摘要
随着计算机技术的发展,网络规模不断扩大,实现信息安全保障也越来越复杂和困难。信息安全风险评估能够识别和度量网络系统所面临的安全风险,并进一步指导网络系统的安全改进工作。因此,开展网络系统信息安全风险评估理论及其关键技术研究具有重要的理论意义和实用价值。
已有的风险评估方法存在将网络系统信息安全风险分析与评估同具体的系统环境和业务背景相割裂的情况,缺乏对风险形成过程的准确、高效、自动化建模,量化评估方法难以解决风险的不确定性问题,使得评估结果无法全面表现系统信息安全状况,难以有效支持安全改进措施的选择。针对上述问题,本文进行了信息安全风险过程建模与评估方法的研究,并对其中的关键问题进行了深入研究。全文的主要研究工作和创新点如下:
(一)提出了一种信息安全风险过程建模与评估框架
为了准确、全面和动态地评估网络系统的信息安全风险,提出了信息安全风险过程建模与评估方法框架。该框架以规划渗透图模型(PEG)和信息安全风险概率计算模型(PEG-BN)为核心,从安全防御者的角度出发,采用“白盒”式的风险识别方法,利用规划渗透图模型形象刻画信息安全风险形成的动态过程,利用信息安全风险概率计算模型定量计算信息安全风险概率,并进一步量化评估系统风险,其具体执行流程由13个具体过程构成,可为风险评估的实施提供一套规范的程序。
(二)提出了一种基于智能规划的信息安全风险过程建模方法
为高效地自动化构建PEG模型,将智能规划的思想引入信息安全风险过程建模领域,提出了基于智能规划的信息安全风险过程建模方法PISRPMA。PISRPMA方法将网络系统风险过程建模看作脆弱性利用在目标网络中的规划问题,采用规划域定义语言PDDL规范描述并使用高效的规划求解方法获取网络系统的信息安全风险过程。该方法对信息安全风险过程科学建模,将脆弱性利用描述为风险领域、目标网络描述为风险问题,对风险过程建模问题的描述清晰直观,易于理解。高效的风险过程建模算法可扩展性强,适用于大规模网络系统的风险过程建模。规划渗透图模型PEG图形化展现网络系统的信息安全风险演化过程,既利于安全管理者理解和分析网络系统的安全风险状况,又为后续的信息安全风险量化评估及安全改进工作提供基础。实验表明,本文提出的PISRPAM方法能规范且直观地进行风险形成过程的形式化描述,具有可行性和较高的计算效率。
(三)将风险概率因素引入PEG模型,构建了基于贝叶斯网络的信息安全风险概率计算模型PEG-BN
为全面、动态地量化评估信息安全风险,提出了一种基于贝叶斯网络的信息安全风险概率计算模型PEG-BN:即在PEG模型中引入风险的概率因素,并将其转化为可计算风险概率的贝叶斯网络模型。首先分析了贝叶斯网络模型在信息安全风险概率计算问题中的适用性。其次采用贝叶斯方法两阶段构建PEG-BN模型:(1)基于PEG模型的结构确定了PEG-BN的模型结构;(2)在PEG模型结构特点基础上结合专家知识确定PEG-BN的模型参数的先验分布;(3)借助贝叶斯网络模型的参数学习能力不断更新PEG-BN模型的网络参数以确保建立的PEG-BN符合系统客观实际,且针对完整的实验数据和存在缺失的实验数据分别讨论模型参数的更新方法,保证PEG-BN模型可以真实反应系统实际风险状况,不断提高后续评估结果的可信度。
(四)实现了基于PEG-BN的网络系统信息安全风险量化计算
系统信息安全风险量化计算的两个基本要素是安全事件的发生概率及可能造成的损失。PEG-BN模型能基于现有知识进行多角度的信息安全风险概率预测和实时计算,并对系统安全风险实施灵敏度分析,为优化安全措施提供有力的信息支持。结合风险概率计算及风险发生可能造成的损失,进行网络系统各安全目标的风险量化评估,并对系统风险状况进行全面描述。
(五)为验证本文所提出的相关方法和理论,论文以基于智能规划的信息安全风险过程建模与评估方法为指导,构建了信息安全风险评估系统ISRAS,并以某科研所的管理信息系统为例,应用ISRAS系统对其进行安全风险评估,以此进一步验证了基于智能规划的信息安全风险过程建模与评估方法的可行性和有效性。
With the continued expansion of the scale of the computer network, the security protection has become more and more complex and difficult to achieve. Information security risk assessment can identify vulnerabilities and evaluate risk of network information security. Therefore, studies on the theories and key technologies of risk assessment for information security have great theoretical significance and practical values.
