Jin Cheng,Hao Lv,Rong Wang,Jianrong Tan

DOI: https://doi.org/10.1117/12.2642070

2022-01-01

Abstract:The performance of 3D CAD software is usually evaluated based on a lot of test data. However, the complex uncertainties intrinsic in the test data has not been investigated so far, the influence of which on the reliability of performance evaluation result has not been considered either. To address the problem, this paper analyses the complex uncertainties in test data and proposes a visualized evaluating method for the performance of 3D CAD software based on the characterization of test data by cloud model. First, the initial weight of each performance index is determined by analytic hierarchy process (AHP) and the test data are standardized. Then the standardized test data are input into the backward cloud generator to calculate the digital characteristics of the cloud model for each performance index, based on which the reliability of each performance index is calculated and the corresponding weight is adjusted accordingly. Finally, the overall performance of 3D CAD software is scored by AHP and the reliability of the evaluation result is also rated. An analytic hierarchy diagram is produced for illustrating the whole evaluating process and the cloud map of the overall performance is generated by the forward cloud generator to provide the intuitive and reliable evaluation process and result for users.

Meng Yan,Xin Xia,Xiaohong Zhang,Ling Xu,Dan Yang,Shanping Li

DOI: https://doi.org/10.1007/s11432-018-9608-3

2019-01-01

Science China Information Sciences

Abstract:Quality model is regarded as a well-accepted approach for assessing, managing and improving software product quality. There are three categories of quality models for software products, i.e., definition model, assessment model, and prediction model. Quality assessment model(QAM) is a metric-based approach to assess the software quality. It is typically regarded as of high importance for its clear method on how to assess a system. However, the current state-of-the-art in QAM research is under limited investigation.To address this gap, the paper provides an organized and synthesized summary of the current QAMs. In detail, we conduct a systematic mapping study(SMS) for structuring the relevant articles. We obtain a total of 716 papers from the five databases, and 31 papers are selected as relevant studies at last. In summary, our work focuses on QAMs from the following aspects: software metrics, quality factors, aggregation methods,evaluation methods and tool support. According to the analysis results, our work discovers five needs that researchers in this area should continue to address:(1) new method and criteria to tailor a quality framework(i.e., structure of software metrics and quality factors) according to different specifics,(2) systematic investigations on the effectiveness, strength and weakness of different aggregation methods to guide the method selection in different context,(3) more investigations on evaluating QAMs in the context of industrial cases,(4) further investigations or real-world case studies on the QAMs related tools, and(5) building a public and diverse software benchmark which can be adopted in different application context.

张鑫,顾庆,陈道蓄

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.09.032

2009-01-01

Computer Science

Abstract:Quality of protection can be seen as the security target of security modules when doing their security treatments,which can be judged by quantitative criteria.The question of how to evaluate whether the current software system has fulfills the quality of protection target objectively and effectively has become one of the hotspots of research.Currently,however,most security professionals use the qualitative method for security evaluation,which is highly subjective and makes the evaluation result dependent on the individual experience and thus unreliable.So what needed are substantive and quantitative security metrics.Because of the complexity and the difficulty of implementing the security metrics,a novel security evaluation model was presented in this paper,which analyzed the relative security level of given systems from the views of attack surface,denial of service and attack graph.At last,a general discussion for the process and the result of the evaluation were given.

Xingyuan Chen,Yong Deng

DOI: https://doi.org/10.3390/math10132325

IF: 2.4

2022-07-03

Mathematics

Abstract:Software risk management is an important factor in ensuring software quality. Therefore, software risk assessment has become a significant and challenging research area. The aim of this study is to establish a data-driven software risk assessment model named DDERM. In the proposed model, experts' risk assessments of probability and severity can be transformed into basic probability assignments (BPAs). Deng entropy was used to measure the uncertainty of the evaluation and to calculate the criteria weights given by experts. In addition, the adjusted BPAs were fused using the rules of Dempster–Shafer evidence theory (DST). Finally, a risk matrix was used to get the risk priority. A case application demonstrates the effectiveness of the proposed method. The proposed risk modeling framework is a novel approach that provides a rational assessment structure for imprecision in software risk and is applicable to solving similar risk management problems in other domains.

mathematics

Zhou Guoqiang,Lu Wei,Zeng Qingkai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.11.002

2007-01-01

Abstract:An information security evaluation model is proposed.Based on the analyses of contents and functions of security evolution,the architecture of the security evaluation model and platform is presented,and its implementation is given.The main functions of this model are to organize,manage and control the security test and evaluation.It also has features in generalization,integration and configuration.

Qiang YAN,Hua-ying SHU,Zhong CHEN,Yun-suo DUAN

DOI: https://doi.org/10.3969/j.issn.1007-5321.2005.04.017

2005-01-01

Abstract:Security evaluation is an important approach for the security risk management of the information system. But there are lack of effective methods and tools for security evaluation. To resolve the problem, an object model of security evaluation is established based on the object oriented technology. The concepts of correlation test and dependency test are introduced and a set of tools is also developed according to the model. The practical application indicates that the object oriented technology can improve the efficiency of security evaluation, and the correlation test and dependency test also improve the penetration testing effects.

SHEN Guo-Hua,HUANG Zhi-Qiu,XIE Bing,ZHU Yi-Quan,LIAO Li-Li,WANG Fei,LIU Yin-Ling

DOI: https://doi.org/10.13328/j.cnki.jos.005024

2016-01-01

Abstract:The failure of safety-critical software could result in death, injury and damage to people or loss of equipment or property. Therefore, it is important to evaluate whether software trustworthiness fulfills the user needs (i.e., trustworthiness evaluation). This paper first compares the definition of software trustworthiness and its evaluation. Then, it surveys the software trustworthiness evaluation from three different aspects: Standards, models, and CASE tools. This work studies these aspects from the view of domain-independent as well as domain-dependent. In summary, there is great progress being made for software trustworthiness evaluation theoretically and practically while its universality and scalability are still need to be improved.

Y Hu,XR Xie,YZ Xin

DOI: https://doi.org/10.1109/pes.2004.1372957

2005-01-01

Abstract:This paper presents a modeling language and a quantitative evaluation approach for the security of power information systems. We firstly design a security architecture design trace language to universally describe system structures, services, security policies, attack behaviors and countermeasures. Next an automated risk analysis algorithm is proposed to get attack traces of power information systems. Then, based on the concept of relative security degree, security architecture can be quantitatively evaluated. Finally, with a case study in a real power information system, the effectiveness of the presented approach is demonstrated. In practice, the approach can be employed for assessing various kinds of countermeasures, such as increasing a new security function, adjusting system self structure, and changing customer operation requirements. And it can greatly decrease the subjectivity of counter-measure selection.

YAN Qiang,SHU Huaying,CHEN Zhong,DUAN Yunsuo

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.02.045

2006-01-01

Abstract:Security elements evaluation is a primary problem of information system security evaluation. However the security elements defined in evaluation standard GB 17859 are abstract and hard to measure directly. It has become an urgent task to establish an understandable and practicable evaluation method for security elements. Based on the research and development process of security evaluation tools, this paper introduces the factor-criteria-metrics-evidence (FCME) model, which is used in security elements evaluation process, and discusses the implementation of the model.

Huishan Song,Yanbin Yuan,Yuhe Wang,Jianbai Yang,Hang Luo,Shiming Li

DOI: https://doi.org/10.3390/s24227135

IF: 3.9

2024-11-07

Sensors

Abstract:With the rapid advancements in information technology and industrialization, the sustainability of industrial production has garnered significant attention. Industrial control systems (ICS), which encompass various facets of industrial production, are deeply integrated with the Internet, resulting in enhanced efficiency and quality. However, this integration also introduces challenges to the continuous operation of industrial processes. This paper presents a novel security assessment model for ICS, which is based on evidence-based reasoning and a library of belief rules. The model consolidates diverse information within ICS, enhancing the accuracy of assessments while addressing challenges such as uncertainty in ICS data. The proposed model employs evidential reasoning (ER) to fuse various influencing factors and derive security assessment values. Subsequently, a belief rule base is used to construct an assessment framework, grounded in expert-defined initial parameters. To mitigate the potential unreliability of expert knowledge, the chaotic mapping adaptive whale optimization algorithm is incorporated to enhance the model's accuracy in assessing the security posture of industrial control networks. Finally, the model's effectiveness in security assessment was validated through experimental results. Comparative analysis with other assessment models demonstrates that the proposed model exhibits superior performance in ICS security assessment.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Zhi-wen WANG,Zhi-huan SONG

