Key Laboratory of Dependable Service Computing in Cyber Physical Society, Ministry of Education, Chongqing University, Chongqing 400030, P. R. China
Existing risk assessment methods for information systems do not take the correlation between vulnerabilities into account, so their results are affected by many subjective factors. By combining two assessment vectors, access complexity and chosen probability, we convert the conventional "access complexity" evaluation into an "exploited probability" evaluation, and use forward inference in a Bayesian network to accumulate the chosen probability of each vulnerability. Theoretical and experimental analysis show that the proposed "exploited probability" evaluation method is more accurate and reasonable than related existing work.
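The abstract describes the method only at a high level. As an added illustration, which is not the paper's code and does not reproduce the paper's exact combination of access complexity with its "chosen probability" vector, the following Python example performs forward inference over a small, constructed Bayesian attack graph. It uses the CVSS v2 AccessComplexity metric values (Low 0.71, Medium 0.61, High 0.35) as each node's local success probability and accumulates them along the node's preconditions, so a vulnerability that is only reachable through hard-to-exploit predecessors ends up with a lower exploited probability than its stand-alone score suggests. The sample graph, the node names v1 to v5, the AND/OR gate rule and the assumption that parent nodes are independent are all choices made for this example.

```python
"""Forward inference over a Bayesian-network attack graph (added example).

Per-vulnerability CVSS v2 AccessComplexity weights are accumulated along the
graph so that a vulnerability reachable only through hard preconditions ends
up with a lower exploited probability than its stand-alone score suggests.
"""

# CVSS v2 AccessComplexity metric values (Low / Medium / High).
# Used here as the probability that an exploit attempt on a node succeeds
# once its preconditions are already satisfied.
ACCESS_COMPLEXITY = {"L": 0.71, "M": 0.61, "H": 0.35}

# Constructed sample attack graph (assumption, not taken from the paper).
# parents: vulnerabilities that must already be exploited to reach this one.
# gate: "AND" = all parents required, "OR" = any single parent suffices.
SAMPLE_GRAPH = {
    "v1": {"ac": "L", "parents": [], "gate": "AND"},
    "v2": {"ac": "M", "parents": ["v1"], "gate": "AND"},
    "v3": {"ac": "H", "parents": ["v1"], "gate": "AND"},
    "v4": {"ac": "L", "parents": ["v2", "v3"], "gate": "OR"},
    "v5": {"ac": "M", "parents": ["v2", "v3"], "gate": "AND"},
}


def is_dag(graph):
    """Return True if the graph has no cycle (a Bayesian network must be acyclic)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}

    def visit(node):
        if colour[node] == GREY:
            return False  # back edge reached while still on the stack: cycle
        if colour[node] == BLACK:
            return True
        colour[node] = GREY
        for parent in graph[node]["parents"]:
            if parent not in graph:
                raise KeyError(f"unknown parent {parent!r} of {node!r}")
            if not visit(parent):
                return False
        colour[node] = BLACK
        return True

    return all(visit(node) for node in graph)


def exploited_probabilities(graph):
    """Forward inference: P(v) = P(exploit v | preconditions) * P(preconditions).

    Preconditions are combined with the usual attack-graph approximation that
    parent nodes are independent: AND gate -> product of parent probabilities,
    OR gate -> noisy-OR, 1 - prod(1 - P(parent)). Entry nodes (no parents)
    have P(preconditions) = 1. Shared ancestors make parents correlated in
    reality, so the result is an approximation, not exact inference.
    """
    if not is_dag(graph):
        raise ValueError("attack graph contains a cycle; cannot run forward inference")

    memo = {}

    def prob(node):
        if node in memo:
            return memo[node]
        spec = graph[node]
        local = ACCESS_COMPLEXITY[spec["ac"]]
        parents = spec["parents"]
        if not parents:
            pre = 1.0
        elif spec["gate"] == "AND":
            pre = 1.0
            for p in parents:
                pre *= prob(p)
        elif spec["gate"] == "OR":
            none_reached = 1.0
            for p in parents:
                none_reached *= 1.0 - prob(p)
            pre = 1.0 - none_reached
        else:
            raise ValueError(f"unknown gate {spec['gate']!r} on {node!r}")
        memo[node] = local * pre
        return memo[node]

    return {node: prob(node) for node in graph}


def rank(graph, accumulated=True):
    """Vulnerability ids ordered from most to least likely to be exploited.

    accumulated=False ranks by the stand-alone CVSS weight, which is what a
    correlation-unaware assessment does; comparing the two orderings shows
    where the graph structure changes the verdict.
    """
    if accumulated:
        scores = exploited_probabilities(graph)
    else:
        scores = {n: ACCESS_COMPLEXITY[s["ac"]] for n, s in graph.items()}
    return sorted(graph, key=lambda n: (-scores[n], n))


if __name__ == "__main__":
    for node, p in exploited_probabilities(SAMPLE_GRAPH).items():
        print(f"{node}: stand-alone {ACCESS_COMPLEXITY[SAMPLE_GRAPH[node]['ac']]:.2f}"
              f"  accumulated {p:.4f}")
    print("stand-alone ranking:", rank(SAMPLE_GRAPH, accumulated=False))
    print("accumulated ranking:", rank(SAMPLE_GRAPH))
```

In the sample graph v4 has the same stand-alone weight as the entry point v1 (both Low complexity), but once its preconditions are accumulated it drops below v2, and v5, whose AND gate requires both v2 and v3, falls to the bottom. That re-ordering is the effect the abstract attributes to taking vulnerability correlation into account; the cycle check matters because forward inference over a cyclic graph would recurse without terminating.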