Computer Science ›› 2016, Vol. 43 ›› Issue (Z6): 322-327.doi: 10.11896/j.issn.1002-137X.2016.6A.077


Research on Comprehensive Assessment Method of Information System Security Based on System Attack and Defense

WAN Xue-lian and ZHANG Jing-he   

Online: 2018-11-14   Published: 2018-11-14

Abstract: This paper studies a comprehensive assessment method for information system security from the two perspectives of system attack and system defense. From the attack perspective, we propose a quantitative system vulnerability risk assessment model based on the CVE standard, an association rules algorithm and a vulnerability connection network model. From the defense perspective, we establish a customized information system security assessment model that simplifies the evaluation of information system assets. Combining system information and security, we put forward "information" as the smallest unit of an information system, and establish the AHP and three-dimensional assessment model according to GB/T 22239-2008. On the basis of the attack-side and defense-side assessment results, the comprehensive assessment method realizes quantitative analysis of overall system security, system vulnerability risk analysis and system security weakest-link ("short board") analysis. The application example shows that the comprehensive assessment method achieves an objective, scientific and comprehensive quantitative assessment of information system security.

Key words: Information system, Quantitative assessment, Vulnerability connection, Association rules, Analytic hierarchy process (AHP), Three-dimensional assessment
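The abstract names the analytic hierarchy process (AHP) as the weighting method behind its assessment model but does not show how the dimension weights are derived or checked. The Python example below is added here and is not the paper's own model or code: it derives AHP priority weights from a pairwise comparison matrix by power iteration, computes Saaty's consistency ratio (CR) so that inconsistent expert judgements are rejected rather than silently weighted, combines per-dimension scores into a composite security score, and flags the lowest-scoring dimension as the "short board". The dimension names, pairwise judgements and scores are constructed sample inputs; the paper's actual dimensions, judgements and weights are not given on this page.

```python
"""AHP weighting and composite security scoring (added worked example).

Not the paper's own model. Dimension names, pairwise judgements and
scores below are constructed sample inputs, not values from the paper.
"""
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index RI, keyed by matrix order n (1..9).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def validate_pairwise(matrix: Sequence[Sequence[float]], tol: float = 1e-9) -> None:
    """Reject matrices that are not square, positive and reciprocal (a_ji == 1/a_ij)."""
    n = len(matrix)
    if n == 0 or any(len(row) != n for row in matrix):
        raise ValueError("pairwise matrix must be square")
    if n > max(RANDOM_INDEX):
        raise ValueError("no random index available for order %d" % n)
    for i in range(n):
        for j in range(n):
            if matrix[i][j] <= 0:
                raise ValueError("pairwise judgements must be positive")
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > tol:
                raise ValueError("entry (%d,%d) is not the reciprocal of (%d,%d)" % (i, j, j, i))


def principal_eigen(matrix: Sequence[Sequence[float]],
                    iterations: int = 500, tol: float = 1e-12) -> Tuple[List[float], float]:
    """Power iteration: return (normalized priority vector, lambda_max estimate)."""
    n = len(matrix)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        # Mean of (A w)_i / w_i converges to the principal eigenvalue lambda_max.
        lam = sum(aw[i] / w[i] for i in range(n)) / n
        total = sum(aw)
        new_w = [x / total for x in aw]
        shift = max(abs(new_w[i] - w[i]) for i in range(n))
        w = new_w
        if shift < tol:
            break
    return w, lam


def ahp_weights(matrix: Sequence[Sequence[float]]) -> Tuple[List[float], float]:
    """Return (weights, consistency ratio CR). CR > 0.1 means the judgements should be revised."""
    validate_pairwise(matrix)
    n = len(matrix)
    w, lam = principal_eigen(matrix)
    if n < 3:  # a 1x1 or 2x2 reciprocal matrix is always consistent (RI = 0)
        return w, 0.0
    ci = (lam - n) / (n - 1)          # consistency index
    return w, ci / RANDOM_INDEX[n]    # consistency ratio


def composite_score(weights: Sequence[float], scores: Dict[str, float],
                    order: Sequence[str]) -> float:
    """Weighted sum of per-dimension scores (0-100 scale assumed)."""
    return sum(wi * scores[name] for wi, name in zip(weights, order))


def weakest_dimension(scores: Dict[str, float]) -> str:
    """The 'short board': the lowest-scoring dimension bounds overall security."""
    return min(scores, key=lambda name: scores[name])


# Constructed sample: three assessment dimensions (assumed names, not the paper's).
DIMENSIONS = ("network", "host", "application")
# Judgements on Saaty's 1-9 scale: network vs host = 3, network vs application = 5,
# host vs application = 3; the lower triangle holds the reciprocals.
PAIRWISE = [[1.0, 3.0, 5.0],
            [1 / 3, 1.0, 3.0],
            [1 / 5, 1 / 3, 1.0]]
# Constructed per-dimension assessment scores on a 0-100 scale.
SAMPLE_SCORES = {"network": 82.0, "host": 64.0, "application": 47.0}


def assess(pairwise=PAIRWISE, scores=SAMPLE_SCORES, order=DIMENSIONS) -> Dict[str, object]:
    """Run the full chain: weights -> consistency check -> composite score -> weakest link."""
    w, cr = ahp_weights(pairwise)
    if cr > 0.1:
        raise ValueError("pairwise judgements are inconsistent (CR=%.3f > 0.1)" % cr)
    return {"weights": dict(zip(order, w)), "cr": cr,
            "score": composite_score(w, scores, order),
            "weakest": weakest_dimension(scores)}


if __name__ == "__main__":
    result = assess()
    for name, weight in result["weights"].items():
        print("%-12s weight=%.3f score=%5.1f" % (name, weight, SAMPLE_SCORES[name]))
    print("CR=%.3f composite=%.1f weakest=%s" % (result["cr"], result["score"], result["weakest"]))
```

The consistency check is the part worth keeping in any AHP-based assessment: a reciprocal matrix built from expert judgements can still be internally contradictory, and weights derived from it would quietly distort the final score, so the example refuses to score when CR exceeds Saaty's 0.1 threshold.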

