YD/T 4586-2023
Network security situational awareness data collection requirements (English Version)

Standard No.
YD/T 4586-2023
Language
Chinese, Available in English version
Release Date
2023
Published By
Professional Standard - Post and Telecommunication (CN / YD)
Latest
YD/T 4586-2023
 

Introduction

Analysis of the core content of the standard

As an important part of the series of standards for cybersecurity situation awareness, this standard, together with standards such as vulnerability assessment and threat assessment, constitutes a complete technical system. Its core lies in establishing multi-dimensional data collection specifications to provide high-quality data input for subsequent situation analysis.


Comparative analysis of data collection categories

Data type    | Collected content                                                 | Typical collection objects          | Technical implementation
-------------|-------------------------------------------------------------------|-------------------------------------|----------------------------------
Log data     | System log / network log / security log                           | Firewall, IDS/IPS, server           | Syslog / Kafka / Agent
Traffic data | Five-tuple information / protocol content / file sample           | Network mirror port / traffic probe | NetFlow / deep packet inspection
Asset data   | Hardware configuration / software version / topology relationship | IT asset management system          | Active detection / passive monitoring

Detailed explanation of key technical requirements

1. Dual-mode mechanism for log collection

The standard requires support for both active (SFTP/SSH) and passive (Syslog/Kafka) collection methods:

  • The Agent program must keep its resource usage within CPU ≤ 5% and memory ≤ 10%
  • A breakpoint-resume mechanism must be established for historical data collection, so that an interrupted collection run continues from where it stopped rather than re-sending or losing data
  • TLS-encrypted transmission is mandatory
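The breakpoint-resume requirement above, as an added Python example that is not code from the standard or from this page: a collector that persists the log file's inode and byte offset after each batch, skips a partially written last line, and restarts from zero when the log is rotated or truncated. File names and the log lines are constructed for the demonstration.

```python
import json
import os
import tempfile
from pathlib import Path

def load_checkpoint(path):
    """Read the persisted (inode, offset) pair; a missing or corrupt file means start over."""
    try:
        return json.loads(Path(path).read_text())
    except (FileNotFoundError, ValueError):
        return {"inode": None, "offset": 0}

def save_checkpoint(path, state):
    """Write the checkpoint atomically so a crash never leaves a half-written file behind."""
    tmp = str(path) + ".tmp"
    Path(tmp).write_text(json.dumps(state))
    os.replace(tmp, path)

def collect(log_path, checkpoint_path):
    """Return the complete new lines since the last checkpoint and advance the checkpoint."""
    state = load_checkpoint(checkpoint_path)
    st = os.stat(log_path)
    # Rotation (different inode) or truncation (file shorter than our offset): restart at 0.
    if state["inode"] != st.st_ino or st.st_size < state["offset"]:
        state = {"inode": st.st_ino, "offset": 0}
    lines = []
    with open(log_path, "rb") as f:
        f.seek(state["offset"])
        for line in iter(f.readline, b""):
            if not line.endswith(b"\n"):  # partial line still being written: pick it up next run
                break
            lines.append(line.rstrip(b"\n").decode("utf-8", "replace"))
            state["offset"] = f.tell()
    save_checkpoint(checkpoint_path, state)
    return lines

def demo():
    """Constructed scenario: first collection, append (with a partial line), then truncation."""
    with tempfile.TemporaryDirectory() as d:
        log, ckpt = os.path.join(d, "secure.log"), os.path.join(d, "secure.ckpt")
        Path(log).write_text("Jan 1 10:00:00 fw kernel: DROP SRC=10.0.0.5\n"
                             "Jan 1 10:00:01 fw sshd: Accepted publickey for ops\n")
        first = collect(log, ckpt)
        with open(log, "a") as f:
            f.write("Jan 1 10:00:02 fw sshd: Failed password for ops\nJan 1 10:00:03 fw partial")
        second = collect(log, ckpt)
        Path(log).write_text("Jan 1 11:00:00 fw kernel: boot\n")  # log truncated and rewritten
        third = collect(log, ckpt)
        return first, second, third
```

Run `demo()` to see the three batches; the partial line is held back until it is newline-terminated, and the truncated file is re-read from the start instead of being skipped.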

2. Layered processing of traffic collection

Special provisions for industrial Internet scenarios:

Implementation case of a smart manufacturing enterprise: Through


Standard Evolution and Industry Impact

Compared with related standards such as YD/T 2388-2022, this document clarifies for the first time:

  1. Traffic collection specifications for industrial protocols (Modbus TCP/IEC104)
  2. Requirements for multi-dimensional attribute collection of asset data
  3. Quantitative indicators of collection performance (such as Agent resource limitations)

Implementation Suggestions

1. Phased Deployment Plan

Phase            | Key tasks                                              | Requirements met
-----------------|--------------------------------------------------------|------------------------
Pilot period     | Core network traffic collection + key equipment logs   | Meets clause 6.1(a)(b)
Promotion period | Full asset discovery + industrial protocol support     | Meets clause 9.3/10.2

2. Key points for compliance inspection

  • Retention period for collected data ≥ 6 months
  • Encrypted transmission must support both TLCP and TLS
  • A collection-anomaly alarm mechanism must be established (clause 7.c)

YD/T 4586-2023 Referenced Document

  • GB/T 25069-2022 Information security techniques—Terminology
  • GB/T 29246-2017 Information technology—Security techniques—Information security management systems—Overview and vocabulary

YD/T 4586-2023 history

  • 2023 YD/T 4586-2023 Network security situational awareness data collection requirements

Copyright ©2026 All Rights Reserved
Update: Tue, 02 Jun 2026 16:54:06 +0000