A computing approach of information system vulnerability's exploited probability
(original Chinese title: 信息系统脆弱性被利用概率计算方法)

Author:

CLC number: TP309

Funding: Science and Technology Project of State Grid Sichuan Electric Power Company (5219991351VR); National Natural Science Foundation of China (61472054).
Abstract (translated from the Chinese):

Vulnerability assessment in existing information-system risk assessment does not take the correlations among vulnerabilities into account, and its results are strongly influenced by subjective human judgement. To address this, two indicators are proposed, "ease of exploitation" and "chosen probability", which convert the existing "ease of exploitation" rating of a vulnerability into a more rigorous "exploited probability" rating; forward inference in a Bayesian network is then used to compute the cumulative "chosen probability" of each vulnerability node. Theoretical and experimental analysis shows that, compared with related work, the proposed method for computing the probability that a vulnerability is exploited is more accurate and reasonable.

Abstract:

The evaluation results are impacted by many subjective factors, since the existing risk assessment for information systems does not take the correlation of vulnerabilities into account. By combining two assessment vectors, i.e. access complexity and chosen probability, we transform the so-called "access complexity" evaluation method into an "exploited probability" evaluation approach, and use Bayesian network forward inference to accumulate each vulnerability's chosen probability. Theoretical and experimental analysis shows that the proposed "exploited probability" evaluation method is more accurate and reasonable than associated existing research work.
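The abstract states the two ingredients of the method, a per-node ease-of-exploitation value and per-edge chosen probabilities propagated by forward inference over a Bayesian attack graph, but the page does not give the combination rule or any data. The following is an added illustration, not the paper's code or formula: it assumes a small constructed attack graph, treats the probability that a node is attempted as a noisy-OR over its already-exploited parents weighted by the edge's chosen probability, and takes the exploited probability as attempted probability times ease of exploitation. The node names, edge set and all numeric values are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed attack-graph fragment (an assumption, not the paper's data).
# An edge u -> v means "having exploited u, the attacker may choose v next".
# The node "entry" is the attacker's starting position and is always reached.
EDGES: List[Tuple[str, str]] = [
    ("entry", "v1"),
    ("entry", "v2"),
    ("v1", "v3"),
    ("v2", "v3"),
    ("v3", "v4"),
]

# Ease of exploitation: probability that an attempt on the node succeeds.
# Constructed values; an assessment would derive them from an access-complexity
# rating (e.g. a CVSS-style scale) rather than pick them by hand.
EASE: Dict[str, float] = {"entry": 1.0, "v1": 0.7, "v2": 0.4, "v3": 0.9, "v4": 0.5}

# Chosen probability per edge: probability that an attacker standing at u selects
# v as the next target. Outgoing probabilities of one node should sum to <= 1.
CHOICE: Dict[Tuple[str, str], float] = {
    ("entry", "v1"): 0.6,
    ("entry", "v2"): 0.4,
    ("v1", "v3"): 1.0,
    ("v2", "v3"): 1.0,
    ("v3", "v4"): 1.0,
}


def topological_order(edges: List[Tuple[str, str]]) -> List[str]:
    """Kahn's algorithm; raises ValueError on a cycle (the graph must be a DAG
    for forward inference to be well defined)."""
    nodes = {n for e in edges for n in e}
    indeg = {n: 0 for n in nodes}
    succ: Dict[str, List[str]] = {n: [] for n in nodes}
    for u, v in edges:
        succ[u].append(v)
        indeg[v] += 1
    ready = sorted(n for n in nodes if indeg[n] == 0)
    order: List[str] = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(order) != len(nodes):
        raise ValueError("attack graph must be acyclic")
    return order


def forward_inference(edges, ease, choice, entry: str = "entry"):
    """Propagate probabilities from the entry node to every other node.

    Returns two dictionaries:
      attempted[v]  cumulative chosen probability, P(attacker ever attempts v)
      exploited[v]  P(v is exploited) = attempted[v] * ease[v]
    Parents are combined with a noisy-OR: reaching v through distinct parents
    is treated as independent events (an assumption of this example).
    """
    parents: Dict[str, List[str]] = {}
    for u, v in edges:
        parents.setdefault(v, []).append(u)
    attempted: Dict[str, float] = {}
    exploited: Dict[str, float] = {}
    for v in topological_order(edges):
        if v == entry:
            attempted[v] = 1.0
        else:
            not_attempted = 1.0
            for u in parents.get(v, []):
                not_attempted *= 1.0 - exploited[u] * choice[(u, v)]
            attempted[v] = 1.0 - not_attempted
        exploited[v] = attempted[v] * ease[v]
    return attempted, exploited


if __name__ == "__main__":
    att, exp_ = forward_inference(EDGES, EASE, CHOICE)
    for node in topological_order(EDGES):
        print(f"{node}: attempted={att[node]:.4f} exploited={exp_[node]:.4f}")
```

Note that v3 is reachable through two parents, so its cumulative chosen probability (0.5128) exceeds what either path alone contributes, which is exactly the correlation effect the abstract says a per-vulnerability rating misses; v4 then inherits v3's exploited probability because it has a single parent with chosen probability 1.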

Cite this article:

柴继文, 王胜, 梁晖辉, 胡兵, 向宏. A computing approach of information system vulnerability's exploited probability [J]. Journal of Chongqing University, 2017, 40(12): 35-42.

Article metrics
  • Views: 972
  • Downloads: 1473
  • HTML reads: 850
  • Citations: 0
History
  • Received: 2017-07-14
  • Published online: 2018-01-03