基于综合判定分析的信息系统安全检验技术研究
|
摘要
随着Internet技术的高速发展,信息系统逐渐成为国家信息化稳定发展的基本单元。但是,病毒、木马、恶意软件、拒绝服务攻击等具有破坏性的活动越来越多,严重影响了信息系统的正常运行。为了保障信息系统的安全与稳定,我国提出了信息安全等级保护概念并且将其作为了保障国家信息化建设安全的一项基本策略。因此,信息系统的等级保护建设工作成为了目前的重点与热点。
为了评价一个目标系统等级保护建设的达标与否,需要对其进行全面系统的安全检验,判断其实际情况与应满足的安全要求之间的符合性程度。因此,应当对各种不同的信息系统通过合理的方法分析检验对象并为其制定适当的检验项,以确定综合判定分析的原始数据来源和采集数据时应遵循的规则。在此基础上,通过一种高效准确的判定算法来计算该系统等级保护建设的符合性程度。综上所述,信息系统检验对象、检验项的确定方法的研究,综合判定算法的研究都是安全检验过程中亟需解决的问题。目前,该领域的相关研究较为有限,实用性成果较少。本文在研究等级保护各种标准、安全要求的基础上,进行了更为深入的探索。本文主要的研究内容和研究成果包括:
(1)基于k-core解析理论研究了信息系统的层次结构和网络拓扑关系,确定了综合判定分析所需原始数据的来源。研究了复杂网络中的k-core解析方法,对信息系统特性进行分析,并应用该理论对应用层软件结构和网络层路由结构进行了具体分析,揭示了信息系统各节点关系间的结构性和层次性及其变化规律,得到了系统中各层的关键节点,即安全检验的重点关注对象。
(2)深入研究了威胁建模理论,分析了信息系统面临的威胁,建立了检验指标体系,得到了综合判定分析采集数据时应当遵循的规则。通过威胁树、威胁信息表等可视化的方法对信息系统可能面临的威胁风险进行分析。运用STREAD模型对威胁类型进行划分,并运用DREAD模型对威胁的风险值进行计算。根据得到的威胁,设计与之对应的具体检验项,建立了具有递阶层次结构的安全检验指标体系。
(3)基于矩阵法、模糊综合评判法和证据理论三种不同的量化模型,研究了安全检验的综合判定分析算法。充分研究了目前综合判定分析领域的多种量化模型,深入分析了安全检验各层次的安全要求。引入三种量化模型,弥补了安全检验综合判定领域计算方法的不足。基于这三种方法,给出了各自的检验原理和实际步骤,提出了各自的检验算法,完成了对检验采集数据的融合。依据三种方法的判定结果,综合分析了三种模型的计算优势、不足和适用条件。
(4)提出了新型的证据理论合成法则,并基于此法则给出了综合判定改进算法。在研究证据理论合成法则的过程中发现其对于高度冲突的证据的合成难以取得较好的效果,而目前已有的多种改进方法效果也并不理想。因此,本文提出了证据间冲突变化程度平均性的概念,并根据此概念设计了一种新型的证据理论合成法则,建立了一套综合判定改进算法。此算法能够较好地解决证据间的高度冲突并较为合理地减轻不确定性因素的影响,从而得到较好的符合性判定结果。(5)设计并实现了一个信息系统等级保护符合性安全检验平台及其检验工具集,能够完成安全检验的执行工作。此平台以每个安全检验任务为处理的核心对象,通过检验对象分析引擎、检验方案生成引擎、检验工具选择引擎以及综合判定分析引擎对每个任务的流程进行管理。检验工具集包括了能够针对不同安全功能进行检验的多种实用工具。平台可以依据综合判定改进算法对采集到的原始数据进行融合,计算得出最终的符合性判定结果。此平台目前已经在实际的安全检验工作中进行了试运行,并取得了良好的效果。
Along with the rapid development of Internet technology, information systems have been the basic units of the stable development of national information. However, there are more and more destructive activities such as viruses, trojans, malware, denial of service attacks and so on. These seriously affect the normal running of information systems. In order to protect the security and stability of information systems, our country proposes the concept of information security classified protection and makes it as a basic strategy of construction of national information. Hence, the construction of information system classified protection has been the focus at present.
To evaluate whether the construction of classified protection reaches the standard, it is need to take systematic security detection in order to obtain the compliance result with security requirements. Therefore, we should take method to analyze the detection objects with proper detection items for different systems in order to ensure the original data and following rules of comprehensive decision. On this basis, we can take an efficient decision algorithm to calculate the final detection result. The research on ascertaining method of detection objects and items and comprehensive decision algorithm is needed in detection process. At present, the correlational research in this field is very limited so this paper further explores the problem based on the investigation of classified protection criterions and security requirments. The main research contents and results are shown as follows:
(1) Study the hierarchical structure and topology characteristics of system based on k-core decomposition to ascertain the source of original data in comprehensive decision. Study the k-core decomposition method in complex network to analyze the characteristics of system. Apply it to analyze the structure of software system in application layer and router system in network layer. Explain the property of constitutive and hierarchy of the relationship between every nodes of system. Obtain the key nodes which are the focus of security detection in system.
(2) Study deeply on threat modeling, analyze the threats which information system may face and establish a detection index system in order to obtain the data collection rules to be followed in comprehensive decision. Analyze the threats of system by threat trees and threat information sheets. Classify the threats of system by STREAD model and calculate the risk value of every threat by DREAD model. Design specific detection items according to the determined threat and establish a hierarchical multi-level security detection index system.
(3) Study the comprehensive decision algorithms of security detection based on three models of matrix method, fuzzy comprehensive evaluation approach and Dempster-Shafer theory. Study various kinds of quantitative models in the field of decision analysis clearly and fully and analyze the security requirements of every layer. Introduce three models to make up for the gap of decision method in security detection. Give the principles and operation steps of the three different quantitative models and propose the detection algorithms based on every model. According to the different results, summarize the advantages, disadvantages and application conditions of three methods.
