
Study On The Risk Assessment Quantitative Method Of Information Security

Posted on: 2008-11-14    Degree: Doctor    Type: Dissertation
Country: China    Candidate: D M Zhao    Full Text: PDF
GTID: 1118360242978283    Subject: Computer application technology

Abstract/Summary:
With the rapid development of information technology, information systems have been widely applied in government, national defence, the economic sphere etc., and the operation of society depends more and more on them. The security of information systems is therefore increasingly tied to economic development and national defence. Evaluating risk effectively, selecting effective defence measures and actively defending against information threats are thus the key points in resolving the security problems of information systems.

Based on the actual requirements and current state of risk assessment of information security, we integrate research results from AHP (analytic hierarchy process), fuzzy mathematics, artificial neural networks (ANN) and wavelet analysis etc. and apply them to the study of risk assessment of information security, supported by the "863" National High Technology Development Program project "Study on risk analysis and assessment methods of system security" (No. 2002AA142151) and the Hebei province science and technology key program project "Study on model of risk assessment of information system security" (No. 042135127). We start with the key problems in the process of risk assessment of information security, then study quantitative methods of risk assessment of information security, and finally test these methods by means of case analysis, to provide theoretical and technical support for risk assessment of information security.

The main contributions of this dissertation are as follows:

(1) Key problems and their solutions during the risk assessment process: Several points of view are given. To keep the integrity of the information system, a security framework model is constructed. For identifying information assets, the asset group is taken as the unit so as to decrease the workload of asset identification. For asset valuation, because the weights assigned to confidentiality, integrity and availability (CIA) differ for dissimilar assets, a split assignment method of CIA is proposed. For threat identification, how to obtain threats and how to determine the possibility of threats are put forward. For vulnerability evaluation, the potential new risks introduced during vulnerability evaluation are analysed and corresponding counter-measures are brought forward.

(2) Risk assessment method based on Fuzzy-AHP: Given the uncertainty of risk assessment of information security and the subjectivity of current methods, the Fuzzy-AHP method is proposed to integrate subjective and objective methods of evaluating risk factors. By improving AHP and the fuzzy evaluation method and combining them, the probability and effect of risk are analysed so that the risk level of each risk factor can be determined and risk control advice can be given. Simulation examples show that the evaluation results accord with reality and that the method is effective and operable.

(3) Risk assessment method based on information entropy: Because effective ways of assessing the risk level of a whole information system are currently lacking, we apply information entropy to risk assessment of information security. The definition of risk degree, a combined estimate of the probability and impact of risk, is given first, to scale the risk degree of the whole information system. Since evaluations of the probability and impact of risk are fuzzy, the risk factors are evaluated by the fuzzy comprehensive evaluation method. In this method the weight of each risk is obtained by an entropy-weight coefficient, so the subjectivity of expert assignment can be overcome. The risk degree is obtained by combining fuzzy comprehensive evaluation with information entropy, to measure the risk degree of the information system. The given examples show the application of this method.

(4) Risk assessment method based on a fuzzy-wavelet neural network: Focused on the uncertainty and complexity of risk assessment of information security and the limitations of current methods, an ANN is applied to risk assessment. A risk assessment method based on fuzzy-ANN is proposed. First, the ANN is applied to evaluating the risk factors of an information system; in this step the inputs of the ANN are pre-treated, i.e. the output of the fuzzy system is taken as the input of the ANN. The trained ANN can estimate the degree of a risk factor in real time. Then a wavelet neural network (WNN) model for risk assessment of information systems is put forward. In this model, nonlinear wavelet bases are taken as the neuron activation functions, and the wavelet basis function of each neuron is determined by a contraction-expansion (scale) factor and a translation factor, so that the WNN can be formed. After training, this model can evaluate the risk factors of information security. Experiments show that the WNN has better learning ability and higher precision than the ANN.

(5) Risk assessment case: Through case analysis, the application of risk assessment in practice is shown, together with the test and comparison of each method studied in this dissertation. The case analysis shows that all the methods studied accord with actual evaluation results.
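As an added illustration of the entropy-weight fuzzy comprehensive evaluation described in contribution (3), the following is example code written for this page, not the dissertation's own implementation. The factor names, membership matrix and grade values are constructed, and the standard entropy-weight coefficient formulation (normalized Shannon entropy of each factor's membership vector, weight proportional to 1 minus that entropy, weighted-average composition, then defuzzification against grade values) is assumed, since the page does not give the dissertation's formulas.

```python
import math
from typing import List, Sequence, Tuple

# Constructed grade set: five risk levels and the numeric value used to
# defuzzify a fuzzy evaluation vector into a single risk degree (assumption).
GRADE_LABELS = ("very low", "low", "medium", "high", "very high")
GRADE_VALUES = (1.0, 2.0, 3.0, 4.0, 5.0)

# Constructed example: three risk factors of a hypothetical information
# system, each rated by experts as a membership vector over the five grades
# (rows sum to 1). Names are placeholders, not findings from any real system.
FACTORS = ("weak_authentication", "unpatched_service", "no_offsite_backup")
R = [
    [0.0, 0.1, 0.2, 0.4, 0.3],   # experts mostly rate this high / very high
    [0.5, 0.3, 0.2, 0.0, 0.0],   # experts mostly rate this low
    [0.2, 0.2, 0.2, 0.2, 0.2],   # experts disagree completely: no information
]


def normalize_row(row: Sequence[float]) -> List[float]:
    """Scale a membership vector so it sums to 1 (guards non-normalized input)."""
    total = sum(row)
    if total <= 0:
        raise ValueError("membership vector must have positive mass")
    return [x / total for x in row]


def entropy(memberships: Sequence[float]) -> float:
    """Normalized Shannon entropy in [0, 1] of one factor's membership vector.

    0 * ln 0 is taken as 0. A vector concentrated on one grade has entropy 0
    (experts agree); a uniform vector has entropy 1 (experts carry no signal).
    """
    p = normalize_row(memberships)
    h = -sum(x * math.log(x) for x in p if x > 0.0)
    return h / math.log(len(p))


def entropy_weights(matrix: Sequence[Sequence[float]]) -> List[float]:
    """Entropy-weight coefficient: w_i proportional to (1 - H_i).

    Factors whose evaluations are concentrated get more weight, replacing a
    subjective expert weighting with one derived from the data itself.
    """
    diffs = [1.0 - entropy(row) for row in matrix]
    total = sum(diffs)
    if total <= 1e-12:
        # Edge case: every factor is uniformly spread, so entropy cannot
        # separate them; fall back to equal weights rather than divide by ~0.
        return [1.0 / len(matrix)] * len(matrix)
    return [d / total for d in diffs]


def fuzzy_composite(weights: Sequence[float],
                    matrix: Sequence[Sequence[float]]) -> List[float]:
    """Weighted-average composition operator M(., +): b_j = sum_i w_i * r_ij."""
    n_grades = len(matrix[0])
    return [sum(w * row[j] for w, row in zip(weights, matrix))
            for j in range(n_grades)]


def risk_degree(weights: Sequence[float],
                matrix: Sequence[Sequence[float]],
                grade_values: Sequence[float] = GRADE_VALUES) -> float:
    """Defuzzify the composite vector into one scalar risk degree."""
    b = fuzzy_composite(weights, matrix)
    return sum(bj * v for bj, v in zip(b, grade_values))


def risk_label(degree: float) -> str:
    """Map a scalar degree back to the nearest grade label."""
    idx = min(max(int(round(degree)) - 1, 0), len(GRADE_LABELS) - 1)
    return GRADE_LABELS[idx]


def assess(matrix: Sequence[Sequence[float]] = R) -> Tuple[List[float], float, str]:
    """Run the whole pipeline and return (weights, risk degree, label)."""
    w = entropy_weights(matrix)
    d = risk_degree(w, matrix)
    return w, d, risk_label(d)


if __name__ == "__main__":
    weights, degree, label = assess()
    for name, w in zip(FACTORS, weights):
        print(f"{name:22s} weight = {w:.4f}")
    print(f"system risk degree = {degree:.3f} ({label})")
```

The uniform third factor receives a weight of zero: its experts carried no information, so it neither raises nor lowers the system degree. The result is driven by the two factors the experts could actually discriminate, which is the point of replacing hand-assigned expert weights with entropy-derived ones.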
Keywords/Search Tags: Information Security, Risk Assessment, Fuzzy-AHP method, Entropy, Wavelet Neural Network