However, there are some common problems in existing network system information security risk assessment method. For example, these methods often separate the risk analysis and assessment of information security from the concrete organization environment and business background; or lack the scalable modeling and accurate formalization of the risk process; or evaluation result can not reflect the risk state of information security, neither can give valuable advice to security improvement. To solve these problems, this thesis researches on network information security risk process modeling and assessment method, lucubrates the pivotal question of this research. The main contents and fruits of this thesis are outlined as follows:
(1) A method of the information security risk assessment is presented
To evaluate information security risk accurately, dynamically and comprehensivly, a method of the information security risk assessment is presented. The method measures information security in a defender view, adopts "white box" type risk identification method, models the risk process with PEG model, and evaluates risk frequency with PEG-BN model. ISRAM provides a suit of normative practical procedure composed by 13 processes to implements risk assessment on information system.
(2) An AI planning based method of information security risk process modeling is presented
An AI planning based method named PISRPMA is proposed to model the risk process of information Security with large scale automatically. PISRPMA describes the network as risk domain and rule of vulnerability-use as risk problem in planning domain definition language PDDL, searches out all exploitation paths by correlative advanced planning algorithms, and builds a planning Exploitation graph to model the risk process with Graphviz toolkit. The result of this PISRPMA is PEG which not only describes the risk process but also give basis of PEG-BN model construction and security improvement decision. Experiment shows this method has the features of formalization and scalability,and is a good solution for risk process modeling for large scale network.
(3) With the probability feature of risk combined in PEG model, a PEG-BN model of calculating information security risk probability based on BN is proposed
Calculating network security risk probability is the core work of quantization appraising works. This thesis brought up the risk calculated Model PEG-BN. At first, we analysis the features of information security and the BN model, draws a conclusion that BN model suit the risk calculating problem well. Then probability data are combined with the PEG model and PEG-BN model is constructed: (1) The model graph structure is determined by PEG; (2) The local conditional probability distributions are computed by Bayesian method which takes expertise knowledge as prior probability distribution; (3) The model parameters are updated with training data by Bayesian Networks learning, which containes the full data situation and part data situation also. The analysis of the example shows the model could evaluate the information security risk successfully.
(4) A method of calculating information security risk events frequency based on PEG-BN is presented
Two basic elements of calculating information security risk are risk events frequency and influence of risk events. Based on known data, PEG-BN can forecast and real-time evaluate not only information risk events frequency but also information risk, make sensitivity ananlysis of all elements in risk process, reflect the network information risk all-around.
(5) An information security risk assessment system named ISRAS based on ISRAM is designed and developed. And a real network system is used to illustrate key methodologies presented in this thesis.
引文
[1]冯登国.我国信息安全技术发展趋势的分析[J].网络信息安全, 2006,(11): 6-7.
[2] ISC, Internet Domain Survey[EB/OL]. http://www.isc.org/ds/. 2008.
[3] Cnic.中国互联网络发展状况统计报告[R].北京:中国互联网络信息中心, 2008.
[4]鲍旭华.基于并发机制的报警关联方法研究[D].北京:中科院研究生院, 2007.
[5] CERT/CC,CERT/CC Statistics 1995-2007[EB/OL]. http://www.cert. org/sta ts/cert-stats. 2007.
[6] Cncert/Cc. 2007年上半年网络安全工作报告[R].北京:国家计算机网络应急技术处理协调中心, 2007.
[7]范红,冯登国,吴亚非.信息安全风险评估方法与应用[M].北京:清华大学出版社,2006.
[8] Neumann. Computer-related risks[M]. ACM Press,Addison-Wesley Publishing Company,1995.
[9]克利斯多夫.阿尔伯兹,奥黛丽.多诺非.信息安全风险管理:OCTAVESM方法[M].北京:清华大学出版社,2003.
[10]吴亚非.基于风险的信息安全保障的研究[D].成都:四川大学数学学院, 2002.
[11]陈光.信息系统信息安全风险管理方法研究[D].长沙:国防科学技术大学, 2006.