(4) Design a novel combination rule of D-S theory and establish a modified algorithm of comprehensive decision based on the rule. In the process of studying Dempster's rule of combination, find that the original rule isn't very effective in handling the evidence with high degree of conflict. There have been several improvement methods but their effects aren't very ideal. Therefore, this paper proposes the concept of average of conflict's volatility between evidence. Design a novel combination rule of D-S theory based on it and establish a modified algorithm of comprehensive decision. This algorithm can solve the problem of the high degree conflict between evidence and reduce the affection of uncertainty factors more effectively than others so that it can obtain a better compliance decision result.
(5) Design and implement a platform of information system classified protection compliance security detection and detection toolset which are helpful for the integral implementation of security detection. The platform takes every security detection task as the core object and manages its flow by the detection object analysis engine, detection scheme generation engine, detection tool selection engine and comprehensive decision analysis engine. The toolset includes many kinds of detection tools for different security functions. The platform combines the original data on the basis of modified algorithm of comprehensive decision and it can receive the final security detection compliance result of target system. This platform is already carried out on test run in the actual work of security detection and it has achieved good results.
为了评价一个目标系统等级保护建设的达标与否,需要对其进行全面系统的安全检验,判断其实际情况与应满足的安全要求之间的符合性程度。因此,应当对各种不同的信息系统通过合理的方法分析检验对象并为其制定适当的检验项,以确定综合判定分析的原始数据来源和采集数据时应遵循的规则。在此基础上,通过一种高效准确的判定算法来计算该系统等级保护建设的符合性程度。综上所述,信息系统检验对象、检验项的确定方法的研究,综合判定算法的研究都是安全检验过程中亟需解决的问题。目前,该领域的相关研究较为有限,实用性成果较少。本文在研究等级保护各种标准、安全要求的基础上,进行了更为深入的探索。本文主要的研究内容和研究成果包括:
(1)基于k-core解析理论研究了信息系统的层次结构和网络拓扑关系,确定了综合判定分析所需原始数据的来源。研究了复杂网络中的k-core解析方法,对信息系统特性进行分析,并应用该理论对应用层软件结构和网络层路由结构进行了具体分析,揭示了信息系统各节点关系间的结构性和层次性及其变化规律,得到了系统中各层的关键节点,即安全检验的重点关注对象。
(2)深入研究了威胁建模理论,分析了信息系统面临的威胁,建立了检验指标体系,得到了综合判定分析采集数据时应当遵循的规则。通过威胁树、威胁信息表等可视化的方法对信息系统可能面临的威胁风险进行分析。运用STREAD模型对威胁类型进行划分,并运用DREAD模型对威胁的风险值进行计算。根据得到的威胁,设计与之对应的具体检验项,建立了具有递阶层次结构的安全检验指标体系。
(3)基于矩阵法、模糊综合评判法和证据理论三种不同的量化模型,研究了安全检验的综合判定分析算法。充分研究了目前综合判定分析领域的多种量化模型,深入分析了安全检验各层次的安全要求。引入三种量化模型,弥补了安全检验综合判定领域计算方法的不足。基于这三种方法,给出了各自的检验原理和实际步骤,提出了各自的检验算法,完成了对检验采集数据的融合。依据三种方法的判定结果,综合分析了三种模型的计算优势、不足和适用条件。
(4)提出了新型的证据理论合成法则,并基于此法则给出了综合判定改进算法。在研究证据理论合成法则的过程中发现其对于高度冲突的证据的合成难以取得较好的效果,而目前已有的多种改进方法效果也并不理想。因此,本文提出了证据间冲突变化程度平均性的概念,并根据此概念设计了一种新型的证据理论合成法则,建立了一套综合判定改进算法。此算法能够较好地解决证据间的高度冲突并较为合理地减轻不确定性因素的影响,从而得到较好的符合性判定结果。(5)设计并实现了一个信息系统等级保护符合性安全检验平台及其检验工具集,能够完成安全检验的执行工作。此平台以每个安全检验任务为处理的核心对象,通过检验对象分析引擎、检验方案生成引擎、检验工具选择引擎以及综合判定分析引擎对每个任务的流程进行管理。检验工具集包括了能够针对不同安全功能进行检验的多种实用工具。平台可以依据综合判定改进算法对采集到的原始数据进行融合,计算得出最终的符合性判定结果。此平台目前已经在实际的安全检验工作中进行了试运行,并取得了良好的效果。
Along with the rapid development of Internet technology, information systems have been the basic units of the stable development of national information. However, there are more and more destructive activities such as viruses, trojans, malware, denial of service attacks and so on. These seriously affect the normal running of information systems. In order to protect the security and stability of information systems, our country proposes the concept of information security classified protection and makes it as a basic strategy of construction of national information. Hence, the construction of information system classified protection has been the focus at present.
To evaluate whether the construction of classified protection reaches the standard, it is need to take systematic security detection in order to obtain the compliance result with security requirements. Therefore, we should take method to analyze the detection objects with proper detection items for different systems in order to ensure the original data and following rules of comprehensive decision. On this basis, we can take an efficient decision algorithm to calculate the final detection result. The research on ascertaining method of detection objects and items and comprehensive decision algorithm is needed in detection process. At present, the correlational research in this field is very limited so this paper further explores the problem based on the investigation of classified protection criterions and security requirments. The main research contents and results are shown as follows:
(1) Study the hierarchical structure and topology characteristics of system based on k-core decomposition to ascertain the source of original data in comprehensive decision. Study the k-core decomposition method in complex network to analyze the characteristics of system. Apply it to analyze the structure of software system in application layer and router system in network layer. Explain the property of constitutive and hierarchy of the relationship between every nodes of system. Obtain the key nodes which are the focus of security detection in system.
(2) Study deeply on threat modeling, analyze the threats which information system may face and establish a detection index system in order to obtain the data collection rules to be followed in comprehensive decision. Analyze the threats of system by threat trees and threat information sheets. Classify the threats of system by STREAD model and calculate the risk value of every threat by DREAD model. Design specific detection items according to the determined threat and establish a hierarchical multi-level security detection index system.
(3) Study the comprehensive decision algorithms of security detection based on three models of matrix method, fuzzy comprehensive evaluation approach and Dempster-Shafer theory. Study various kinds of quantitative models in the field of decision analysis clearly and fully and analyze the security requirements of every layer. Introduce three models to make up for the gap of decision method in security detection. Give the principles and operation steps of the three different quantitative models and propose the detection algorithms based on every model. According to the different results, summarize the advantages, disadvantages and application conditions of three methods.
