Information System Security Risk Analysis Based on Evidence Distance Theory

doi:10.3969/j.issn.1671-1122.2019.09.003

Abstract

Abstract:

Aiming at the diversity of expert evaluation opinions in the process of information security risk assessment and the difficulty in quantifying uncertain information, this paper proposes a risk assessment method based on evidence distance theory. Firstly, according to the level protection requirements and on-site inspection data, the matrix norm is used to solve the vulnerability evidence distance of the system assets. Secondly, the D-S evidence theory synthesis rules are applied to solve the evidence distance that threat may act on system assets. Finally, The result of the fusion of the vulnerability evidence distance and the evidence distance that threat may act on system asset is taken as the risk value of the system. Practice has proved that this method can effectively reduce the subjectivity and randomness of multi-source risk assessment, make the assessment results more scientific and reasonable, and provide a scientific and effective way for information security risk assessment.

Key words: matrix norm, D-S evidence theory, evidence distance, risk

CLC Number:

TP309

Jinhua LINGHU, Ping PAN, Yaoyao DU. Information System Security Risk Analysis Based on Evidence Distance Theory[J]. Netinfo Security, 2019, 19(9): 11-15.

Figures/Tables 2

References 12

[1]	WEN Weiping, GUO Ronghua, MENG Zheng, et al.Research and Implementation on Information Security Risk Assessment Key Technology[J]. Netinfo Security, 2015, 15(2): 7-14.
	文伟平,郭荣华,孟正,等.信息安全风险评估关键技术研究与实现[J].信息网络安全,2015,15(2):7-14.
[2]	TENG Xilong, QU Haipeng.Research on Information Security Risk Assessment Method Based on Similarity of Interval-valued Intuitionistic Fuzzy Sets[J]. Netinfo Security, 2015,15(5): 62-68.
	滕希龙,曲海鹏.基于区间值直觉模糊集相似性的信息安全风险评估方法研究[J].信息网络安全,2015,15(5):62-68.
[3]	GB/T 20984-2007 20984-2007. Information Security Technology-Risk Assessment Specification for Information Security[S]. Beijing: China Standard Press, 2007.
	GB/T 20984-2007 20984-2007.信息安全技术信息安全风险评估规范[S].北京:中国标准出版社,2007.
[4]	ZHOU Chao, PAN Ping, HUANG Liang.Risk Assessment of Information Security Based on Quantum Gate Circuit Neural Networks[J]. Computer Engineering, 2018, 44(12): 45-51.
	周超,潘平,黄亮.基于量子门线路神经网络的信息安全风险评估[J].计算机工程,2018,44(12):45-51.
[5]	WANG Haoran, YAN Binyuan.Information Security Risk Assessment Method Based on Wavelet Neural Network Algorithm[J]. Information Technology, 2018, 42(12): 101-104.
	王皓然,严彬元.依赖小波神经网络算法的信息安全风险评估方法[J].信息技术,2018,42(12):101-104.
[6]	LIU Guocheng, WANG Huijin.Evaluation Research on and Empirical Analysis of Risks in Information System Audit Based on AHP and Entropy Weight[J]. Audit Research, 2016(1): 53-59.
	刘国城,王会金.基于AHP和熵权的信息系统审计风险评估研究与实证分析[J].审计研究,2016(1):53-59.
[7]	LIU Jian, ZHAO Gang, ZHENG Yunpeng.Information Security Risk Situation Analysis Model Based on AHP-Bayesian Network[J]. Journal of Beijing University of Information Science and Technology: Natural Science, 2015(3): 68-74.
	刘健,赵刚,郑运鹏.基于AHP-贝叶斯网络的信息安全风险态势分析模型[J].北京信息科技大学学报:自然科学版,2015(3):68-74.
[8]	DONG Xiaoning, ZHAO Huarong, LI Dianwei, et al.Research on Information Systems Security Risk Assessment Based on Fuzzy Theory of Evidence[J]. Netinfo Security, 2017, 17(5): 69-73
	董晓宁,赵华容,李殿伟,等.基于模糊证据理论的信息系统安全风险评估研究[J].信息网络安全,2017,17(5):69-73.
[9]	WANG Jiao, FAN Kefeng, MO Wei.Method for Information Security Risk Assessment Based on Fuzzy Set Theory and DS Evidence Theory[J]. Journal of Computer Applications, 2017(11): 234-241.
	王姣,范科峰,莫玮.基于模糊集和DS证据理论的信息安全风险评估方法[J].计算机应用研究,2017(11):237-241.
[10]	SHAFER G A.Mathematical Theory of Evidence[M]. Princeton: Princeton University Press, 1967.
[11]	FIRTH S.Combination of Evidence in Dempster-Shafer Theory[J]. Contemporary Pacific, 2002, 11(2): 416-426.
[12]	WU Jianhua, WANG Zheng.A Zero-watermark Algorithm Based on Matrix Norm[J]. Microprocessor, 2009, 30(5): 75-77.
	吴建华,王铮.一种基于矩阵范数的零水印算法[J].微处理机,2009,30(5):75-77.

