YD/T 4590-2023
Cyberspace security simulation attack behavior detection technical requirements (English Version)

Standard No.
YD/T 4590-2023
Language
Chinese, Available in English version
Release Date
2023
Published By
Professional Standard - Post and Telecommunication  CN  /  YD
Latest
YD/T 4590-2023

Introduction

Analysis of the standard technical framework

The standard defines a four-layer detection architecture: a data collection layer (traffic, terminal, asset and vulnerability data), a security event detection layer, a knowledge base management layer and an effective attack analysis layer. The cyber range environment must sustain real-time processing of at least 100,000 security events per second.


Core Function Comparison Matrix

Functional Module           Basic Requirement                        Advanced Requirement                Detection Accuracy
Data Collection             Support SNMP/Syslog                      Custom Filtering Rules              ≥99.5%
Security Event Detection    4 Types of Basic Attack Identification   APT/DDoS Detection                  ≥98%
Knowledge Base Matching     CVE Vulnerability Library Integration    Spatial-temporal Feature Modeling   ≤50 ms response

Key technical implementation points

1. Multi-dimensional data collection specifications

Asset data must include 18 metadata items, such as hardware model and OS version, and vulnerability data must be compatible with the OWASP Top 10 classification. Traffic collection must record topology information such as VLAN and MAC address, following the standardized event format defined in Table 1.

2. Complex attack detection algorithm

For APT attacks, the following must be implemented:
- Time series analysis: a sliding time window algorithm (window size ≥ 5 minutes)
- Spatial correlation: attack path inference based on the asset vulnerability graph
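As an added illustration (not code from the standard or any reference implementation), a minimal correlator combining the two requirements above: a 5-minute sliding window over events and hop validation against an asset vulnerability graph. The graph, the event tuple format and the "external" source marker are constructed assumptions; the standard's own Table 1 event format is not reproduced here.

```python
from datetime import datetime, timedelta

# Minimum sliding-window size the standard requires for APT time-series analysis.
WINDOW = timedelta(minutes=5)

# Hypothetical asset-vulnerability graph (constructed for this example):
# asset -> set of assets reachable by exploiting a known vulnerable service on it.
ASSET_GRAPH = {
    "web01": {"app01"},
    "app01": {"db01"},
    "db01": set(),
}

# Constructed sample security events: (ISO timestamp, source asset, target asset).
# "external" marks an attacker outside the monitored range.
EVENTS = [
    ("2023-06-01T10:00:00", "external", "web01"),
    ("2023-06-01T10:02:30", "web01", "app01"),
    ("2023-06-01T10:04:10", "app01", "db01"),
    ("2023-06-01T10:12:00", "app01", "db01"),  # same hop, but its predecessor has aged out
    ("2023-06-01T10:30:00", "web01", "db01"),  # no edge in the asset graph: ignored
]


def detect_attack_paths(events, graph=ASSET_GRAPH, window=WINDOW, min_hops=2):
    """Return candidate attack paths as lists of (src, dst) hops.

    Time-series correlation: a hop may only extend a chain whose first event
    still lies inside the sliding window ending at the current event.
    Spatial correlation: a hop counts only if it is an edge of the asset
    vulnerability graph (or originates outside the range).
    """
    chains = []  # (start timestamp, chain) for chains still alive in the window
    alerts = []
    for ts_str, src, dst in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        # Slide the window: drop chains whose first event is older than the window.
        chains = [(start, c) for start, c in chains if ts - start <= window]
        if src != "external" and dst not in graph.get(src, ()):
            continue  # not a plausible hop on the vulnerability graph
        # Extend the longest live chain whose last hop landed on this event's source.
        prior = max((sc for sc in chains if sc[1][-1][1] == src),
                    key=lambda sc: len(sc[1]), default=None)
        start, chain = (ts, [(src, dst)]) if prior is None else (prior[0], prior[1] + [(src, dst)])
        chains.append((start, chain))
        if len(chain) >= min_hops:
            alerts.append(chain)
    return alerts
```

Rescanning the live chains on every event keeps the example short; an implementation sized for the standard's 100,000 events per second would need a time-indexed structure instead.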


Standard evolution analysis

Compared with YD/T 1800-2008, this standard makes the following advances:
1. Defines an effective attack behavior detection system for the first time
2. Introduces a dynamic update mechanism for the knowledge base
3. Adds new attack detection indicators such as DDoS/APT


Compliance implementation recommendations

  1. Construction phase: prioritize deployment of a unified data collection platform that complies with the GB/T 28517-2012 format requirements
  2. Testing phase: verify both indicators, attack identification accuracy (≥95%) and response time (≤1 second)
  3. Operation and maintenance phase: establish a weekly update mechanism for the knowledge base that incorporates the latest vulnerability data from CVE/NVD

YD/T 4590-2023 history

  • 2023 YD/T 4590-2023 Cyberspace security simulation attack behavior detection technical requirements