Research On Product Information Security Risk Assessment Method Based On Attack Graph

Posted on: 2021-01-27
Degree: Master
Type: Thesis
Country: China
Candidate: Y N Du
GTID: 2518306308978049
Subject: Cyberspace security
Abstract/Summary:
While various information products have made people's lives easier, they are increasingly exposed to the risk of cyber attacks. The current mainstream method of product information security risk evaluation is based on an index system, which lacks objectivity and real-time performance. This paper studies product information security risk evaluation methods based on attack graphs, and analyzes attack behaviors and vulnerability information to build the attack graphs. The model simulates attack paths to evaluate the impact of a vulnerability being successfully exploited, and finally evaluates the product's information security risk. The main work carried out is as follows:

(1) A risk assessment framework for product information security based on attack graphs is proposed. The product information security risk evaluation problem is transformed into a vulnerability severity calculation problem. Because current vulnerability severity calculation methods can only solve the risk evaluation problem for a single vulnerability, a risk overlay method based on attack graphs is proposed, together with the attack-graph-based risk assessment framework and a description of the risk calculation process.

(2) A vulnerability knowledge base based on vulnerability category association is established. The impact of vulnerability categories on vulnerability exploitability scores is put forward. In view of the current status and deficiencies of each vulnerability database, a vulnerability knowledge base based on vulnerability categories was established. The vulnerability entries and vulnerability categories of each vulnerability database were integrated, and the vulnerability data were given a standardized description.

(3) A vulnerability score calculation method based on the WRank algorithm is proposed. Vulnerabilities are divided into several vulnerability categories, and a vulnerability category severity propagation algorithm, WRank, is proposed, which can effectively calculate the severity score and availability score of each vulnerability category. According to the calculated vulnerability category exploitability score, the final risk value of the product is calculated, so as to evaluate the information security risk of the product.

The experimental results show that the method of the paper improves the effectiveness, objectivity and accuracy of product information security risk assessment, and plays an early-warning role for product information security quality risks.
Keywords/Search Tags:information product, information security risk assessment, attack graph, vulnerability category correlation analysis