Risk assessment of complex information system security based on threat propagation
To assess the security risk of complex information systems, this paper proposes a risk assessment method based on threat propagation between assets. The method defines the threat propagation paths between the assets of a complex information system as a threat propagation tree, and assesses the security risk of the whole system by computing the expected loss of each node in the threat propagation tree together with the probability that the threat propagation tree occurs. To verify the correctness and feasibility of the proposed method, a representative example is selected to illustrate its application to the security risk assessment of a complex information system. The analysis of the example shows that the threat-propagation-based method accounts for the different probabilities with which different nodes are acted on by threats and for the propagation of threats between nodes, and that it can indicate which nodes need priority protection during different periods. It is more objective and accurate than the traditional isolated-node analysis method and can effectively guide security risk managers in formulating reasonable security protection strategies for complex information systems.
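As an added illustration that is not from the paper, the following Python sketch implements the computation the abstract describes: each node's expected loss is its assumed loss weighted by the probability that the threat reaches it along the tree, the system risk sums those losses weighted by the probability that each tree occurs, and the nodes with the highest accumulated risk are the ones to protect first. The asset graph, propagation probabilities and loss values are constructed assumptions, and the paper's exact formulas may differ.

```python
from collections import defaultdict

# Constructed sample data (assumed values, not taken from the paper).
# Each threat propagation tree has a root asset, an assumed probability
# that the tree occurs, and edges (parent, child, propagation probability).
TREES = [
    {
        "root": "web_server",
        "p_tree": 0.6,
        "edges": [
            ("web_server", "app_server", 0.7),
            ("app_server", "db_server", 0.5),
            ("web_server", "mail_server", 0.3),
        ],
    },
    {
        "root": "vpn_gateway",
        "p_tree": 0.4,
        "edges": [
            ("vpn_gateway", "db_server", 0.4),
            ("vpn_gateway", "file_server", 0.6),
        ],
    },
]
# Assumed loss (arbitrary units) if each asset is compromised.
LOSS = {"web_server": 20, "app_server": 40, "db_server": 100,
        "mail_server": 15, "vpn_gateway": 25, "file_server": 60}


def node_reach_probability(tree):
    """P(node reached) = product of propagation probabilities on the unique
    root-to-node path; the root is reached with probability 1 in its tree."""
    children = defaultdict(list)
    for parent, child, p in tree["edges"]:
        children[parent].append((child, p))
    reach = {tree["root"]: 1.0}
    stack = [tree["root"]]
    while stack:
        node = stack.pop()
        for child, p in children[node]:
            reach[child] = reach[node] * p
            stack.append(child)
    return reach


def expected_loss(tree, loss):
    """Expected loss of each node within one propagation tree."""
    return {n: p * loss[n] for n, p in node_reach_probability(tree).items()}


def system_risk(trees, loss):
    """Total risk and per-node risk, each tree weighted by its occurrence probability."""
    per_node = defaultdict(float)
    for tree in trees:
        for node, el in expected_loss(tree, loss).items():
            per_node[node] += tree["p_tree"] * el
    return sum(per_node.values()), dict(per_node)


def key_nodes(trees, loss, k=2):
    """Nodes to protect first: highest accumulated risk across all trees."""
    _, per_node = system_risk(trees, loss)
    return [n for n, _ in sorted(per_node.items(), key=lambda kv: -kv[1])[:k]]
```

With the sample data the database server accumulates risk from both trees and ranks first, which is the kind of cross-tree effect an isolated-node analysis would miss.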