cybersecurity

Qingrong Zhu

PaRR Special Report•Article 5

China needs universal cyberspace legislative framework to align with US and EU

•The ultimate goal of US internet governance is freedom
•EU gives personal data same weight as personal dignity
•China will strengthen data localization in future data protection laws


China needs to create a universal legislative framework and standards governing cyberspace to align with other jurisdictions including the US and the European Union (EU), said Liu Jinrui, an associate researcher at the Institute of Law of the China Law Society.

Liu acts as an informal adviser to lawmakers in relation to cybersecurity related rule making processes in China, and made the remarks at a legal conference held in Beijing recently.

Liu said that, as an originator of the internet, the US has taken the lead in internet regulation and engaged in promoting internet freedom and deregulation.

"Countries who follow in the steps of US with advanced technological development also prefer unregulated internet communications," said Liu.

However, today internet rule making is no longer dominated by one country, according to Liu.

The PRISM scandal was a watershed, Liu said, referring to disclosure of the covert surveillance program that allowed the US National Security Agency (NSA) to collect data from various internet giants.

In the wake of that scandal, the US ceded control over the Internet Corporation for Assigned Names and Numbers (ICANN), an organization responsible for the control of domain names, and transitioned the functions of the organization to the global multi-stakeholder community, Xu Ke, the executive director of the Digital Economy and Law Innovation Research Center at the University of International Business and Economics, said at the same panel. 

According to Liu, the ultimate goal of US internet governance is freedom. Restriction of the free flow of data is considered as restricting the free market and even freedom of speech and expression. In the EU, information and personal data have been given the same weight as personal dignity. "It became a human rights issue," said Liu. 

In China, data localisation, as well as the security assessment of outbound data transfers specified in Article 37 of China's Cybersecurity Law (CSL), are measures adopted to ensure national security. However, "it is confusing to place the protection of personal rights and the safety measures for national security under one law," Liu added.

Facing the rise of big data, the EU has tightened its restrictions, whereas the US has loosened its grip, Liu said. "China shall make a judgment on its regulatory direction and opt for its preferred legislative model," he said. 

Xu said that data localisation was likely to become embroiled in a global "tit-for-tat" contest.

"China, US and the EU are engaged in a global contest to expand their authority in data regulation," Xu said.

Although China prefers the approach of adopting a multilateral mechanism and the participation of multi-stakeholders in global internet regulation, "China will seek to further strengthen data localization in its future data protection laws," Xu added.

by Qingrong Zhu in Beijing

* This article was included in the PaRR's Special Report: Cybersecurity & Data Privacy published on 29 August 2019. 

Qingrong Zhu

PaRR Special Report•Article 4

China's proposed cross-border data transfer rules to be 'substantially revised' after US trade negotiations

•China tightens grip on data flows as US lifts restrictions
•Trade talk aims at principle issues including data flows

The second draft of China's Information Security Technology–Guidelines for Data Cross-Border Transfer Security Assessment (the 'draft guidelines') will be "substantially revised or even completely abolished" as a foreseeable outcome of the China-US trade negotiations, according to a person familiar with the matter and a Beijing-based senior lawyer engaged in data compliance. 

The draft guidelines were designed to instruct network operators and relevant authorities to assess the purposes and security risks before an outbound transfer of personal and important data. Based on the second draft, network operators are required to ensure the legality, legitimacy and necessity of data transfer, as well as to minimize the risks of leakage, destruction, manipulation, or abuse of data after outbound transfer. 

The drafting process commenced at the beginning of 2017. The first draft was released on 27 May of the same year to solicit public opinions. Three months later, the second draft was released on 25 August for a second comment period. However, no substantial progress on the draft guidelines has been achieved since that time.

According to the person familiar with the matter, the current pause in the process of finalizing of the draft guidelines is due to the uncertainty in the ongoing trade negotiations between China and the US.

While China is tightening its grip on cross-border data transfers with security assessment demands, the US is lifting restrictions to promote free cross-border data flows, said the person familiar with the matter, referring to the United States-Mexico-Canada Agreement (USMCA) which discourages data localization and data flow restrictions with strong language.

The USMCA does not allow for prohibitions or restrictions on cross-border transfers of data including personal information (Article 19.11), or stipulating the location of computing facilities (i.e., computer servers) in a territory for business operation (Article 19.12), said the person familiar with the matter, adding that these requirements run contrary to China's approach to data regulation. 

The person familiar with the matter said the divergence between China and the US on cross-border data transfer is one of the "important issues of principle," referring to a statement made by China's Vice Premier Liu He on 11 May. At the time, Liu said: "While cooperation is the only right choice for China and the US, Beijing will not yield on important issues of principle".

The real purpose behind the trade talks is to negotiate principles issues, Wang Xinkui, chairman of Shanghai WTO Affairs Consultation Centre, said during a digital economy and trade seminar at Shanghai Academy of Science recently.

Speaking to members of international organizations and global experts, Wang said that the current debate on tariffs is "a means but not (an) end." China's restrictions on the free flow of business data and the location of computing facilities, as well as its requirements for safety assessments, are born out of the necessity of China's development and public policy, Wang said, adding that these restrictions are relevant to the topic of foreign access to China's cloud computing markets, which will be discussed in future negotiations.

In addition, the person familiar with the matter said that personal data and important data will be treated differently; while regulations on personal information will be aligned with international practices, important data will fall into a distinct category in which Chinese regulators will insist on sovereignty. 

The Cyberspace Administration of China (CAC) declined to comment.

by Qingrong Zhu in Beijing

* This article was included in the PaRR's Special Report: Cybersecurity & Data Privacy published on 29 August 2019. 

Qingrong Zhu

PaRR Special Report•Article 3

China's proposed digital content labelling requirements spark industry concerns

•Terms such as 'targeted push notification' and 'synthesis' may spook users
•Internet firms fear effect on user experience, compliance cost, global strategy

The labelling requirements included in China's draft Data Security Administrative Measures could potentially affect Chinese internet companies in terms of user experience, compliance costs and global strategy, a number of industry representatives and government advisors said during the Cybersecurity Law Two Year Anniversary and Frontier Legal Issues Seminar in Suzhou recently.

The annual seminar, jointly hosted by the Information Security Law Research Center of Xi'an Jiaotong University and the Network Security Law Research Center of the Third Institute under the Ministry of Public Security (MPS), brings together regulatory and public security authorities, as well as representatives from industry and government think tanks to discuss regulatory and technical developments regarding network security. 

The draft Data Security Administrative Measures, which are tailored to securing personal information and important data, were released on 28 May to solicit public comment until 28 June.

The proposed measures have three articles stipulating content labelling, including the requirement to attach "targeted push notification" on news information and commercial advertisements gleaned through the utilization of user data and algorithms (Article 23); to label "synthesis" on information such as news pieces, blog posts, posts and comments that are automatically generated by technologies including Big Data and artificial intelligence (Article 24); and to identify the content creator's account information or unalterable user identification on the original posts when allowing other users to share the pieces (Article 25). 

Labelling "targeted push notification" and "synthesis" on information may cause panic among domestic and foreign consumers, said Gu Wei, deputy director of Law Research Center at the legal department of the Alibaba group. 

Applying content labelling on apps not only disrupts consumers' user experience, it will give rise to fear for surveillance for foreign users, said Gu.

According to Gu, under the circumstances, internet enterprises will likely launch two versions of an app for domestic and international markets respectively; however, it will be extremely challenging to ensure lawful communication and information integration between the two markets.

If China's data security legislation does not align with international practices, it will bring enormous challenges to Chinese enterprises who want to expand into international markets, Gu added.

In addition, the terms "targeted push notification" and "synthesis" are technical jargon that ordinary users may not understand, said Tan Xiaosheng, who was the vice president and chief security officer of Qihoo360, China's internet security giant, before founding his own firm, Beijing Cyber Hero.

Under Article 25, internet enterprises will face technical and financial costs of overhauling their systems, including the adjustment of interface and format of database in order to ensure the creator's identity can be found on the social media post, said Li Xinyou. Li is the chief engineer of the State Information Center, which is affiliated to China's National Development and Reform Commission (NDRC).

Although the labelling requirement will help track the origin of information and stop disinformation, thus lessening network operators' legal risk, practical issues such as compliance costs and user experience should also be taken into account, Li said.

Article 25 set off heated debate among corporate counsel at a recent meeting hosted by the National Information Security Standardization Technical Committee (TC260), Li said, adding that a specification for social network labels will be formulated in the near future.

Labelling is a legal or administrative method to regulate content; however, the regulatory scope of data security under the draft is too broad and inclusive, said Hui Zhibin, director of Internet Research Center at Shanghai Academy of Social Science.

In addition, Hui emphasized the importance of including feedback on the draft from the foreign side, adding that regulation of multinationals needs to be "flexible and pragmatic" and take a long-term perspective.

by Qingrong Zhu in Beijing

* This article was included in the PaRR's Special Report: Cybersecurity & Data Privacy published on 29 August 2019. 

Qingrong Zhu

PaRR Special Report•Article 2

China's data security rules raise worries on privacy of correspondence

•Latest amendments ensure privacy and safety of correspondence
•Article 25 may violate constitutional rights and Legislation Law
•Increasing compliance duties harm small- and mid-sized companies

Draft Data Security Administrative Measures ('draft measures'), released on 28 May by the Cyberspace Administration of China (CAC) for a month-long public comment period, have raised concerns over infringement of freedom and privacy of correspondence protected in China's Constitution, a number of academics said during a data legal governance event hosted in Beijing recently. 

As departmental rules, the draft measures should adhere to the Constitution and the Legislation Law and be in line with other domestic laws, in order to ensure their legality, said a law professor.

However, once in effect, Article 25 of the draft measures could jeopardize citizens' freedom and privacy of correspondence protected by Article 40 of the Constitution, said a second law professor.

Article 25 calls for network operators to take measures not simply to remind users to be responsible for their online activities and strengthen self-discipline, but also to include the information releaser's account details or permanent user identification within the original information for other users to share the items. There is no exclusion, moreover, for private communications on social media from the application scenarios within the Article.

Attaching warning notices within private conversations on social media could spark controversy over surveillance of correspondence, said the second law professor, highlighting that the Constitution allows only public security or prosecution authorities such surveillance powers under the law, to adopt procedures to investigate communications for the purposes of national security or criminal investigation. 

Violating the constitutional rights of freedom of correspondence will make Chinese tech companies easily fall prey to foreign regulators and hamper their overseas markets, echoed the first professor, adding that the labelling requirement was initially designed to prevent defamation, especially on messaging and social media apps.

In addition, the provision could result in reduction of dataflows, which will have a far-reaching influence on the development and prosperity of the internet industry, the first professor added.

Article 25 lacks clarity on the liability for sharing misinformation; it is unclear whether the users who share items will bear the same responsibility as the originator, said a researcher at a government think tank. According to the researcher, the labelling requirement could become an additional burden for tech companies in relation to content regulation, such as blocking accounts that posted illegal information.

The first professor told the seminar that the CAC is aware of the concerns over privacy of correspondence. He said as far as he knew the latest amended version of Article 25 stipulates social network operators need to take measures to "ensure the privacy and safety of individuals' correspondence", and "automatically attach the user's account identification to the original or initial information of the user post in public on social media."

The second professor expressed further concern over the "information identification" requirement in the recommended national standard 'Information security technology – Specification for the management of information identification on social networking platform' ('Specification'), which was released on 1 February this year by the National Information Security Standardization Technical Committee (TC260) for public consultation until 18 March.

Article 5.1 of the Specification calls for social network platforms to generate a unique identification containing details including user code, information code, and publication time for information that users post on the platforms. This requirement will impair citizens' rights and expand the scope of platforms' duties, which is prohibited by Article 80 of the Legislation Law, the second professor said. Article 80 stipulates that without a legal basis in laws, administrative regulations, or decisions or orders issued by the State Council, a departmental regulation must not impair the rights or expand the duties of any citizen, legal person, or organization.

Although Article 25 was designed to tackle defamation on messaging and social network apps, the necessity of addressing the issue with a regulatory provision remains questionable, a legal counsel from a tech giant said.

Since the draft measures apply to all network operators, the increased compliance duties will bring unintended consequences for the internet industry, especially for the development of small- and mid-sized companies, said a third law professor.

by Qingrong Zhu in Beijing

* This article was included in the PaRR's Special Report: Cybersecurity & Data Privacy published on 29 August 2019. 

Qingrong Zhu

PaRR Special Report•Article 1

China trade associations encouraged to take role in personal information protection legislation, says CAC official

•Scope of personal information important to achieve balance in legislation
•User consent requirement to be lifted in cases of missing children, news reports
•Handling of indirect identifiable information still a matter of debate

Trade associations should take a more active role in helping legislators identify exceptional situations in terms of personal information protection while ensuring companies comply with relevant laws and rules, according to Li Min, deputy director of the legal affairs division of the Bureau of Policy and Regulations under the Cyberspace Administration of China (CAC).

Li made the comments at a 'Personal Information Protection' sub-conference during the three-day 2019 China Internet Conference hosted by the Internet Society of China in Beijing recently. The conference brought together members of the Internet Society of China, the Ministry of Industry and Information Technology, the Communications Administration of Hebei province, as well as representatives from internet enterprises.

According to Li, defining the scope of 'personal information' is the prime task of China's legislation covering personal information protection, which is among the legislative agenda items to be taken up by the Standing Committee of the 13th National People's Congress in the current term. It has yet to be decided whether the new law will adopt the existing definition under the supplementary Article 76 (5) of the Cybersecurity Law (CSL), or seek to refine and amend the term, Li added.

Under Article 76 (5) of the CSL, personal information refers to all types of information recorded in electronic or other forms that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to information such as the full name, birth date, national identification number, personal biometric information, address, and telephone number of a natural person.

A broad definition of the term containing more regulatory subjects will result in strict regulation, whereas a narrow scope of the term will lead to a more tolerant approach in policy making, said Li, highlighting that the relevant legislation needs to tackle both the protection of personal information while leaving certain space for companies to develop.

Identifiable information

Personal information, also known as 'personal data' or 'privacy', generally refers to the information that can directly or indirectly identify an individual, said Li.

While directly identifiable information such as names and national identification numbers can be immediately associated with a specific person, indirect identifiable information alone is insufficient to identify an individual, said Li.

However, whether indirectly identifiable information falls into the category of personal information is a matter of some debate. Li gave location information collected by apps as a real-life example. He said an individual who regularly visits a governmental building during office hours is likely to be identified as a government employee.

Defining scope

According to Li, existing opinions regarding the scope of personal information generally fall into three categories. The opinion reflecting a broad view calls for equal protection for both directly and indirectly identifiable information, whereas the contrary view suggests excluding the indirectly identifiable information from the scope of personal information, Li said.

The moderate opinion suggests that the indirectly identifiable information, in combination with other pieces of information, can be deemed as personal information. 

"We need to draw an appropriate scope to keep a balance between development and regulation," Li said.

Exemptions, special cases

Li told the conference that legislation on personal information protection should provide exemptions to allow industry development. Obtaining user consent prior to collecting personal information becomes questionable under special circumstances, for example, the information collected through open source channels, search for missing children, as well as news reports, said Li.

"It is unfeasible to adopt a sweeping approach in personal information protection," said Li, adding that classification and grading of personal information can be helpful in applying different rules to special cases.

According to Li, sensitive personal information including genetic data and health records deserves the strictest protection, whereas juveniles should receive a different level of protection from adults. How much power government agencies should be given to collect and use personal information is an issue that needs further discussion, Li said.

by Qingrong Zhu in Beijing

* This article was included in the PaRR's Special Report: Cybersecurity & Data Privacy published on 29 August 2019. 

Qingrong Zhu

PaRR Article List


27 March 2019
China expects to release two detailed cybersecurity-related regulations this year

01 April 2019
China's personal information security standard to touch algorithm-related issues with three new amendments

08 April 2019
Defining 'important data' to be hot-button issue in WTO negotiations, says China expert

09 April 2019
China government-backed think tank predicts three new data regulatory trends

10 April 2019
China needs universal cyberspace legislative framework to align with US and EU
•see full text

23 April 2019
China seen broadening, deepening cybersecurity enforcement

02 May 2019
China's data security facing technical and regulatory challenges

07 May 2019
China's final amended version of personal information specification to include 'privacy by design' provision

14 May 2019
China's cybersecurity regulatory approaches shift to 'threat perception,' says government advisor

17 May 2019
China to expand cybersecurity classified protection scheme with new standards, say regulators

24 May 2019
China's ride-hailing platforms face regulatory challenges in handing over operational data

24 May 2019
Big Data in China to be regulated independently from new classified protection standards, says MPS official

27 May 2019
China's internet companies seek data laws focused on legitimate use of data

28 May 2019
China's MPS evolving into full-fledged CSL enforcer with three instruments, government advisor says 

30 May 2019
China's proposed cross-border data transfer rules to be 'substantially revised' after US trade negotiations
•see full text

05 June 2019
China's data security measures address defamation and important data, says official 

10 June 2019
China's proposed digital content labelling requirements sparks industry concerns
•see full text

14 June 2019
China's proposed personal information outbound transfer rules include employee data

25 June 2019
China's new data security measures aim to restrict government access to corporate data, says drafter

28 June 2019
China's draft protection rules for children's data may lead to excessive information collection

05 July 2019
China's data security rules raise worries on privacy of correspondence
•see full text

12 July 2019
28 Chinese companies sign 'self-discipline convention' on handling of personal data - China Internet Conference

12 July 2019
China's MIIT to boost protection of personal information from four perspectives, official says 

17 July 2019
China trade associations encouraged to take role in personal information protection legislation, says CAC official
•see full text

18 July 2019
China's CAC drafts outbound important data transfer assessment rules, says official–CNCERT Guangzhou

20 July 2019
China's MPS to map safety of critical, personal and big data, says official–CNCERT Guangzhou

24 July 2019
China's online lending apps blamed for illegal use of user contacts, complaints office says

31 July 2019
China's cybersecurity regulators push for information sharing to combat cybercrimes–CSS Beijing

12 August 2019
Data localization provides 'low-cost' means to comply with China's cross-border data transfer rules

16 August 2019
China to draft regulatory standards to control personal data harvesting 

20 August 2019
CAC official cautions on scope of critical information infrastructure–ISC 2019 Beijing

23 August 2019
China to apply 'boundaries' concept to protect core business of CII-designated entities - ISC 2019 Beijing

29 August 2019
China's digital ad industry under threat from new data privacy rules - DPO Salon Beijing

31 August 2019
China follows GDPR with new data privacy rules for apps - DPO Salon Beijing

17 September 2019
China's special work group identified around 200 'problematic' Apps this year - Tianjin Cybersecurity Week

17 September 2019
CAC official urges app developers to be disciplined, coordinated - Tianjin Cybersecurity Week 

18 September 2019
Asian nations adopt varying positions on EU GDPR adequacy decisions–regulators

18 September 2019
China app working group receives over 9,000 complaints - Tianjin Cybersecurity Week 

18 September 2019
China's privacy rules for minors allows that guardian consent need not be explicit - analysis

20 September 2019
China launches pilot project for voluntary app security certification–Tianjin Cybersecurity Week 

24 September 2019
China forum sounds note of caution on data collection tool - Asia Corporate Counsel Summit  

25 October 2019
China police 'Clean Net' campaign scrutinizes foreign, domestic firms' online content - analysis 

25 October 2019
China tightens regulation on facial recognition in revised personal information standard - DPO Salon

28 October 2019
China's working group on mobile apps to automatically monitor using five 'indicators' - TC260 Chongqing

29 October 2019
China to distinguish explicit, implicit consent in data privacy rules - TC260 Chongqing 

30 October 2019
China to relax controls on means of identifying content delivered by 'targeted push' tools - TC260 Chongqing

31 October 2019
China's new privacy rules for apps raise concerns on repeated permission requests in browsing mode

08 November 2019
China to conduct national security review on CII-related commercial code products

21 November 2019
China's personal financial data rules to adversely affect Big Data players, third party service providers 

26 November 2019
China leans toward expanding 'right to access' in data legislation–Internet Law Conference

28 November 2019
China's central bank targets cross-border data with new privacy rules

05 December 2019
China's Central Bank proposes 24-hour data breach notification

09 December 2019
China's existing antitrust framework can handle digital economy, SAMR official says
* co-written work

12 December 2019
China needs to align data security rules with EU and US –Renmin University forum

13 December 2019
China faces twin challenges in cybersecurity governance, MPS official says

19 December 2019
China's 'Clean Net' campaign aims at cybercrime-related service providers, says official 

24 December 2019
China's cyber legislation tackling new developments including 'deepfake', says CAC official 

06 January 2020
Hong Kong data privacy office endeavors to 'directly' regulate data processors, top official says 

06 January 2020
China's definition of personal data rights in draft Civil Code may clash with pending law 

08 January 2020
China think tank deputy director predicts 'data lineage' to become key trend for data governance 

17 January 2020
China's criminal penalties for privacy violation insufficient to serve as deterrent


[to be continued]


碳基体

Data mining for security at Google —— Max Poletto

Notes, with my own annotations, on the slides presented by Max Poletto, head of Google's Security Monitoring Tools group, in the Fall 2014 Stanford online course Data Mining for Cyber Security (CS259D).


I. Background

1. Common security applications of data mining at Google

(1) Account hijacking detection

(2) Ad click fraud detection

(3) DoS detection

(4) Intrusion detection


Annotation: more security application scenarios can be found at http://danqingdani.blog.163.com/blog/static/18609419520150270592208/



2. The main work of security analysis

(1) Monitoring:

Proactive, continuous discovery of intrusions, unauthorized operations, database dumps and the like


(2) Analysis:

Passive, event-driven, human-led production of threat intelligence and incident investigation


Annotation: judging from the presentation, Google's security work, like that of other domestic companies, is reactive security driven by attack incidents


II. Monitoring

1. Monitoring flowchart

2. Lessons learned

a. Cost of a false negative: the cost of the damage done

b. Cost of a false positive: the cost of security analysts' time

c. Alerts must be useful (annotation: the biggest problem with current IDS/SIEM products is that they generate so many alerts that operations become ineffective; later sections show what effective data presentation looks like, and as a spoiler it is multi-dimensional (time dimension + relationship dimension) graphical presentation of denoised data)

d. Analysis capability is limited by data quality (annotation: in reality, perfect data is impossible; in many cases you work with limited data, and each missing kind of data has to be compensated for by one or even several analysis methods)

3. Detection method 1: anomaly detection


Principle: model normal behaviour and look for outliers

Advantage: in theory it can definitely discover new, unknown attacks

Disadvantage: too much noise; clustering results are unreadable


Real-world case: account anomaly detection

Principle: model normal account behaviour and look for outliers

Steps: feature selection - modelling of normal behaviour - outlier search

Method:


Model results: precision is far too low; a 1% anomaly rate means 500 employees are flagged as anomalous accounts (annotation: the larger the data, the larger the false-positive problem becomes)


Lesson: not every anomaly is an attack; there are too many cases that are anomalous yet legitimate


Annotation: in my own experience, anomaly detection plus attack confirmation is indispensable; practical experience with both an HTTP parameter length anomaly detection model and a webshell detection model has confirmed this conclusion


4. Detection method 2: rule-based (really policy-based) detection, i.e. an expert system


Principle: rules (policies) are set directly from expert domain knowledge

Advantage: policies can be mapped directly to alerts

Disadvantage: unknown attacks cannot be perceived; rules can be bypassed


Annotation: as for the rule (policy) bypass problem, I personally think it comes from summarising attack behaviour too narrowly, as regex fanatics do; we can instead capture the key path of the attack behaviour and describe it at a more abstract level



Google's in-house system:

III. Analysis


1. Lessons


We have to recognise the following facts:

(1) Full automation is impossible (annotation: at the current stage we have to accept this fact)

(2) People first: security analysts must lead

(3) The essence of applying data mining to security analysis: better supporting the analysts' work


Annotation: support includes denoising the data and multi-dimensional (time dimension and relationship dimension) visualisation; visualisation has two directions, visualising the analysis process and visualising the analysis results, both for better understanding, so that security staff can focus on in-depth analysis to find the cause of the attack incident.

2. Analysis methods and cases


(1) Overview of methods

Attack incident forensics: graph traversal

Denoising: graph summarization, clustering

Malware classification: classification


Annotation: translating algorithm terminology into Chinese feels as awkward as translating "shell" as 壳


(2) Case 1: watering hole attack forensics

Lesson: the data needs denoising; global graph computation is expensive



(3) Case 2: log summarization via graph transform


Counterexample:

Open source forensic tool: https://github.com/log2timeline/plaso presents events along a single dimension, the timeline


Drawback: too many results to operate on

Improved version: multi-dimensional, fine-grained presentation of the data: time dimension + relationship dimension (annotation: especially the relationship dimension; current products almost all ship with the time dimension only)

Method: convert the logs into a graph, define equivalence conditions (for example, time points become time windows, URLs become domains, and sub-operations are aggregated into one class of operation), and apply a graph minimization algorithm (graph automata minimization, https://en.wikipedia.org/wiki/DFA_minimization) to denoise, keeping only the most meaningful data (annotation: on log denoising techniques, Sumo Logic recently introduced the concept of LogReduce, which uses clustering to reduce log volume)
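The graph transform and minimization step described above, as an added Python example that is not from the original post or from Google: the log format, the work/off-hours time window, the read/write operation classes and the sample log lines are all constructed for this example.

```python
"""Log summarization by graph transform + automaton minimization (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log, one event per line: "<iso timestamp> <user> <method> <url>"
SAMPLE_LOG = """\
2014-10-01T09:12:03 alice GET http://intranet.corp.example/docs/1
2014-10-01T09:12:05 alice GET http://intranet.corp.example/docs/2
2014-10-01T09:13:40 alice POST http://intranet.corp.example/api/upload
2014-10-01T10:14:01 bob GET http://intranet.corp.example/docs/7
2014-10-01T10:15:22 bob POST http://intranet.corp.example/api/upload
2014-10-01T14:02:10 carol GET http://cdn.example.net/a.js
2014-10-01T14:02:11 carol GET http://cdn.example.net/b.js
2014-10-01T14:03:00 carol POST http://intranet.corp.example/api/upload
2014-10-01T16:40:00 dave GET http://cdn.example.net/c.js
2014-10-01T16:41:09 dave POST http://intranet.corp.example/api/upload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse raw lines into (timestamp, user, method, url); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, method, url = m.groups()
            events.append((datetime.fromisoformat(ts), user, method, url))
    return events


def time_window(ts):
    """Equivalence 1: a time point becomes a coarse window (assumed: work/off hours)."""
    return "work" if 8 <= ts.hour < 18 else "off"


def op_class(method, url):
    """Equivalences 2 and 3: URL -> domain, method+path -> one operation class."""
    kind = "write" if method in ("POST", "PUT", "DELETE") else "read"
    return (kind, urlparse(url).hostname)


def abstract_sessions(events):
    """Per-user event sequences (time ordered), each event replaced by its symbol."""
    sessions = defaultdict(list)
    for ts, user, method, url in sorted(events):
        sessions[user].append((time_window(ts),) + op_class(method, url))
    return dict(sessions)


def build_trie(sessions):
    """Prefix-tree automaton over the abstract sessions: delta[state][symbol] -> state;
    accepting states are those where some user's session ends."""
    delta = [{}]
    accepting = set()
    for symbols in sessions.values():
        state = 0
        for sym in symbols:
            if sym not in delta[state]:
                delta[state][sym] = len(delta)
                delta.append({})
            state = delta[state][sym]
        accepting.add(state)
    return delta, accepting


def minimize(delta, accepting):
    """Moore-style partition refinement (the DFA minimization idea from the notes):
    two states stay in one class only if they agree on acceptance and, for every
    symbol, on the class of their successor (a missing symbol is the dead state, so
    it distinguishes states).  Returns (state -> class, class -> symbol -> class)."""
    n = len(delta)
    cls = [1 if s in accepting else 0 for s in range(n)]
    while True:
        signature, new_cls = {}, [0] * n
        for s in range(n):
            sig = (cls[s], tuple(sorted((sym, cls[t]) for sym, t in delta[s].items())))
            new_cls[s] = signature.setdefault(sig, len(signature))
        if len(set(new_cls)) == len(set(cls)):  # refinement is stable
            break
        cls = new_cls
    summary = defaultdict(dict)
    for s in range(n):
        for sym, t in delta[s].items():
            summary[cls[s]][sym] = cls[t]
    return cls, dict(summary)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    delta, accepting = build_trie(abstract_sessions(events))
    cls, summary = minimize(delta, accepting)
    print(f"{len(events)} raw events -> {len(delta)} trie states -> {len(set(cls))} summary states")
    for src in sorted(summary):
        for (win, kind, host), dst in summary[src].items():
            print(f"  s{src} --{kind} {host} ({win})--> s{dst}")
```

On the sample, ten raw events become a nine-state trie and then a five-state summary: the two users who read the intranet and the two who read the CDN collapse onto shared paths, and all four session ends merge into one state.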


Comparison of results:

Final result presentation:

(4) Case 3: malware classification

Malware classification: samples, indicators, family


Final approach:

Web-scale annotation by input embedding


IV. Conclusion

1. Security analysis has many application areas: the outlook is promising

2. Data growth and unknown attacks mean that, unless the data analysis process is automated, security analysts will be stuck, yet full automation that guarantees a high detection rate and precision is unrealistic; so an interactive analysis process (led by security experts, with data mining providing better analysis tools) is currently the only clear way forward

Source: 碳基体