(4) Design a novel combination rule of D-S theory and establish a modified algorithm of comprehensive decision based on the rule. In the process of studying Dempster's rule of combination, find that the original rule isn't very effective in handling the evidence with high degree of conflict. There have been several improvement methods but their effects aren't very ideal. Therefore, this paper proposes the concept of average of conflict's volatility between evidence. Design a novel combination rule of D-S theory based on it and establish a modified algorithm of comprehensive decision. This algorithm can solve the problem of the high degree conflict between evidence and reduce the affection of uncertainty factors more effectively than others so that it can obtain a better compliance decision result.
(5) Design and implement a platform of information system classified protection compliance security detection and detection toolset which are helpful for the integral implementation of security detection. The platform takes every security detection task as the core object and manages its flow by the detection object analysis engine, detection scheme generation engine, detection tool selection engine and comprehensive decision analysis engine. The toolset includes many kinds of detection tools for different security functions. The platform combines the original data on the basis of modified algorithm of comprehensive decision and it can receive the final security detection compliance result of target system. This platform is already carried out on test run in the actual work of security detection and it has achieved good results.
引文
[1]范红.信息安全风险管理评估规范国家标准理解与实施.中国国家标准出版社,2007.
[2]中华人民共和国计算机信息系统安全保护条例.国务院,1994.
[3]国家质量技术监督局.GB 17859-1999计算机信息系统安全保护等级划分准则[S].北京,中国标准出版社,1999.
[4]国家信息化领导小组关于加强信息安全保障工作的意见(中办发[2003]27号).中央办公厅,2003.
[5]信息安全等级保护的实施意见(公通字2004第66号),2004.
[6]信息安全等级保护管理办法(公通字[2007]43号),2007.
[7]关于开展全国重要信息系统安全等级保护定级工作的通知(公信安[2007]861号),2007.
[8]US National Computer Security Center. Trusted Computer System Evaluation Criteria [S]. NCSC 5200.28-STD,1985.
[9]Common Criteria Project Sponsoring Organisations. Common Criteria for Information Security Evaluation Part 1-3, Version2.1. Augest,1999.
[10]International Organization for Standardization. Code for Practice for Information Security Management. ISO/IEC 17799:2000. December,2000.
[11]SSE-CMM. System Security Engineering Capability Maturity Model Appraisal Method version2.0 [EB/OL]. http://www.sse-cmm.org,1999.
[12]刘芳.信息系统安全评估理论及其关键技术研究.[博士学位论文],长沙,国防科学技术大学,2005.
[13]国家质量技术监督局.GB/T 18336-2001信息技术安全性评估准则[S].北京,中国标准出版社,2001.
[14]国家质量监督检验检疫总局.GB/T 20270-2006信息安全技术网络基础安全技术要求[S].北京,中国标准出版社,2006.
[15]国家质量监督检验检疫总局.GB/T 20271-2006信息安全技术信息系统通用安全技术要求[S].北京,中国标准出版社,2006.
[16]国家质量监督检验检疫总局.GB/T 20272-2006信息安全技术操作系统安全技术要求[S].北京,中国标准出版社,2006.
[17]国家质量监督检验检疫总局.GB/T 20273.2006信息安全技术数据库管理系统安全技术要求[S].北京,中国标准出版社,2006.
[18]国家质量监督检验检疫总局.GB/T 22239-2008信息系统安全保护等级基本要求[S].北京,中国标准出版社,2008.
[19]国家质量监督检验检疫总局.GB/T 22240-2008信息系统安全保护等级定级指南[S].北京,中国标准出版社,2008.
[20]国家质量监督检验检疫总局GB/T XXXX—XXXX信息系统安全等级保护测评准则[S].送审稿_修订版V1.1,200x.
[21]国家质量监督检验检疫总局.GB/T 25058-2010信息系统安全等级保护实施指南[S].北京,中国标准出版社,2010.
[22]国家质量监督检验检疫总局.GB/T 25070—2010信息系统等级保护安全设计技术要求[S].北京,中国标准出版社,2010.
[23]公安部信息安全等级保护评估中心.信息系统等级保护安全设计技术要求测评规范.初稿,200x.
[24]关于开展信息系统等级保护安全建设整改工作的指导意见(公信安[2009]1429号,2009.
[25]朱方洲.基于BS7799的信息系统安全风险评估研究[D].[硕士学位论文],合肥,合肥工业大学,2007.
[26]Alberts, Christopher J. and Dorofee A.J. OCTAVE Method Implementation Guide, v2.0. Pittsburgh,PA:Software Engineering Institute, Carnegie Mellon University.2001.
[27]宋晓莉,王劲松,陈源.信息安全风险评估方法研究.网络安全技术与应用.Dec.2006,67-69.
[28]Saaty T.L. The Analytic Hierarchy Process. New YorkL:McGrae-Hill,1980.
[29]蔡煜,张玉清,冯登国.基于GB 17859-1999标准体系的风险评估方法.计算机工程与应用.2005,12:134-137.
[30]段云所,刘欣,陈钟等.信息系统组合安全强度和脆弱性分析.北京大学学报(自然科学版).2005,41(3):484-490.
[31]阎强等.一种面向对象的信息系统安全评估方法.北京邮电大学学报.2005,28(4):70-73.
[32]国家质量监督检验检疫总局.GB/T 20984-2007信息安全技术信息安全风险评估规范[S].北京,中国标准出版社,2007.
[33]宋晓莉,余静,孙海传等.模糊综合评价法在风险评估中的应用[J].微计算机信息,2006,22(12):71-79.
[34]C&A. Systems Security:The COBRA Risk Consultant MethodologyTM. July 1999.
[35]马健丽.信息系统安全功能符合性检验关键技术研究[D].[博士学位论文],北京,北京邮电大学,2010.
[36]张君,赵海,康敏等.基于k—核解析的Internet路由级拓扑的分形特征[J].东北大学学报(自然科学版).2010,31(4):511-512.
[37]Alvarez-Hamelin, J.I. et al. k-core decomposition:a tool for the visualization of large scale networks. Arxiv preprint cs. NI/0504107,2005.
[38]Alvarez-Hamelin J.I., Dall'Asta L., Barrat A., et al. Large scale networks fingerprinting and visualization using the k-core decomposition [C]// Advances in Neural Information Processing Systems 18. Cambridge:MIT Press,2006:41-50.
