基于博弈模型和风险矩阵的漏洞风险分析方法  被引量:9

Vulnerability risk analysis method based on game model and risk matrix

在线阅读下载全文

作  者:张恒巍[1] 张健[1] 韩继红[1] 王晋东[1] 

机构地区:[1]信息工程大学,河南郑州450001

出  处:《计算机工程与设计》2016年第6期1421-1427,共7页Computer Engineering and Design

基  金:国家自然科学基金项目(61303074;61309013);国家973重点基础研究发展计划基金项目(2012CB315900)

摘  要:针对信息系统安全漏洞的风险定量分析问题,建立非合作非零和的漏洞攻防博弈模型,利用均衡局势下的收益期望对漏洞价值进行量化赋值。结合攻击图和风险矩阵对漏洞的连通关系进行定量分析,提出两种矩阵算子,实现对漏洞间综合连通度的计算。借助漏洞价值和综合连通度,设计系统漏洞风险评估算法。在量化分析漏洞的自身风险和传播风险的基础上,完成对漏洞全局风险的综合评价,评价结果可用于识别关键漏洞,提高系统安全防御的效能。实例分析结果表明了该模型和该算法的有效性。To quantificationally analyze the vulnerability risk of information system,the non-cooperative nonzero-sum attack-defense game model was built.The vulnerabilities worth was evaluated by the expectation profit on Nash equilibrium.Attack graph and risk matrix were considered to quantificationally analyze connectivity of the system vulnerabilities,and two matrix operators were proposed which were used to calculate the comprehensive connectivity degree among the vulnerabilities.With the vulnerabilities worth and comprehensive connectivity degree,a vulnerability risk evaluation algorithm was designed.The algorithm gained the global risk of system vulnerabilities based on quantification analysis of the self-risk and transmission-risk.Through the global risk,the managers can find the critical vulnerabilities and improve the security management efficiency.The example analysis verifies the effectiveness of the model and the algorithm.

关 键 词:攻防博弈 风险矩阵 矩阵算子 综合连通度 漏洞风险 

分 类 号:TP309[自动化与计算机技术—计算机系统结构]

 

参考文献:

正在载入数据...

 

二级参考文献:

正在载入数据...

 

耦合文献:

正在载入数据...

 

引证文献:

正在载入数据...

 

二级引证文献:

正在载入数据...

 

同被引文献:

正在载入数据...

 

相关期刊文献:

正在载入数据...

相关的主题
相关的作者对象
相关的机构对象