威胁种类	现场访谈	现场勘查	威胁综合可能值
T₁	3%	100%	71%
T₃	1%	15%	11%
T₄	70%	50%	56%
T₅	0%	0%	0%
T₆	4%	100%	70%
T₇	5%	52%	37%
T₈	5%	0%	2%
T₉	0%	50%	35%
T₁₀	0%	0%	0%
T₁₁	0%	80%	56%
T₂	0%	100%	70%

[1]	Yonglei LIU, Zhigang JIN, KUN HAO, Weilong ZHANG. Risk Assessment of Mobile Payment System Based on STRIDE and Fuzzy Comprehensive Evaluation [J]. Netinfo Security, 2020, 20(2): 49-56.
[2]	QIU Yue. Network Security Risk Analysis and Assessment of Large-scale Sports Events [J]. Netinfo Security, 2019, 19(9): 61-65.
[3]	A-yong YE, Junlin JIN, Lingyu MENG, Ziwen ZHAO. Research on Access Control for Privacy Protection of Mobile Terminals [J]. Netinfo Security, 2019, 19(8): 51-60.
[4]	Bin DUAN, Lan LI, Jun LAI, Jun ZHAN. Research on Hardware Vulnerabilities Mining Method for Industrial Control Device Based on Dynamic Taint Analysis [J]. Netinfo Security, 2019, 19(4): 47-54.
[5]	Ran ZI, Jia LIU. Research on Construction of Risk and Trust Architecture Based on Lean Trust [J]. Netinfo Security, 2019, 19(10): 32-41.
[6]	SUN Ziwen, LI Fu. Gesture Authentication Method Based on HMM and D-S Evidence Theory [J]. 信息网络安全, 2018, 18(10): 17-23.
[7]	GENG Xin. Research on the Industrial Control Systems Security Architecture of Chinese Tobacco Industry [J]. 信息网络安全, 2017, 17(9): 34-37.
[8]	HE Shuo, HUANG Zili, YANG Yang, CHEN Zhou. Research on Online Transaction Risk Detection Based on IP Reputation [J]. 信息网络安全, 2017, 17(9): 77-80.
[9]	LIU Hao, CHEN Zhigang, ZHANG Lianming. A Task-based Access Control Model of Peer-to-Peer Network Based on Admission Degree [J]. 信息网络安全, 2017, 17(6): 22-29.
[10]	WANG Qing, TU Chenyang, SHEN Jiahui. Design and Application of General Framework for Side Channel Attack [J]. 信息网络安全, 2017, 17(5): 57-62.
[11]	DONG Xiaoning, ZHAO Huarong, LI Dianwei, WANG Jiasheng. Research on Information Systems Security Risk Assessment Based on Fuzzy Theory of Evidence [J]. 信息网络安全, 2017, 17(5): 69-73.
[12]	LIANG Zhiqiang, LIN Dansheng. Information Security Risk Assessment Mechanism Research Based on Power System [J]. 信息网络安全, 2017, 17(4): 86-90.
[13]	LI Tao, ZHANG Chi. Research on Network Security Risk Model Based on the Information Security Level Protection Standards [J]. 信息网络安全, 2016, 16(9): 177-183.
[14]	WANG Haitao. Research and Design of the Next Generation of Operation Security Audit System [J]. 信息网络安全, 2016, 16(6): 81-85.
[15]	LUO Xiaofeng, WANG Wenxian, LUO Wanbo. The Retrospect and Prospect of Access Control Technology [J]. 信息网络安全, 2016, 16(12): 19-27.