DOI: https://doi.org/10.3969/j.issn.1009-6094.2010.01.048

2010-01-01

Applied Mechanics and Materials

Abstract:To improve the objectivity and comprehensiveness of the safety assessments of the thermal power plant, a renovated method of safety assessment for thermal power plants has been proposed here in this paper based on the three dimensions: the maximum limits, the minimum limits and the restrictions on the middle region, as well as the data envelopment analysis (DEA) module. As each indicator can then be subdivided into some sub-indicators, the potential safety degree can be guaranteed by using scores evaluated by the specialists. Thus, the three-dimensional original data can then be uniformly processed into intervals [0,1], in which weight-related indicators relate to the safety parameters so that the potential safety can be determined by the analytic hierarchical parameters. The final results of the safety assessment can thus be denoted by four evaluation grades: the danger grade, slight danger grade, the slight safety and full safety grades by using the graded fuzzy membership functions. The method here mentioned takes full advantage of the power plants' existant quantitative indicators and non-quantifiable indicators by using real-time operating parameters of the equipment installations and human experience, all of which can form a comprehensive organic system to make the evaluation results both comprehensive and objective. The distinguished features of such an evaluation method lies in that it provides a new research idea for safety evaluation both of the objective data and subjective factors organically so that it can serve as a good reference to the other safety assessments of complex systems. And, finally, an example has been given to demonstrate the way on how to use the three-dimensional computational procedure. Thus, it can be concluded that the safety assessment method is fully feasible for the target it is aimed at.

Asif Imran

DOI: https://doi.org/10.1007/978-3-031-36597-3

2023-10-23

Abstract:Software security requirements have been traditionally considered as a non-functional attribute of the software. However, as more software started to provide services online, existing mechanisms of using firewalls and other hardware to secure software have lost their applicability. At the same time, under the current world circumstances, the increase of cyber-attacks on software is ever increasing. As a result, it is important to consider the security requirements of software during its design. To design security in the software, it is important to obtain the views of the developers and managers of the software. Also, it is important to evaluate if their viewpoints match or differ regarding the security. Conducting this communication through a specific model will enable the developers and managers to eliminate any doubts on security design and adopt an effective strategy to build security into the software. In this paper, we analyzed the viewpoints of developers and managers regarding their views on security design. We interviewed a team of 7 developers and 2 managers, who worked in two teams to build a real-life software product that was recently compromised by a cyber-attack. We obtained their views on the reasons for the successful attack by the malware and took their recommendations on the important aspects to consider regarding security. Based on their feedback, we coded their open-ended responses into 4 codes, which we recommended using for other real-life software as well.

Software Engineering,Cryptography and Security,Computers and Society

Luca Allodi,Marco Cremonini,Fabio Massacci,Woohyun Shim

DOI: https://doi.org/10.48550/arXiv.1808.06547

2018-08-20

Computers and Society

Abstract:In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only been recently investigated. As proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry (i.e. the Common Vulnerability Scoring System (\CVSS) v3), and designed a study to compare how accurately individuals with background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between education or experience of assessors and the quality of their assessments. In particular we find that individual characteristics matter more than professional experience or formal education; apparently it is the \emph{combination} of skills that one owns (including the actual knowledge of the system under study), rather than the specialization or the years of experience, to influence more the assessment quality. Similarly, we find that the overall advantage given by professional expertise significantly depends on the composition of the individual security skills as well as on the available information.

陈秀真,郑庆华,管晓宏,林晨光

DOI: https://doi.org/10.3321/j.issn:0253-987X.2004.12.005

2004-01-01

Abstract:Aiming at the weakness of being unable to evaluate the threat of combination of vulnerabilities on network security for most systems of security evaluation, a novel model of security evaluation based on rough set theory was put forward. This model considered the vulnerability as a security factor and the security evaluation model was built from historical evaluation records by using attribute reduction. Further, the measurement model of hierarchical security risk with three levels: security factor, service and host computer, was built, which calculated the security risk of the host by weighting the importance of service and security factor, then the security situation of the system was analyzed and evaluated. Compared with other evaluation methods, this method can create a rule-based model of security evaluation automatically and has advantage of evaluating threat of isolated security factor and combination of security factors on the same host. It can also monitor the impact of changes of the system configuration on system security. Nine useful rules for security evaluation were discovered from 7 days' evaluation records and security situation curves were established through simulation experiment, which shows that evaluation results by our method are more accurate and intuitive than others.

SHEN Guohua,HUANG Zhiqiu,QIAN Ju,XU Yongjun,HAO Jin,ZHAO Wenyun,PENG Xin

DOI: https://doi.org/10.3778/j.issn.1673-9418.2011.06.008

2011-01-01

Abstract:Software trustworthiness evaluation is an important aspect of software quality assurance.There are some weaknesses in the current research,such as facing special software modality,fixed trustworthiness attribute,lack of software trustworthiness evaluation tools.This paper presents a general model of software trustworthiness evalua-tion,discusses its implementation process systematically,develops a trustworthiness evaluation management system based on this model,and verifies the feasibility of the model by analyzing a detailed case in a real taxation domain.This approach will be beneficial to trustworthiness evaluation practices by using the evaluation system.