[12]张永铮.计算机安全弱点及其对应关键技术研究[D].哈尔滨:哈尔滨工业大学, 2006.
[13]毛捍东.基于逻辑渗透图模型的网络安全风险评估方法研究[D].长沙:国防科学技术大学, 2008.
[14]维基百科[EB/OL]. http://en.weikipedia.org.
[15]互动百科[EB/OL]. http:// www.hudong.com.
[16]百度百科[EB/OL]. http://baike.baidu.com.
[17]吕帅刘磊,石莲等.基于自动推理技术的智能规划方法[J].软件学报, 2009,20(5): 1226-1240.
[18]姜云飞吴康恒.人工智能理论及其应用[M].高等教育出版社,2005.
[19]张钹.网络时代的人工智能[J].计算机世界, 1997,1: 105-107.
[20] Malik Ghallab Dana Nau, Paolo Traverso.自动规划:理论和实践[M]. Elsevier,2008.
[21]殷明浩.自动推理和智能规划中若干问题研究[D].吉林:吉林大学, 2008.
[22] Russell Stuart, Peter Norvig.人工智能[M].人民邮电出版社,2004.
[23]宋泾舸查建中,陆一平.智能规划研究综述--一个面向应用的视角[J].智能系统学报, 2007,2(2): 18-25.
[24]吴向军.智能规划中领域知识的提取、推理和应用策略的研究[D].广州:中山大学, 2007.
[25] D Mcdermott. PDDL-The planning domain definition language[EB/OL]. www.cs.yale.edu/homes/dvm,1985-05-10.
[26] Alfonso Genevini Derek Long. Preferences and Soft Contraints in PDDL3. Proceedings of the ICAPS-2006 Workshop on Preference and Soft Contraints in Planning[C], Cumbria UK: AAAI, 2006. 46-54.
[27]李响.动态不确定性环境下的实时规划系统研究[D].合肥:中国科学技术大学, 2004.
[28] Xiaoping Chen. Very-large scale real-time planning: Background ,models and some advances. 11th Chinese conference on Machine Learning[C], DaLian: 2008.
[29] Xiaoping Chen. A Continual planning system in dynamic nondeterministic enviroment[J]. Chinese Journal of Computer, 2005,28(7):
[30]蔡敦波.基于启发式搜索的智能规划方法研究[D].长春:吉林大学, 2009.
[31] Bonet B Geffner H. Planning as heuristic search[J]. Artificial Intelligence, 2001,129(1): 5-33.
[32]蔡自兴,徐光佑.人工智能及其应用[M].北京:清华大学出版社,2003.
[33]部分智能规划器列表[EB/OL]. http://www.sisi.ed.ac.uk/links/planning.htm. 2007.
[34]吴向军,姜云飞,凌应标.智能规划器SetpByStep的研究和开发[J].软件学报, 2008,19(9): 2243-2264
[35]赖志锋,姜云飞.智能规划中基于遗传算法的动作模型学习[J].计算机学报, 2007,30(6): 945-953.
[36]韩毅,谷文祥,殷明浩等.一种引入推理规则的快速规划识别算法[J].东北师大学报(自然科学版), 2007,39(1): 32-36.
[37]范长杰,陈小平.实时动态规划的最优行动判据及算法改进[J].软件学报, 2009,19(11): 2869-2878.
[38]闵京华等.信息系统安全风险的概念模型和评估模型.中国信息协会信息安全专业委员会年会文集[C],北京: 2004.
[39] Peltier Thomas R. Information Security Risk Analysis[M]. Boca Raton,FL: Auerbasc,2001.
[40] Krsul. Computer vulnerability analysis thesis proposal ,Technical Report CSD2TR2972026,Coast TR 97205 [R]. West Lafayette Department of Computer Sciences , Purdue University, 1998.
[41] Bishop M Bailey D. A Critical Analysis of Vulnerbality Taxonomies,CSE-96-11 [R]. Californlia USA: University of Californlia at Davis 1996.
[42] D.E.Denning. Cryptography and Data Security[M]. Addison-Wesley Publishing Company,1983.
[43] Longley D. Shain M. , Caelli W. . Information Security :Dictionary of Concepts , Standards and Terms[M]. New York: Palgrave Macmillan,1992.
[44]汪立东.操作系统安全评估与审计增强[D].哈尔滨:哈尔滨工业大学, 2002.