[39]Bollobas B. Random graphs [M].2nd ed. Cambridge:Cambridge University Press,2001:447-457.
[40]Seidman S B. Network structure and minimum degree [J]. Social Networks, 1983,5(3):269-287.
[41]Bollobas B. The evolution of sparse graphs [C]//Graph Theory and Combinalorics. London:Academic Press,1984:35-37.
[42]S. Kirkpatrick, Jellyfish and other interesting creatures of the Internet, http://www.cs.huji.ac.il/-kirk/Jellyfish Dimes.ppt. cond-mat/0601240.
[43]S. Wuchty and E. Almaas. BMC Evol Biol.5,2005,24.
[44]Alvarez-Hamelin J.I., Dall'Asta L., Barrat A., et al. k-core decomposition of Internet graphs:hierarchies, self-similarity and measurement biases [J]. Networks and Heterogeneous Media,2008,3(2):371-393.
[45]H. H. Zhang, H. Zhao, W. Cai and M. Zhao, "Visualization and Cognition of Large-Scale Software Structure Using the k-Core Analysis", Proceedings of the 2008 International Conference on Intelligent Information Hiding and Multimedia Signal Processing, Aug.2008, pp.954-957.
[46]C. R. Myers, "Software systems as complex networks:Structure, function, and evolvability of software collaboration graphs", J. Ohys. Rev. R,68,046116, 2003.
[47]G. Concas, M. Marchesi, S. Pinna, Power-laws in a large object-oriented software system, IEEE Transactions on Softwre Engineering, vol.33, pp. 687-708,2007.
[48]C. R. Myers, Software systems as complex networks:Structure, function, and evolvability of software collaboration graphs, Physical Review E, vol.68, pp. 046116,2003.
[49]G. A. Xu, Y. Gao, Y. N. Qi, J. H. Peng, X. J. Tang, Contrastive Analysis of Software Networks Based on Different Coupling Relationships, China Communications, Oct.2010, pp.74-80.
[50]Y. Gao, G. A. Xu, Y. X. Yang, X. X. Niu, S. Z. Guo, Empirical Analysis of Software Coupling Networks in Object-oriented Software Systems,2010 IEEE International Conference on Software Engineering and Service Science,2010, pp.178-181.
[51]G. A. Xu, Y. Gao, F. F. Liu, A. G. Chen, M. Zhang, Statistical Analysis of Software Coupling Measurement Based on Complex Networks,2008 International Seminar on Future Information Technology and Management Engineering,2008, pp.577-581.
[52]Haohua Zhang, Hai Zhao, Wei Cai, Jie Liu, et al. Using the k-core decomposition to analyze the static structure of large-scale software systems. The Journal of Supercomputing 2010,53(2):352-369.
[53]冯博.软件安全开发关键技术的研究和实现[D].[博士学位论文],北京, 北京邮电大学,2010.
[54]Wikipedia. "Cooperative Association for Internet Data Analysis", http://en.wikipedia.org/wiki/Cooperative_Association_for_Internet_Data_Anal ysis.
[55]Jun Zhang, Hai Zhao, Jiu-qiang Xu, et al. The K-Core Decomposition and Visualization of Internet Router-Level Topology,2009 World Congress on Computer Science and Information Engineering, pp.231-236,2009.
[56]Satnam S., Tu H., Allanach J., et al. Modeling threats [J]. Potentials, IEEE, 23(3):18-21,2004.
[57]Walden Charles James, Frank Rose E., et al. Teaching software security with threat modeling:conference workshop [M]. Vol.22:Consortium for Computing Sciences in Colleges, pp:119-120,2006.
[58]Torr P. Demystifying the threat modeling process [J]. Security & Privacy Magazine, IEEE,3(5):66-70,2005.
[59]Scott D.S., Eugene P.P., Lyn R.W. Case study in modeling and simulation validation methodology [A]. Proceedings of the 33nd conference on Winter simulation [C]. Arlington, Virginia:IEEE Computer Society,2001.
[60]Threat Modeling [Z]. http://msdn.microsoft.com/security/securecode/ threatmodeling/.
[61]DeCusatis C. Developing a Threat Model for Enterprise Storage Area Networks [A].2006.9-14.
[62]Johansson J.M. Network threat modeling [A].10.2003.
[63]Michael Howard, David LeBlanc. Writing Secure Code [M].2nd ed. Microsoft Press,2003.
[64]中华人民共和国信息产业部.YDT 1730-2008电信网和互联网安全风险评估实施指南[S].北京,人民邮电出版社,2008.
[65]Unified Modeling Language:Superstructure version 2.1 ptc/2006-04-02 [Z]. http://www.uml.org/.
[66]Unified Modeling Language:Infrastructure version 2.1 ptc/2006-04-03 [Z]. http://www.uml.org/.
[67]J. Arlow, I. Neustadt. UML2 and the Unified Porcess:Practical Object-Oriented Analysis and Design [M].2nd ed. Addison Wesley Press. 2005.
[68]Jan Jurjens. Sound methods and effective tools for model-based security engineering with UML [A]. Proceedings of the 27th international conference on Software engineering [C]. St. Louis, MO, USA,2005.
[69]Microsoft“威胁建模”,http://www.microsoft.com/china/technet/ security/guidance/secmod76.mspx#EPF.
[70]Microsoft“评估安全威胁”,http://msdn.microsoft.com/zh-cn/ library/ms172104(v=vs.80).aspx.
[71]Schneier B. Attack trees [J]. Dr. Dobbs Journal,1999,24(12):21-29.
[72]Braendeland G., St(?)len K., et al. Using model-based security analysis in component-oriented system development [A]. Proceedings of the 2nd ACM workshop on Quality of protection [C]. Alexandria, Virginia, USA:ACM Press, 2006.
[73]卢继军.网络攻击及其形式化建模的研究[D].[硕士学位论文],安徽,中国科学技术大学,2003.
[74]Moore A.P., Ellison R.J., Linger R.C. Attack Modeling for Information Security and Survivability [R].2001.
[75]张跃,邹寿平.模糊数学方法及应用[M].北京:煤炭工业出版社.1992.
