Electronic Science and Technology ›› 2024, Vol. 37 ›› Issue (3): 10-17.doi: 10.16180/j.cnki.issn1007-7820.2024.03.002
WU Jiacheng, YU Xiao
Received: 2022-10-09
Online: 2024-03-15
Published: 2024-03-11
WU Jiacheng, YU Xiao. A Review of Research on Cybersecurity Risk Assessment Methods[J].Electronic Science and Technology, 2024, 37(3): 10-17.
Table 1. Risk assessment methods summary

Category of comprehensive assessment method | Specific method | Method description | Advantages | Disadvantages
---|---|---|---|---
Index-system-based risk assessment methods | Fuzzy comprehensive analysis | Converts qualitative evaluation into quantitative evaluation | Can handle uncertainty | Cannot resolve the weighting problem caused by mutual influence among indicators
| D-S evidence theory analysis | Fuses multi-source data and information to obtain an assessment result | Required prior data is easy to obtain; can express uncertain information | Evidence must be mutually independent; computation suffers from exponential explosion
| Analytic hierarchy process (AHP) | Builds a multi-level hierarchical analysis structure model | Systematic decision-making; requires little quantitative data | Assessment results are strongly subjective
| Grey theory assessment | Handles uncertain and fuzzy factors | Suitable for systems with incomplete information and small data volumes | Accuracy of results is limited by how the evaluation coefficients are determined
Model-based risk assessment methods | Attack tree model | Attacker-centric, hierarchical analysis of attack behaviour | Simple model; graphical description facilitates quantitative evaluation | Low modelling efficiency; not flexible enough
| Attack graph model | Describes the correlation between system vulnerabilities and attack behaviour | Combines attack behaviour with system state changes for a more comprehensive assessment | Relatively complex; not conducive to subsequent analysis and quantification
| Petri net model | Considers attack and defence factors together | Intuitively shows changes in system state | Information loss occurs when assessing large systems
| Bayesian network | Assesses the network by combining probability theory with graph theory | Reflects the reasoning process behind security events | Combinatorial explosion problem; not suitable for complex networks
| Hidden Markov model | Dynamically assesses security events and network state | Controllable modelling complexity; real-time observation of security state | Many attributes must be quantified; requires much prior knowledge