Abstract
Existing risk assessment of information systems does not take the correlations between vulnerabilities into account when evaluating them, and the evaluation results are affected by many subjective human factors. To address this, we propose two indicators, "access complexity" and "chosen probability", to convert the existing "access complexity" evaluation of vulnerabilities into a more scientific "exploited probability" evaluation, and use forward inference in a Bayesian network to compute the cumulative "chosen probability" of each vulnerability node. Theoretical and experimental analysis shows that, compared with related research results, the proposed method for computing the exploited probability of vulnerabilities is more accurate and reasonable.
Authors
柴继文
王胜
梁晖辉
胡兵
向宏
CHAI Jiwen; WANG Sheng; LIANG Huihui; HU Bing; XIANG Hong (State Grid Sichuan Electric Power Research Institute, Chengdu 610072, P.R. China; Key Laboratory of Dependable Service Computing in Cyber Physical Society, Ministry of Education, Chongqing University, Chongqing 400030, P.R. China)
Source
《重庆大学学报(自然科学版)》
EI
CAS
CSCD
Peking University Core Journals
2017, No. 12, pp. 35-42 (8 pages)
Journal of Chongqing University
Funding
State Grid Sichuan Electric Power Company Science and Technology Project (5219991351VR)
National Natural Science Foundation of China (61472054)
Keywords
risk assessment
vulnerability
Bayesian network
exploited probability