[76]Smets P. The combination of evidence in the transferable belief model [J]. IEEE Transaction on Pattern Analysis and Machine Intelligence,1990,12(5): 447-458.
[77]Sentz K. Combination of Evidence in Dempster-Shafer Theory [M]. Binghamton University,2002.
[78]Liu Yanqiong, Chen Yingwu, Gao Feng, et al. Risk evaluation using evidence reasoning theory [C]//Proc of Proceedings of the Fourth International Conference on Machine Learning and Cybernetics. Guangzhou:IEEE,2005: 18-21.
[79]Gao Huisheng, Zhu Jing. Security risk assessment model of network based on D-S evidence theory [J]. Computer Engineering and Application, Beijing,2008, 44:754-759.
[80]张锼,慕德俊,任帅等.一种基于风险矩阵法的信息安全风险评估模型[J].计算机工程与应用,2010,46(5):93-95.
[81]Paul R., Garvey P.R., Lansdowne Z.F. Risk matrix:An approach for identifying, assessing, and ranking program risks [J]. Air Force Jourhal of Logistics.1998(25):16-19.
[82]Lansdowne Z.F., Woodward B.S. Applying the Borda method [J]. Air Force Journal of Logistics.1996,20:27-29.
[83]高凤丽.基于风险矩阵方法的风险投资项目风险评估研究[D].南京,南京理工大学,2004.
[84]Son H, Seong P. A software safety evaluation method based on fuzzy colored petrinets [C]//Proc of International Conference on Fuzzy Systems. Seoul Korea,1999,2:830-834.
[85]Wang J. A subjective modeling tool applied to formal ship safety assessment [J]. Ocean Engineering,200,27:1019-1035.
[86]顾孟钧.基于D-S证据理论的信息系统风险评估方法研究[D].[硕士学位论文],浙江,浙江工业大学,2008.
[87]刘芳.信息系统安全评估理论及其关键技术研究[D].国防科学技术大学.2005.
[88]彭祖赠.模糊(Fuzzy)数学及其应用[M].武汉:武汉大学出版社,2002:122-176
[89]肖龙,戴宗坤.信息系统风险的多级模糊综合评判模型[J].四川大学学报(工程科学版),2004,36(5):98-102.
[90]贺仲雄.模糊数学及其应用[M].天津:天津科学技术出版社,1985.
[91]汪楚娇,林果园.网络安全风险的模糊层次综合评估模型[J].武汉大学学 报:理学版.2006,52(5):622-626.
[92]G. Shafer, A Mathematical Theory of Evidence [M]. Princeton University Press, Princeton, New Jersey,1976.
[93]Prepared by:P. Ballal. "Dempster Shafer Theory," EE 5322:Intelligent Control Systems, Copyright F. F. Lewis 2004.
[94]Srivastava, R.P., Lu, H. Structural analysis of audit evidence using belief functions [J]. Fuzzy Sets and Systems,2002,131:107-120.
[95]Srivastava, R.P., Liu, L. Applications of belief functions in business decisions: A review [J]. Information Systems Frontiers,2003,5(4):359-378.
[96]Krishnamoorthy, G., Mock, T.J., Washington, M.T. A comparative evaluation of belief revision models in auditing [J]. Auditing:A Journal of Practice&Theory,1999,18(2):105-127.
[97]Denoeux T. Modelling vague belief using fuzzy-valued belief structures. Fuzzy Sets and Systems,2000,116:167-199.
[98]Denoeux T., Zouhal L.M. Handling possibilistic labels in pattern classification using evidential reasoning [J]. Fuzzy Sets and Systems,2001,122(3):409-424.
[99]段新生.证据理论与决策、人工智能[M].北京:中国人民大学出版社,1993:95-112.
[100]Dempster, A.P. A generalization of Bayesian inference (with discussion). Journal of the Royal Statistical Society Series B,1968,30(2):205-247.
[101]Bae H.R., Grandhi R.V., Canfield R.A. Sensitivity analysis of structural response uncertainty propagation using evidence theory [J]. Structural and Multidisciplinary Optimization.2006(4):P270-279.
[102]Wierman M. J. Measuring Conflict in Evidence Theory [C].//Proc of IFSA World Congress and 20th NAFIPS International Conference. Vancouver:IEEE, 2001:1741-1745.
[103]Smets P. The application of the matrix calculus to belief functions [J]. International Journal of Approximate Reasoning,2002,31:1-30.
[104]肖人彬,王雪,费奇等.相关证据合成方法的研究[J].模式识别与人工智能.9:227—234,1993.
[105]孙怀江,杨静宇.一种相关证据合成方法[J].计算机学报.9:1004-1007,1999.
[106]肖志宏,罗志增,叶明.用证据理论实现多信息融合的一种改进算法[J].机器人.1:7-11,2000.
[107]R.R.Yager. On the Dempster-Shafer framework and new combination rules. Information Science,41,1987,93-137.
[108]T.Inagaki. Interdependence between safety-control police and multiple-sensor schemes via Dempster-Shafer theory. IEEE Transactions on Reliability,40(2), 1991,182-188.
[109]向阳,史习智.证据理论合成发展的一点修正[J].上海交通大学学报.1999,33(3):P357-360.
[110]邓勇,施文康.一种改进的证据推理组合规则[J].上海交通大学学报.2003,37(8):P1275-1278.
[111]杜峰,施文康,邓勇.证据特征提取及其在证据理论改进中的应用[J].上海交通大学学报.2004,38(增刊):P164-168.
[112]孙全,叶秀清,顾伟康.一种新的基于证据理论的合成公式[J].电子学报,2000,28(8):P117-119.
[113]刁联旺,李勇智,杨静宇.证据推理的决策问题[J].计算机工程与应用.2003,82-85.
[114]罗志增,叶明.用证据理论实现相关信息的融合明.电子与信息学报.2001,23(10):970-974.
[115]Leefvre E., Colot O. Belief function combination and conflict management [J]. Information Fusion.2002,3(2):P149-162.
[116]朱静.基于D-S证据理论的网络安全风险评估模型[D].[硕士学位论文],河北,华北电力大学,2008.
[117]李弼程,王波,魏俊等.一种有效的证据理论合成公式[J].数据采集与处理.2002,(17):33-36.
[118]余二永,王润生,徐学文.基于预处理模式的D-S证据理论改进方法[J].模式识别与人工智能.2007,20(5):711-715.
