北京邮电大学学报

  • EI核心期刊

北京邮电大学学报 ›› 2021, Vol. 44 ›› Issue (4): 41-48.doi: 10.13190/j.jbupt.2021-019

• 论文 • 上一篇    下一篇

一种基于风险传播的信息系统风险评估方法

杨宏宇1,2, 张乐2, 张良3   

  1. 1. 中国民航大学 安全科学与工程学院, 天津 300300;
    2. 中国民航大学 计算机科学与技术学院, 天津 300300;
    3. 亚利桑那大学 信息学院, 图森 AZ 85721
  • 收稿日期:2021-02-02 发布日期:2021-07-13
  • 作者简介:杨宏宇(1969-),男,教授,E-mail:yhyxlx@hotmail.com.
  • 基金资助:
    国家自然科学基金民航联合研究基金项目(U1833107)

An Information System Risk Assessment Method Based on Risk Propagation

YANG Hong-yu1,2, ZHANG Le2, ZHANG Liang3   

  1. 1. College of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China;
    2. College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China;
    3. College of Information, University of Arizona, Tucson AZ 85721, USA
  • Received:2021-02-02 Published:2021-07-13

摘要: 传统信息系统的风险评估方法未考虑节点的状态变化和风险的传播方向,且评估结果的准确性受专家主观性的影响,对此,提出了一种基于风险传播的信息系统风险评估方法.首先,确定节点的初始状态转移概率矩阵,并根据攻击属性对矩阵进行修正,得到节点状态转移概率;其次,基于系统风险传播网络拓扑图和节点属性值计算节点在各方向的传播概率;然后,利用三参数区间数方法获取节点威胁事件的量化值;最后,根据风险评估方法计算各节点的风险值.实验结果表明,基于风险传播方法的评估流程更客观、合理,可提高信息系统风险评估的整体性和准确性.

关键词: 风险评估, 风险传播, 状态转移概率, 传播概率, 三参数区间数

Abstract: Traditional information system risk assessment methods do not consider the state change of nodes and the direction of risk propagation, and the accuracy of the evaluation results is affected by the subjectivity of experts. To solve these problems, an information system risk assessment method based on risk propagation is proposed. First, the initial state transition probability matrix of the node is determined, and the node state transition probability is obtained by modifying the matrix according to the attack attributes. Then, the propagation probability of nodes in all directions is calculated based on the topology network and node attribute value.Next, the three-parameter interval number method is used to obtain the quantitative value of node threat events. Finally, the risk value of each node is calculated according to the risk assessment method. Experimental results show that the proposed methodis more objective and reasonable, and it improves the integrity and accuracy of the risk assessment of information systems.

Key words: risk assessment, risk propagation, state transition probability, propagation probability, three-parameter interval number

中图分类号: