陈秀真,郑庆华,管晓宏,林晨光

DOI: https://doi.org/10.3321/j.issn:0253-987X.2004.12.005

2004-01-01

Abstract:Aiming at the weakness of being unable to evaluate the threat of combination of vulnerabilities on network security for most systems of security evaluation, a novel model of security evaluation based on rough set theory was put forward. This model considered the vulnerability as a security factor and the security evaluation model was built from historical evaluation records by using attribute reduction. Further, the measurement model of hierarchical security risk with three levels: security factor, service and host computer, was built, which calculated the security risk of the host by weighting the importance of service and security factor, then the security situation of the system was analyzed and evaluated. Compared with other evaluation methods, this method can create a rule-based model of security evaluation automatically and has advantage of evaluating threat of isolated security factor and combination of security factors on the same host. It can also monitor the impact of changes of the system configuration on system security. Nine useful rules for security evaluation were discovered from 7 days' evaluation records and security situation curves were established through simulation experiment, which shows that evaluation results by our method are more accurate and intuitive than others.

Qiang YAN,Hua-ying SHU,Zhong CHEN,Yun-suo DUAN

DOI: https://doi.org/10.3969/j.issn.1007-5321.2005.04.017

2005-01-01

Abstract:Security evaluation is an important approach for the security risk management of the information system. But there are lack of effective methods and tools for security evaluation. To resolve the problem, an object model of security evaluation is established based on the object oriented technology. The concepts of correlation test and dependency test are introduced and a set of tools is also developed according to the model. The practical application indicates that the object oriented technology can improve the efficiency of security evaluation, and the correlation test and dependency test also improve the penetration testing effects.

黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

LI Hetian,LIU Yun,HE Dequan

DOI: https://doi.org/10.3321/j.issn:1001-4632.2007.01.023

2007-01-01

Abstract:A security risk evaluation method based on fuzzy-set comprehensive evaluation theory is demonstrated in this paper to obtain the aim of quantitatively assessing security risk.The security risk is evaluated by making the fuzzy matrix for security risk and addressing risk factor set,security risk indicator sets and the weigh coefficient of security risk factors and applied to the railway passenger ticket system.The security targets provided by the railway passenger ticket system consist of system security,availability,identification authenticity and transaction reliability in order to protect the physical assets and information assets in face of the threats which come from system itself,personnel, environmental and natural disasters.The proposed model for security risk evaluation is used to calculate the security severity of Web server for the system.The numeric results for security risk also provide a method to decide the most critical component of the system which should arouse the system administrator enough attention to take the appropriate technical or administrative security measure or controls to enhance the security of the system.

Zhou Guoqiang,Lu Wei,Zeng Qingkai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.11.002

2007-01-01

Abstract:An information security evaluation model is proposed.Based on the analyses of contents and functions of security evolution,the architecture of the security evaluation model and platform is presented,and its implementation is given.The main functions of this model are to organize,manage and control the security test and evaluation.It also has features in generalization,integration and configuration.

Liang Liang,Peng Wang,Lin Tan

2013-01-01

Disaster Advances

Abstract:The comprehensive evaluation of information security risk is the key for executives in complex organizations to make macro decisions. Modern organizations have complicated structures and many levels. In addition, the influencing factors of organizing information security risk involve techniques, staffs and management. Under consideration of uncertainty on decision information, an improved fuzzy multi-criteria decision method is proposed. It combines fuzzy mathematics with partitioning method of space region, and provides a computing method for criteria weights by fusing criterion, thus to realize the comprehensive evaluation of organizing information security risk. Finally, an example of information security risk management for some large joint research project is taken to illustrate the guidance for actual work by the proposed method.

Li Hetian,Liu Yun,He Dequan

DOI: https://doi.org/10.1007/bf02831895

2006-01-01

Wuhan University Journal of Natural Sciences

Abstract:A fuzzy set-based evaluation approach is demonstrated to assess the security risks for Internet-banking System. The Internet-banking system is semi-formally described using Unified Modeling Language (UML) to specify the behavior and state of the system on the base of analyzing the existing qualitative risk assessment methods. And a quantitative method based on fuzzy set is used to measure security risks of the system. A case study was performed on the WEB server of the Internet-banking System using fuzzy-set based assessment algorithm to quantitatively compute the security risk severity. The numeric result also provides a method to decide the most critical component which should arouse the system administrator enough attention to take the appropriate security measure or controls to alleviate the risk severity. The experiments show this method can be used to quantify the security properties for the Internet-banking System in practice.

Shi Jian,Guo Shanqing,Xie Li

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.01.034

2006-01-01

Abstract:Risk assessment is critical to establishing an effective Information Security Management System and it is the foundation of information system security systematism.After introducing information security risk assessment briefly,this paper provides a real-time risk assessment method using qualitative and quantitative assessment synthetically.By analyzing the assets,vulnerabilities and threats of information system,this method can evaluate the risk of the system in real time with the events produced by security devices.

YAN Qiang,SHU Huaying,CHEN Zhong,DUAN Yunsuo

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.02.045

2006-01-01

Abstract:Security elements evaluation is a primary problem of information system security evaluation. However the security elements defined in evaluation standard GB 17859 are abstract and hard to measure directly. It has become an urgent task to establish an understandable and practicable evaluation method for security elements. Based on the research and development process of security evaluation tools, this paper introduces the factor-criteria-metrics-evidence (FCME) model, which is used in security elements evaluation process, and discusses the implementation of the model.

Haiwen Li

DOI: https://doi.org/10.3969/j.issn.1004-7530.2016.03.015

2016-01-01

Abstract:Risk indicators’ importance weight calculation is the core part in the engineering projects risk assessment, which is of important guiding significance for the formulation of risk management plans and measures. Based on rough sets theory information entropy analysis methods, applying the objective weight of risk indicator counted based on the rough sets theory, combining the subjective weight from experts ’ evaluation, this article tries to realize the unity of the subjective experience and objective historical data and get the more comprehensive and reasonable index weights, so as to work out a more reasonable risk control measures and plans and provide a reference for subsequent projects risk assessment.

CHEN Lei-ting,WEN Li-Yu,LI Zhi-gang

DOI: https://doi.org/10.3969/j.issn.1001-0548.2005.03.023

2005-01-01

Abstract:This paper introduces the definition, standard and development on evaluation of information security; emphasis on Class of B2 in TCSEC, especially the security policy of B2, such as discretionary access control, object reuse, Labels (label integrity and exportation of labeled information) and mandatory access control. this paper also studies and analyses the other requirements for class B2, such as identification and authentication in the requirement of accountability; operational assurance (system architecture, system integrity, covert channel analysis and trusted facility management) and life-cycle assurance (security testing, design specification and verification and configuration management) in the requirement of assurance; security features user’s guide, trusted facility manual, test documentation and design documentation in the requirement of documentation. in the end of this paper, we study and comparatively analyses the class of B2 with the class of EAL5 in CC.

JIANG Rui,LI Jianhua,PAN Li

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.14.051

2005-01-01

Abstract:This paper establishes a new security model of information network system in the way of systematically analyzing the security threatsto the information network system, and determines the relative independent fundamental factors and corresponding sub-factors on security functionsfor information network system. Then it makes a new mathematical model and the method of fuzzy similarity selection on evaluation of securitywith the fuzzy theory. It applies the model quantitatively in evaluating security functions for five example systems, and obtains the quantitativesecurity grades and sequences of the five information network systems. In this way the availability and the novelty of the system security model andthe mathematical evaluation theory are verified.

Zhao Liang,Xue Zhi

DOI: https://doi.org/10.3772/j.issn.1006-6748.2010.04.014

2010-01-01

Abstract:Security assessment can help understand the security conditions of an information system and yield results highly conducive to the solution of security problems in it. Taking the computer networks in a certain university as samples, this paper, with the information system security assessment model as its foundation, proposes a multi-attribute group decision-making (MAGDM) security assessment method based on a variable consistency dominance-based rough set approach (VC-DRSA). This assessment method combines VC-DRSA with the analytic hierarchy process (AHP) , uncovers the inherent information hidden in data via the quality of sorting (QoS) , and makes a synthetic security assessment of the information system after determining the security attribute weight. The sample findings show that this method can effectively remove the bottleneck of MAGDM, thus assuming practical significance in information system security assessment.