[45]邢栩嘉,林闯,蒋屹新.计算机系统脆弱性评估研究[J].计算机学报, 2004,27(1): 1-11.
[46] GJB 2256-94:军用计算机安全术语[EB/OL]. http://www.lzs.gxsti.net.cn/CXY/jyaqsy.htm,2002-10.
[47] I. Krsul. Computer vulnerability analysis thesis proposal ,Technical Report CSD2TR2972026,Coast TR 97205 [R]. West Lafayette Department of Computer Sciences , Purdue University,
[48] MITRE Corporation: Common Vulnerabilities and Exposures [EB/OL]. http://www.cve.mitre.org/. 2004.
[49] B Beizer. Software Testing Techniques[M]. International Thomson Computer Press,1990.
[50]谷勇浩.信息系统风险管理理论及关键技术研究[D].北京:北京邮电大学, 2007.
[51]刘芳.信息系统安全评估理论及其关键技术研究[D].长沙:国防科学技术大学, 2005.
[52] http://www.cisraf.infosec.org.cn/index/NeewsInfo.asp?NewsId=103[EB/OL]. 2006.
[53] Cramm. A Practitioner's View of CRAMM[EB/OL]. http://www.gammass l.co.uk/.
[54] Introduction to Security Risk Analysis[EB/OL]. http://www.security- risk-analysis.com/ introcob.htm.
[55] Cora. International Security Technology[EB/OL]. http://www.ist-usa.com.
[56] Office General Accounting. AIMD-99-139 [R]. 1999.
[57] Wright. Third generation risk management practices[J]. Computer fraud and security. Elsevier, 1992,2: 9-12.
[58] Y Haimes. Risk Modeling, Assessment, and Management, 3rd Edition[M]. New York: Wiley Series in Systems Engineering,August 1998.
[59] Hoffman L.J. Computer security risk analysis[J]. in L.A.Cox and P.F. Ricci (eds), New Risks: Issues and Management, Plenum Press, New York, 1990,371-377.
[60] Tregear J. Consultant., S. Risk Assessment. Information Security Technical Report[J]. 2001,6(3): 19-27.
[61] Davies Gareth. Risk Analysis Generations-The evolution of Risk Analy sis[EB/OL]. http://csweb.rau.ac.za/deth/research/article_page.htm. 1999.
[62] S.P.Bennett M.P.Kailay. An application of qualitative risk analysis to computer security for the commercial sector[J]. Information Security Technical Report, 2001,6(3): 28-36.
[63] Kwok L F D, L. Information Security Management and Modeling[J]. Information Management and Computer Security, 1999,7(1): 30-39.
[64] D. Parker. Why the Due Care Security Review Method is Superior to Risk Assessment[J]. CSI ALERT Newsletter, November 2000,
[65] Jung C. Risk Analysis for Electronic Commerce Using Case-Based Reasoning[J]. International Journal of Intelligent Systems in Accounting, Finance & Management, 1999,8(1): 61-73.
[66] Theo Dimitrakos Juan Bicarregui, Ketil Stolen. CORAS - a framework for risk analysis of security critical systems[J]. ERCIM news, 2002,49: 25-26.
[67] CORAS IST-2000-25031 Web Site[EB/OL]. http://www.nr.no/coras. 2006.
[68] Reactive System Design Support,“RSDS”[EB/OL]. http://www.kcl.ac.uk. 2002.
[69] Mao Handong Chenfeng, Zhang Weiming. An Approach for Network Security Analysis using Logic Exploitation Graph. IEEE 7th International Conference on Computer and Information Technology(CIT 2007)[C], 2007. 761-766.
[70] Noel S., S. Jajodia, B. O’berry, and M. Jacobs. Efficient minimum-cost network hardening via exploit dependency graphs. the 19th Annual Computer Security Applications Conference[C], Silver Spring, MD:Applied Computer Security Associates, 2003. 86-95.
[71] R.Ortalo Y.Deswarte, M.Kaaniche. Experimenting with quantitative evaluation tools for monitoring operational security[J]. IEEE Transactions On Software Engeneering, 1999,25(5): 633-650.
[72] Wang L Singhal a, Jajodia S. Measuring the overall security of network configurations using attack graphs. Proceedings of 21st IFIP WG 11.3 Working Conference on Data and Applications Security[C], Montreal USA.Springer Berlin, 2007. 98-112.
