
Research On Key Technologies Of Business Operation-oriented Application Security Evaluation For Information System

Posted on: 2017-12-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: D C Wang
Full Text: PDF
GTID: 1318330518999282
Subject: Computer Science and Technology
Abstract/Summary:
The structure of business information systems and the complexity of their operating environments pose multiple challenges to the evaluation of system operation security, and the heterogeneous and dynamic character of business systems makes that evaluation harder still. Traditional evaluation approaches suit well-structured information systems whose network bearer services are simple and controllable, but as business diversity and system accessibility grow, application-level problems affect system operation and pose greater threats to its security. Studies of the evaluation of system business security are therefore urgently required. Existing research exhibits several problems: the evaluation target is not effectively connected to the business flow, the indicator system for measuring the security condition of business applications is imperfect, evaluation approaches lack support for user-operation traceability and data auditability, and evaluation results are hard to interpret. These problems stem, on the one hand, from not treating the business system and its characteristics as the principal research target and, on the other, from paying insufficient attention to the security support that improves system business capability. The consequences are incomplete construction and analysis of evaluation factors, an ineffective connection between business bearer services and security support, and a failure to evaluate the security of the system's applications as a whole.

Aiming at the security of business operation systems, this dissertation studies business logic security, business system security, and business authority security. Taking the network environment of complex information systems as the research background and service-based business flow as the research target, it studies an application security model oriented to business operation and the evaluation of user authority attributes; constructs, with engineering feasibility in mind, an evaluation model that collects evidence of user behavior and brings the security services provided by system-deployed security components into a combined service; explores, on the premise that the correctness of the system's business is preserved, how to construct a transitional operation set of security services and analyze business users' behavior in order to identify the security efficiency of the system's business; and proposes an application security index, on the basis of which the quantitative calculation of each evaluation element is modelled and implemented algorithmically. It also studies the quantitative evaluation of the system's operation as a whole and provides a security evaluation system oriented to the system's business operation. Together these lay a solid foundation for analyzing the system's application security and dynamically adjusting the suitability of security strategies, and thereby reach the ultimate goal of improving business capability.

First, in order to study the elements and methods of system security evaluation oriented to business operation, this dissertation proposes a business-flow-based application security model founded on BPEs. By analyzing the elements of the business flow, an information system model based on business flow is established, and security attributes are assigned to business-flow elements according to the security requirements of the business targets. A consistency check of the elements' security targets is then conducted to ensure the security target value of the business. Since the system's infrastructure bears the operation elements, the security strategies it provides manifest as interactions between elements oriented to the business flow; the application security model is therefore constructed through formalized description, laying the foundation for the following chapters.

Second, this dissertation researches the security of business authority, targeting business user behavior and dynamic evidence collection. Taking cloud-model theory as its basis, it constructs an evaluation model of business user behavior and completes a quantitative description and evaluation. By applying Trojan technology, it also proposes an evaluation model of dynamic evidence collection that records business user behavior simultaneously and covertly and ensures that the acquired information is fed back to the collection controller. Simulated tests verify that this model can rationally evaluate the business user behavior of complex information systems, record that behavior simultaneously and covertly, and feed the acquired information back to the collection controller. In sum, the evaluation model of dynamic evidence collection based on business user behavior is the foundation for analyzing the standardization of the system's business operation.

Third, this dissertation takes the business flow within the business system as the research target and studies the transit security evaluation of business flow based on the service mix. It explores the functioning principle of the service mix and analyzes the association between the mix's service quality and the system's business efficiency. Drawing on the characteristics of the business flow and focusing on the analysis of the system-deployed security facilities, it assigns security service behavior into business services, which solves the security evaluation problem of business operation. On the premise that the structural correctness of the business flow is preserved, emphasis is placed on constructing the transit operation set of security services so that security strategies can be adjusted. Using the existing execution records of the service mix and the component-service redundancy routes produced by the logical structure, it studies the rational reconstruction of security components, builds a security service transit operation set to identify the security efficiency of the system's business, proposes an approach to ensure the rational reconstruction of security components, and specifies the business efficiency index of applied security and the security measurement of business flow-path facilities.

Finally, this dissertation focuses on the scaling and quantitative evaluation of applied security. To achieve completeness of the security situation in system operation, it brings the business efficiency index into the existing index evaluation system of the information security situation and proposes a comprehensive evaluation approach for the applied security of information systems oriented to business operation. This approach comprises three parts. First, the existing business efficiency index is analyzed, using a large amount of indeterminate descriptive data (real-valued, interval and linguistic data) to prevent loss of effective data, and the system's business efficiency index is acquired by BECM. Second, addressing the characterization demands of massive systems, a network applied-security risk index system oriented to business flow is constructed using traditional methodology, the risk of each system unit is calculated by fuzzy hierarchy and information entropy so as to monitor the network applied-security risk, and multiple systems are combined to produce the applied information security index. Third, since the system's security risk situation, operation stability situation and other factors are incommensurable, which is the key source of uncertainty in the system's overall security situation, a linguistic-value security calculation model based on a linguistic truth-valued lattice-valued logic system is designed to evaluate the constructed index system; it yields system security situation values for a mixed index with multiple elements such as user behavior, business efficiency and applied security risk. A complete information system security situation is thereby obtained, which improves the accuracy with which changes in the system situation are captured, and whose straightforward conclusions greatly help analysis and decision-making about the security situation of massive systems.
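The abstract names "fuzzy hierarchy and information entropy" as the tools for computing per-unit risk and then combining units into an applied information security index, but gives no formulas. The following is an added worked example, not code from the dissertation: it implements the standard entropy-weight method (indicator weights derived from how much each indicator varies across units) and a weighted-sum unit risk score. The indicator names, the scores, and the choice of a plain mean as the combined index are all constructed assumptions; the fuzzy-hierarchy layering of indicators is not shown.

```python
import math

# Constructed sample data (not from the dissertation): rows are system units,
# columns are risk indicators scored 0-10, higher meaning more risk.
# "config_drift" is deliberately identical across units to show how an
# indicator that does not discriminate between units receives zero weight.
INDICATORS = ["unpatched_vulns", "config_drift", "failed_logins"]
UNITS = {
    "web_frontend": [8, 6, 5],
    "app_server":   [2, 6, 3],
    "db_cluster":   [4, 6, 1],
}


def normalize(matrix):
    """Min-max normalise every column to [0, 1].

    All indicators here are risk-type (larger = worse), so the plain
    (x - min) / (max - min) form is used; a constant column maps to 0.
    """
    cols = list(zip(*matrix))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [
        [0.0 if hi[j] == lo[j] else (v - lo[j]) / (hi[j] - lo[j])
         for j, v in enumerate(row)]
        for row in matrix
    ]


def entropy_weights(matrix):
    """Entropy-weight method (standard formulation, assumed here).

    For indicator j: p_ij = x_ij / sum_i x_ij, e_j = -k * sum_i p_ij ln p_ij
    with k = 1 / ln m (m = number of units), d_j = 1 - e_j and
    w_j = d_j / sum_j d_j.  Indicators that vary more across units carry
    more information and get larger weights; a constant indicator gets 0.
    """
    norm = normalize(matrix)
    m, n = len(norm), len(norm[0])
    if m < 2:
        raise ValueError("need at least two units to compare")
    k = 1.0 / math.log(m)
    divergence = []
    for j in range(n):
        col = [row[j] for row in norm]
        total = sum(col)
        if total == 0.0:            # constant column: carries no information
            divergence.append(0.0)
            continue
        # terms with p_ij == 0 contribute 0 (0 * ln 0 is taken as 0)
        e = -k * sum((v / total) * math.log(v / total) for v in col if v > 0)
        divergence.append(1.0 - e)
    d_sum = sum(divergence)
    if d_sum == 0.0:                # nothing discriminates: equal weights
        return [1.0 / n] * n
    return [d / d_sum for d in divergence]


def unit_risk_scores(units, weights):
    """Weighted sum of each unit's normalised indicators, in [0, 1]."""
    names = list(units)
    norm = normalize([units[name] for name in names])
    return {name: sum(w * v for w, v in zip(weights, row))
            for name, row in zip(names, norm)}


def combined_index(scores):
    """Combine per-unit risk into one index (assumption: plain mean)."""
    return sum(scores.values()) / len(scores)


if __name__ == "__main__":
    w = entropy_weights(list(UNITS.values()))
    scores = unit_risk_scores(UNITS, w)
    for name, weight in zip(INDICATORS, w):
        print(f"{name:16s} weight={weight:.3f}")
    for name, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name:16s} risk={s:.3f}")
    print(f"combined index={combined_index(scores):.3f}")
```

With the constructed data, the constant `config_drift` column gets weight 0, the two varying indicators split the weight roughly 0.54/0.46, and `web_frontend` (worst on both) scores 1.0 while the other units fall below 0.25. The guard for a column with no spread, and the fallback to equal weights when no indicator discriminates, are the two edge cases that otherwise produce a division by zero in this method.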
Keywords/Search Tags: Application security model, User behavior evaluation, Transitional operation set of security service, Business effectiveness, Information security index, Linguistic truth-valued lattice-valued logic system