期刊文献+

基于威胁树的IT产品安全关键件识别研究 被引量:2

Research on recognition of security key component of IT products based on threat trees
下载PDF
导出
摘要 针对信息安全认证中产品更新换代周期短与安全需求增加之间矛盾突出的问题,提出基于威胁树分析的产品安全关键件识别方法。首先确定产品的资产列表,并对资产进行威胁树分析确定基本事件,对基本事件进行权重赋值和量化,计算威胁发生的概率;结合威胁发生的损失严重程度,计算资产的安全重要度并排序,从而识别出产品的安全关键件。以智能卡芯片为例进行了实例验证,识别出了其安全关键件,验证了此方法合理可行,对信息安全产品认证中变更控制实施具有重要参考意义。 In view of the contradiction between the short update cycle of product and the increasing security requirements in information security certification,this paper proposes a method for recognizing security key components based on threat tree analysis. Firstly,the asset list of products is determined,and the basic events are determined by threat tree analysis. The basic events are weighted and quantified to calculate the probability of threat occurrence. Combined with the severity of the loss caused by the threat,the security importance of assets is calculated and ranked,so as to recognize the security key components of products. Taking smart card chip as an example,its security key components are identified,and the method is proved to be reasonable and feasible. It has great significance for alteration control in information security product certification.
作者 陶文卿 张俊彦 陈清明 Tao Wenqing;Zhang Junyan;Chen Qingming(Shanghai Information Security Testing Evaluation and Certification Center,Shanghai 200011,China)
出处 《信息技术与网络安全》 2019年第3期4-8,共5页 Information Technology and Network Security
基金 科技部国家重点研发计划项目(2016YFF0204003)
关键词 安全关键件 威胁树 信息安全产品认证 security key component threat tree information security product certification
  • 相关文献

参考文献5

二级参考文献39

  • 1刘文红,王占武,吴欣.故障树分析技术在软件测试中的应用[J].系统工程与电子技术,2004,26(7):985-987. 被引量:9
  • 2孙红梅,高齐圣,朴营国.关于故障树分析中几种典型重要度的研究[J].电子产品可靠性与环境试验,2007,25(2):39-42. 被引量:37
  • 3关北海 付勇锋 田相玉.故障树分析法在齿轮传动装置中的应用.中国水运(学术版),2006,(2):1-2.
  • 4Preyssl C.Safety Risk Assessment and Management-the ESA Approach[J].Reliability Engineering and System Safety,1995,49 (3):303-309.
  • 5SCHNEIER B.Attack trees:modeling security threats[J].Dr Dobb's Journal,1999,24(12):21-29.
  • 6DAWKINS J,HALE J.A systematic approach to multi-stage network attack analysis[C]//Proc of the 2nd IEEE International Information Assurance Workshop.Washington D C:IEEE Computer Society Press,2004:48-56.
  • 7EVANS S,WALLER J.Risk-based security engineering through the eyes of the adversary[C]//Proc of the 6th IEEE Systems,Man and Cybernetics Information Assurance Workshop.New York:IEEE Computer Society Press,2005:158-165.
  • 8ISO.ISO/IEC 17799,Information technology security techniques:code of practice for information security management[S].[S.l.]:International Organization for Seandardization,2005.
  • 9STONEBURNER G,GOGUEN A,FERINGA A.Risk management guide for information technology systems[K].Gaithersburg:NIST Special Publication,2002.
  • 10BSI.BS 7799,Code of practice for information security management[S].London:British Standards Institute,1999.

共引文献64

同被引文献22

引证文献2

二级引证文献2

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部