Liang Chen,Ping Cheng,Wei Liu

DOI: https://doi.org/10.1109/icnc.2010.5583290

2010-01-01

Abstract:With the wide application of trustworthy software, the trustworthiness and trustworthiness level have become the important issues concerned by users and software manufacturers. After analyzing the connotation of software trustworthiness and extending the trustworthy attribute model from the perspective of trustworthiness measurement, this paper builds a trustworthiness evaluation model for software product with four-layer structure, and analyzes the key parameters in model and the trustworthiness level of software product. Based on the evaluation model, the paper proposes an evaluation process model of trustworthiness for software product, which can automatically realize the trustworthiness level evaluation for software product, and describes the detailed evaluation flow. The paper takes the trustworthiness level evaluation of monitoring software product of aircraft engine for example to explain the application of the model and method.

Ulfar Erlingsson

DOI: https://doi.org/10.1109/csf.2016.40

2016-06-01

Abstract:For computer software, our security models, policies, mechanisms, and means of assurance were primarily conceived and developed before the end of the 1970's. However, since that time, software has changed radically: it is thousands of times larger, comprises countless libraries, layers, and services, and is used for more purposes, in far more complex ways. It is worthwhile to revisit our core computer security concepts. This paper outlines what a data-driven model for software security could look like, and describes how the above three questions can be answered affirmatively. Specifically, this paper briefly describes methods for efficient, detailed software monitoring, as well as methods for learning detailed software statistics while providing differential privacy for its users, and, finally, how machine learning methods can help discover users expectations for intended software behavior, and thereby help set security policy. Those methods can be adopted in practice, even at very large scales, and demonstrate that data-driven software security models can provide real-world benefits.

CHEN Xiu-Zhen,ZHENG Qing-Hua,GUAN Xiao-Hong,LIN Chen-Guang

DOI: https://doi.org/10.1360/jos170885

2006-01-01

Journal of Software

Abstract:Evaluating security threat status is very important in network security management and analysis. A quantitative hierarchical threat evaluation model is developed in this paper to evaluate security threat status of a computer network system and the computational method is developed based on the structure of the network and the importance of services and hosts. The evaluation policy from bottom to top and from local to global is adopted in this model. The threat indexes of services, hosts and local networks are calculated by weighting the importance of services and hosts based on attack frequency, severity and network bandwidth consumption, and the security threat status is then evaluated. The experiment results show that this model can provide the intuitive security threat status in three hierarchies: services, hosts and local networks so that system administrators are freed from tedious analysis tasks based on the alarm datasets to have overall security status of the entire system. It is also possible for them to find the security behaviors of the system, to adjust the security strategies and to enhance the performance on system security. This model is valuable for guiding the security engineering practice and developing the tool of security risk evaluation.

ZHANG Yao,BAI Xiao-ying,ZHANG Ren-wei,LU Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2013.02.034

2013-01-01

Computer Science

Abstract:Test adequacy analysis usually uses coverage criteria to evaluate test design with respect to specific software characteristics.Conventional adequacy methods have following problems to address test evaluation of large software systems.First,code-based coverage cannot ensure sufficient verification and validation of software requirements.Se-condly,software testing adequacy needs to take into consideration the contribution of different features.Important features deserve more test effort.The paper proposed a model-based approach for test adequacy analysis.An interface modelwas defined,representing executable software requirements for software components.Coverage of test case design was analyzed at two levels including service and service-compositions.Adequacy was calculated as weighted sum of coverage on various software features.Experiments were exercised to illustrate the proposed approach.

Kilsup Lee,Sung Jong Lee

DOI: https://doi.org/10.1007/11751632_99

2006-01-01

Abstract:Recently, software quality evaluation based on ISO/IEC 9126 and ISO/IEC 14598 has been widely accepted in various areas. However, these standards for software quality do not provide practical guidelines to apply the quality model and the evaluation process of software products. Thus, we present a quantitative evaluation model using the ISO/IEC 9126 quality model in the Component Based Development (CBD) process. Particularly, our evaluation model adopts a quantitative quality model which uses the weights of quality characteristics obtained through carefully selected questionnaires for stakeholder and Analytic Hierarchical Process (AHP). Moreover, we have also examined the proposed evaluation model with applying the checklists for the artifacts of the CBD to a small-scale software project. As a result, we believe that the proposed model will be helpful for acquiring the high quality software.