Article abstract
Sun Ao (孙奥), Yin Xiaochuan (殷肖川), Li Xiaoqing (李小青). A Network Risk Assessment Model Geared to the Needs of Tasks [J]. Journal of Air Force Engineering University (Natural Science Edition), 2019, 20(5): 105-110
A Network Risk Assessment Model Geared to the Needs of Tasks (一种面向任务的网络风险评估模型)
Keywords: task oriented; risk assessment; threat modeling; risk prediction
Funding: National Natural Science Foundation of China
Author affiliation
Sun Ao, Yin Xiaochuan, Li Xiaoqing: School of Information and Navigation, Air Force Engineering University, Xi'an 710077, China
Abstract (translated from the Chinese):
      To address the problem of security risk assessment for network services, a STRIDE-HMM risk assessment method based on STRIDE threat modeling and hidden Markov model (HMM) theory is proposed. Taking network services as the entry point, the method gives the construction of the task description model, the task asset model and the task risk assessment model, and the relationships among them. The task description model gives the division of the task into phases and the corresponding asset set, vulnerability set and threat set; the task asset model gives the set of assets that each task phase depends on and, on that basis, uses the HMM method to quantify the security state of each asset; the task risk assessment model applies aggregation analysis to the asset classification results to compute the task risk value, thereby achieving risk assessment oriented to network services. To validate the effectiveness of the proposed method, the assets, vulnerabilities and threats from the typical web application example supplied by the TMT threat modeling tool are used, and the proposed model and method are applied to this example in simulation. The experimental results show that the method can provide decision support for task-oriented security planning and scheduling.
Abstract (authors' English version):
      In view of network business security risk assessment problems, a STRIDE-HMM network risk assessment and prediction method based on STRIDE threat modeling and HMM theory is proposed. Taking the network service as the entry point, the construction methods of the task description model, the task asset model and the task risk assessment model, and the relationships among them, are given. The task description model gives the task phase partitioning and the corresponding asset sets, vulnerability sets and threat sets; the task asset model gives the set of assets that each stage of the task depends on, and on this basis an HMM is used to quantify the security status of each asset. The task risk assessment model realizes risk assessment for network business by computing the task risk value with an aggregation analysis method over the results of the asset classification sets. To verify the effectiveness of the proposed method, a typical web application example of assets, vulnerabilities and threats from the threat modeling tool TMT is used. The result shows that the proposed method can provide decision support for security planning and scheduling oriented to the needs of tasks.
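As an added illustration (not the paper's code or parameters), the following Python sketch implements the pipeline the abstract describes: an HMM forward filter turns a per-asset sequence of STRIDE-category observations into P(compromised), and an aggregation over the assets each task phase depends on gives the phase risk and the task risk. The two-state asset model, all HMM probabilities, the noisy-OR aggregation rule and the web-application task are assumptions, since the abstract does not publish them.

```python
"""STRIDE-HMM sketch: per-asset HMM state estimate from STRIDE observations, then phase/task aggregation."""
from typing import Dict, List, Tuple

STATES = ("normal", "compromised")              # hidden asset security states (assumed)
OBS = ("none", "S", "T", "R", "I", "D", "E")    # STRIDE categories plus a quiet interval (assumed)

# Constructed HMM parameters; the paper does not publish its values.
START = {"normal": 0.95, "compromised": 0.05}
TRANS = {"normal": {"normal": 0.9, "compromised": 0.1},
         "compromised": {"normal": 0.2, "compromised": 0.8}}
EMIT = {"normal": dict(none=0.70, S=0.05, T=0.05, R=0.05, I=0.05, D=0.05, E=0.05),
        "compromised": dict(none=0.10, S=0.15, T=0.15, R=0.15, I=0.15, D=0.15, E=0.15)}


def forward_filter(observations: List[str]) -> Dict[str, float]:
    """Forward algorithm: normalised belief over STATES after the last observation.
    Each step predicts through TRANS (from START at t=1), then weights by EMIT and renormalises."""
    belief = dict(START)
    for o in observations:
        if o not in OBS:
            raise ValueError(f"unknown STRIDE observation {o!r}")
        predicted = {s: sum(belief[p] * TRANS[p][s] for p in STATES) for s in STATES}
        weighted = {s: predicted[s] * EMIT[s][o] for s in STATES}
        z = sum(weighted.values())
        belief = {s: v / z for s, v in weighted.items()}
    return belief


def phase_risk(asset_risks: List[float]) -> float:
    """Noisy-OR aggregation (assumed): a phase fails if any asset it depends on is compromised."""
    p_safe = 1.0
    for r in asset_risks:
        p_safe *= 1.0 - r
    return 1.0 - p_safe


def task_risk(phases: Dict[str, List[str]],
              asset_obs: Dict[str, List[str]]) -> Tuple[float, Dict[str, float], Dict[str, float]]:
    """phases: task phase -> assets it depends on; asset_obs: asset -> STRIDE observation sequence.
    Returns (task risk = worst phase, per-phase risk, per-asset P(compromised))."""
    asset_risk = {a: forward_filter(obs)["compromised"] for a, obs in asset_obs.items()}
    per_phase = {ph: phase_risk([asset_risk[a] for a in deps]) for ph, deps in phases.items()}
    return max(per_phase.values()), per_phase, asset_risk


if __name__ == "__main__":
    # Constructed web-application task: two phases, four assets, hypothetical observation sequences.
    phases = {"login": ["web_server", "auth_db"], "checkout": ["web_server", "app_server", "order_db"]}
    obs = {"web_server": ["none", "T", "D"], "auth_db": ["none", "none", "I"],
           "app_server": ["none"] * 3, "order_db": ["none", "E", "E"]}
    total, per_phase, per_asset = task_risk(phases, obs)
    print(f"task risk {total:.3f}; phases {per_phase}; assets {per_asset}")
```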