信息安全威胁场景模糊风险评估方法

doi:10.13190/j.jbupt.2013.06.019

北京邮电大学学报 ›› 2013, Vol. 36 ›› Issue (6): 89-92,107.doi: 10.13190/j.jbupt.2013.06.019

信息安全威胁场景模糊风险评估方法

葛海慧¹, 郑世慧¹, 陈天平², 杨义先¹

1. 北京邮电大学信息安全中心, 北京 100876;
2. 空军工程大学信息与导航学院, 西安 710077

收稿日期:2012-10-26 出版日期:2013-12-31 发布日期:2013-10-08
作者简介:葛海慧（1979—），女，博士生，E-mail：haiyiyanglan@126.com；杨义先（1961—），男，教授，博士生导师.
基金资助:
北京邮电大学青年科研创新计划专项人才培育项目（BUPT2012RC0219）

Fuzzy Risk Assessment of Information Security Threat Scenario

GE Hai-hui¹, ZHENG Shi-hui¹, CHEN Tian-ping², YANG Yi-xian¹

1. Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China;
2. School of Information and Navigation, Air Force Engineering University, Xi'an 710077, China

Received:2012-10-26 Online:2013-12-31 Published:2013-10-08

摘要/Abstract

摘要：

提出了一种针对威胁场景的风险评估方法. 首先构建了威胁场景的递阶层次化风险评价指标体系结构，定义了描述安全措施与风险形成关系的"不可控性"指标，增强了指标体系的完备性；其次定义了指标的高斯型隶属函数，在此基础上提出一种基于隶属度矩阵构造法的模糊综合评判模型，降低了评估过程中人为主观因素的影响；最后将上述模糊综合评判模型与层次分析法相结合对TS的风险度进行了量化计算. 通过实例分析表明该方法是科学的、有效的，为实现风险度大小排序提供了重要依据.

关键词: 信息安全, 威胁场景, 风险评估, 层次分析法, 隶属度矩阵

Abstract:

A risk assessment approach for threat scenario (TS) was proposed. Firstly, hierarchical index system of venture evaluation was constructed for TS, and a new index called uncontrollability was proposed to describe the uncontrollability of relationship between safety measures and risk formation, meanwhile, integrality of index system was enhanced. Secondly, membership function of indicators based on Gaussian function was defined, thereafter, an improved fuzzy comprehensive evaluation model based on membership matrix constructor method was given to reduce the influence of subjective factors. Finally, a combining method of fuzzy algorithm above and analytic hierarchy process were adopted to calculate the degree of risk quantitatively. The case study shows that this method is beneficial to risk size sort.

Key words: information security, threat scenario, risk assessment, analytic hierarchy process, membership matrix

中图分类号:

TP393.08

葛海慧, 郑世慧, 陈天平, 杨义先. 信息安全威胁场景模糊风险评估方法[J]. 北京邮电大学学报, 2013, 36(6): 89-92,107.

GE Hai-hui, ZHENG Shi-hui, CHEN Tian-ping, YANG Yi-xian. Fuzzy Risk Assessment of Information Security Threat Scenario[J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2013, 36(6): 89-92,107.

参考文献

[1] Ge Haihui, Gu Lize, Yang Yixian, et al. An attack graph based network security evaluation model for hierarchical network[C]//Yixian Yang. Proceedings 2010 IEEE International Conference on Information Theory and Information Security. Beijing: IEEE Press, 2010: 208-211.

[2] Li Kai, Gu Naijie, Bi Kun, et al. Network security evaluation algorithm based on access level vector[C]//The 9^th International Conerence for Young Computer Scientists. Hunan:[s.n.], 2008: 1538-1544.

[3] 张利, 姚轶崭, 彭建芬, 等. 基于决策树的智能信息安全风险评估方法[J]. 清华大学学报: 自然科学版, 2011, 51(10): 1236-1239. Zhang Li, Yao Yizhan, Peng Jianfen, et al. Intelligent information security risk assessment based on a decision tree algorithm[J]. Journal of Tsing hua University: Science and Technology, 2011, 51(10): 1236-1239.

