Abstract
Many large enterprises' network and information systems currently lack adequate security audit capability and cannot detect and trace auditable events effectively. This paper presents the overall technical architecture and key technologies of the information system behavior audit system of State Grid Corporation. The system uses a unified agent with source-specific plug-ins to integrate many kinds of log sources, so that logs from heterogeneous systems are collected uniformly and managed centrally. From these logs it builds entity profiles along four dimensions: personnel, devices, files and application systems. Dynamic behavior baselines and thresholds for each entity are derived with machine learning algorithms, and anomalous user behavior is detected by analysing how current operations deviate from that baseline. For event reconstruction and forensics, the system records the user's desktop operations end to end and analyses the recording against rules. The behavior audit system has been deployed at State Grid Corporation headquarters and in 27 provincial and municipal companies, where it supports the company's overall security situation analysis and information system security governance, makes the auditing of enterprise business operations controllable, controlled and under control, and raises the security management level of its information systems.
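The baseline-and-deviation detection the abstract describes, as an added example that is not the paper's or State Grid's code: two constructed log sources in made-up formats are normalized by source-specific parsers (the role the abstract gives to plug-ins) into one event schema, daily totals are built for each (user, action) pair, and the day under review is scored against a mean-plus-k-standard-deviations threshold computed from that entity's earlier days. The log formats, the user and host names, the threshold rule (k = 3 with a floor on the standard deviation) and the per-day magnitude metric are all assumptions of this example; the paper does not specify its algorithm or its learning method.

```python
"""Added example: per-entity behavior baseline and deviation detection over
constructed audit logs. Not the paper's code; formats and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import math
import re

# Constructed sample logs from two hypothetical sources. The formats are made up
# for this example; a real deployment would have one plug-in per source system.
APP_LOG = """\
2021-03-01T09:12:03 app=erp user=alice action=export_report rows=120
2021-03-02T09:05:44 app=erp user=alice action=export_report rows=100
2021-03-03T10:30:11 app=erp user=alice action=export_report rows=110
2021-03-04T09:48:27 app=erp user=alice action=export_report rows=130
2021-03-05T08:31:09 app=erp user=alice action=login
2021-03-05T08:33:52 app=erp user=alice action=export_report rows=5000
corrupt line left by a log rotation
"""
AGENT_LOG = """\
2021-03-01 09:40:02 host=PC-0412 user=bob op=usb_copy file=q1.xlsx
2021-03-03 14:02:18 host=PC-0412 user=bob op=usb_copy file=q1-final.xlsx
2021-03-04 16:55:40 host=PC-0412 user=bob op=usb_copy file=notes.docx
2021-03-05 09:10:07 host=PC-0412 user=bob op=usb_copy file=q2.xlsx
2021-03-05 17:21:33 host=PC-0412 user=bob op=usb_copy file=q2-draft.xlsx
"""


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped into (the unified-collection step)."""
    day: date
    entity: str       # the person dimension of the profile: a user identity
    action: str       # source-qualified action name
    magnitude: float  # how much happened: rows exported, 1 per USB copy, ...


APP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ app=(\S+) user=(\S+) action=(\S+)(?: rows=(\d+))?$")
AGENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ host=(\S+) user=(\S+) op=(\S+)")


def parse_app_line(line):
    m = APP_RE.match(line)
    if m is None:
        return None
    day, app, user, action, rows = m.groups()
    return Event(date.fromisoformat(day), user, f"{app}:{action}", float(rows) if rows else 1.0)


def parse_agent_line(line):
    m = AGENT_RE.match(line)
    if m is None:
        return None
    day, _host, user, op = m.groups()
    return Event(date.fromisoformat(day), user, f"desktop:{op}", 1.0)


PARSERS = {"app": parse_app_line, "agent": parse_agent_line}


def collect(sources):
    """Run each source's parser over its text. Returns (events, count of unparseable lines)."""
    events, dropped = [], 0
    for name, text in sources.items():
        for line in text.splitlines():
            if not line.strip():
                continue
            ev = PARSERS[name](line)
            if ev is None:
                dropped += 1  # a real collector should alert on parser failures as well
            else:
                events.append(ev)
    return events, dropped


def daily_series(events):
    """{(entity, action): {day: total magnitude}} over every observed day, zero-filled
    so that a user's quiet days count as zeros in that user's baseline."""
    days = sorted({e.day for e in events})
    totals = defaultdict(lambda: defaultdict(float))
    for e in events:
        totals[(e.entity, e.action)][e.day] += e.magnitude
    return {key: {d: per_day.get(d, 0.0) for d in days} for key, per_day in totals.items()}


def baseline(values, min_std=1.0):
    """Mean and floored population standard deviation of a history of daily totals."""
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / len(values)
    return mean, max(math.sqrt(var), min_std)


def detect(events, score_day, k=3.0, min_std=1.0):
    """Flag each (entity, action) whose total on score_day exceeds mean + k*std of the
    days before it; the threshold follows each user's own history, not a global constant."""
    if isinstance(score_day, str):
        score_day = date.fromisoformat(score_day)
    alerts = []
    for (entity, action), series in daily_series(events).items():
        history = [v for d, v in series.items() if d < score_day]
        if not history:
            continue
        mean, std = baseline(history, min_std)
        observed = series.get(score_day, 0.0)
        threshold = mean + k * std
        if observed > threshold:
            alerts.append({"entity": entity, "action": action, "observed": observed,
                           "threshold": round(threshold, 2), "z": round((observed - mean) / std, 1)})
    return alerts
```

Running `detect(collect({"app": APP_LOG, "agent": AGENT_LOG})[0], "2021-03-05")` flags alice's 5000-row export against a threshold near 149 and leaves bob's two USB copies alone. The floor on the standard deviation is what keeps a flat history from producing an alert on the first occurrence of a new action (alice's single login on the last day scores below the threshold of 3); whether that is the desired behavior is a tuning decision for the audit team, as is the window length, which here is every prior day rather than the rolling window a production baseline would use. Extending the key from (user, action) to the device and file dimensions the abstract names is a matter of adding fields to the schema and the grouping key.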
Authors
GUO Jing (郭晶), HE Liang (何亮), WANG Hong (王宏), WANG Yong (王勇) (Aostar Information Technologies Co., Ltd., Chengdu, Sichuan Province, 610041, China)
Source
Science & Technology Information (《科技资讯》), 2021, No. 12, pp. 17-20 (4 pages)
Keywords
Electric power information
Behavior audit
Security audit
Large enterprise