Abstract
Objective: As data centers, computing centers and network centers for traditional Chinese medicine (TCM) are being interconnected nationwide, the network security of TCM information systems has become a key issue. The Beijing TCM Big Data Innovation Laboratory combined the characteristics of TCM hospitals with TCM thinking to build a network and information security defense system for TCM, maintain the mechanism for TCM data security assets, and safeguard smart-hospital development and TCM information network security work. Methods: This study collected 39921 attack records suffered by a Grade III, Class A TCM hospital during the epidemic period from September 7, 2021 to March 7, 2022, and analyzed the attack characteristics and risk characteristics of that hospital. A multi-level APT attack defense model was built by combining the "treating disease before it arises" approach of the TCM classic Huangdi Neijing ("prevent disease before it occurs, and prevent its progression once it has") with TCM diagnostic and treatment principles such as "when healthy qi is preserved within, pathogenic factors cannot invade". 4725 attack records suffered by the same hospital during the Winter Olympics period, from January 28, 2022 to February 27, 2022, were collected as experimental data to run the experiment and validate the model. Results: The first layer (probing/detection layer) blocked 3953 attacks, 84% of the total attack volume, and let 771 through to the second layer. The second layer (intrusion layer) blocked 708 attacks, 92% of the attacks let through by the previous layer, and let 63 through to the third layer. The third layer (latent layer) blocked 41 attacks, 65% of the attacks let through by the previous layer, and let 22 through to the fourth layer. The fourth layer (exit layer) blocked 22 attacks and let 0 through. These 22 attacks were all found to come from the hospital's internal systems and security devices. All attacks were identified and blocked. Conclusion: The multi-level APT protection model established in this study was validated as effective. Its advantages are that it builds threat intelligence from multi-dimensional security devices to raise the defensive detection rate and reduce false positives, is more sensitive to external attacks, locates threats more precisely, and responds and remediates more promptly, providing support for the construction and management of TCM informatization.
Authors
Pang Zhen (庞震)
Yan Xianliang (闫贤良)
Li Qiuyan (李秋艳)
Xiyuan Hospital of CACMS, Beijing 100091, China; China Institute of Arts Science & Technology, Beijing 100053, China
Source
Modernization of Traditional Chinese Medicine and Materia Medica-World Science and Technology (《世界科学技术-中医药现代化》)
CSCD
Peking University Core Journals (北大核心)
2023, Issue 2, pp. 491-501 (11 pages)
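Funding
Project commissioned by the Beijing Administration of Traditional Chinese Medicine (04—141): Compilation of the Beijing TCM Oncology Yearbook - Malignant Tumor Data Governance and Big Data Analysis; principal investigator: Liu Jian (刘剑)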