[119]桑圣玉.信息系统安全等级符合性检验系统的设计与实现[D].[硕士学位论文],北京,北京邮电大学,2011.
[120]徐国爱,郭燕慧,马健丽等.国家发明专利:基于硬盘的主机防客体重用性能的检测装置及其检测方法.专利申请号:201010133772.4.
[121]NIST. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. Special Publication 800-22 Revision 1a.2010.
[122]徐国爱,张淼,马健丽等.国家发明专利:一种基于随机性分析的数据加密功能的检验方法.专利申请号:201010158231.7.
[2]中华人民共和国计算机信息系统安全保护条例.国务院,1994.
[3]国家质量技术监督局.GB 17859-1999计算机信息系统安全保护等级划分准则[S].北京,中国标准出版社,1999.
[4]国家信息化领导小组关于加强信息安全保障工作的意见(中办发[2003]27号).中央办公厅,2003.
[5]信息安全等级保护的实施意见(公通字2004第66号),2004.
[6]信息安全等级保护管理办法(公通字[2007]43号),2007.
[7]关于开展全国重要信息系统安全等级保护定级工作的通知(公信安[2007]861号),2007.
[8]US National Computer Security Center. Trusted Computer System Evaluation Criteria [S]. NCSC 5200.28-STD,1985.
[9]Common Criteria Project Sponsoring Organisations. Common Criteria for Information Security Evaluation Part 1-3, Version2.1. Augest,1999.
[10]International Organization for Standardization. Code for Practice for Information Security Management. ISO/IEC 17799:2000. December,2000.
[11]SSE-CMM. System Security Engineering Capability Maturity Model Appraisal Method version2.0 [EB/OL]. http://www.sse-cmm.org,1999.
[12]刘芳.信息系统安全评估理论及其关键技术研究.[博士学位论文],长沙,国防科学技术大学,2005.
[13]国家质量技术监督局.GB/T 18336-2001信息技术安全性评估准则[S].北京,中国标准出版社,2001.
[14]国家质量监督检验检疫总局.GB/T 20270-2006信息安全技术网络基础安全技术要求[S].北京,中国标准出版社,2006.
[15]国家质量监督检验检疫总局.GB/T 20271-2006信息安全技术信息系统通用安全技术要求[S].北京,中国标准出版社,2006.
[16]国家质量监督检验检疫总局.GB/T 20272-2006信息安全技术操作系统安全技术要求[S].北京,中国标准出版社,2006.
[17]国家质量监督检验检疫总局.GB/T 20273.2006信息安全技术数据库管理系统安全技术要求[S].北京,中国标准出版社,2006.
[18]国家质量监督检验检疫总局.GB/T 22239-2008信息系统安全保护等级基本要求[S].北京,中国标准出版社,2008.
[19]国家质量监督检验检疫总局.GB/T 22240-2008信息系统安全保护等级定级指南[S].北京,中国标准出版社,2008.
[20]国家质量监督检验检疫总局GB/T XXXX—XXXX信息系统安全等级保护测评准则[S].送审稿_修订版V1.1,200x.
[21]国家质量监督检验检疫总局.GB/T 25058-2010信息系统安全等级保护实施指南[S].北京,中国标准出版社,2010.
[22]国家质量监督检验检疫总局.GB/T 25070—2010信息系统等级保护安全设计技术要求[S].北京,中国标准出版社,2010.
[23]公安部信息安全等级保护评估中心.信息系统等级保护安全设计技术要求测评规范.初稿,200x.
[24]关于开展信息系统等级保护安全建设整改工作的指导意见(公信安[2009]1429号,2009.
[25]朱方洲.基于BS7799的信息系统安全风险评估研究[D].[硕士学位论文],合肥,合肥工业大学,2007.
[26]Alberts, Christopher J. and Dorofee A.J. OCTAVE Method Implementation Guide, v2.0. Pittsburgh,PA:Software Engineering Institute, Carnegie Mellon University.2001.
[27]宋晓莉,王劲松,陈源.信息安全风险评估方法研究.网络安全技术与应用.Dec.2006,67-69.
[28]Saaty T.L. The Analytic Hierarchy Process. New YorkL:McGrae-Hill,1980.
[29]蔡煜,张玉清,冯登国.基于GB 17859-1999标准体系的风险评估方法.计算机工程与应用.2005,12:134-137.
[30]段云所,刘欣,陈钟等.信息系统组合安全强度和脆弱性分析.北京大学学报(自然科学版).2005,41(3):484-490.
[31]阎强等.一种面向对象的信息系统安全评估方法.北京邮电大学学报.2005,28(4):70-73.
[32]国家质量监督检验检疫总局.GB/T 20984-2007信息安全技术信息安全风险评估规范[S].北京,中国标准出版社,2007.
[33]宋晓莉,余静,孙海传等.模糊综合评价法在风险评估中的应用[J].微计算机信息,2006,22(12):71-79.
[34]C&A. Systems Security:The COBRA Risk Consultant MethodologyTM. July 1999.
[35]马健丽.信息系统安全功能符合性检验关键技术研究[D].[博士学位论文],北京,北京邮电大学,2010.
[36]张君,赵海,康敏等.基于k—核解析的Internet路由级拓扑的分形特征[J].东北大学学报(自然科学版).2010,31(4):511-512.
[37]Alvarez-Hamelin, J.I. et al. k-core decomposition:a tool for the visualization of large scale networks. Arxiv preprint cs. NI/0504107,2005.
[38]Alvarez-Hamelin J.I., Dall'Asta L., Barrat A., et al. Large scale networks fingerprinting and visualization using the k-core decomposition [C]// Advances in Neural Information Processing Systems 18. Cambridge:MIT Press,2006:41-50.
[39]Bollobas B. Random graphs [M].2nd ed. Cambridge:Cambridge University Press,2001:447-457.
[40]Seidman S B. Network structure and minimum degree [J]. Social Networks, 1983,5(3):269-287.
[41]Bollobas B. The evolution of sparse graphs [C]//Graph Theory and Combinalorics. London:Academic Press,1984:35-37.
[42]S. Kirkpatrick, Jellyfish and other interesting creatures of the Internet, http://www.cs.huji.ac.il/-kirk/Jellyfish Dimes.ppt. cond-mat/0601240.
