CN101470779A - Fuzzy risk evaluation system and method for computer information security - Google Patents
- Publication number
- CN101470779A
- Authority
- CN
- China
- Prior art keywords
- risk
- fuzzy
- matrix
- key element
- assessment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to a fuzzy risk evaluation system and method for a computer information system. The system comprises: a fuzzy risk matrix calculator, which calculates the fuzzy grade membership degree of each assessment element from the user's risk judgment of that element and combines the membership vectors of all assessment elements into a fuzzy risk matrix; a comprehensive risk calculator, which calculates the fuzzy risk of the whole system from the fuzzy risk matrix of all assessment elements and the weight vector of the assessment elements; and a system risk quantizer, which calculates the deterministic risk value of the whole system from the comprehensive fuzzy risk of the system and the risk level standard. The advantage of the invention is that, by fully considering the relationships among the assessment elements and introducing fuzzy calculation techniques, a membership table and a weight table are established for each element, thereby reducing subjective factors and improving the objectivity and fairness of the evaluation results.
Description
Technical field
The present invention relates to a fuzzy risk evaluation system and method for computer information security. It belongs to the field of information security and specifically concerns information security risk assessment.
Background art
Existing approaches to information system security assessment fall roughly into four classes: security audit, risk analysis, the Systems Security Engineering Capability Maturity Model (SSE-CMM), and security evaluation. The risk analysis model assesses security from the standpoint of risk control and derives a measure of network system security through probability statistics; security evaluation assesses the system mainly from the standpoint of security technology and function; security audit, the SSE-CMM model and similar risk assessment methods each address only one aspect of system security and focus only on practice standards for assessing network system security. In actual assessments, the assessor usually takes a decomposition approach: a complex assessment object is divided into several relatively simple assessment elements, and the risk of the object is then derived from the assessment results of the individual elements. Because the decomposition into elements is subjective and arbitrary and a unified, systematic security assessment framework is lacking, the assessment criteria and indicators in these methods are difficult to quantify.
To reduce the human factor as far as possible, the present invention proposes a quantitative security assessment method that fully takes into account the relationships between the assessment elements. By introducing fuzzy calculation techniques, it establishes a membership table and a weight table for each element, thereby reducing subjective factors and making the assessment result as objective and fair as possible.
Summary of the invention
To overcome the deficiencies of the prior art, the invention provides a fuzzy risk evaluation system and method for computer information security.
The technical solution adopted by the present invention to solve its technical problem is as follows.
For the case where an assessment object can be decomposed into several assessment elements (or sub-objects), the present invention provides a method for obtaining the fuzzy risk of the assessment object from the assessment results of the individual assessment elements (or sub-objects). Specifically, the invention comprises:
A fuzzy risk evaluation system for a computer information system, comprising:
a fuzzy risk matrix calculator, which calculates the fuzzy grade membership degree of each assessment element from the user's risk judgment of that element and combines the membership vectors of all assessment elements into a fuzzy risk matrix;
a comprehensive risk calculator, which calculates the fuzzy risk of the whole system from the fuzzy risk matrix of all assessment elements output by the fuzzy risk matrix calculator and the weight vector of the assessment elements input by the user;
a system risk quantizer, which calculates the deterministic risk value of the whole system from the comprehensive fuzzy risk output by the comprehensive risk calculator and the risk level standard established by the user.
The fuzzy risk matrix calculator is connected to the comprehensive risk calculator; the comprehensive risk calculator is connected to the system risk quantizer.
A fuzzy risk evaluation method for a computer information system, comprising the following steps: establishing the risk impact grading standard, decomposing the object and establishing weights, establishing the fuzzy risk matrix, calculating the fuzzy comprehensive risk, and quantizing the comprehensive risk.
A fuzzy risk evaluation method for a computer information system, comprising:
a fuzzy risk matrix calculation step;
a comprehensive risk calculation step;
a system risk quantization step.
Beneficial effect of the present invention: the invention fully takes into account the relationships between the assessment elements and, by introducing fuzzy calculation techniques, establishes a membership table and a weight table for each element, thereby reducing subjective factors and improving the fairness of the assessment result.
Description of drawings
Fig. 1 is a workflow diagram of the present invention.
Fig. 2 is a system architecture diagram of the present invention.
The implementation of the invention is further described below with reference to the drawings.
Embodiment
Embodiment 1:
A fuzzy risk evaluation system for a computer information system (see Fig. 2) has a fuzzy risk matrix calculator which, from the user's risk judgment of an assessment element, calculates the fuzzy grade membership degree of that element. It has the following inputs:
1) the assessment element identifier (ID),
2) the grade judgment vector of the assessment element $(d_1, d_2, \ldots, d_n)$, where $d_i$ is the estimated score ($0 \le d_i \le 10$) that the assessment element belongs to grade $i$ ($0 \le i \le n$, where $n$ is the number of risk standard grades set by the user).
For each assessment element, the output is the fuzzy grade membership vector of that element. If there are $k$ assessment elements, a $k \times n$ fuzzy matrix is obtained, denoted the fuzzy risk matrix $R$.
If the risk level standard set by the user is the 7-grade scale $\{0, 0.1, 0.3, 0.5, 0.7, 0.9, 1\}$, the main components are implemented as follows:
1. Embodiment of the fuzzy risk matrix calculator:
Let the risk grade vector input by the user be $\{d_1, d_2, \ldots, d_7\}$, where $d_i$ is the estimated membership score ($0 \le d_i \le 10$) of the assessment element for grade $i$ of the 7 risk grades of the risk impact standard. The fuzzy risk matrix of that assessment element is then $\{r_1, r_2, \ldots, r_7\}$, where $r_i$ is calculated by the following method:
If there are $k$ assessment elements, a $k \times 7$ fuzzy matrix is obtained, denoted the fuzzy risk matrix $R$;
2. Embodiment of the comprehensive risk calculator. Its calculation of the comprehensive risk comprises the following steps:
Calculate $B = W \times R$;
where $B$ is the fuzzy comprehensive assessment result, a $1 \times 7$ matrix $B = \{b_1, b_2, b_3, b_4, b_5, b_6, b_7\}$ in which $b_i$ represents the degree to which the final comprehensive assessment result belongs to the $i$-th risk grade; $W$ is the weight vector of the assessment elements, and $R$ is the fuzzy risk matrix of the assessment elements output by the fuzzy risk matrix calculator.
3. Embodiment of the system risk quantizer. Its method of quantizing the system risk comprises the following steps:
Calculate $U = B \times S$;
where $U$ is the final numerical result of the comprehensive risk; $S = \{0, 0.1, 0.3, 0.5, 0.7, 0.9, 1\}^T$ is the risk level standard (a column vector) established by the user; and $B$ is the fuzzy comprehensive assessment result output by the comprehensive risk calculator, a $1 \times 7$ matrix $B = \{b_1, b_2, b_3, b_4, b_5, b_6, b_7\}$.
Embodiment 2:
As shown in Fig. 1, a concrete assessment process is as follows:
1. Establish the risk level standard.
First, define 7 risk grades as shown in Table 1.
Table 1: Risk level standard
Grade factor | Grade symbol | Description |
---|---|---|
0 | $S_1$ | Negligible. The occurrence of a risk event has almost no effect on the system. |
0.1 | $S_2$ | Minor. There is an effect, but it is very small. Once a risk event occurs, it causes at most a 10% loss of value. |
0.3 | $S_3$ | Slightly noticeable. A change to the system can be perceived, but it is not very serious. Once a risk event occurs, it causes at most a 30% loss of value. |
0.5 | $S_4$ | Medium. May damage the system's reputation or reduce trust in system resources or services, and requires paying significant resource maintenance costs. Once a risk event occurs, it can cause a 50% loss of value. |
0.7 | $S_5$ | Serious. May cause the interruption of an important system and damage commercial trust. Once a risk event occurs, it may cause a 70% loss of value. |
0.9 | $S_6$ | Very serious. May cause the interruption of an important system, or heavy loss of customer service or commercial trust. Once a risk event occurs, it may cause a 90% loss of value. |
1 | $S_7$ | Critical. May cause the system to be interrupted continuously or shut down permanently, and may cause heavy loss of proxy information or services. Once a risk event occurs, the loss of value is close to 100%. |
2. Decompose the object and establish the weight vector.
In general, the information system to be assessed is a composite system made up of multiple modules. Following the principle of proceeding from simple to complex, the assessment object is first decomposed into several relatively independent assessment elements. When an assessment object is decomposed into several assessment elements, the elements are generally not all equally important, so the weights of the different assessment elements need to be determined. In assessing each element, the importance weights of these assessment elements are calculated by the analytic hierarchy process. If there are $k$ assessment elements, a $k$-dimensional weight vector $W = \{w_1, w_2, \ldots, w_k\}$ is obtained, wherein
3. Establish the fuzzy risk matrix.
Each individual element is assessed separately and, from the assessment result of each element, the membership degree of that element in each of the 7 grades of the risk standard is determined. Let the risk grade vector input by the user be $\{d_1, d_2, \ldots, d_7\}$, where $d_i$ is the estimated membership score ($0 \le d_i \le 10$) of the assessment element for grade $i$ of the 7-grade risk level standard. The fuzzy risk matrix of that assessment element is then $\{r_1, r_2, \ldots, r_7\}$, where $r_i$ is calculated by the following method:
In this way, for $k$ assessment elements, a $k \times 7$ fuzzy matrix is obtained, denoted the fuzzy risk matrix $R$.
4. Calculate the comprehensive risk.
After the individual evaluations have been carried out and the weights assigned, a fuzzy risk matrix $R$ and a weight vector $W$ covering all assessment elements are obtained. The fuzzy comprehensive evaluation model is then $B = W \times R$, where $B$ is the fuzzy comprehensive assessment result, a $1 \times 7$ matrix $B = \{b_1, b_2, b_3, b_4, b_5, b_6, b_7\}$ in which $b_j$ represents the degree to which the final comprehensive assessment result belongs to the $j$-th risk grade. In this way, a result in the form of a fuzzy evaluation is finally obtained.
5. Quantize the comprehensive risk.
If the comprehensive assessment result is to be quantized, calculate $U = B \times S$ as the final numerical result of the comprehensive risk, where $S = \{0, 0.1, 0.3, 0.5, 0.7, 0.9, 1\}^T$ is the risk grade definition (a column vector; see Fig. 2).
If a finer grading is desired, the grading standard can be defined using 9 grades.
In the definitions above, the dependencies among the assessment objects and their relative importance are taken into account, and the evaluation result of the composite object is synthesized from the fuzzy risk matrix and the weight matrix.
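The three calculators of the embodiments (fuzzy risk matrix $R$, $B = W \times R$, $U = B \times S$) chained together, as an added Python example that is not part of the patent text. The formula for $r_i$ did not survive on this page, so sum-normalisation is assumed; the geometric-mean form of the analytic hierarchy process, the function names and the three sample elements with their scores are likewise constructed for illustration.

```python
from math import prod

# 7-grade risk level standard S (grade factors of Table 1).
S7 = [0.0, 0.1, 0.3, 0.5, 0.7, 0.9, 1.0]


def membership_vector(d):
    """Map one element's grade scores d_i (0..10) to memberships r_i.

    ASSUMPTION: the page does not reproduce the formula for r_i, so
    sum-normalisation r_i = d_i / sum(d) is used here.
    """
    if any(not 0 <= x <= 10 for x in d):
        raise ValueError("each score d_i must lie in [0, 10]")
    total = sum(d)
    if total == 0:
        raise ValueError("at least one grade needs a non-zero score")
    return [x / total for x in d]


def fuzzy_risk_matrix(scores):
    """Stack the membership vectors of k elements into the k x n matrix R."""
    n = len(scores[0])
    if any(len(row) != n for row in scores):
        raise ValueError("every element needs one score per risk grade")
    return [membership_vector(row) for row in scores]


def ahp_weights(pairwise):
    """Weight vector W from an AHP pairwise-comparison matrix.

    ASSUMPTION: the geometric-mean approximation, normalised to sum to 1,
    is this example's choice; the page only names the method.
    """
    k = len(pairwise)
    for i in range(k):
        for j in range(k):
            a, b = pairwise[i][j], pairwise[j][i]
            # A valid comparison matrix is positive and reciprocal.
            if a <= 0 or abs(a * b - 1) > 1e-9:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) are not reciprocal")
    means = [prod(row) ** (1.0 / k) for row in pairwise]
    return [m / sum(means) for m in means]


def comprehensive_risk(W, R):
    """B = W x R: membership of the whole system in each risk grade."""
    if len(W) != len(R):
        raise ValueError("W needs exactly one weight per row of R")
    return [sum(w * row[j] for w, row in zip(W, R)) for j in range(len(R[0]))]


def quantize(B, S=S7):
    """U = B x S: the single deterministic risk value."""
    if len(B) != len(S):
        raise ValueError("B and S must cover the same grades")
    return sum(b * s for b, s in zip(B, S))


def example():
    """Constructed sample: three hypothetical elements, 7 grade scores each."""
    scores = [
        [0, 0, 1, 2, 5, 2, 0],   # element A: mostly "serious"
        [0, 2, 5, 3, 0, 0, 0],   # element B: mostly "slightly noticeable"
        [5, 5, 0, 0, 0, 0, 0],   # element C: negligible to minor
    ]
    # A is twice as important as B and four times as important as C.
    pairwise = [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]]
    W = ahp_weights(pairwise)
    B = comprehensive_risk(W, fuzzy_risk_matrix(scores))
    return W, B, quantize(B)


if __name__ == "__main__":
    W, B, U = example()
    print("W =", [round(w, 4) for w in W])
    print("B =", [round(b, 4) for b in B])
    print("U =", round(U, 4))
```

For the constructed sample, $U \approx 0.476$, which lies between the grade factors 0.3 and 0.5 of Table 1.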
Claims (8)
1. A fuzzy risk evaluation system for a computer information system, characterized by comprising:
a fuzzy risk matrix calculator, which calculates the fuzzy grade membership degree of each assessment element from the user's risk judgment of that element and combines the membership vectors of all assessment elements into a fuzzy risk matrix;
a comprehensive risk calculator, which calculates the fuzzy risk of the whole system from the fuzzy risk matrix of all assessment elements and the weight vector of the assessment elements;
a system risk quantizer, which calculates the deterministic risk value of the whole system from the comprehensive fuzzy risk of the system and the risk level standard;
wherein the fuzzy risk matrix calculator is connected to the comprehensive risk calculator, and the comprehensive risk calculator is connected to the system risk quantizer.
2. The fuzzy risk evaluation system for a computer information system as claimed in claim 1, characterized in that the fuzzy risk matrix calculator calculates the fuzzy grade membership degree of an assessment element from the user's risk judgment of that element, and has the following inputs:
1) the assessment element identifier (ID),
2) the grade judgment vector of the assessment element $(d_1, d_2, \ldots, d_n)$, where $d_i$ is the estimated score ($0 \le d_i \le 10$) that the assessment element belongs to grade $i$ ($0 \le i \le n$, where $n$ is the number of risk standard grades set by the user),
For each assessment element, the output is the fuzzy grade membership vector of that element; if there are $k$ assessment elements, a $k \times n$ fuzzy matrix is obtained, denoted the fuzzy risk matrix $R$.
3. The fuzzy risk evaluation system for a computer information system as claimed in claim 1, characterized in that the comprehensive risk matrix calculator calculates the fuzzy risk of the whole system from the fuzzy risk matrix of all assessment elements and the weight vector of the assessment elements, and has the following inputs:
1) the fuzzy risk matrix $R$,
2) the weight vector $W$ of the assessment elements,
Its output is a $1 \times n$ matrix $(b_1, b_2, \ldots, b_n)$, where $b_i$ represents the degree to which the system risk belongs to grade $i$ ($0 \le i \le n$).
4. The fuzzy risk evaluation system for a computer information system as claimed in claim 1, characterized in that the system risk quantizer calculates the deterministic risk value of the whole system from the comprehensive fuzzy risk of the system and the risk level standard; its input is the fuzzy risk matrix of the system $(b_1, b_2, \ldots, b_n)$ and the risk level standard $S$, and its output is the deterministic risk value of the system.
5. A fuzzy risk evaluation method for a computer information system, comprising the following steps: establishing the risk impact grading standard, decomposing the object and establishing weights, establishing the fuzzy risk matrix, calculating the fuzzy comprehensive risk, and quantizing the comprehensive risk.
6. The fuzzy risk evaluation method for a computer information system as claimed in claim 5, characterized in that the fuzzy risk matrix calculation establishes the fuzzy risk matrix by the following steps:
Let the risk grade vector input by the user be $\{d_1, d_2, \ldots, d_n\}$, where $d_i$ is the estimated membership score ($0 \le d_i \le 10$) of the assessment element for grade $i$ of the $n$ risk grades of the risk impact standard; the fuzzy risk matrix of that assessment element is then $\{r_1, r_2, \ldots, r_n\}$, where $r_i$ is calculated by the following step:
If there are $k$ assessment elements, a $k \times n$ fuzzy matrix is obtained, denoted the fuzzy risk matrix $R$.
7. The fuzzy risk evaluation method for a computer information system as claimed in claim 5, characterized in that the comprehensive risk calculation computes the comprehensive fuzzy risk by the following steps:
If, after the individual evaluations have been carried out and the weights assigned, the fuzzy risk matrix obtained is $R$ and the weight vector is $W$, the fuzzy comprehensive evaluation model is:
$B = W \times R$;
where $B$ is the fuzzy comprehensive assessment result, a $1 \times n$ matrix $B = \{b_1, b_2, \ldots, b_n\}$ in which $b_i$ represents the degree to which the final comprehensive assessment result belongs to the $i$-th risk grade; $W$ is the weight vector of the assessment elements, and $R$ is the comprehensive fuzzy risk matrix of the assessment elements.
8. The fuzzy risk evaluation method for a computer information system as claimed in claim 5, characterized in that the system risk quantization quantizes the comprehensive risk by the following steps:
Calculate $U = B \times S$;
where $U$ is the final numerical result of the comprehensive risk; $S = \{s_1, s_2, \ldots, s_n\}^T$ is the risk level standard (a column vector); and $B$ is the fuzzy comprehensive assessment result, a $1 \times n$ matrix $B = \{b_1, b_2, \ldots, b_n\}$.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200710303984 CN101470779A (en) | 2007-12-24 | 2007-12-24 | Fuzzy risk evaluation system and method for computer information security |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101470779A true CN101470779A (en) | 2009-07-01 |
Family
ID=40828245
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200710303984 Pending CN101470779A (en) | 2007-12-24 | 2007-12-24 | Fuzzy risk evaluation system and method for computer information security |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101470779A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |
Open date: 20090701 |