
Research Of Automatic Recognition And Quantification Method Of Security Risk Of Information System

Posted on: 2011-11-12
Degree: Master
Type: Thesis
Country: China
Candidate: X Liu
Full Text: PDF
GTID: 2178360308465084
Subject: Computer software and theory
Abstract/Summary:
China is speeding up the construction of information systems in various fields, and the need to protect information security is urgent. Currently, most organizations understand information security only at the technical level: they think that a firewall will keep hackers out and that antivirus software will solve the security problems of the intranet. In fact, the investment in these security measures has not produced the expected results, and the main cause is the lack of necessary consideration of risk management.

Risk management consists of three processes: risk assessment, risk elimination and result evaluation. Risk assessment is the foundation of risk management. It includes asset recognition, threat and vulnerability recognition, and risk quantification, and it is the most complicated part of risk management and very difficult to perform. Risk assessment of an information system is the process of analyzing the threats and vulnerabilities confronting the system, evaluating the degree of hazard, and suggesting proper protection against the existing threats.

Many well-developed criteria exist for the processes and contents of assessment in current information security risk assessment systems, but operable tools and methods for practical application are lacking, so there are still many problems in the implementation of risk assessment. Traditional risk assessment is often a one-time exercise, commonly performed at the beginning of a project to direct the configuration of security equipment. In reality, the risks that an information system faces are highly dynamic; their diversity and complexity originate from the dynamic network environment, personnel and resources. The result of a single assessment therefore has no long-term guiding value.

To solve the problems listed above, a periodical risk assessment model is proposed in this paper. A machine learning method is used to recognize threats and vulnerabilities, and a quantification model for complex risks and a VaR-based risk measure are provided. The major research work and innovations in this paper are as follows:

(1) A periodical risk assessment model is proposed. An assessment cycle consists of an inspection period and an assessment period. Data are collected during the inspection period; asset recognition, threat and vulnerability recognition, and quantification of complex risk are performed in the assessment period. The assessment results are used as the basis for risk control and elimination.

(2) Statistical learning theory is applied to the recognition and classification of risk. The features of risk are extracted, including event type, frequency, vulnerabilities, hazard level, etc., and formatted into the required data format. Data from the IDS, system logs and some standard data are used as the data source, forming the training dataset, test dataset and prediction dataset. An SVM is used to recognize the risk; it can automatically recognize large amounts of access data, raising the automation level of risk assessment and reducing its cost.

(3) A quantification model for complex risk and a VaR-based risk measure are proposed. The risk quantification model considers the combined effect of various risks and quantifies risk as a loss of capital value. The VaR-based risk measure represents risk intuitively as the prospective maximum loss, and reduces the selection of the best security measure to a standard cost-benefit analysis, which is significant for the construction of information security.

(4) A practical instance is used to substantiate the reasonableness of our method. We use a government website as the assessment target: an SVM is used to classify the data from the system, and the complex risk quantification model and VaR-based risk measure are used to evaluate the risk of this website.
Keywords/Search Tags: periodical assessment, dynamic risk recognition, complex risk quantification model, support vector machine, Value-at-risk