[43]S. Wuchty and E. Almaas. BMC Evol Biol.5,2005,24.
[44]Alvarez-Hamelin J.I., Dall'Asta L., Barrat A., et al. k-core decomposition of Internet graphs:hierarchies, self-similarity and measurement biases [J]. Networks and Heterogeneous Media,2008,3(2):371-393.
[45]H. H. Zhang, H. Zhao, W. Cai and M. Zhao, "Visualization and Cognition of Large-Scale Software Structure Using the k-Core Analysis", Proceedings of the 2008 International Conference on Intelligent Information Hiding and Multimedia Signal Processing, Aug.2008, pp.954-957.
[46]C. R. Myers, "Software systems as complex networks:Structure, function, and evolvability of software collaboration graphs", J. Ohys. Rev. R,68,046116, 2003.
[47]G. Concas, M. Marchesi, S. Pinna, Power-laws in a large object-oriented software system, IEEE Transactions on Softwre Engineering, vol.33, pp. 687-708,2007.
[48]C. R. Myers, Software systems as complex networks:Structure, function, and evolvability of software collaboration graphs, Physical Review E, vol.68, pp. 046116,2003.
[49]G. A. Xu, Y. Gao, Y. N. Qi, J. H. Peng, X. J. Tang, Contrastive Analysis of Software Networks Based on Different Coupling Relationships, China Communications, Oct.2010, pp.74-80.
[50]Y. Gao, G. A. Xu, Y. X. Yang, X. X. Niu, S. Z. Guo, Empirical Analysis of Software Coupling Networks in Object-oriented Software Systems,2010 IEEE International Conference on Software Engineering and Service Science,2010, pp.178-181.
[51]G. A. Xu, Y. Gao, F. F. Liu, A. G. Chen, M. Zhang, Statistical Analysis of Software Coupling Measurement Based on Complex Networks,2008 International Seminar on Future Information Technology and Management Engineering,2008, pp.577-581.
[52]Haohua Zhang, Hai Zhao, Wei Cai, Jie Liu, et al. Using the k-core decomposition to analyze the static structure of large-scale software systems. The Journal of Supercomputing 2010,53(2):352-369.
[53]冯博.软件安全开发关键技术的研究和实现[D].[博士学位论文],北京, 北京邮电大学,2010.
[54]Wikipedia. "Cooperative Association for Internet Data Analysis", http://en.wikipedia.org/wiki/Cooperative_Association_for_Internet_Data_Anal ysis.
[55]Jun Zhang, Hai Zhao, Jiu-qiang Xu, et al. The K-Core Decomposition and Visualization of Internet Router-Level Topology,2009 World Congress on Computer Science and Information Engineering, pp.231-236,2009.
[56]Satnam S., Tu H., Allanach J., et al. Modeling threats [J]. Potentials, IEEE, 23(3):18-21,2004.
[57]Walden Charles James, Frank Rose E., et al. Teaching software security with threat modeling:conference workshop [M]. Vol.22:Consortium for Computing Sciences in Colleges, pp:119-120,2006.
[58]Torr P. Demystifying the threat modeling process [J]. Security & Privacy Magazine, IEEE,3(5):66-70,2005.
[59]Scott D.S., Eugene P.P., Lyn R.W. Case study in modeling and simulation validation methodology [A]. Proceedings of the 33nd conference on Winter simulation [C]. Arlington, Virginia:IEEE Computer Society,2001.
[60]Threat Modeling [Z]. http://msdn.microsoft.com/security/securecode/ threatmodeling/.
[61]DeCusatis C. Developing a Threat Model for Enterprise Storage Area Networks [A].2006.9-14.
[62]Johansson J.M. Network threat modeling [A].10.2003.
[63]Michael Howard, David LeBlanc. Writing Secure Code [M].2nd ed. Microsoft Press,2003.
[64]中华人民共和国信息产业部.YDT 1730-2008电信网和互联网安全风险评估实施指南[S].北京,人民邮电出版社,2008.
[65]Unified Modeling Language:Superstructure version 2.1 ptc/2006-04-02 [Z]. http://www.uml.org/.
[66]Unified Modeling Language:Infrastructure version 2.1 ptc/2006-04-03 [Z]. http://www.uml.org/.
[67]J. Arlow, I. Neustadt. UML2 and the Unified Porcess:Practical Object-Oriented Analysis and Design [M].2nd ed. Addison Wesley Press. 2005.
[68]Jan Jurjens. Sound methods and effective tools for model-based security engineering with UML [A]. Proceedings of the 27th international conference on Software engineering [C]. St. Louis, MO, USA,2005.
[69]Microsoft“威胁建模”,http://www.microsoft.com/china/technet/ security/guidance/secmod76.mspx#EPF.
[70]Microsoft“评估安全威胁”,http://msdn.microsoft.com/zh-cn/ library/ms172104(v=vs.80).aspx.
[71]Schneier B. Attack trees [J]. Dr. Dobbs Journal,1999,24(12):21-29.
[72]Braendeland G., St(?)len K., et al. Using model-based security analysis in component-oriented system development [A]. Proceedings of the 2nd ACM workshop on Quality of protection [C]. Alexandria, Virginia, USA:ACM Press, 2006.
[73]卢继军.网络攻击及其形式化建模的研究[D].[硕士学位论文],安徽,中国科学技术大学,2003.
[74]Moore A.P., Ellison R.J., Linger R.C. Attack Modeling for Information Security and Survivability [R].2001.
[75]张跃,邹寿平.模糊数学方法及应用[M].北京:煤炭工业出版社.1992.
[76]Smets P. The combination of evidence in the transferable belief model [J]. IEEE Transaction on Pattern Analysis and Machine Intelligence,1990,12(5): 447-458.
[77]Sentz K. Combination of Evidence in Dempster-Shafer Theory [M]. Binghamton University,2002.
[78]Liu Yanqiong, Chen Yingwu, Gao Feng, et al. Risk evaluation using evidence reasoning theory [C]//Proc of Proceedings of the Fourth International Conference on Machine Learning and Cybernetics. Guangzhou:IEEE,2005: 18-21.
[79]Gao Huisheng, Zhu Jing. Security risk assessment model of network based on D-S evidence theory [J]. Computer Engineering and Application, Beijing,2008, 44:754-759.
