一种基于风险传播的信息系统风险评估方法

doi:10.13190/j.jbupt.2021-019

北京邮电大学学报 ›› 2021, Vol. 44 ›› Issue (4): 41-48.doi: 10.13190/j.jbupt.2021-019

一种基于风险传播的信息系统风险评估方法

杨宏宇^1,2, 张乐², 张良³

1. 中国民航大学安全科学与工程学院, 天津 300300;
2. 中国民航大学计算机科学与技术学院, 天津 300300;
3. 亚利桑那大学信息学院, 图森 AZ 85721

收稿日期:2021-02-02 发布日期:2021-07-13
作者简介:杨宏宇(1969-),男,教授,E-mail:yhyxlx@hotmail.com.
基金资助:
国家自然科学基金民航联合研究基金项目（U1833107）

An Information System Risk Assessment Method Based on Risk Propagation

YANG Hong-yu^1,2, ZHANG Le², ZHANG Liang³

1. College of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China;
2. College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China;
3. College of Information, University of Arizona, Tucson AZ 85721, USA

Received:2021-02-02 Published:2021-07-13

摘要/Abstract

摘要： 传统信息系统的风险评估方法未考虑节点的状态变化和风险的传播方向，且评估结果的准确性受专家主观性的影响，对此，提出了一种基于风险传播的信息系统风险评估方法.首先，确定节点的初始状态转移概率矩阵，并根据攻击属性对矩阵进行修正，得到节点状态转移概率；其次，基于系统风险传播网络拓扑图和节点属性值计算节点在各方向的传播概率；然后，利用三参数区间数方法获取节点威胁事件的量化值；最后，根据风险评估方法计算各节点的风险值.实验结果表明，基于风险传播方法的评估流程更客观、合理，可提高信息系统风险评估的整体性和准确性.

关键词: 风险评估, 风险传播, 状态转移概率, 传播概率, 三参数区间数

Abstract: Traditional information system risk assessment methods do not consider the state change of nodes and the direction of risk propagation, and the accuracy of the evaluation results is affected by the subjectivity of experts. To solve these problems, an information system risk assessment method based on risk propagation is proposed. First, the initial state transition probability matrix of the node is determined, and the node state transition probability is obtained by modifying the matrix according to the attack attributes. Then, the propagation probability of nodes in all directions is calculated based on the topology network and node attribute value.Next, the three-parameter interval number method is used to obtain the quantitative value of node threat events. Finally, the risk value of each node is calculated according to the risk assessment method. Experimental results show that the proposed methodis more objective and reasonable, and it improves the integrity and accuracy of the risk assessment of information systems.

Key words: risk assessment, risk propagation, state transition probability, propagation probability, three-parameter interval number

中图分类号:

TP309

杨宏宇, 张乐, 张良. 一种基于风险传播的信息系统风险评估方法[J]. 北京邮电大学学报, 2021, 44(4): 41-48.

YANG Hong-yu, ZHANG Le, ZHANG Liang. An Information System Risk Assessment Method Based on Risk Propagation[J]. Journal of Beijing University of Posts and Telecommunications, 2021, 44(4): 41-48.