[73] P. Ammann D Wijesekera, S Kaushik. Scalable, Graph-based Network Vulnerability Analysis. Proceedings of the 9th ACM Conference on Computer and Communications Security[C], Washington DC USA: ACM Press, 2002. 217-224.
[74] Sheyner Oleg Mikhail. Scenarios Graphs and Attack Graphs [D]. Pittsburgh, Pennsylvania, USA: Department of Computer Science, Carnegie Mellon University, 2004.
[75] S. Jha O. Sheyner, and J. Wing. Two Formal Analyses of Attack Graphs. 15th IEEE Computer Security Foundations Workshop[C], Cape Breton, Nova Scotia, Canada: IEEE Computer Society, 2002. 49-63.
[76]陈思思,连一峰,贾炜.基于贝叶斯网络的脆弱性状态评估方法[J].中国科学院研究生院学报, 2008,25(5): 639-648.
[77]贾炜,连一峰,冯登国等.基于贝叶斯网络近似推理的网络脆弱性评估方法[J].通信学报, 2008,29(10): 191-198.
[78]张海霞,苏璞睿,冯登国.基于攻击能力增长的网络安全分析模型[J].计算机研究与发展, 2007,44(12): 2012-2019.
[79]冯萍慧连一峰,戴英侠.面向网络系统的脆弱性利用成本估算模型[J].计算机学报, 2006,8(29): 1375-1382.
[80]陆余良夏阳.主机安全量化融合模型研究[J].计算机学报, 2005,5(28): 914-920.
[81]李昀李伟华.安全脆弱点描述语言[J].计算机工程与应用, 2002.10,38(12): 10-12.
[82] Jay Beale Haroon Meer, Roelof Temmingh, Charl Van Der Walt, Renaud Deraison. Nessus Network Auditing[M]. Syngress Publishing,1998.
[83] Risk analysis in @RISK [EB/OL]. http://www.palisade.com/html/risk.asp.
[84] H. T. Tian L. S. Huang, Z. Zhou. Common Vulnerability Language. Proceedings of the First International Conference on Cryptography and Network Security, Lecture Notes in Computer[C], Kunming, China: Springer Verlag, 2003. 228-240
[85]诸葛建伟.网络入侵检测与行为关联分析技术研究[D].北京:北京大学, 2006.
[86]刘楠罗军勇,问斌.基于XML的安全漏洞通用描述语言[J].计算机应用与软件, 2005,22(6): 9-11.
[87]杨阔朝蒋凡.安全漏洞XML描述及应用[J].计算机辅助工程, 2005,14(1): 44-47.
[88] L. P. Swiler C. Phillips, and T. Gaylor. A Graph-Based Network- Vulnerability Analysis System, Technical Report SAND97-3010/1 [R]. Albuquerque, New Mexico and Livermore, California: Sandia National Laboratories, 1996.
[89]诸葛建伟徐辉,潘爱民.基于面向对象方法的攻击知识建模[J].计算机研究与发展, 2004,41(7): 1110-1116.
[90] L. P. Swiler C. Phillips, and T. Gaylor. Graph-Based Network-Vulnerability Analysis[R]. Albuquerque, New Mexico and Livermore, California: Sandia National Laboratories, 1998.
[91] L Swiler C Philips, D Ellis. Computer-Attack Graph Generation Tool. DARPA Information Survivability Conference and Exposition Proceedings[C], Anaheim, CA, USA: IEEE, 2002. 307-321.
[92] R. Ritchey P.Ammann. Using Modeling Check to Analyze Network Vulnerabilities. Proceedings of IEEE Symposium on Security and Privacy[C], 2000. 156-165.
[93] O. Sheyner S. Jha, J. M. Wing, R. P. Lippmann. Automated Generation and Analysis of Attack Graphs. 2002 IEEE Symposium on Security and Privacy[C], Oakland, California: 2002.
[94] Noel Jajodia, S., S., O'berry. Topological analysis of network attack vulnerability,In:Kumar, V., Srivastava, J., Lazarevic, A. (eds.) Managing Cyber Threats: Issues, Approaches and Challenges[M]. Dordrecht: Kluwer Academic Publishers,2003.
[95] Noel Sushil Jajodia and Steven. Topological Vulnerability Analysis: A Powerful New Approach For Network Attack Prevention, Detection, and Response[J]. 2008,
[96] Liwei. An Approach to Model Network Exploitations Using Exploitation Graph[J]. SIMULATION, 2006,82(8): 523-541.
