摘要
依照信息安全风险评估流程,结合威胁、脆弱性和控制措施等风险评估基本要素,以加强要素关联性分析和提高评估结果客观性为目标,提出一种层次分析法与贝叶斯网络相结合的信息安全风险态势分析模型。该模型通过层次分析法计算出各威胁指标的权重,根据各风险评估要素之间的因果关系构造贝叶斯网络,结合贝叶斯网络计算出的风险发生概率得出系统风险等级。针对威胁分析,利用贝叶斯推理,通过定义威胁、脆弱性概率的变化量,进行系统的综合风险分析,从全局角度把握风险态势并给出有效解决方案,实现风险的可控性。该方法可以有效地降低评价主观性,实现更准确的风险态势分析。实例表明,该方法不仅可以针对控制措施提供有效的建议,还能在降低并转移风险上给出合理的判断,为信息安全风险态势分析提供了一个新的思路。
According to information security risk assessment processes, combining threats, vulnerabilities, controls and other basic elements of the risk assessment, this paper proposes an information security risk assessment model based on AHP method and Bayesian network to conclude security risk rating and improve the objectivity of the risk assessment result. The model utilizes AHP method to derive the threat indexes weights, and builds the Bayesian network on the basis of the causality of the basic elements of risk assessment, combines with the risk probability which gets from Bayesian network to conclude security risk rate. Aiming at the threat analysis, using Bayesian inference, by defining the threat and vulnerability probability variation, this model can be used to carry integrated risk analysis on system, and grasp the risk situation from the overall situation and gives effective solutions, to achieve the controllability of risk. This method can effectively reduce assessment subjectivity, achieve more accurate analysis of the risk variety situation. Practical simulation results show that this method can not only give effective advice on controls, but also give correct judgment on reducing and transferring the risk, which provides a new thought of risk situation variety analysis.
出处
《北京信息科技大学学报(自然科学版)》
2015年第3期68-74,共7页
Journal of Beijing Information Science and Technology University
基金
国家"十二五"科技支撑计划课题基金资助项目(2012BAH08B02)
关键词
风险评估
层次分析法
贝叶斯网络
风险态势
risk assessment
analytic hierarchy process
Bayesian network
risk variety situation
