receives network traffic that saturates the bandwidth, so that the services the server could originally provide are obstructed.
From the above it can be seen that:
1. Dangerous traffic cannot be identified: current mainstream anti-virus technology relies mainly on data stored in the firewall to block transmission requests from known harmful addresses, but it cannot block requests from harmful addresses that have not yet been stored. When dangerous traffic reaches the computer, it can be neither analyzed nor identified.
2. Processes cannot be blocked quickly: following on from the above, because the firewall only blocks transmission requests from harmful addresses, it has no effect on a harmful process that has already infected the system and modified its settings, so the system becomes unable to run its normal processes, or has its network bandwidth fully consumed.
3. No immediate outward notification: many enterprises do not staff network administrators around the clock, or have none at all, and once a computer host develops a problem there is no way to raise an alert externally. Consequently, when a host has a problem nobody is there to understand the situation and stop the danger; the relevant technicians are only notified once a user notices the problem while working.
Therefore, how to update in real time and block the latest dangerous addresses, how to detect a problematic process and block it, and how to issue an outward warning are goals that practitioners in the field urgently need to pursue.
In view of this, the object of the present invention is to provide an information security rapid screening system. The rapid screening system connects to a computer device and comprises a status data collection module, a network threat analysis module and an analysis data presentation module.
The status data collection module includes a log recording component connected to the computer device.
The network threat analysis module includes an intelligent analysis component connected to the status data collection module, and a threat intelligence acquisition component connected to the intelligent analysis component and storing threat intelligence data. The intelligent analysis component has a log analysis unit, which analyzes the data stored in the log recording component against the threat intelligence data to determine whether the computer device has suffered an intrusion.
The analysis data presentation module is connected to the intelligent analysis component and outputs the analysis result of the intelligent analysis component.
A further technical feature of the present invention is that the above rapid screening system further comprises a threat blocking module, which includes a blacklist recording component connected to the analysis data presentation module; the intelligent analysis component records the source of an intrusion attack in the blacklist recording component according to the analysis result.
Another technical feature of the present invention is that the above threat blocking module further includes a device connection blocking component connected to the blacklist recording component; the device connection blocking component blocks the computer device from connecting with other devices according to the data stored in the blacklist recording component.
Yet another technical feature of the present invention is that the above status data collection module further includes a traffic statistics component connected to the computer device, and the intelligent analysis component further has a traffic analysis unit in which an anomaly judgment parameter is set; the traffic analysis unit analyzes the data stored in the traffic statistics component against the anomaly judgment parameter to determine whether a process on the computer device is operating abnormally.
A further technical feature of the present invention is that the above rapid screening system further comprises a threat blocking module, which includes a process interruption component connected to the analysis data presentation module; the process interruption component terminates the abnormally operating process according to the analysis result of the traffic analysis unit.
Another technical feature of the present invention is that the above network threat analysis module further includes a data normalization component connected to the status data collection module and to the intelligent analysis component. A data normalization parameter matching the analysis characteristics of the intelligent analysis component is set in the data normalization component, so that the data normalization component converts the data stored in the status data collection module into data the intelligent analysis component can use.
Yet another technical feature of the present invention is that the above analysis data presentation module includes an event notification component connected to the network threat analysis module; the event notification component outputs the analysis result of the intelligent analysis component to the outside.
A further technical feature of the present invention is that the above analysis data presentation module includes a data visualization component connected to the network threat analysis module; the data visualization component outputs the analysis result of the intelligent analysis component on a computer screen.
Another technical feature of the present invention is that the above threat intelligence acquisition component maintains a connection with a threat intelligence platform, from which it updates the threat intelligence data.
Yet another technical feature of the present invention is that the network threat analysis module and the analysis data presentation module are installed in a rapid screening host, the status data collection module is installed in the computer device, and the rapid screening system further comprises a transmission channel between the computer device and the rapid screening host, over which the computer device and the rapid screening host exchange data.
The beneficial effect of the present invention is that the network threat analysis module inspects both logs and traffic and informs the analysis data presentation module of any problematic process, so that the user or the threat blocking module can block that process at once and keep the damage from spreading.
The features and technical content of the present invention will become clear from the following detailed description of two preferred embodiments with reference to the drawings. Before proceeding, it should be noted that similar elements are denoted by the same reference numerals.
Referring to FIG. 1, FIG. 2 and FIG. 3, a first preferred embodiment of the information security rapid screening system of the present invention is shown. The rapid screening system connects to a computer device 21, which may be an ordinary computer, a server, a router (IP sharing device), a firewall or the like, but is not limited thereto.
In the first preferred embodiment, a plurality of data collection sensors 22 are installed in the computer device 21, and the computer device 21 is connected to a rapid screening host 23 through a transmission channel. The transmission channel is a cable, but other transmission methods may be used. The rapid screening host 23 is connected to the output devices of a user end 24; the output devices may be a screen and a speaker, so that guards, technicians and other relevant personnel at the user end 24 are notified of the status of the computer device 21. In actual implementation other arrangements may be used, and this is not a limitation.
The information security rapid screening system comprises a status data collection module 3, a network threat analysis module 4 and an analysis data presentation module 5. In the first preferred embodiment, the status data collection module 3 is installed in the plurality of data collection sensors 22, and the network threat analysis module 4 and the analysis data presentation module 5 are installed in the rapid screening host 23, but this is not a limitation.
The status data collection module 3 includes a log recording component 31 connected to the computer device 21 and a traffic statistics component 32 connected to the computer device 21. The network threat analysis module 4 includes an intelligent analysis component 41 connected to the status data collection module 3, a threat intelligence acquisition component 42 connected to the intelligent analysis component 41 and storing threat intelligence data, and a data normalization component 43 connected to the status data collection module 3 and to the intelligent analysis component 41. The analysis data presentation module 5 includes an event notification component 51 connected to the network threat analysis module 4 and a data visualization component 52 connected to the network threat analysis module 4. The intelligent analysis component 41 has a log analysis unit 411 connected to the log recording component 31 and a traffic analysis unit 412 connected to the traffic statistics component 32.
The log analysis unit 411 analyzes the data stored in the log recording component 31 against the threat intelligence data to determine whether the computer device 21 has suffered an intrusion. For example, when the execution trace of a known virus has been recorded in the log recording component 31, the log analysis unit 411 can catch that virus and report the infection event through the analysis data presentation module 5.
An anomaly judgment parameter is set in the traffic analysis unit 412, which analyzes the data stored in the traffic statistics component 32 against that parameter to determine whether a process on the computer device 21 is operating abnormally. For example, when the computer device 21 is operating normally, the load on its hardware stays within a normal range, and so does the data it transmits externally. The traffic analysis unit 412 analyzes the normal ranges of the load and of the transmitted data of the computer device 21 and stores them as the anomaly judgment parameter; it then continuously analyzes the load and the transmitted data of the computer device 21, and when they exceed the anomaly judgment parameter, the event is reported through the analysis data presentation module 5.
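As an added illustration (not code from the patent or its applicant), the following Python sketch models the intelligent analysis component 41 described above: a log analysis unit that matches stored log records against threat intelligence indicators, and a traffic analysis unit whose anomaly judgment parameter is learned from a baseline of normal load and transmitted data. The rule used to derive that parameter (mean plus three standard deviations per metric) is an assumption of this example; the patent does not specify one. The threat intelligence data, log records and traffic samples are constructed for the example: the addresses are RFC 5737 documentation addresses and the hash is a dummy value.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed threat intelligence data, the kind of indicators the threat
# intelligence acquisition component 42 would hold. Placeholder values only:
# RFC 5737 documentation addresses and a dummy hash, not real indicators.
THREAT_INTEL = {
    "process_names": {"svch0st.exe", "cryptominer"},
    "file_hashes": {"deadbeef" * 8},
    "remote_addresses": {"198.51.100.23"},
}

# Constructed records as the log recording component 31 might store them.
LOG_RECORDS = [
    {"ts": "2024-01-01T08:00:00", "process": "explorer.exe", "hash": "11" * 32},
    {"ts": "2024-01-01T08:00:05", "process": "explorer.exe", "remote": "203.0.113.9"},
    {"ts": "2024-01-01T08:01:10", "process": "svch0st.exe", "hash": "deadbeef" * 8},
    {"ts": "2024-01-01T08:01:12", "process": "svch0st.exe", "remote": "198.51.100.23"},
]

# Constructed samples from the traffic statistics component 32: a baseline
# recorded while the device was healthy, then two live samples.
BASELINE = [
    {"ts": f"2024-01-01T07:{m:02d}:00", "cpu_pct": c, "tx_kbps": t}
    for m, (c, t) in enumerate(zip(
        [20, 22, 25, 23, 21, 24, 26, 22, 23, 24],
        [100, 120, 110, 130, 115, 125, 105, 135, 120, 140]))
]
LIVE = [
    {"ts": "2024-01-01T08:00:00", "cpu_pct": 24, "tx_kbps": 118},
    {"ts": "2024-01-01T08:01:15", "cpu_pct": 97, "tx_kbps": 9800},
]


@dataclass
class Finding:
    unit: str      # which unit raised it: "log" (411) or "traffic" (412)
    ts: str
    detail: str


def log_analysis_unit(records, intel):
    """Log analysis unit 411: match each stored record against the threat
    intelligence indicators; one Finding per indicator that matches."""
    findings = []
    for r in records:
        if r.get("process") in intel["process_names"]:
            findings.append(Finding("log", r["ts"], f"known malicious process name {r['process']}"))
        if r.get("hash") in intel["file_hashes"]:
            findings.append(Finding("log", r["ts"], f"file hash {r['hash'][:12]}... matches threat intel"))
        if r.get("remote") in intel["remote_addresses"]:
            findings.append(Finding("log", r["ts"], f"connection to known bad address {r['remote']}"))
    return findings


def learn_anomaly_parameter(baseline, k=3.0):
    """Derive the anomaly judgment parameter from the normal range: for each
    metric the upper bound is mean + k standard deviations of the baseline
    (assumed rule; the patent only says the normal range is stored)."""
    param = {}
    for metric in (m for m in baseline[0] if m != "ts"):
        values = [s[metric] for s in baseline]
        param[metric] = mean(values) + k * pstdev(values)
    return param


def traffic_analysis_unit(samples, param):
    """Traffic analysis unit 412: flag every live sample whose load or
    transmitted data exceeds the anomaly judgment parameter."""
    findings = []
    for s in samples:
        for metric, bound in param.items():
            if s[metric] > bound:
                findings.append(Finding("traffic", s["ts"],
                                        f"{metric}={s[metric]} exceeds normal bound {bound:.1f}"))
    return findings


def intelligent_analysis_component(records, intel, baseline, live):
    """Run both units; the combined list is the analysis result handed to the
    analysis data presentation module 5."""
    param = learn_anomaly_parameter(baseline)
    return log_analysis_unit(records, intel) + traffic_analysis_unit(live, param)


if __name__ == "__main__":
    for f in intelligent_analysis_component(LOG_RECORDS, THREAT_INTEL, BASELINE, LIVE):
        print(f"[{f.unit}] {f.ts} {f.detail}")
```

With the constructed data the log unit raises four findings (the process name and hash of the third record, the process name and remote address of the fourth) and the traffic unit two (both metrics of the second live sample), while the healthy live sample stays under the learned bounds.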
The threat intelligence acquisition component 42 maintains a connection with a threat intelligence platform 7 and updates the threat intelligence data from it. Preferably, the threat intelligence platform 7 is the virus signature database of the cybersecurity institute of the Institute for Information Industry (資策會資安所), which publishes known virus signatures, but it is not limited thereto. The threat intelligence acquisition component 42 can obtain the latest virus signatures from the threat intelligence platform 7, so that the computer device 21 is protected by the latest signatures.
The analysis data presentation module 5 is connected to the intelligent analysis component 41 and outputs its analysis result. The event notification component 51 outputs the analysis result of the intelligent analysis component 41 to the outside; for example, it can notify designated computers (including ordinary computers, mobile phones, tablets and so on) of the dangerous events identified by the intelligent analysis component 41, but it is not limited thereto. The data visualization component 52 outputs the analysis result of the intelligent analysis component 41 on a computer screen; it may present the result as text or numbers, or as charts, but it is not limited thereto.
It is worth mentioning that when the computer devices 21 of an enterprise require professional-grade anti-virus protection, the rapid screening host 23 equipped with the network threat analysis module 4 and the analysis data presentation module 5 can be deployed on the enterprise local area network, and each computer device 21 connected to that network is configured so that it has a data connection to the rapid screening host 23, with a data collection sensor 22 carrying the status data collection module 3 installed on it. Preferably, the data collection sensor 22 is a program on the computer device 21, and the parameters of the status data collection module 3 can be set so that it can obtain the logs and traffic of the computer device 21.
An enterprise uses different kinds of computer device 21, each producing logs and traffic in a different format, which the intelligent analysis component 41 cannot analyze directly. So that the intelligent analysis component 41 can monitor different computer devices 21 for viruses, a data normalization parameter matching the analysis characteristics of the intelligent analysis component 41 is set in the data normalization component 43, which converts the data stored in the status data collection module 3 of each computer device 21 into data the intelligent analysis component 41 can use. The intelligent analysis component 41 can thus analyze the logs and traffic of every computer device 21, so that a single rapid screening host 23 performs virus detection for a plurality of computer devices 21 and effectively prevents virus intrusion.
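The normalization step described above can be illustrated with the following added Python example, which is not part of the patent. A syslog-style firewall line and a JSON endpoint-agent record, both constructed here with RFC 5737 documentation addresses and made-up host and process names, are converted according to their device type into one common schema, so that a single indicator check runs over records from both devices. The field names, the two parsers and the table mapping device types to parsers stand in for the patent's data normalization parameter and are assumptions of this example.

```python
import json
import re
from datetime import datetime

# Constructed raw records from two kinds of computer device 21: a firewall's
# syslog-style line and an endpoint agent's JSON line. Addresses are RFC 5737
# documentation values; host and process names are made up for the example.
RAW_RECORDS = [
    ("firewall", "Jan  1 08:01:12 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=445"),
    ("endpoint", '{"TimeCreated": "2024-01-01T08:01:10", "Computer": "pc-17", '
                 '"Image": "C:\\\\Windows\\\\svch0st.exe", "DestinationIp": "198.51.100.23"}'),
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)


def parse_firewall(line, year=2024):
    """Syslog-style firewall line -> common schema. Syslog lines carry no
    year, so one is supplied (assumed 2024 for the constructed data)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised firewall line: {line!r}")
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    fields = dict(tok.split("=", 1) for tok in m["msg"].split() if "=" in tok)
    return {
        "ts": ts.isoformat(),
        "host": m["host"],
        "action": m["msg"].split(maxsplit=1)[0].lower(),   # e.g. "drop"
        "process": None,                                    # a firewall log names no process
        "remote": fields.get("SRC"),
    }


def parse_endpoint(line):
    """JSON endpoint-agent record -> common schema."""
    d = json.loads(line)
    image = d.get("Image", "")
    return {
        "ts": datetime.fromisoformat(d["TimeCreated"]).isoformat(),
        "host": d["Computer"],
        "action": "connect" if "DestinationIp" in d else "process_start",
        "process": image.replace("\\", "/").rsplit("/", 1)[-1] or None,   # basename of the image path
        "remote": d.get("DestinationIp"),
    }


# Stand-in for the data normalization parameter: which conversion applies to
# which device type. Supporting a new device type means adding an entry here,
# not changing the analysis component.
NORMALIZATION_PARAMETER = {"firewall": parse_firewall, "endpoint": parse_endpoint}


def data_normalization_component(raw_records, parameter=NORMALIZATION_PARAMETER):
    """Convert every (device_type, raw_line) pair into the common schema;
    a device type without a rule is reported rather than silently dropped."""
    normalized = []
    for device_type, line in raw_records:
        parser = parameter.get(device_type)
        if parser is None:
            raise ValueError(f"no normalization rule for device type {device_type!r}")
        normalized.append({"device_type": device_type, **parser(line)})
    return normalized


def hosts_contacting(normalized, address):
    """One analysis query that works whichever device produced the record,
    because every record now shares the same fields."""
    return sorted({r["host"] for r in normalized if r["remote"] == address})


if __name__ == "__main__":
    records = data_normalization_component(RAW_RECORDS)
    for r in records:
        print(r)
    print(hosts_contacting(records, "198.51.100.23"))
```

After normalization the firewall's dropped packet and the endpoint's outbound connection both carry the same `remote` field, so the query finds that both `fw1` and `pc-17` saw the same address, which neither raw format would have allowed without device-specific code in the analysis unit.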
In addition, because a separate rapid screening host 23 serves as the main virus detection host, the rapid screening system keeps operating normally even when the computer device 21 has crashed or has already been compromised by a virus, and it still alerts the relevant personnel, so the situation in which no alert can be raised is avoided. It can even block the network connection of the infected computer device 21 from the network management side, preventing loss of enterprise assets.
Referring to FIG. 4 and FIG. 5, a second preferred embodiment of the information security rapid screening system of the present invention is shown. The second preferred embodiment is substantially the same as the first, and the parts they share are not described again; the difference is that the rapid screening system further comprises a threat blocking module 6.
The threat blocking module 6 includes a blacklist recording component 61 connected to the analysis data presentation module 5, a device connection blocking component 62 connected to the blacklist recording component 61, and a process interruption component 63 connected to the analysis data presentation module 5.
The intelligent analysis component 41 records the source of an intrusion attack in the blacklist recording component 61 according to the analysis result; the device connection blocking component 62 blocks the computer device 21 from connecting with other devices according to the data stored in the blacklist recording component 61; and the process interruption component 63 terminates the abnormally operating process according to the analysis result of the traffic analysis unit 412. For example, when the traffic analysis unit 412 finds that an address keeps sending transmission requests to the computer device 21 that continually produce error codes, the intelligent analysis component 41 records that address in the blacklist recording component 61, and the device connection blocking component 62 writes the address into the firewall blacklist of every computer device 21, so that any network attack from that address is blocked at the network level. In addition, when the computer device 21 is infected, the process interruption component 63 forcibly closes the malicious process, restoring the hardware's working capacity by shutting the abnormal process down; furthermore, the threat intelligence acquisition component 42 may be used to upload the address to the threat intelligence platform 7.
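As an added Python example (not the patent's code) of the threat blocking module 6 described above: a blacklist recording component that lists an address once it has produced a set number of error responses within a time window, a device connection blocking component that turns the blacklist into per-device firewall rules (emitted as iptables command strings for the agents to apply, not executed here), and a process interruption component that decides which flagged processes may be force-closed. The traffic data, the threshold and window, the screening host's address and the set of protected process names are all assumptions of this example. The screening host is exempted from blacklisting and its agent from termination, in keeping with the host holding the highest privilege: a blocking action against its own control channel would blind the system.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SCREENING_HOST = "10.0.0.100"      # assumed address of the rapid screening host 23
ERROR_THRESHOLD = 10               # assumed: errors within WINDOW before an address is listed
WINDOW = timedelta(minutes=1)
PROTECTED_PROCESSES = {"screening-agent", "init", "systemd"}   # assumed names never force-closed

# Constructed per-request summaries as the traffic statistics component 32
# might provide: (timestamp, source address, response code). Addresses are
# RFC 5737 documentation values; 10.0.0.100 plays the screening host.
TRAFFIC = (
    [("2024-01-01T08:00:00", "203.0.113.9", 200),
     ("2024-01-01T08:00:01", "203.0.113.9", 404),
     ("2024-01-01T08:00:02", "203.0.113.9", 200)]
    + [(f"2024-01-01T08:01:{s:02d}", "198.51.100.23", 401) for s in range(12)]
    + [("2024-01-01T08:01:30", SCREENING_HOST, 500)] * 12
)


@dataclass
class BlacklistEntry:
    address: str
    reason: str
    first_seen: str
    last_seen: str
    error_count: int


def blacklist_recording_component(traffic, threshold=ERROR_THRESHOLD, window=WINDOW,
                                  exempt=(SCREENING_HOST,)):
    """List every source that produced `threshold` or more error responses
    inside one `window`. Exempt addresses (the screening host itself) are
    never listed, so the system cannot cut off its own control channel."""
    errors = defaultdict(list)
    for ts, src, code in traffic:
        if code >= 400 and src not in exempt:
            errors[src].append(datetime.fromisoformat(ts))
    entries = []
    for src, times in errors.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over sorted error times
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                entries.append(BlacklistEntry(
                    src, f"{j - i} error responses within {int(window.total_seconds())}s",
                    times[i].isoformat(), times[j - 1].isoformat(), j - i))
                break
    return entries


def device_connection_blocking_component(entries, devices):
    """Translate the blacklist into per-device firewall rules, returned as
    iptables command strings for the agent on each device 21 to apply."""
    return {
        dev: [f'iptables -I INPUT -s {e.address} -m comment --comment "rapid-screen blacklist" -j DROP'
              for e in entries]
        for dev in devices
    }


def process_interruption_component(process_table, abnormal_pids, protected=PROTECTED_PROCESSES):
    """Split the processes flagged as abnormal into those that may be
    force-closed and those skipped (unknown pid or a protected process)."""
    to_kill, skipped = [], []
    for pid in abnormal_pids:
        name = process_table.get(pid)
        (skipped if name is None or name in protected else to_kill).append(pid)
    return to_kill, skipped


if __name__ == "__main__":
    entries = blacklist_recording_component(TRAFFIC)
    for e in entries:
        print(f"blacklisted {e.address}: {e.reason} ({e.first_seen} .. {e.last_seen})")
    for dev, rules in device_connection_blocking_component(entries, ["pc-17", "fw1"]).items():
        print(dev, rules)
    print(process_interruption_component(
        {101: "explorer.exe", 202: "svch0st.exe", 303: "screening-agent"}, [202, 303, 999]))
```

With the constructed traffic, only 198.51.100.23 is listed (twelve 401 responses in eleven seconds); 203.0.113.9 produced a single 404 and stays off the list, and the screening host's own errors are ignored. Keeping first and last seen times on each entry gives the event notification component something concrete to report and lets an operator judge later whether the entry should expire.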
Preferably, the threat blocking module 6 is installed in the rapid screening host 23, and permissions are configured on the computer device 21 so that the threat blocking module 6 can transmit data to and control the computer device 21. In addition, the rapid screening host 23 holds the highest privilege and forbids the connected computer devices 21 from accessing or configuring it, which effectively prevents the rapid screening system itself from being infected by a virus.
From the above description it can be seen that the information security rapid screening system of the present invention indeed has the following effects:
1. Analysis of abnormal traffic: the traffic analysis unit 412 analyzes the normal ranges of the load and the transmitted data of the computer device 21 and stores them as the anomaly judgment parameter, so that it can continuously analyze the load and the transmitted data of the computer device 21 and thereby identify abnormal outbound traffic from the computer device 21.
2. Blocking of abnormal processes: the intelligent analysis component 41 records the source of an intrusion attack in the blacklist recording component 61 according to the analysis result; the device connection blocking component 62 blocks the computer device 21 from connecting with other devices according to the data stored in the blacklist recording component 61; and the process interruption component 63 blocks the abnormally operating process on the computer device 21 according to the analysis result of the traffic analysis unit 412.
3. Immediate alerting: the rapid screening system places virus detection on a separate rapid screening host 23, so that when the computer device 21 has been compromised by a virus and becomes slow or crashes as a result, the rapid screening system on the rapid screening host 23 still operates normally and alerts the relevant personnel, avoiding the situation in which no alert can be raised.
In summary, because the rapid screening system is installed independently on a rapid screening host 23, deployment in an enterprise is very convenient: a computer device 21 needs only simple configuration to connect to the rapid screening host 23 and be well protected. Moreover, when the computer device 21 behaves abnormally, the rapid screening system can detect this and block it immediately, which not only prevents losses to the enterprise but also notifies the relevant devices and personnel promptly and reliably, so the object of the present invention is indeed achieved.
However, the foregoing are merely two preferred embodiments of the present invention and should not be taken to limit its scope of implementation; all simple equivalent changes and modifications made in accordance with the claims and the description of the invention remain within the scope covered by this patent.
Reference numerals:
- 21: computer device
- 22: data collection sensor
- 23: rapid screening host
- 24: user end
- 3: status data collection module
- 31: log recording component
- 32: traffic statistics component
- 4: network threat analysis module
- 41: intelligent analysis component
- 411: log analysis unit
- 412: traffic analysis unit
- 42: threat intelligence acquisition component
- 43: data normalization component
- 5: analysis data presentation module
- 51: event notification component
- 52: data visualization component
- 6: threat blocking module
- 61: blacklist recording component
- 62: device connection blocking component
- 63: process interruption component
- 7: threat intelligence platform
Brief description of the drawings:
- FIG. 1 is a schematic diagram of the system arrangement of a first preferred embodiment of the information security rapid screening system of the present invention, illustrating how the rapid screening system is deployed;
- FIG. 2 is a schematic diagram of the functional modules, illustrating the arrangement of the functional modules of the rapid screening system in the first preferred embodiment;
- FIG. 3 is a schematic diagram of the functional components, illustrating the arrangement of an intelligent analysis component of the rapid screening system in the first preferred embodiment;
- FIG. 4 is a schematic diagram of the functional modules of a second preferred embodiment of the information security rapid screening system of the present invention, illustrating how the rapid screening system is deployed; and
- FIG. 5 is a schematic diagram of the functional components, illustrating the arrangement of a threat blocking module of the rapid screening system in the second preferred embodiment.
Claims (5)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW112140919A TWI881506B (en) | 2023-10-25 | 2023-10-25 | Information security rapid screening system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TWI881506B true TWI881506B (en) | 2025-04-21 |
| TW202518292A TW202518292A (en) | 2025-05-01 |
Family
ID=96141874
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TW202009767A (en) * | 2018-08-28 | 2020-03-01 | 中華電信股份有限公司 | Gateway apparatus, detecting method of malicious domain and hacked host, and non-transitory computer readable medium thereof |
| US20210192057A1 (en) * | 2019-12-24 | 2021-06-24 | Sixgill Ltd. | Information security risk management |
| TWM632159U (en) * | 2022-04-08 | 2022-09-21 | 彰化商業銀行股份有限公司 | System for performing tasks according to recorded analysis results to realize device joint defense |