[97] Schneier B. Attack Trees[J]. Dr. Dobbs Journal, 1999,
[98] Swiler C. Phillips and L. A graph-based system for network vulnerability analysis. ACM New Security Paradigms Workshop[C], 1998. 71-79.
[99] STAT scanner [EB/OL]. http://www.stat.harris.com/solutions/vuln_assess/ scanner_ index.asp. 2004.
[100] Mcdermott J. Attack Net Penetration Testing. 2000 New Security Paradigms Workshop (NSPW'00)[C], Cork, Ireland: 2000. 15-21.
[101] Schumacher J. Steffan and M. Collaborative Attack Modeling. Proceedings: 2002 ACM Symposium on Applied Computing (SAC 2002)[C], Madrid, Spain: ACM/SIGAPP, 2002. 253-259.
[102] Guy Helmer Johnny Wong, Mark Slagell. A Software Fault Tree Approach to Requirements Analysis of an Intrusion Detection System. Symposium on Requirements Engineering for Information Security (SREIS)[C], Indiana USA: 2001.
[103] Moore Andrew Ellison Robert, Linger Richard. . Attack Modeling for Informational Security and Survivability.CMU/SEI-2001-TN-001[EB/OL].http://www.cert.org/archive/pdf /01tn001.pdf. March 2001.
[104] Internet Security Systems Scanner[EB/OL]. http://www.iss.net. 2007.
[105]张森强.计算机网络攻击自动化关键技术研究[D].长沙:国防科学技术大学, 2007.
[106] Li.Wei. An Approach to Graph-Based Modeling of Network Exploitations [D]. Mississippi State: Mississippi State University, 2005.
[107] Li.Wei. An Approach to Model Network Exploitations Using Exploitation Graph[J]. SIMULATION, 2006,82(8): 523-541.
[108] Xinming.Ou. A Scalable Approach to Attack Graph Generation. CCS[C], Alexandria, Virginia, USA: ACM, 2006.
[109] Lippmann.R. K.W.Ingols. An Annotated Review of Past Papers on Attack Graphs:Project Report IA-1 [R]. Lexington, Massachusetts: Lincoln Laboratory of Massachusetts Institute of Technology, 2005.
[110] Liwei. An Approach to Graph-Based Modeling of Network Exploitations [D]. Mississippi State: Mississippi State University, 2005.
[111] L.Wang S. Neol, and S. Jajodia. Minimum-cost network hardening using attack graphs[J]. Computer Communications, 2006,29(18): 3812-3824.
[112] Liwei R. Vaughn. Using Exploitation Graphs toModel Network Exploitations. 2005 Symposium on RiskManagement and Cyber-Informatics (RMCI’05):Proceedings of the 9th World Multi-Conference on Systemics, Cybernetics and Informatics,Volume X[C], Orlando, Florida: International Institute of Informatics and Systemics, 2005. 404-409.
[113] Xinming Ou Wayne F.Boyer, and Miles A.Mcqueen. A Scalable Approach to Attack Graph Generation. Proceedings of the 13th ACM conference on Computer and communications security[C], Alexandria Virginia, USA: ACM Press, 2006. 336-345.
[114]王卓.基于智能规划的网络安全风险管理方法研究[D].北京:装备指挥学院, 2008.
[115]陈锋,苏金树,韩文报.一种基于智能规划的攻击图快速构建方法[J].解放军理工大学学报(自然科学版), 2008,9(5): 460-465.
[116]诸葛建伟,韩心慧,叶志远等.基于扩展目标规划图的网络攻击规划识别算法[J].计算机学报, 2006, 29(8): 1356-1366.
[117] Bilar D. Quantitative Risk Analysis of Computer Networks [D]. Thayer School of Engineering, Hanover, New Hampshire Dartmouth College, 2003.
[118] R. Ritchey B. O'berry, and S. Noel. Representing TCP/IP Connectivity for Topological Analysis of Network Security. Proceedings of the 18th Annual Computer Security Applications Conference[C], Las Vegas, Nevada: 2002. 25-31.
[119] M. Artz Net. A Network Security Planning Architecture [D]. Cambridge:Massachusetts Institute of Technology, May 2002.
[120] Hale J. Dawkins and J. A Systematic Approach to Multi-Stage Network Attack Analysis. Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04), IEEE Computer Society[C], Tulsa Univ USA: 2004. 48-56.
