黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

Hui Guan,Weiru Chen,Lin Liu,Hongji Yang

2012-01-01

Abstract:Risk assessment has been getting increased attention as the new vulnerabilities and threats are emerging on daily basis. The popularity and complexity of web application present challenges to the security implementation for web engineering. It is well known that the earlier to perform risk assessment for software, the less cost needed to mitigate the security risks. However, quantitative estimation of security in the earlier stage of software development life cycle is largely missing. In this paper, we propose a quantitative approach to perform risk assessment at design stage for web application which is based on multiple security vectors of asset, threat and vulnerability. An environment-driven method is proposed to elicit threats to the system. In the end, the risk assessment methodology is applied on a customer goods case study.

Huiying Lv,Yuanda Cao

DOI: https://doi.org/10.1109/ISISE.2008.109

2008-01-01

Abstract:A risk situation evaluation model for network security is proposed based on analyzing security threat status. This method first perceived and identified the characteristics of critical risk factors, such as asset, vulnerability and threat, from multi-security-sensors. Then a quantitative evaluation algorithm was presented to estimate current threats and potential threats. By analyzing their threat degree, the real-time status and dynamic evolvement trend of security risk was revealed. Sequentially, the security administrator can comprehend the situation about both the single entity and the overall network then timely and effectively make security decisions. Finally this method was illustrated and validated in an emulated network environment. © 2008 IEEE.

YU Li-li,DU Meng-sha,ZHANG Ping,JI Ling-li

DOI: https://doi.org/10.3969/j.issn.1001-3695.2012.11.001

2012-01-01

Abstract:A thorough test for Web application programs can be beneficial to finding security vulnerabilities promptly and improving the security quality of Web application.This paper firstly introduced the classification of Web application security threat and summarized common Web application security vulnerabilities.Then it comprehensively surveyed the state of Web security testing technology research,respectively compared weaknesses and merits of the static technologies and the dynamic technologies.At the same time,it introduced and concluded the detail of fuzzing,which was the new emerging technology in Web security testing.At last,this paper presented the problem to be solved and the future research direction.

Muhammed Sabo,,Zake Muwanga,Manjula V.S.,Saleh Auwal,,,

DOI: https://doi.org/10.59568/jasic-2023-4-1-06

2023-07-10

Abstract:The security of information technology, specifically web applications, has become an area of concern today. Computer cybercrime is now a significant problem that affects more than just businesses and organizations. Higher education institutions also began to experience computer threats that revealed their information assets. Universities, polytechnics, colleges of education, research centers, and other postsecondary institutions are probably the most vulnerable because they house sensitive data on their faculty, staff, and students, as well as academic records of scientific and technological advancements and research. The first step in an information system security strategy is risk analysis management It helps in assessing the risk of information assets to know their security level or status, and assist in define a security control measures and implementation of technical plan to avoid threats that exploit some vulnerability that could cause severe damage to an asset or infrastructure of institutions higher education (IHEs). This article presents some recommendations to perform a risk analysis management in IHEs to accessed threats and vulnerability that helps to lower the risk of their information assets. This article presents existing educational threat and vulnerability on their web applications. Ensuring security is a goal of every organization regardless of its size or purpose and also proposed a risk management model. With the information technology, an organization may be considered secure when it ensures the confidentiality, integrity, and availability of information and IT assets. Confidentiality may be broken due to theft of sensitive information such as trade secrets, clients’ personal information.

Shi Jian,Guo Shanqing,Xie Li

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.01.034

2006-01-01

Abstract:Risk assessment is critical to establishing an effective Information Security Management System and it is the foundation of information system security systematism.After introducing information security risk assessment briefly,this paper provides a real-time risk assessment method using qualitative and quantitative assessment synthetically.By analyzing the assets,vulnerabilities and threats of information system,this method can evaluate the risk of the system in real time with the events produced by security devices.

LI Hetian,LIU Yun,HE Dequan

DOI: https://doi.org/10.3321/j.issn:1001-4632.2007.01.023

2007-01-01

Abstract:A security risk evaluation method based on fuzzy-set comprehensive evaluation theory is demonstrated in this paper to obtain the aim of quantitatively assessing security risk.The security risk is evaluated by making the fuzzy matrix for security risk and addressing risk factor set,security risk indicator sets and the weigh coefficient of security risk factors and applied to the railway passenger ticket system.The security targets provided by the railway passenger ticket system consist of system security,availability,identification authenticity and transaction reliability in order to protect the physical assets and information assets in face of the threats which come from system itself,personnel, environmental and natural disasters.The proposed model for security risk evaluation is used to calculate the security severity of Web server for the system.The numeric results for security risk also provide a method to decide the most critical component of the system which should arouse the system administrator enough attention to take the appropriate technical or administrative security measure or controls to enhance the security of the system.