参考文献

[1] 许硕, 唐作其, 王鑫. 基于D-AHP与灰色理论的信息安全风险评估[J]. 计算机工程, 2019, 45(7):194-202. Xu Shuo, Tang Zuoqi, Wang Xin. Information security risk assessment based on D-AHP and grey theory[J]. Computer Engineering, 2019, 45(7):194-202.
[2] 赵刚, 吴天水. 结合灰色网络威胁分析的信息安全风险评估[J]. 清华大学学报(自然科学版), 2013, 53(2):1761-1767. Zhao Gang, Wu Tianshui. Information security risk assessment based on G-ANP[J]. Journal of Tsinghua University (Science and Technology), 2013, 53(2):1761-1767.
[3] Antonio R, Ortega F, Ramrio C. A method for the evaluation of risk in IT projects[J]. Expert Systems with Applications, 2016, 45(C):273-285.
[4] Hong Q, Jian W T, Zheng T, et al. An information security risk assessment algorithm based on risk propagation in energy Internet[C]//2017 IEEE Conference on Energy Internet and Energy System Integration (EI2). Beijing:IEEE, 2017:1-6.
[5] Feng N, Wang H J, Li M Q. A security risk analysis model for information systems:causal relationships of risk factors and vulnerability propagation analysis[J]. Information Sciences, 2014, 6:57-73.
[6] Brin S, Page L. The anatomy of a large-scale hyper textual web search engine[J]. Computer Networks and ISDN Systems, 1998, 30(1):107-117.
[7] 席荣荣, 云晓春, 张永铮, 等. 一种改进的网络安全态势量化评估方法[J]. 计算机学报, 2015, 38(4):749-758. Xi Rongrong, Yun Xiaochun, Zhang Yongzheng, et al. An improved quantitative evaluation method for network security[J]. Chinese Journal of Computers, 2015, 38(4):749-758.
[8] Whitman M, Mattord H, Whitman, et al. Principles of information security[M]. Beijing:Tsinghua University Press, 2003:60-64.
[9] 中国国家标准化管理委员会. 信息安全风险评估规范:GB/T 20984-2007[S]. 北京:中国标准出版社, 2007:6-8. The standardization administration of China. Information security risk assessment specification:GB/T 20984-2007[S]. Beijing:Standards Press of China, 2007:6-8.
[10] 黄玉洁, 唐作其, 梁静. 基于信息熵与三参数区间的信息安全风险评估[J]. 计算机工程, 2018, 44(12):178-183. Huang Yujie, Tang Zuoqi, Liang Jing. Information security risk assessment based on information entropy and three-parameter interval[J]. Computer Engineering, 2018, 44(12):65-69.
[11] 林健, 姜永. 基于三参数区间数型偏好序的群决策方法[J]. 山东大学学报(理学版), 2011, 46(7):65-69. Lin Jian, Jiang Yong. Information security risk assessment based on information entropy and three-parameter interval[J]. Journal of Shandong University (Natural Science), 2011, 46(7):65-69.

[1]	杨宏宇, 袁海航, 张良. 一种基于主机重要度的网络主机节点风险评估方法[J]. 北京邮电大学学报, 2022, 45(2): 16-21.
[2]	赵健, 王瑞, 李正民, 雷敏, 马敏耀. 物联网系统安全威胁和风险评估[J]. 北京邮电大学学报, 2017, 40(s1): 135-139.
[3]	雷敏, 刘晓明, 张鸿, 王勉, 杨榆. 面向Web信息系统安全威胁和风险评估分析[J]. 北京邮电大学学报, 2016, 39(s1): 87-93.
[4]	张峰, 付俊, 杨光华, 景奕昕, 唐威. Web访问日志安全分析技术研究[J]. 北京邮电大学学报, 2014, 37(2): 93-98.
[5]	亓峰, 李琪, 韩骞, 杜益, 邱雪松. 基于神经网络的电力通信网风险评估方法[J]. 北京邮电大学学报, 2014, 37(1): 90-93.
[6]	葛海慧, 郑世慧, 陈天平, 杨义先. 信息安全威胁场景模糊风险评估方法[J]. 北京邮电大学学报, 2013, 36(6): 89-92,107.
[7]	钟尚勤徐国胜姚文斌杨义先. 基于主机安全组划分的网络安全性分析 [J]. 北京邮电大学学报, 2012, 35(1): 19-23.
[8]	吴焕潘林王晓箴许榕生. 应用不完整攻击图分析的风险评估模型[J]. 北京邮电大学学报, 2010, 33(3): 57-61.
[9]	陆峰;郑康锋;钮心忻;杨义先. 构建风险敏感的对等网安全信任模型[J]. 北京邮电大学学报, 2010, 33(1): 33-37.
[10]	吕镇邦;周　波. 基于Shapley熵和Choquet积分的层次化风险评估[J]. 北京邮电大学学报, 2009, 32(6): 83-87.
[11]	王晓箴1,2，卢志刚1,2，刘宝旭1. 结合OCTAVE和灰色系统的信息安全风险评估方法[J]. 北京邮电大学学报, 2009, 32(5): 128-131.
[12]	彭俊好，徐国爱，杨义先，汤永利. 基于效用的安全风险度量模型[J]. 北京邮电大学学报, 2006, 29(2): 59-61.

一种基于风险传播的信息系统风险评估方法

An Information System Risk Assessment Method Based on Risk Propagation

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 12

编辑推荐

Metrics

本文评价