[121] Liwei R. Vaughn An Approach to Model Network Exploitations Using Exploitation Graphs. Military, Government, and Aerospace Simulation Symposium: Proceedings of the 2005 Spring Simulation Multiconference(SMC’05)[C], San Diego, California: The Society for Modeling and Simulation International, 2005. 237-244.
[122]毛捍东张维明,陈锋等.一种基于图论的网络安全风险量化评估模型[J].国防科技大学学报, 2008,30(2): 97-101.
[123]毛捍东陈锋,张维明.网络脆弱性建模方法研究[J].计算机工程与应用, 2007,43(15): 1-5.
[124] Noel Jajodia, S., S., O'berry. Topological analysis of network attack vulnerability[M]. Dordrecht: Springer,2005.
[125] Williams L. R. Lippmann and K. Ingols. An interactive attack graph cascade and reachability display. IEEE Workshop on Visualization for conputer security(VizSEC 2007)[C], IEEE publisher, 2007.
[126] J Homer. A comprehensive approach to enterprise network security management [D]. Kansas State: Kansas State University, 2008.
[127]陈国栋,杨光临,段晓辉.网络攻击图在自动渗透测试中的应用[J].计算机工程, 2008,34(13): 115-117.
[128] Neol. S M. Jacobs, P. Kalapa and Etc. Multiple coordinated views for network attack graph. IEEE Workshop on visualization for computer security(VizSEC 2005)[C], New York: IEEE publisher, 2005. ??
[129] Noel S., and S. Jajodia. Managing attack graph complexity through visual hierarchical aggregation. the ACM CCS Workshop on Visualization and Data Mining for Computer Security[C], NewYork: ACM Press, 2004. 109-118.
[130] M. Dacier Y. Deswarte and M. Kaaniche. Models and Tools for Quantitative Assessment of Operational Security[M]. Greece: Chapman & Hall,1996.
[131] Dacier M., Deswarte, Y., Ka?Aniche, M. Quantitative Assessment of Operational Security: Models and Tools [R]. Laboratory for Analysis and Architecture of Systems, National Center for Scientific Research (LAAS-CNRS), 1996.
[132]马琳茹.网络安全告警信息处理技术研究[D].长沙:国防科学技术大学, 2007.
[133]陈秀真.层次化网络安全威胁态势量化评估方法[J].软件学报, 2006,17(4): 885-897.
[134] K. Clark J. Dawkins, J. Hale. Security Risk Metrics: Fusion Enterp -rise Objectives and Vulnerabilities. Proceedings of the 2005 IEEE Workshop on Information Assurance and Security[C], United States Military Academy, West Point, NY: 2005.
[135] Marcel Frigault Wang L. Measuring Network Security Using Bayesian Network-Based Attack Graphs. Annual IEEE International Computer Software and Applications Conference[C], Washington, DC, USA: IEEE Computer Society, 2008. 698- 703.
[136] Y. Liu H. Man. Network Vulnerability Assessment Using Bayesian Networks. SPIE'05[C], Orlando, FL, USA: 2005.
[137]赵俊阁,张琪,付钰.贝叶斯网络推理在信息系统安全风险评估中的应用[J].海军工程大学学报, 2007,19: 67-70.
[138]付钰,吴晓平,严承华.基于贝叶斯网络的信息安全风险评估方法[J].武汉大学学报(理学版), 2006,52(5): 631-634.
[139] Une M Matsumoto T. A framework to evaluate security and cost of timestamping schemes. IEICE transactions on fundamentals of electronics communications and computer sciences E85A (1)[C], JAN 2002. 125-139.
[140] T David A. David. Assessing Risk Probability: Alternative Approaches. Proc. 2004 PMI Global Congress Proceedings[C], 2004.
[141] Yong Chen C. Jensen. A General Risk Assessment of Security in Pervasive Computing, [R]. Trinity College Dublin: Technical Report TCD-CS-2003 -45, Department of Computer Science, November 2003.
[142]李涛.基于免疫的网络安全风险检测[J].中国科学E辑:信息科学, 2005,35(8): 798-816.
[143]王益丰,李涛,胡晓勤等.一种基于人工免疫的网络安全实时风险检测方法[J].电子学报, 2005,33(5): 945-949.