杨洋,姚淑珍

DOI: https://doi.org/10.3778/j.issn.1002-8331.2009.03.027

2009-01-01

Computer Engineering and Applications Journal

Abstract:In the field of information security,risk assessment is the core of the risk management and control,also is the founda- tion and premises that builds up the safe system of the information system.This paper analyses the standards and process of in- formation security risk assessment,and proposes a quantitative security risk method ISSREM(Information System Security Risk E- valuation Method),based on threat analysis.ISSREM has features such as easily operative,independent,practical and the evalua- tion results comparable.And the sensitivity analysis of threaten frequency is presented,which makes the evaluation results more objective.This paper gives the calculation model of the method and the main procedures of risk evaluation using the method.Fi- nally,with examples to analyze the quantitative assessment method,this paper validates the rationality and effectiveness of the method.

ZHANG Li,TANG Jun

DOI: https://doi.org/10.3969/j.issn.1009-3044.2010.06.022

2010-01-01

Abstract:With the development of the Internet,the network environment,the database system faces hacker attacks,virus infections and a series of threats,how to ensure data confidentiality,integrity,reliability and availability is a complex issue.In this paper,the status quo from the network database security research analyzes the windows 2000 Server system security settings,including network security settings,MS SQL Server security settings,information security evaluation,and many other safety knowledge.And made a number of security measures and strategies.

Yao Ye,Cai Wandong,Fang Nan

DOI: https://doi.org/10.1109/ibcast.2016.7429909

2016-01-01

Abstract:There is an increasing demand for security risk assessment of network & information system where assessment usually is comprised of all kinds of Internal or external threat. Now there is also another problem to be solved, that is, when the information system increased another many risk parts, if the system is still under a security state. In order to answer this question, the paper adopted an incremental factor analysis method to assess information system risk. This method used influence of assets on system risk and risk coefficient to compute the risk increment coefficient, so as to judge information system risk levels. Experiment results indicated that this method is available as well as effective.

Hui Yuan,Lei Zheng,Liang Dong,Xiangli Peng,Yan Zhuang,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_66

2019-04-25

Abstract:With the rapid development of Internet technology, Web applications are widely used in all walks of life, and their security requirements are increasing. Unfortunately, at present, the development of Web security technology still lags behind the development of Web application technology itself. The Web application itself and its operating environment are still relatively fragile, and its operating environment is easily forged or modified, making Web applications gradually become malicious. The object of the attack is frequently attacked. This paper investigates and analyzes the common vulnerabilities in web applications, deeply studies the basic characteristics of these vulnerabilities, and understands the principles and solutions of vulnerabilities. The static analysis method is used to analyze the vulnerabilities, and the static analysis methods are used to solve the security vulnerabilities in the Java web project.

WANG Wei,LI Chun-ping,LI Jian-bin

DOI: https://doi.org/10.16208/j.issn1000-7024.2007.14.060

2007-01-01

Abstract:Safe field in the information,the risk assessment is foundation and premises that builds up the safe system of the information system,but the risk assessment method rises to the usefulness of the assessment prominent function.The risk assessment method contain a lot of kinds,each method have it the place of the shortage.The risk assessment method adopted threat tree model and analytical hierarchy process that method combine together,made use of two kinds of vantages that assessment method,made up the shortage of the one risk assessment method,the aim is search into a kind of more valid,more reasonable and more accurate risk assessment method.

WU Ming-feng,ZHANG Yong-sheng,LI Yuan-yuan,HAN Yan-mei

DOI: https://doi.org/10.3969/j.issn.1673-629x.2012.01.055

2012-01-01

Abstract:Web service is characterized by its platform-independence,dynamic,openness and loose coupling.These characteristics greatly facilitate the application-to-application integration based on heterogeneous platform,that an increasing number of enterprise use it.Along with the development of Web services,its safe problem is more and more important.Web service art is attracting attackers and hackers to attack the Web services and the servers on which they run.Organizations are therefore facing the challenge of implementing adequate security for Web services.It detailedly analyzed the characteristics and principle of various attacks on Web service,and pointed out the corresponding detection and prevention countermeasures.On the basis of current research achievements,also presented a discussion on the future research directions and the challenges of Web service defenses against attacks.

Ying-Chiang Cho,Jen-Yi Pan

DOI: https://doi.org/10.1371/journal.pone.0117180

IF: 3.7

2015-03-13

PLoS ONE

Abstract:Internet application technologies, such as cloud computing and cloud storage, have increasingly changed people's lives. Websites contain vast amounts of personal privacy information. In order to protect this information, network security technologies, such as database protection and data encryption, attract many researchers. The most serious problems concerning web vulnerability are e-mail address and network database leakages. These leakages have many causes. For example, malicious users can steal database contents, taking advantage of mistakes made by programmers and administrators. In order to mitigate this type of abuse, a website information disclosure assessment system is proposed in this study. This system utilizes a series of technologies, such as web crawler algorithms, SQL injection attack detection, and web vulnerability mining, to assess a website's information disclosure. Thirty websites, randomly sampled from the top 50 world colleges, were used to collect leakage information. This testing showed the importance of increasing the security and privacy of website information for academic websites.

multidisciplinary sciences

XING Zhi

DOI: https://doi.org/10.3969/j.issn.1008-2077.2009.02.026

2009-01-01

Abstract:Network information security has been a threat of modern society security.Different level of threats to social security consists in campus network,email,e-government,and so on.The paper explains the problem and the countermeasure of network Information security.The government management,formulated lash-up draft is to be reinforced so as to continuously increase the information security awareness and guarantee.

