Journal of Tsinghua University (Science and Technology), 2014, Vol. 54, Issue 1: 35-43
Original Article
Risk assessment of complex information system security based on threat propagation
Gang MA 1,2, Yuge DU 3, Jiang RONG 1,2, Jiarui GAN 1,2, Zhongzhi SHI 1, Bo AN 1
1. The Key Laboratory of Intelligent Information Processing, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China
2. University of Chinese Academy of Sciences, Beijing 100049, China
3. China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract  

This paper presents a risk assessment method based on threat propagation between assets for assessing the security risks of complex information systems. The method describes the threat propagation routes between assets as a threat propagation tree; the security risk of the complex information system is then assessed from the expected value loss of each node in the tree, weighted by the probability of each propagation step in the tree. The accuracy of the model is evaluated by applying it to a representative complex information system. The analysis shows that the method captures the different threat probabilities of different nodes and the threat propagation between nodes, so that the key nodes to protect in different periods can be identified. The method is more objective and accurate than the traditional isolated-node analysis and can guide security risk managers in formulating reasonable protection strategies for complex information systems.

Keywords: risk assessment; asset; threat propagation tree
Issue Date: 15 January 2014
Cite this article:
Gang MA, Yuge DU, Jiang RONG, et al. Risk assessment of complex information system security based on threat propagation [J]. Journal of Tsinghua University (Science and Technology), 2014, 54(1): 35-43.
URL: http://jst.tsinghuajournals.com/EN/Y2014/V54/I1/35
Transition probability δ of each node, by vulnerability and threat

Node  Initial state  Vulnerability  Threat  Transition state  δ
a0    s0             v0             t0      s1                0.320
a0    s0             v1             t0      s1                0.286
a0    s0             v0             t1      s1                0.319
a0    s0             v1             t1      s1                0.075
a1    s0             v0             t0      s1                0.114
a1    s0             v1             t0      s1                0.323
a1    s0             v0             t1      s1                0.232
a1    s0             v1             t1      s1                0.331
a2    s0             v0             t0      s1                0.366
a2    s0             v1             t0      s1                0.031
a2    s0             v0             t1      s1                0.353
a2    s0             v1             t1      s1                0.250

Value loss ΔW of each node on state transition

Node  Initial state  Transition state  Value loss ΔW
a0    s0             s1                24.454
a1    s0             s1                17.241
a2    s0             s1                58.305

Initial-state probability η of each node

Node  Initial state  η
a0    s0             0.532
a1    s0             0.352
a2    s0             0.116

Threat probability ξ per threat and node

Threat  Node  Transition state  ξ
t0      a0    s1                0.411
t1      a0    s1                0.448
te      a0    s1                0.141
t0      a1    s1                0.287
t1      a1    s1                0.359
te      a1    s1                0.354
t0      a2    s1                0.476
t1      a2    s1                0.180
te      a2    s1                0.344

Vulnerability probability β per vulnerability, node and threat

Vulnerability  Node  Initial state  Threat  β
v0             a0    s0             t0      0.446
v1             a0    s0             t0      0.183
ve             a0    s0             t0      0.371
v0             a0    s0             t1      0.477
v1             a0    s0             t1      0.040
ve             a0    s0             t1      0.483
v0             a1    s0             t0      0.413
v1             a1    s0             t0      0.170
ve             a1    s0             t0      0.417
v0             a1    s0             t1      0.045
v1             a1    s0             t1      0.915
ve             a1    s0             t1      0.040
v0             a2    s0             t0      0.445
v1             a2    s0             t0      0.034
ve             a2    s0             t0      0.521
v0             a2    s0             t1      0.208
v1             a2    s0             t1      0.433
ve             a2    s0             t1      0.359

Probability P(Trj) and risk R(Trj) of each threat propagation tree Trj

Threat propagation tree Trj  Probability P(Trj)  Risk R(Trj)
Tr1                          0.452145            2.156706
Tr2                          0.012504            0.081632
Tr3                          0.020676            0.210313
Tr4                          0.008250            0.118193
Tr5                          0.012020            0.184658
Tr6                          0.011112            0.178734
Tr7                          0.024560            0.509961
Tr8                          0.000065            0.001052
Tr9                          0.000075            0.001287
Tr10                         0.000361            0.007112
Tr11                         0.000415            0.008608
Tr12                         0.000138            0.002227
Tr13                         0.000008            0.000150
Tr14                         0.000224            0.003842
Tr15                         0.000012            0.000256