Computer Science (计算机科学) ›› 2015, Vol. 42 ›› Issue (9): 134-138. doi: 10.11896/j.issn.1002-137X.2015.09.025
唐成华, 田吉龙, 汤申生, 张鑫, 王璐
TANG Cheng-hua, TIAN Ji-long, TANG Shen-sheng, ZHANG Xin and WANG Lu
Abstract: To address problems such as determining the risk level of vulnerabilities in software systems, this paper proposes a method for assessing software vulnerability risk with a genetic-algorithm-based fuzzy analytic hierarchy process (GA-FAHP). The method first uses an improved fuzzy AHP to derive the weight of each risk factor and to build a fuzzy judgment matrix; it then transforms the consistency check and correction of the fuzzy judgment matrix into a constrained nonlinear optimization problem and solves it with a genetic algorithm; finally, the GA-FAHP algorithm computes the risk value of a software vulnerability. Experimental results show that the method has good accuracy and effectiveness and offers a feasible approach to software vulnerability risk assessment.
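The three steps of the abstract (factor weights from a judgment matrix, consistency check and correction posed as a constrained optimization solved by a genetic algorithm, and a final weighted risk value) can be illustrated end to end. The following is an added example, not code from the paper: it uses a crisp 1-9 pairwise scale in place of the paper's fuzzy judgments, Saaty's consistency ratio as the consistency test, and a constraint that keeps every corrected judgment within a factor of two of the expert's original value. The four risk factors, the judgment matrix, the factor scores and all function names (`priority_weights`, `consistency_ratio`, `repair_matrix_ga`, `risk_value`, `assess`) are constructed for this illustration and are not taken from the page.

```python
"""Added worked example (not the paper's own code): a miniature GA-AHP
pipeline mirroring the three steps in the abstract.

Assumptions not taken from the page: a crisp 1-9 pairwise scale stands in
for the paper's fuzzy judgments; Saaty's consistency ratio (CR) is the
consistency test; the constrained optimisation keeps every corrected
judgment within a factor MAX_FACTOR of the expert's original value; the
risk factors, judgment matrix and factor scores are constructed sample data.
"""
import math
import random

# Saaty's random-index table for CR = CI / RI (standard AHP constants)
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

# Constructed sample: four risk factors of a vulnerability and one expert's
# pairwise judgments (a_ij = how much more important factor i is than j).
FACTORS = ["exploitability", "impact", "exposure", "patch availability"]
JUDGMENTS = [
    [1.0,   3.0,   5.0,   7.0],
    [1 / 3, 1.0,   0.2,   3.0],   # 0.2 contradicts row 0 (5/3 ~ 1.7 would be consistent)
    [0.2,   5.0,   1.0,   3.0],
    [1 / 7, 1 / 3, 1 / 3, 1.0],
]
FACTOR_SCORES = [8.0, 9.0, 4.0, 2.0]   # constructed 0-10 scores for one vulnerability
MAX_FACTOR = 2.0                       # constraint: corrected a_ij within [a_ij/2, 2*a_ij]


def priority_weights(m):
    """Step 1: row geometric-mean weights, normalised to sum to 1."""
    n = len(m)
    gm = [math.prod(row) ** (1.0 / n) for row in m]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(m):
    """Saaty CR; values above 0.1 are conventionally treated as inconsistent."""
    n = len(m)
    w = priority_weights(m)
    mw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(mw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def matrix_from_genes(genes, n):
    """Rebuild a reciprocal matrix from its upper-triangle entries (the GA genome)."""
    m = [[1.0] * n for _ in range(n)]
    k = 0
    for i in range(n):
        for j in range(i + 1, n):
            m[i][j], m[j][i] = genes[k], 1.0 / genes[k]
            k += 1
    return m


def repair_matrix_ga(orig, max_factor=MAX_FACTOR, pop_size=60, generations=150, seed=1):
    """Step 2: minimise CR plus a small drift penalty, subject to
    |ln(a_ij / orig_ij)| <= ln(max_factor) for every judgment."""
    rng = random.Random(seed)
    n = len(orig)
    base = [orig[i][j] for i in range(n) for j in range(i + 1, n)]
    bound = math.log(max_factor)

    def clamp(genes):  # project a genome back into the feasible box
        return [b * math.exp(max(-bound, min(bound, math.log(g / b))))
                for g, b in zip(genes, base)]

    def fitness(genes):  # lower is better
        drift = sum(abs(math.log(g / b)) for g, b in zip(genes, base)) / len(base)
        return consistency_ratio(matrix_from_genes(genes, n)) + 0.05 * drift

    pop = [clamp([b * math.exp(rng.uniform(-bound, bound)) for b in base])
           for _ in range(pop_size)]
    pop[0] = list(base)                      # keep the expert's matrix as a candidate
    for _ in range(generations):
        pop.sort(key=fitness)
        elite = pop[: pop_size // 5]         # elitism: the best fifth survives unchanged
        children = list(elite)
        while len(children) < pop_size:
            p1, p2 = rng.sample(elite, 2)
            child = [a if rng.random() < 0.5 else b for a, b in zip(p1, p2)]  # uniform crossover
            child = [g * math.exp(rng.gauss(0.0, 0.1)) if rng.random() < 0.3 else g
                     for g in child]                                           # log-space mutation
            children.append(clamp(child))
        pop = children
    return matrix_from_genes(min(pop, key=fitness), n)


def risk_value(weights, scores):
    """Step 3: weighted risk value on the same scale as the factor scores."""
    return sum(w * s for w, s in zip(weights, scores))


def assess(judgments=JUDGMENTS, scores=FACTOR_SCORES):
    """Run all three steps; returns (original CR, repaired CR, weights, risk)."""
    repaired = repair_matrix_ga(judgments)
    w = priority_weights(repaired)
    return consistency_ratio(judgments), consistency_ratio(repaired), w, risk_value(w, scores)


if __name__ == "__main__":
    cr0, cr1, w, risk = assess()
    print(f"CR before {cr0:.3f}, after {cr1:.3f}")
    for name, weight in zip(FACTORS, w):
        print(f"  {name:<20} {weight:.3f}")
    print(f"risk value {risk:.2f} / 10")
```

The constructed matrix is deliberately inconsistent (its CR is above the customary 0.1 threshold), so the GA has something to correct; because the expert's own matrix is seeded into the population and elitism never discards the best candidate, the repaired matrix can never be less consistent than the original, and the box constraint guarantees no judgment is moved further than the analyst allowed. Replacing the crisp scale with triangular fuzzy numbers and the CR with a fuzzy consistency measure would be the step toward the paper's FAHP formulation, which the page does not detail.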