| 面向漏洞生命周期的安全风险度量方法 |
| |
| 引用本文: | 胡浩,叶润国,张红旗,常德显,刘玉岭,杨英杰.面向漏洞生命周期的安全风险度量方法[J].软件学报,2018,29(5):1213-1229. |
| |
| 作者姓名: | 胡浩 叶润国 张红旗 常德显 刘玉岭 杨英杰 |
| |
| 作者单位: | 信息工程大学, 三院, 河南 郑州 450001;河南省信息安全重点实验室, 河南 郑州 450001,中国电子技术标准化研究院, 北京 100007,信息工程大学, 三院, 河南 郑州 450001;河南省信息安全重点实验室, 河南 郑州 450001,信息工程大学, 三院, 河南 郑州 450001;河南省信息安全重点实验室, 河南 郑州 450001,中国科学院, 软件研究所, 可信计算与信息保障实验室, 北京 100190,信息工程大学, 三院, 河南 郑州 450001;河南省信息安全重点实验室, 河南 郑州 450001 |
| |
| 基金项目: | 国家”863”高技术研究发展计划基金项目(2012AA012704,2015AA016006);国家重点研发计划课题(2016YFF0204003);郑州市科技领军人才项目(131PLJRC644);“十三五”装备预研领域基金(61400020201);CCF-启明星辰“鸿雁”科研计划(2017003);公安部信息网络安全重点实验室开放课题((C15604);蚂蚁金服科研基金项目 |
| |
| 摘 要: | 为了反映信息系统安全漏洞的风险随时间动态变化的规律,构建基于吸收Markov链的漏洞生命周期模型,计算先验历史漏洞信息作为模型输入,构造漏洞生命周期的状态转移概率矩阵,在时间维度上利用矩阵对状态演化过程进行推导.借鉴通用漏洞评分标准分析漏洞威胁影响,给出安全漏洞的时间维度风险量化方法,并对漏洞生命周期各状态发生概率的演化规律进行总结和分析.最后以典型APT攻击场景中“WannaCry”勒索病毒的漏洞利用过程为例,验证了模型及方法的合理性和有效性.
|
| 关 键 词: | 风险度量|漏洞生命周期|随机模型|吸收Markov链|动态评估 |
| 收稿时间: | 2017/7/5 0:00:00 |
| 修稿时间: | 2017/8/29 0:00:00 |
Vulnerability Life Cycle Oriented Security Risk Metric Method |
| |
| HU Hao,YE Run-Guo,ZHANG Hong-Qi,CHANG De-Xian,LIU Yu-Ling and YANG Ying-Jie.Vulnerability Life Cycle Oriented Security Risk Metric Method[J].Journal of Software,2018,29(5):1213-1229. |
| |
| Authors: | HU Hao YE Run-Guo ZHANG Hong-Qi CHANG De-Xian LIU Yu-Ling and YANG Ying-Jie |
| |
| Affiliation: | The 3rd School, Information Engineering University, Zhengzhou 450001, China;Henan Key Laboratory of Information Security, Zhengzhou 450001, China,China Electronics Standardization Institute, Beijing 100007, China,The 3rd School, Information Engineering University, Zhengzhou 450001, China;Henan Key Laboratory of Information Security, Zhengzhou 450001, China,The 3rd School, Information Engineering University, Zhengzhou 450001, China;Henan Key Laboratory of Information Security, Zhengzhou 450001, China,Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China and The 3rd School, Information Engineering University, Zhengzhou 450001, China;Henan Key Laboratory of Information Security, Zhengzhou 450001, China |
| |
| Abstract: | In order to reflect the dynamic change of vulnerability security risk over time in an information system,this paper developed a life cycle stochastic model based on the absorbing Markov.The prior historical vulnerability information is used as the input.Then the state transition probability matrix of vulnerability life cycle is constructed.Specifically,the state evolution process is simulated in the dimension of time using matrix deduction.Meanwhile,the common vulnerability scoring system (CVSS) is utilized to measure the threat impact of vulnerabilities in the network system.Furthermore,a quantitative risk method to measure security vulnerability in terms of time dimension is provided to analyze some probability evolution rules with respect to the states of vulnerability life cycle.Finally,the exploits by the ransomware "WannaCry" in a typical APT attack scenario are taken as an example to verify the rationality and validity of the presented model and method. |
| |
| Keywords: | security metric|vulnerability life cycle|stochastic model|absorbing Markov chain|dynamic evaluation |
|
| 点击此处可从《软件学报》浏览原始摘要信息 |
|
点击此处可从《软件学报》下载全文 |
|
