信息网络安全 (Netinfo Security), 2024, Vol. 24, Issue 10: 1595-1603. doi: 10.3969/j.issn.1671-1122.2024.10.014

• Selected Papers •

Systematic Risk Assessment Analysis for Smart Wearable Devices

ZHAO Ge [1,2], ZHENG Yang [3], TAO Zelin [3,4]

  1. The Third Research Institute of the Ministry of Public Security, Shanghai 200031, China
  2. Shanghai Engineering Research Center of Cyber and Information Security Evaluation, Shanghai 200031, China
  3. Wuxi Trusted Computing Technology Research Institute Co., Ltd., Wuxi 214187, China
  4. Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China
  • Received: 2024-06-01 Online: 2024-10-10 Published: 2024-09-27
  • Corresponding author: ZHAO Ge, zhaoge@mctc.org.cn
  • About the authors: ZHAO Ge (b. 1979), female, from Shaanxi, associate researcher, master's degree; main research interests: mobile terminal security, IoT security, cybersecurity classified protection, and risk analysis and assessment. ZHENG Yang (b. 1994), male, from Jiangsu, engineer; main research interests: trusted computing technology and data security. TAO Zelin (b. 2000), male, from Hubei, master's student; main research interests: trusted computing and trusted execution environments.
  • Funding: Open Project of the Shanghai Engineering Research Center of Cyber and Information Security Evaluation (KFKT2023-007)

Abstract:

Existing smart wearable devices generally have many vulnerable points, and the risks they face need to be determined scientifically through risk assessment. Current security risk assessment methods for smart wearable devices are mostly based on fragmented vulnerability points; they do not fully consider the systematic characteristics of wearable-device application scenarios and so cannot assess security risk as a whole. This paper therefore proposes a risk assessment method for wearable devices based on a layered attack path diagram. The method categorizes the vulnerabilities of a wearable device according to their location in the system, draws a multi-layer vulnerability relationship diagram, adds the direct threats facing the system and the data asset targets to the diagram, and then merges and computes the attack paths that run from direct threats through the external vulnerability layer, indirect threats and the internal vulnerability layer to the attack target, on which the risk assessment is performed. Compared with traditional methods, the proposed method takes the characteristics of the system architecture fully into account during risk assessment, which makes risk easier and more accurate to assess, helps to find the bottlenecks of system security, and allows the effectiveness of countermeasures to be evaluated.

Key words: risk assessment analysis, vulnerable point, smart wearables
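As an added illustration (not code from the paper), the layered path computation the abstract describes, run on a constructed smart-watch diagram: every path goes direct threat, external vulnerability, indirect threat, internal vulnerability, data asset; a path's likelihood is the product of its edge weights, per-target risk merges the paths, and the security bottleneck is the vulnerability whose removal (a countermeasure) lowers total risk the most. The node names, edge weights and both scoring formulas are assumptions of this example, not values or formulas from the paper.

```python
from math import prod
# Constructed layered attack-path diagram for a hypothetical smart watch (not the
# paper's data). Prefixes follow the paper's layers: T_ direct threat, E_ external
# vulnerability, I_ indirect threat, N_ internal vulnerability, A_ data asset target.
# Edge weights are assumed exploit likelihoods in [0, 1].
GRAPH = {
    "T_ble_attacker":      {"E_weak_pairing": 0.6, "E_unsigned_fw": 0.3},
    "T_malicious_app":     {"E_unsigned_fw": 0.4},
    "T_physical_access":   {"E_open_debug_port": 0.5},
    "E_weak_pairing":      {"I_spoofed_peer": 0.8},
    "E_unsigned_fw":       {"I_code_exec": 0.7},
    "E_open_debug_port":   {"I_code_exec": 0.9},
    "I_spoofed_peer":      {"N_plaintext_storage": 0.5},
    "I_code_exec":         {"N_plaintext_storage": 0.9, "N_shared_key": 0.6},
    "N_plaintext_storage": {"A_health_data": 1.0},
    "N_shared_key":        {"A_health_data": 0.7, "A_credentials": 0.9},
}

def attack_paths(graph):
    """Enumerate every path from a direct threat (T_) to an asset (A_) by DFS."""
    paths = []
    def walk(node, path):
        if node.startswith("A_"):          # reached a data asset target
            paths.append(path)
            return
        for nxt in graph.get(node, {}):
            walk(nxt, path + [nxt])
    for threat in [n for n in graph if n.startswith("T_")]:
        walk(threat, [threat])
    return paths

def path_likelihood(graph, path):
    """Assumed model: a path's likelihood is the product of its edge weights."""
    return prod(graph[a][b] for a, b in zip(path, path[1:]))

def target_risk(graph, target):
    """Assumed model: paths are independent, so risk = 1 - prod(1 - L_i)."""
    paths = [p for p in attack_paths(graph) if p[-1] == target]
    return 1.0 - prod(1.0 - path_likelihood(graph, p) for p in paths)

def total_risk(graph):
    """Merged risk over every reachable asset target."""
    return sum(target_risk(graph, t) for t in {p[-1] for p in attack_paths(graph)})

def without(graph, node):   # the diagram after a countermeasure closes one node
    return {n: {m: w for m, w in e.items() if m != node}
            for n, e in graph.items() if n != node}

def bottleneck(graph):
    """Vulnerability (E_/I_/N_) whose removal cuts total risk most: the bottleneck."""
    nodes = [n for n in graph if n[0] in "EIN"]
    return min(nodes, key=lambda n: total_risk(without(graph, n)))
```

On this constructed diagram, closing `I_code_exec` leaves only the weak-pairing path, so that single indirect threat is the bottleneck, even though `E_unsigned_fw` has more incoming threats.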
