Scenario-graph Based Information System Security Quantitative Risk Evaluation Method

Posted on: 2005-12-02
Degree: Master
Type: Thesis
Country: China
Candidate: F Chen
GTID: 2178360155472011
Subject: Management Science and Engineering
Abstract/Summary:
Information system security should be strategically based on risk management, in which risk evaluation is a crucial step. Current risk evaluation methods have comparatively low reliability, mainly because they cannot identify all risks and include too many subjective factors. The main reasons are that these methods either evaluate only network risk, or evaluate all risks but cannot effectively identify network risk; moreover, current methods consider only safety properties and not liveness properties; in addition, the risk characteristics of information system security make it very difficult to obtain objective data.

This paper provides a scenario-graph-based quantitative risk evaluation method for information systems, and specifies the evaluation procedure and the crucial techniques, including Markov-based and multi-attribute-decision-based quantitative risk computation. Since this method is repeatable, comparable and objective, it has higher reliability.

The method's key step is to use a Büchi automaton to model information system security. This paper models the network part of information system security in detail and evaluates a concrete case with the method. The work proves, to some degree, the feasibility and superiority of the method.

Moreover, this paper puts forward the optimization problem of security measures, the conclusion of which can be applied to all attack-graph applications, so that it enriches scenario graph theory.
Keywords/Search Tags:information system security, risk evaluation, scenario graph, Markov Decision Processes, multi-attribute-decision, greedy algorithm