Research on an Information Security Risk Assessment Method Based on Grey System Theory
Abstract
With the rapid development of information technology, information systems and networks have penetrated every corner of social life. However, because of the inherent characteristics and limitations of information systems and networks, their application and development are constantly threatened by viruses, Trojan horses, failures and deliberate damage. How to protect information systems has become a focus of attention and research. Only by assessing an information system comprehensively with scientific and effective methods, establishing its security status, analysing the potential threats and taking countermeasures can the overall security level be raised and a reliable information security management system be built; this is the work that information security risk assessment has to do.
     On the basis of a study of existing security assessment techniques, this thesis proposes a security assessment method based on grey system theory. The work is as follows:
     1) The existing assessment methods are analysed systematically and the characteristics of each are examined in depth, which provides reliable theoretical guidance for the design;
     2) An indicator system for information security risk assessment is established by analysing security incidents and their constituent elements;
     3) The analytic hierarchy process (AHP) is applied to determine the weights of the risk assessment indicators, and the grey evaluation method is applied to build a grey evaluation model of the information system;
     4) The grey evaluation method is applied to the analysis and calculation of example data.
     The focus of the thesis is the application of the grey evaluation method to building the risk assessment model: triangular whitening weight functions are constructed, the grey evaluation coefficients and weight vectors are calculated on an example, and a comprehensive assessment value is finally obtained. The results show that the model makes fairly full use of the information contained in the assessment indicators, is easy to operate, and is of some reference value for practical work.
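The pipeline the abstract describes (AHP weights for the indicators, grey evaluation coefficients from triangular whitening weight functions, a weighted comprehensive value), carried through on constructed data as an added example; this is not the thesis's code or its example data. The indicator names, the pairwise comparison matrix, the expert scores, the grey-class centres, the saturating treatment of the two end classes and the reading of the risk level from the class centre nearest to Z are all assumptions made for the illustration; the AHP consistency check uses Saaty's random-index values.

```python
"""Worked AHP + grey evaluation pipeline (added example, not the thesis's code).

Indicator names, the pairwise comparison matrix, the expert scores and the
grey-class centres are constructed sample data. Formulas are the standard
ones: AHP weights by row geometric mean with Saaty's consistency ratio, and
grey clustering with centre-point triangular whitening weight functions.
"""
from math import prod
from typing import Sequence

# Saaty's random consistency index by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def ahp_weights(pairwise: Sequence[Sequence[float]]) -> tuple[list[float], float]:
    """Return (normalised weights, consistency ratio CR) for a pairwise matrix.

    Weights are the normalised row geometric means (an approximation of the
    principal eigenvector); lambda_max is the mean of (A w)_i / w_i.
    A CR above 0.1 means the expert judgements are too inconsistent to use.
    """
    n = len(pairwise)
    geo = [prod(row) ** (1.0 / n) for row in pairwise]
    total = sum(geo)
    w = [g / total for g in geo]
    aw = [sum(a * wj for a, wj in zip(row, w)) for row in pairwise]
    lambda_max = sum(x / wi for x, wi in zip(aw, w)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] > 0 else 0.0
    return w, cr


def triangular_whitening(x: float, k: int, centres: Sequence[float]) -> float:
    """Whitening weight f_k(x) of score x for grey class k (0-based).

    Class k peaks (value 1) at its centre c_k and falls linearly to 0 at the
    neighbouring centres. The lowest class is held at 1 below its centre and
    the highest at 1 above its centre (lower/upper measure); that treatment
    of the end classes is an assumption of this example.
    """
    s, c = len(centres), centres[k]
    if x <= c:
        if k == 0:
            return 1.0
        left = centres[k - 1]
        return 0.0 if x <= left else (x - left) / (c - left)
    if k == s - 1:
        return 1.0
    right = centres[k + 1]
    return 0.0 if x >= right else (right - x) / (right - c)


def grey_weight_vectors(scores, centres):
    """Grey evaluation coefficients x_ik = sum_j f_k(d_ij) for each indicator i,
    normalised into the grey evaluation weight vector r_i = (x_i1/x_i, ..., x_is/x_i)."""
    vectors = []
    for row in scores:
        coeffs = [sum(triangular_whitening(d, k, centres) for d in row)
                  for k in range(len(centres))]
        total = sum(coeffs)
        vectors.append([c / total for c in coeffs])
    return vectors


def comprehensive_assessment(weights, vectors, class_values):
    """B = W . R gives the membership of the whole system in each grey class;
    Z = B . C (C = representative value per class) is the comprehensive value."""
    b = [sum(w * vectors[i][k] for i, w in enumerate(weights))
         for k in range(len(class_values))]
    z = sum(bk * ck for bk, ck in zip(b, class_values))
    return b, z


# ---- constructed sample data (not from the thesis) ----
INDICATORS = ["asset value", "threat frequency", "vulnerability severity", "control gap"]
PAIRWISE = [  # Saaty 1-9 scale, row i compared with column j
    [1, 2, 3, 4],
    [1 / 2, 1, 2, 3],
    [1 / 3, 1 / 2, 1, 2],
    [1 / 4, 1 / 3, 1 / 2, 1],
]
EXPERT_SCORES = [  # five experts, each indicator scored 0..10
    [8, 7, 9, 8, 7],
    [6, 7, 6, 5, 7],
    [5, 4, 6, 5, 5],
    [3, 4, 3, 2, 4],
]
CLASS_NAMES = ["low", "medium", "high", "very high"]
CLASS_CENTRES = [2, 4, 6, 8]  # grey-class centres on the 0..10 score scale


def run_example():
    """Run the whole pipeline on the sample data; the risk level is read as the
    class whose centre is nearest to Z (an assumption of this example)."""
    weights, cr = ahp_weights(PAIRWISE)
    if cr > 0.1:
        raise ValueError(f"pairwise matrix inconsistent: CR={cr:.3f}")
    vectors = grey_weight_vectors(EXPERT_SCORES, CLASS_CENTRES)
    b, z = comprehensive_assessment(weights, vectors, CLASS_CENTRES)
    nearest = min(range(len(CLASS_CENTRES)), key=lambda k: abs(CLASS_CENTRES[k] - z))
    return {"weights": weights, "cr": cr, "r": vectors, "b": b, "z": z,
            "level": CLASS_NAMES[nearest]}


if __name__ == "__main__":
    res = run_example()
    for name, w in zip(INDICATORS, res["weights"]):
        print(f"{name:24s} weight {w:.4f}")
    print(f"CR = {res['cr']:.4f}")
    print("B =", [round(x, 4) for x in res["b"]])
    print(f"Z = {res['z']:.3f}  ->  risk level: {res['level']}")
```

The consistency-ratio check is the step most often skipped in practice: a pairwise matrix filled in carelessly still yields a weight vector, so the CR threshold is what makes the AHP weights defensible. The grey weight vectors show how much of each indicator's expert opinion lands in each risk class before the weights collapse them into one value, which is the information a purely scalar score hides.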