[4] Niu Honghui, Shang Yanling. Research on risk assessment model of information security based on Particle swarm algorithm-RBF neural network[C]//Circuits, Communications and System(PACCS). Beijing:[s.n.], 2010: 479-482.

[5] Qu Zhiming. Application of comprehensive fuzzy evaluation in enterprise network security[C]//Power Electronics and Intelligent Transportation System(PEITS). Shenzhen:[s.n.], 2009: 54-57.

[6] 吕镇邦, 周波. 基于Shapley熵和Choquet积分的层次化风险评估[J]. 北京邮电大学学报, 2009, 32(6): 83-87. Lü Zhenbang, Zhou Bo. Hierarchical risk assessment based on shapley entropies and choquet integrals[J]. Journal of Beijing University of Posts and Telecommunications, 2009, 32(6): 83-87.

[7] 赵冬梅, 马建峰, 王跃生. 信息系统的模糊风险评估模型[J]. 通信学报, 2007, 28(4): 51-64. Zhao Dongmei, Ma Jianfeng, Wang Yuesheng. Model of fuzzy risk assessment of the information system[J]. Journal on Communications, 2007, 28(4): 51-64.

[1]	杨宏宇, 袁海航, 张良. 一种基于主机重要度的网络主机节点风险评估方法[J]. 北京邮电大学学报, 2022, 45(2): 16-21.
[2]	杨宏宇, 张乐, 张良. 一种基于风险传播的信息系统风险评估方法[J]. 北京邮电大学学报, 2021, 44(4): 41-48.
[3]	周平, 王泽胜, 殷波, 郭少勇. 基于层次分析法的云服务可用性评价方法[J]. 北京邮电大学学报, 2021, 44(1): 79-85.
[4]	田兴鹏, 朱晓荣, 朱洪波. 基于KM算法的分布式无线节点任务分配方法[J]. 北京邮电大学学报, 2020, 43(6): 96-102.
[5]	赵健, 王瑞, 李正民, 雷敏, 马敏耀. 物联网系统安全威胁和风险评估[J]. 北京邮电大学学报, 2017, 40(s1): 135-139.
[6]	雷敏, 刘晓明, 张鸿, 王勉, 杨榆. 面向Web信息系统安全威胁和风险评估分析[J]. 北京邮电大学学报, 2016, 39(s1): 87-93.
[7]	雷维嘉, 盛洁, 谢显中. 增强安全性的LT码编译码方案[J]. 北京邮电大学学报, 2016, 39(4): 108-113.
[8]	杨宏宇, 成翔. 面向业务流程的信息系统风险控制方法[J]. 北京邮电大学学报, 2016, 39(3): 105-109.
[9]	安健, 桂小林, 何昌其, 吴若飚. 群智感知中基于层次分析法的众包机制[J]. 北京邮电大学学报, 2015, 38(5): 37-41.
[10]	姜海鸥, 宋美娜, 鄂海红, 邓江东. 运营支撑系统混合云迁移策略制定方法[J]. 北京邮电大学学报, 2014, 37(5): 1-5.
[11]	张峰, 付俊, 杨光华, 景奕昕, 唐威. Web访问日志安全分析技术研究[J]. 北京邮电大学学报, 2014, 37(2): 93-98.
[12]	亓峰, 李琪, 韩骞, 杜益, 邱雪松. 基于神经网络的电力通信网风险评估方法[J]. 北京邮电大学学报, 2014, 37(1): 90-93.
[13]	钟尚勤徐国胜姚文斌杨义先. 基于主机安全组划分的网络安全性分析 [J]. 北京邮电大学学报, 2012, 35(1): 19-23.
[14]	吴焕潘林王晓箴许榕生. 应用不完整攻击图分析的风险评估模型[J]. 北京邮电大学学报, 2010, 33(3): 57-61.
[15]	郑康锋1,2 ；王秀娟3 ；郭世泽2 ；杨义先1. 用户评价的信息系统服务质量评估模型[J]. 北京邮电大学学报, 2010, 33(1): 84-88.

信息安全威胁场景模糊风险评估方法

Fuzzy Risk Assessment of Information Security Threat Scenario

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价