CN103996006A - Information system security risk assessment method and device - Google Patents
Information system security risk assessment method and device
- Publication number: CN103996006A (application CN201310050945.XA)
- Authority: CN (China)
- Prior art keywords: weight, behavior, threat, information system, module
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Abstract
The invention discloses a method for assessing the security risk of an information system: a threat behavior pattern library is constructed; the call behaviors recorded by the information system are matched against the threat behaviors in the library; a judgment value is obtained for each matched call behavior, and the threat behavior weight is determined from those judgment values; the threat behavior weight is then combined with the vulnerability weight and the remedial-measure weight to obtain the risk level. The invention also discloses an information system security risk assessment device. With this solution, information system security risk can be measured in multiple dimensions, which largely makes up for the shortcomings of existing risk assessment quantification, improves the accuracy and credibility of threat judgment, and solves the core problem of quantifying information system risk, so that users can understand the risk status of a running information system conveniently and objectively and the security risk becomes perceivable.
Description
Technical field
The present invention relates to information security technology, and in particular to a method and device for information system security risk assessment.
Background
With the rapid development of IT, the whole national economy depends on the operation and support of information systems, and ensuring that these systems run securely has become a top priority. The "2006-2020 National Informatization Development Strategy" requires the construction of the national information security assurance system to be comprehensively strengthened, and requires all organizations to adhere to active defense and comprehensive prevention, to explore and grasp the inherent laws of informatization and information security, and to respond proactively to information security challenges.
To make information security proactive, the key problem is how to evaluate information system security risk, or how to perceive risk early. The risk status depends on many factors, mainly: vulnerability factors of the information system itself, threat factors outside the system, and control and remedial measures; these factors interact with and influence one another.
Existing technology evaluates information system security risk mainly in three ways: 1. from the threat perspective, i.e. judging by the volume of security events on the relevant equipment, mainly by analyzing logs from security devices and IT equipment and extracting the high-risk-level logs for judgment; 2. from the vulnerability perspective, i.e. evaluating the vulnerability of the network facilities, host resources, code resources and so on that carry the information system, and deriving the risk level from that; 3. a comprehensive evaluation combining threat, vulnerability and asset value.
The existing risk evaluation systems have major defects and deficiencies, mainly in the following respects:
1. The evaluation indicators either rely on a single factor or are too complex, and neither can reflect the real risk situation. The threat perspective can reflect the external attack situation fairly truthfully, but because external threats are numerous and of complex origin, including both new and very old attacks, and because the applicability of an attack must be screened precisely, the evaluated risk is generally too high, which hinders threat handling and remedial measures. The vulnerability perspective can truthfully reflect the vulnerability status of the information system, but since vulnerability is static and a risk only forms when a threat attack participates, the risk evaluation is often distorted, which hinders the investment of effective resources in risk control and makes the cost too high. A comprehensive evaluation of threat, vulnerability and asset value can reflect the risk level, but because it involves a three-dimensional system in which the three factors have many-to-many relationships, the mapping and calculation are extremely complex and hard to realize in practice.
2. Current evaluation systems usually focus only on threat, vulnerability and asset value, and often neglect the very important link of remedial measures, which are in fact an important factor in risk control.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and device for information system security risk assessment that can measure information system security risk in multiple dimensions.
To achieve the above purpose, the technical solution of the present invention is realized as follows:
The present invention provides a method for information system security risk assessment, the method comprising:
constructing a threat behavior pattern library, matching the call behaviors recorded by the information system against the threat behaviors in the library, obtaining the judgment value of each matched call behavior, and determining the threat behavior weight from the judgment values of the matched call behaviors;
combining the threat behavior weight with the vulnerability weight and the remedial-measure weight to obtain the risk level.
In the above solution, constructing the threat behavior pattern library is: taking specific threat behaviors as the classification principle, each type of threat behavior is mapped to a system function call set; each system function call set comprises one or more call behaviors of system application programming interface (API) functions, each represented by a triple <module number, function number, rule number>; all threat behaviors together form the threat behavior pattern library.
In the above solution, matching the call behaviors recorded by the information system against the threat behaviors in the library is: converting the format of the recorded call behaviors into the triple format <module number, function number, rule number>, and matching the converted call behaviors against the threat behaviors in the library.
In the above solution, obtaining the judgment value of each matched call behavior is: computing the mean occurrence of each matched call behavior, and obtaining the judgment value of each call behavior from its mean occurrence.
In the above solution, combining the threat behavior weight with the vulnerability weight and the remedial-measure weight to obtain the risk level is: obtaining the risk level according to a risk level formula that includes the threat behavior weight, the vulnerability weight and the remedial-measure weight;
Risk level: $V = \mathrm{Round}_1\left\{\log_2\left[\frac{A \times 2^{The} + B \times 2^{Vul} + C \times 2^{Con}}{3}\right]\right\} \times Asset(value)$
where The denotes the threat behavior weight, Vul the vulnerability weight and Con the remedial-measure weight; Round is a function that rounds a value to a specified number of digits, and Round1 means retaining one decimal place; Asset(value) denotes the asset value; A is the coefficient of the threat behavior weight, B the coefficient of the vulnerability weight and C the coefficient of the remedial-measure weight.