CHEN Lei-ting,WEN Li-Yu,LI Zhi-gang

DOI: https://doi.org/10.3969/j.issn.1001-0548.2005.03.023

2005-01-01

Abstract:This paper introduces the definition, standard and development on evaluation of information security; emphasis on Class of B2 in TCSEC, especially the security policy of B2, such as discretionary access control, object reuse, Labels (label integrity and exportation of labeled information) and mandatory access control. this paper also studies and analyses the other requirements for class B2, such as identification and authentication in the requirement of accountability; operational assurance (system architecture, system integrity, covert channel analysis and trusted facility management) and life-cycle assurance (security testing, design specification and verification and configuration management) in the requirement of assurance; security features user’s guide, trusted facility manual, test documentation and design documentation in the requirement of documentation. in the end of this paper, we study and comparatively analyses the class of B2 with the class of EAL5 in CC.

Yiyang Jia,Hanyan Wu,Dongxing Jiang

DOI: https://doi.org/10.1109/CyberC.2015.47

2015-01-01

Abstract:Security situation assessment is an effective way to analyze the situation of an information system, which helps administrator understand the current system risk status and make policy to response in time. However, the existing researches for security situation assessment mostly focus on network. The proposed methods for network are not so suitable for information systems. This paper proposes a hierarchical security situation analysis framework for information system, based on a classical NSSA [1] (network security situation analysis) model. The framework provides a standard flow for analyzing the security situation of information system. It consists a security situation analysis model of information system, an index system used in the model proposed, and a quantitative index fusion method to calculate a security situational value. We divided information system into 3 levels: sub-system level, composition level and index level. The collected information from the index level can be combined with grey model to determine the correlation degree between each major index and secondary index. Finally we calculate the whole system security situational value level by level. We use data from Tsinghua University information system to verify the proposed model and method. The result shows that this model can reflect the current security situation of information system comprehensively.

LONG Xin-zheng,XING Cheng-jie,OUYANG Rong-bin,WANG Qian-yi,LI Li,LIU Yun-feng

DOI: https://doi.org/10.3969/j.issn.1000-436x.2014.z1.034

2014-01-01

Abstract:Aiming at the university management information system security threats and challenges, a security architec-ture named 1C4GS was proposed. First connotation and function of five important components of 1C4GS was expounded, which named security management center, security communication network, security region boundary, security comput-ing environment and security application. Then we used “basic personal data reporting system” as an example to con-struct the management information system security arrangement application based on 1C4AS, this arrangement applica-tion integrated a variety of security technologies and strategies such as transparent data encryption, user Identify, form edit cache as a whole to, and achieved the management information system’s network security, border security, computing environment security and application security.

Xie Jialong,Qiu Weidong

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.05.042

2006-01-01

Abstract:The current Web services architecture have standard limits and must supply to the multi-type client ends. How to protect the Web security services become very difficult. With the reference to core-components and protocols of the Web services, this thesis explains how to use the existing security technology to solve the hazard of the Web services security and it indicates the WS-security mechanisms that how to act in the Web services environment. Based on this, it analyses how to meet enterprise's require under the direction of the current secured framework.

Yue Zhang,Wang Zhao

DOI: https://doi.org/10.1109/icngn59831.2023.10396667

2023-01-01

Abstract:The rapid development of information technology has greatly improved the level of enterprise informatization. However, while providing a variety of services to users, there may also be security issues such as data breaches, denial of service attacks, and extortion attempts. To address the aforementioned issues and enhance the security of information systems, multiple security devices have implemented protective measures. However, relying solely on the configuration and construction of security facilities cannot fundamentally resolve network security issues. Therefore, an important challenge currently faced is how to quantitatively assess, evaluate, and guide security personnel to optimize the configuration of the network security system. This is a significant matter that requires careful consideration.Currently, most existing quantitative security evaluation schemes focus on assessing security risks, but the entire security protection system has not been utilized as an evaluation criterion, and its protective effectiveness has not been quantitatively evaluated. Simultaneously, establishing quantitative connections between security impact factors and the security protection system, linking the protection effectiveness of individual security devices to overall security protection effectiveness, and then optimizing and improving the protection effectiveness have become critical bottlenecks in measuring the protection effectiveness of the network security protection system.