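Authors: 赵戈[1,2] 郑扬 陶泽林 ZHAO Ge; ZHENG Yang; TAO Zelin (The Third Research Institute of the Ministry of Public Security, Shanghai 200031, China; Shanghai Engineering Research Center of Cyber and Information Security Evaluation, Shanghai 200031, China; Wuxi Trusted Computing Technology Research Institute Co., Ltd., Wuxi 214187, China; Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China)
Affiliations: [1] The Third Research Institute of the Ministry of Public Security, Shanghai 200031 [2] Shanghai Engineering Research Center of Cyber and Information Security Evaluation, Shanghai 200031 [3] Wuxi Trusted Computing Technology Research Institute Co., Ltd., Wuxi 214187 [4] Faculty of Information Technology, Beijing University of Technology, Beijing 100124
Source: 《信息网络安全》 (Netinfo Security), 2024, Issue 10, pp. 1595-1603, 9 pages
Funding: Open Project of the Shanghai Engineering Research Center of Cyber and Information Security Evaluation [KFKT2023-007].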
Abstract: Existing smart wearable devices generally have many vulnerabilities, and risk assessment is needed to judge scientifically the risks they face. Current security risk assessment methods for smart wearable devices are mostly based on scattered individual vulnerabilities, do not fully consider the systematic characteristics of wearable device application scenarios, and cannot assess security risk as a whole. The article therefore proposes a risk assessment method for wearable devices based on a layered attack path graph. The method classifies the vulnerabilities of wearable devices according to their location in the system, draws a multi-layer vulnerability relationship graph, adds to the graph the direct threats facing the system and the data asset targets, and merges and calculates the attack paths that run from the direct threats through the external vulnerability layer, the indirect threats, and the internal vulnerability layer to the attack target, in order to perform the risk assessment. Compared with traditional methods, the proposed method takes the characteristics of the system architecture fully into account during risk assessment, which makes it easier and more accurate to assess risk, and helps to find the bottlenecks of system security and to evaluate the effectiveness of countermeasures.
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]