Liang Zhao,Zhi Xue

DOI: https://doi.org/10.1007/978-3-642-27323-0_3

2012-01-01

Abstract:For the complete or incomplete preference information system, this paper proposes the multi-attribute group decision-making (MAGDM) security assessment method based on the variable consistency dominance-based rough set approach (VC-DRSA).By using the quality of sorting (QoS), this method combines VC-DRSA with the analytic hierarchy process (AHP), determines the security attribute weight and decision makers’ weight, and makes the security assessment of preference information system. Through the experiment about the stoke exchange network system and the comparison with other methods, the rationality and feasibility of the proposed method are validated.

GUO Lifeng,WANG Junbiao,JIANG Jianjun

DOI: https://doi.org/10.3969/j.issn.1005-2402.2008.05.037

2008-01-01

Abstract:Lots of information systems are invested blindly in the process of enterprise informationization, but there is no effective method to evaluate their benefit. Accordingly, a fuzzy synthesized evaluation method based on critical success factor (CSF) and business process value is proposed. It analyses and quantifies the value of business process and the value which information system effect on the business process. The method is useful for analyzing the implementation benefit and weakness of information system.

张鑫,顾庆,陈道蓄

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.09.032

2009-01-01

Computer Science

Abstract:Quality of protection can be seen as the security target of security modules when doing their security treatments,which can be judged by quantitative criteria.The question of how to evaluate whether the current software system has fulfills the quality of protection target objectively and effectively has become one of the hotspots of research.Currently,however,most security professionals use the qualitative method for security evaluation,which is highly subjective and makes the evaluation result dependent on the individual experience and thus unreliable.So what needed are substantive and quantitative security metrics.Because of the complexity and the difficulty of implementing the security metrics,a novel security evaluation model was presented in this paper,which analyzed the relative security level of given systems from the views of attack surface,denial of service and attack graph.At last,a general discussion for the process and the result of the evaluation were given.

闫强,陈钟,段云所,唐礼勇

DOI: https://doi.org/10.3969/j.issn.1000-3428.2003.06.001

2003-01-01

Abstract:This paper reviews the history of information system security evaluation criteria, introduces criteria which have important effect on security evaluation such as TCSEC and CC, clarifies the evaluation method and its implementation model, and introduces recent researches of other countries in this field.

刘芳,戴葵,王志英,吴丹

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.18.007

2004-01-01

Abstract:In this paper, the necessity and feasibility of quantitative security evaluation are analyzed, in particular with regard to nowadays security requirements. Based on the probability and statistics, the quantitative security model is brought forward. And then a complete quantitative evaluating system is introduced, which is based on the modularization and the quantitative security model. Finally, the rationality and validity of this system are verified through experiments.

Chunxin Wang,Feng Dai,Lei Ge

DOI: https://doi.org/10.1109/IITA.2009.446

2009-01-01

Abstract:Informationization must enhance risk awareness, and decision of modern management need the data that is the reference and support. A lot of factors which influence the informationization risk are fuzzy and variable, therefore, it is difficult to make the quantitative analysis. So, it has a certain research value and Practical significance that study and applcate the way to evaluation risk of informationization using digital result. using the grey fuzzy theory, based on the background of a project, built up a set of multilayer index system for informationization risk and the evoluation model of risk degree. it can judge informationization risk e logically and can point out the advantages and disadvantages of the project that can give a direction to Improvements for the next stepexample show that the result applicating this method is credible, so, It can be used in the risk evolution of informatinization and others field.

Yu Zhiwei,Tang Rengzhong,Jia Dongjiao,Ye Fanbo

DOI: https://doi.org/10.3321/j.issn:1004-132X.2007.04.021

2007-01-01

Abstract:To identify the security requirements of information systems, a business process-based security requirement analysis method was presented. Focused on the business process security, the related assets which affect the business process security were identified by security tree model. The security requirements of assets were identified by risk packet and risk transferring model, and then the security requirements list was formed after coverage analysis. Finally, a case was studied to illustrate the proposed method.