[80]张锼,慕德俊,任帅等.一种基于风险矩阵法的信息安全风险评估模型[J].计算机工程与应用,2010,46(5):93-95.
[81]Paul R., Garvey P.R., Lansdowne Z.F. Risk matrix:An approach for identifying, assessing, and ranking program risks [J]. Air Force Jourhal of Logistics.1998(25):16-19.
[82]Lansdowne Z.F., Woodward B.S. Applying the Borda method [J]. Air Force Journal of Logistics.1996,20:27-29.
[83]高凤丽.基于风险矩阵方法的风险投资项目风险评估研究[D].南京,南京理工大学,2004.
[84]Son H, Seong P. A software safety evaluation method based on fuzzy colored petrinets [C]//Proc of International Conference on Fuzzy Systems. Seoul Korea,1999,2:830-834.
[85]Wang J. A subjective modeling tool applied to formal ship safety assessment [J]. Ocean Engineering,200,27:1019-1035.
[86]顾孟钧.基于D-S证据理论的信息系统风险评估方法研究[D].[硕士学位论文],浙江,浙江工业大学,2008.
[87]刘芳.信息系统安全评估理论及其关键技术研究[D].国防科学技术大学.2005.
[88]彭祖赠.模糊(Fuzzy)数学及其应用[M].武汉:武汉大学出版社,2002:122-176
[89]肖龙,戴宗坤.信息系统风险的多级模糊综合评判模型[J].四川大学学报(工程科学版),2004,36(5):98-102.
[90]贺仲雄.模糊数学及其应用[M].天津:天津科学技术出版社,1985.
[91]汪楚娇,林果园.网络安全风险的模糊层次综合评估模型[J].武汉大学学 报:理学版.2006,52(5):622-626.
[92]G. Shafer, A Mathematical Theory of Evidence [M]. Princeton University Press, Princeton, New Jersey,1976.
[93]Prepared by:P. Ballal. "Dempster Shafer Theory," EE 5322:Intelligent Control Systems, Copyright F. F. Lewis 2004.
[94]Srivastava, R.P., Lu, H. Structural analysis of audit evidence using belief functions [J]. Fuzzy Sets and Systems,2002,131:107-120.
[95]Srivastava, R.P., Liu, L. Applications of belief functions in business decisions: A review [J]. Information Systems Frontiers,2003,5(4):359-378.
[96]Krishnamoorthy, G., Mock, T.J., Washington, M.T. A comparative evaluation of belief revision models in auditing [J]. Auditing:A Journal of Practice&Theory,1999,18(2):105-127.
[97]Denoeux T. Modelling vague belief using fuzzy-valued belief structures. Fuzzy Sets and Systems,2000,116:167-199.
[98]Denoeux T., Zouhal L.M. Handling possibilistic labels in pattern classification using evidential reasoning [J]. Fuzzy Sets and Systems,2001,122(3):409-424.
[99]段新生.证据理论与决策、人工智能[M].北京:中国人民大学出版社,1993:95-112.
[100]Dempster, A.P. A generalization of Bayesian inference (with discussion). Journal of the Royal Statistical Society Series B,1968,30(2):205-247.
[101]Bae H.R., Grandhi R.V., Canfield R.A. Sensitivity analysis of structural response uncertainty propagation using evidence theory [J]. Structural and Multidisciplinary Optimization.2006(4):P270-279.
[102]Wierman M. J. Measuring Conflict in Evidence Theory [C].//Proc of IFSA World Congress and 20th NAFIPS International Conference. Vancouver:IEEE, 2001:1741-1745.
[103]Smets P. The application of the matrix calculus to belief functions [J]. International Journal of Approximate Reasoning,2002,31:1-30.
[104]肖人彬,王雪,费奇等.相关证据合成方法的研究[J].模式识别与人工智能.9:227—234,1993.
[105]孙怀江,杨静宇.一种相关证据合成方法[J].计算机学报.9:1004-1007,1999.
[106]肖志宏,罗志增,叶明.用证据理论实现多信息融合的一种改进算法[J].机器人.1:7-11,2000.
[107]R.R.Yager. On the Dempster-Shafer framework and new combination rules. Information Science,41,1987,93-137.
[108]T.Inagaki. Interdependence between safety-control police and multiple-sensor schemes via Dempster-Shafer theory. IEEE Transactions on Reliability,40(2), 1991,182-188.
[109]向阳,史习智.证据理论合成发展的一点修正[J].上海交通大学学报.1999,33(3):P357-360.
[110]邓勇,施文康.一种改进的证据推理组合规则[J].上海交通大学学报.2003,37(8):P1275-1278.
[111]杜峰,施文康,邓勇.证据特征提取及其在证据理论改进中的应用[J].上海交通大学学报.2004,38(增刊):P164-168.
[112]孙全,叶秀清,顾伟康.一种新的基于证据理论的合成公式[J].电子学报,2000,28(8):P117-119.
[113]刁联旺,李勇智,杨静宇.证据推理的决策问题[J].计算机工程与应用.2003,82-85.
[114]罗志增,叶明.用证据理论实现相关信息的融合明.电子与信息学报.2001,23(10):970-974.
[115]Leefvre E., Colot O. Belief function combination and conflict management [J]. Information Fusion.2002,3(2):P149-162.
[116]朱静.基于D-S证据理论的网络安全风险评估模型[D].[硕士学位论文],河北,华北电力大学,2008.
[117]李弼程,王波,魏俊等.一种有效的证据理论合成公式[J].数据采集与处理.2002,(17):33-36.
[118]余二永,王润生,徐学文.基于预处理模式的D-S证据理论改进方法[J].模式识别与人工智能.2007,20(5):711-715.
[119]桑圣玉.信息系统安全等级符合性检验系统的设计与实现[D].[硕士学位论文],北京,北京邮电大学,2011.
[120]徐国爱,郭燕慧,马健丽等.国家发明专利:基于硬盘的主机防客体重用性能的检测装置及其检测方法.专利申请号:201010133772.4.
[121]NIST. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. Special Publication 800-22 Revision 1a.2010.
[122]徐国爱,张淼,马健丽等.国家发明专利:一种基于随机性分析的数据加密功能的检验方法.专利申请号:201010158231.7.