数据与计算发展前沿 ›› 2021, Vol. 3 ›› Issue (3): 32-47.

doi: 10.11871/jfdc.issn.2096-742X.2021.03.004

• 网络通信与安全专刊 • 上一篇    下一篇

AISecOps智能安全运营技术体系框架

张润滋1,2,*(),刘文懋1,*()   

  1. 1.绿盟科技集团股份有限公司,北京 100089
    2.清华大学,自动化系,北京 100084
  • 收稿日期:2021-03-08 出版日期:2021-06-20 发布日期:2021-07-09
  • 通讯作者: 张润滋,刘文懋
  • 作者简介:张润滋,绿盟科技集团股份有限公司,高级安全研究员,博士,清华大学博士后,目前主要研究方向为智能安全运营、威胁狩猎、可解释人工智能等。
    本文中负责总体统稿,文章整体构思和设计,文献调研和论文撰写。
    ZHANG Runzi, Ph.D., is a senior security researcher of Nsfocus Information Technology Co., Ltd and post-doctoral at Tsinghua University. His recent research interests include AISecOps, threat hunting, and explainable AI.
    In this paper, he is responsible for the overall construction and draft, literature survey and manuscript writing.
    E-mail: runzi_zhang@163.com|刘文懋,绿盟科技集团股份有限公司,创新中心部门总监,高级工程师,博士,目前主要研究方向为网络安全、云安全、安全机器学习等。
    本文中参与整体构思和设计,修改全文。
    LIU Wenmao, Ph.D., senior engineer, is the chief inspector of innovation center of NSFOCUS Information Technology Co., Ltd. His recent research interests include network security, cloud security, and secure machine learning.
    For this paper he conceived and revised the paper.
    E-mail: liuwenmao@nsfocus.com
  • 基金资助:
    中国博士后科学基金资助项目(2020M670181)

An Intelligent Security Operation Technology System Framework AISecOps

ZHANG Runzi1,2,*(),LIU Wenmao1,*()   

  1. 1. NSFOCUS Information Technology Co., Ltd., Beijing 100089, China
    2. Department of Automation, Tsinghua University, Beijing 100084, China
  • Received:2021-03-08 Online:2021-06-20 Published:2021-07-09
  • Contact: ZHANG Runzi,LIU Wenmao

摘要:

【目的】 从安全智能、数据驱动威胁狩猎的实践出发,面向安全运营的自动化、智能化需求,梳理安全运营技术发展脉络,为智能安全运营技术的发展提供系统的方法论。【方法】 从核心内涵、评估指标、数据分类、系统架构、技术成熟度、前沿技术分类等多个层次,梳理并提出AISecOps智能安全运营技术体系。【结果】 AISecOps技术框架旨在面向网络空间高度对抗环境,针对安全运营风险管控的核心指标与关键环节,基于行为、环境、情报、知识等多维、多源数据,通过人-机智能融合,以全面提升安全运营能力的自动化水平。【结论】 AISecOps多个阶段的关键技术能力尚未成熟,唯有高预测性能、透明可解释、安全鲁棒、合法合规的可信任安全智能,才能支撑网络安全运营中的关键决策输出,有效提升运营的自动化水平。

关键词: 智能安全运营, 智能安全, 可解释人工智能, 威胁狩猎

Abstract:

[Objective] Based on the practice of AI-driven security and data-driven threat hunting technologies and targeting at the automation and intelligence pursuing for security operations (SecOps), this paper summarizes the evolution of SecOps processes and aims at offering a systematic methodology for technology development in this domain.[Methods] We propose the system framework for AISecOps (AI-driven Security operations) technologies from multi-level perspectives, such as core concepts, evaluation metrics, data categories, system architectures, maturity levels, classification for advanced technologies and so on. [Results] AISecOps fits to the adversarial environment in cyberspace and is responsible for key indicators and critical procedures in SecOps. Behavioral, environmental, intelligence, and knowledge data are fused with human-machine intelligent interfaces, contributing to the promotion of SecOps automation levels.[Conclusions] AISecOps technologies are far from mature at present. Trustworthy security intelligence with outstanding prediction performance, interpretability, robust and compliance properties is the ultimate goal to seek in the SecOps automation process.

Key words: AISecOps, AI-driven security, explainable artificial intelligence, threat hunting