Matrix correction method based information system security assessment model
YANG Hongyu1, ZHANG Xugao1, LU Weili2
1. School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China; 2. Pipeline Changchun Transmission and Oil Company, China National Petroleum Corporation, Changchun 130000, China
Abstract: The accuracy of existing information system security assessments is affected by the evaluation preferences of the experts who supply the indicator weights. This paper presents an information system security situation assessment model (ISSSAM) based on a matrix correction method (MCM). The model uses a corrected interval-number judgment matrix to express the relative importance of the indicators, which improves the objectivity of the indicator-layer weight vector. An entropy-weight-based cloud model then quantifies the criterion-layer and target-layer security situation indices, and the target-layer index is used to grade the system's security level. Tests on a departure control system (DCS) verify the validity of the model and show that its evaluation stability is better than that of the entropy weight coefficient method and the traditional analytic hierarchy process (AHP).
Cite as: YANG Hongyu, ZHANG Xugao, LU Weili. Matrix correction method based information system security assessment model [J]. Journal of Tsinghua University (Science and Technology), 2020, 60(5): 393-401. (Original Chinese title: 基于矩阵修正方法的信息系统安全态势评估模型.)
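The abstract describes a weighting-and-aggregation pipeline (indicator weights from an expert judgment matrix, entropy weights, a weighted security situation index, a grade) and compares it against two baselines. The Python below is an added example, not code from the paper: it implements those two baselines, standard AHP eigenvector weighting with Saaty's consistency ratio and the Shannon entropy weight method, and a plain weighted index with a grade lookup. The paper's interval-number matrix correction and cloud-model grading are not reproduced. The indicator names, the judgment matrix, the score matrix and the grade thresholds are constructed for illustration.

```python
"""Baseline weighting methods named in the abstract: AHP with a consistency check,
Shannon entropy weights, and a weighted security index. Added example; the paper's
matrix correction and cloud-model grading are not reproduced here."""
import math

# Saaty's random consistency index RI for judgment matrices of order 1..9 (standard AHP table).
RANDOM_INDEX = [0.0, 0.0, 0.58, 0.90, 1.12, 1.24, 1.32, 1.41, 1.45]


def ahp_weights(judgment, tol=1e-12, max_iter=10000):
    """Weights from a reciprocal pairwise judgment matrix (a[i][j] = importance of i over j).

    Approximates the principal eigenvector by power iteration and returns
    (weights, consistency_ratio). CR > 0.1 is the usual sign that the expert's
    judgments are too inconsistent to trust; this is the expert-preference
    problem the abstract's matrix correction is meant to reduce.
    """
    n = len(judgment)
    if n > len(RANDOM_INDEX):
        raise ValueError("no random index for matrices larger than 9x9")
    for i in range(n):
        if len(judgment[i]) != n:
            raise ValueError("judgment matrix must be square")
        for j in range(n):
            if abs(judgment[i][j] * judgment[j][i] - 1.0) > 1e-9:
                raise ValueError(f"matrix is not reciprocal at ({i},{j})")
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(max_iter):
        aw = [sum(judgment[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw[i] / w[i] for i in range(n)) / n  # estimate of the largest eigenvalue
        total = sum(aw)
        new_w = [x / total for x in aw]
        converged = max(abs(a - b) for a, b in zip(new_w, w)) < tol
        w = new_w
        if converged:
            break
    ci = (lam - n) / (n - 1) if n > 2 else 0.0  # a 1x1 or 2x2 reciprocal matrix is always consistent
    cr = ci / RANDOM_INDEX[n - 1] if n > 2 else 0.0
    return w, cr


def entropy_weights(scores):
    """Shannon entropy weights over an m x n score matrix (m assessed samples, n indicators).

    An indicator whose scores barely vary across samples carries little information
    and gets a weight near 0; a perfectly uniform column gets exactly 0.
    """
    m, n = len(scores), len(scores[0])
    if m < 2:
        raise ValueError("entropy weights need at least two samples")
    k = 1.0 / math.log(m)
    raw = []
    for j in range(n):
        col = [scores[i][j] for i in range(m)]
        if min(col) < 0:
            raise ValueError("scores must be non-negative")
        s = sum(col)
        if s == 0:
            raw.append(0.0)
            continue
        p = [x / s for x in col]
        e = -k * sum(x * math.log(x) for x in p if x > 0)
        raw.append(max(0.0, 1.0 - e))  # clamp rounding noise below zero
    total = sum(raw)
    if total == 0:  # every indicator is uninformative: fall back to equal weights
        return [1.0 / n] * n
    return [x / total for x in raw]


def security_index(weights, sample):
    """Target-layer security situation index: weighted sum of one sample's indicator scores."""
    if len(weights) != len(sample):
        raise ValueError("weight/score length mismatch")
    return sum(w * x for w, x in zip(weights, sample))


# Assumed grade thresholds, constructed for this example (the paper grades with a cloud model).
GRADES = [(0.8, "secure"), (0.6, "low risk"), (0.4, "medium risk"), (0.0, "high risk")]


def grade(index):
    """Map an index in [0, 1] to the first grade whose lower bound it reaches."""
    for lower, label in GRADES:
        if index >= lower:
            return label
    return GRADES[-1][1]


if __name__ == "__main__":
    # Constructed expert judgments for three assumed indicator-layer items of a departure
    # control system: access control vs. patch level vs. audit logging.
    judgment = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]
    w_ahp, cr = ahp_weights(judgment)
    print("AHP weights", [round(x, 3) for x in w_ahp], "CR", round(cr, 3))
    # Constructed normalized scores: rows are three assessment snapshots, columns the indicators.
    scores = [[0.9, 0.6, 0.5], [0.1, 0.4, 0.5], [0.5, 0.5, 0.5]]
    print("entropy weights", [round(x, 3) for x in entropy_weights(scores)])
    for row in scores:
        idx = security_index(w_ahp, row)
        print(round(idx, 3), grade(idx))
```

Running the script shows the two effects a practitioner should expect: the judgment matrix above is mildly inconsistent (CR around 0.03, under the 0.1 limit), and the third indicator, whose scores are identical in every snapshot, receives an entropy weight of 0, which is why entropy weighting alone can silently discard an indicator that happens not to vary in the sampled data.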