[144] Wh Sanders. Stochastic methods for dependability, performability, and security evaluation. Lecture Notes In Computer Science[C], Springer Berlin Heidelberg, 2004. 3097-3099.
[145] F Pearl J. Propagation and structuring in belief networks[J]. Artificial Intelligence, 1986,29(3): 241-288.
[146] Wang L., Tania Islam, Tao Long. An Attack Graph-Based Probabilistic Security Metric. Proceedings of 22nd International Federation for Information Processing, DAS, LNCS 5094[C], Springer-Verlag, Berlin, 2008. 283-296.
[147]赵冬梅.信息安全风险评估量化方法研究[D].西安:西安电子科技大学, 2007.
[148] Butler Shawn A. Security Attribute Evaluation Method [D]. Carnegie Mellon University, May 2003.
[149] Butler Shawn A. Security Attribute Evaluation Method: A Cost-Benefit Approach. Proc. International Conference on Software Engineering[C], Pittsburgh, PA, USA: May 2002. 232-240.
[150] Foss J. A., Barbosa.S. Assessing Computer Security Vulnerability[J]. Operating System Review, 1995,29(3): 3-13.
[151] Jelen G. F., Williams, J. R. A Practical Approach to Measuring Assurance. 14th Annual Computer Security Applications Conference[C], Phoenix, AZ, USA: December, 1998. 333-343.
[152]冯萍慧连一峰.基于可靠性理论的分布式系统脆弱性模型[J].软件学报, 2006,17(7): 1633-1640.
[153]张金槐,刘琦,冯静. Bayes试验分析方法[M].长沙:国防科大出版社,2007.
[154]张连文,郭海鹏.贝叶斯网引论[M].北京:科学出版社,2006.
[155]周忠宝.基于贝叶斯网络的概率安全评估方法及应用研究[D].长沙:国防科技大学研究生院, 2006.
[156]黄友平.贝叶斯网络研究[D].北京:中科院研究生院, 2005.
[157]蒋国萍.软件项目风险管理的贝叶斯网络模型研究[D].长沙:国防科学技术大学, 2005.
[158]厉海涛,金光,周经纶等.贝叶斯网络推理算法综述[J].系统工程与电子技术, 2008,30(5): 935-939.
[159] Abdelbar a M Hedetniemi S M. Approximating MAPs for Belief Networks is NP-hard and Other Theorems[J]. Artificial Intelligence, 1998,(102):21-38.
[160] E Shimony S. Finding MAPs for Belief Networks is NP-hard[J]. Artificial Intelligence, 1994,(68): 399-410.
[161] Jensen Finn V, S H Aldenryd, K B Jensen. Sensitivity analysis in Bayesian networks[M]. Berlin: Springer 1995.
[162] ISO/IEC 17799. Information technology-Code of practice for information security management [S].
[163]韩权印等.风险评估中的信息获取.中国信息协会信息安全专业委员会年会文集[C], 2004.3.
[164] Lutz Robyn R. Software Engineering for Safety : A Roadmap. Future of Software Engineering(FoSE) at ICSE'00[C], Ireland: ACM, 2000. 213-226.
[165] Shaw Robyn R. Lutz and Hui-Yin. Applying Adaptive Safety Analysis Techniques. Proceedings of the Tenth International Symposium on Software Reliability Engineering[C], 1999. 42.
[166] John Mcdermott Chris Fox. Using Abuse Case Models for Security Requirements Analysis. Proceedings of the 15th Annual Computer Security Applications Conference[C], Phoenix, AZ, USA: 1998.
[167] Icat. A CVE Based Vulnerability Database[EB/OL]. http://icat.nist.gov. 2007.
[168]鲍旭华,戴英侠,冯萍慧等.基于入侵意图的复合攻击检测和预测算法[J].软件学报, 2005,16(12): 2132-2138.
[169] Labs-Research at&T. Graphviz Toolkit[EB/OL]. http://www.graphviz.org. 2007.
[170]王英梅.基于概率影响图的信息安全风险评估研究[D].北京科技大学, 2005.
[171] R. Raiffa H. And Schlaifer. Applied Statistical Dicision Theory[M]. Boston: Harvard University,1961.
[172]茆诗松,王静龙,濮晓龙.高等数理统计[M].北京:高等教育出版社,1998.
[173] Jha S. Sheyner O. , Wing J. Minimization and reliability analyses of attack graphs [R]. School of Computer Science, Carnegie Mellon University, 2002.