The present invention provides an information system security risk assessment device comprising a construction module, a matching module, a judgment value acquisition module, a determination module and a risk level acquisition module, wherein
the construction module is used to construct the threat behavior pattern library;
the matching module is used to match the call behaviors recorded by the information system against the threat behaviors in the threat behavior pattern library, and to send each matched call behavior to the judgment value acquisition module;
the judgment value acquisition module is used to obtain the judgment value of each matched call behavior;
the determination module is used to determine the threat behavior weight from the judgment values;
the risk level acquisition module is used to combine the threat behavior weight with the vulnerability weight and the remedial-measure weight to obtain the risk level.
In the above solution, the construction module is specifically used to take specific threat behaviors as the classification principle, map each type of threat behavior to a system function call set, each system function call set comprising one or more call behaviors of system API functions, each represented by a triple <module number, function number, rule number>, all threat behaviors together forming the threat behavior pattern library.
In the above solution, the matching module is specifically used to convert the format of the call behaviors recorded by the information system into the triple format <module number, function number, rule number>, and to match the converted call behaviors against the threat behaviors in the threat behavior pattern library.
In the above solution, the risk level acquisition module is specifically used to obtain the risk level according to a risk level formula that includes the threat behavior weight, the vulnerability weight and the remedial-measure weight;
Risk level: $V = \mathrm{Round}_1\left\{\log_2\left[\frac{A \times 2^{The} + B \times 2^{Vul} + C \times 2^{Con}}{3}\right]\right\} \times Asset(value)$
where The denotes the threat behavior weight, Vul the vulnerability weight and Con the remedial-measure weight; Round is a function that rounds a value to a specified number of digits, and Round1 means retaining one decimal place; Asset(value) denotes the asset value; A is the coefficient of the threat behavior weight, B the coefficient of the vulnerability weight and C the coefficient of the remedial-measure weight.
The present invention provides a method and device for information system security risk assessment: a threat behavior pattern library is constructed; the call behaviors recorded by the information system are matched against the threat behaviors in the library; the judgment value of each matched call behavior is obtained, and the threat behavior weight is determined from those judgment values; the threat behavior weight is combined with the vulnerability weight and the remedial-measure weight to obtain the risk level. In this way, information system security risk can be measured in multiple dimensions, which largely makes up for the shortcomings of existing risk assessment quantification, improves the accuracy and credibility of threat judgment, and at the same time solves the core problem of quantifying information system risk, so that users can understand the risk status of a running information system conveniently and objectively and the security risk becomes perceivable.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the information system security risk assessment method provided by the present invention;
Fig. 2 is a schematic structural diagram of the threat behavior pattern library provided by the present invention;
Fig. 3 is a schematic structural diagram of the information system security risk assessment device provided by the present invention.
Detailed description of the embodiments
The basic idea of the present invention is: construct a threat behavior pattern library; match the call behaviors recorded by the information system against the threat behaviors in the library; obtain the judgment value of each matched call behavior and determine the threat behavior weight from those judgment values; combine the threat behavior weight with the vulnerability weight and the remedial-measure weight to obtain the risk level.
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The present invention implements a method for information system security risk assessment which, as shown in Fig. 1, comprises the following steps:
Step 101: construct the threat behavior pattern library;
Specifically, specific threat behaviors are taken as the classification principle. As shown in Fig. 2, each type of threat behavior A is mapped to a system function call set S, and each system function call set S comprises one or more call behaviors of system API functions, each represented by a triple <module number, function number, rule number>; the call behaviors included in a system function call set S are known threat behaviors, and all threat behaviors A together form the threat behavior pattern library;
the specific threat behaviors include eavesdropping, remote espionage, deliberate leakage, hacker intrusion, system/network overload, and the like.
Step 102: match the call behaviors recorded by the information system against the threat behaviors in the threat behavior pattern library;
Specifically, the format of the call behaviors recorded by the information system is converted into the triple format <module number, function number, rule number>, and the converted call behaviors are matched against the threat behaviors in the threat behavior pattern library.
Step 103: obtain the judgment value of each matched call behavior;
Specifically, the mean occurrence of each matched call behavior is computed, and the judgment value of each call behavior is obtained from its mean occurrence; here the judgment value is the number of successful attacks or the number of failed attacks;
obtaining the judgment value of each call behavior from its mean occurrence is: within the mean occurrence of each call behavior, count the attack results of that call behavior and take the attack result as the judgment value;
the attack result is the number of successful attacks or the number of failed attacks.
Step 104: determine the threat behavior weight from the judgment values of the matched call behaviors;
Specifically, when the judgment value of a matched call behavior exceeds a preset threshold, that call behavior is marked as a threat behavior; the number of call behaviors marked as threat behaviors is counted to determine the threat behavior weight.
Step 105: combine the threat behavior weight with the vulnerability weight and the remedial-measure weight to obtain the risk level;
Specifically, the risk level is obtained according to a risk level formula that includes the threat behavior weight, the vulnerability weight and the remedial-measure weight;
Risk level: $V = \mathrm{Round}_1\left\{\log_2\left[\frac{A \times 2^{The} + B \times 2^{Vul} + C \times 2^{Con}}{3}\right]\right\} \times Asset(value)$
where The denotes the threat behavior weight, Vul the vulnerability weight and Con the remedial-measure weight; Round is a function that rounds a value to a specified number of digits, and Round1 means retaining one decimal place; Asset(value) denotes the asset value; A is the coefficient of the threat behavior weight, B the coefficient of the vulnerability weight and C the coefficient of the remedial-measure weight; following the international basis for weight evaluation, these can be set here as A = 0.7, B = 0.5, C = 0.8;
the vulnerability weight is generally determined from the vulnerability level rated in the international vulnerability database (CVE);
the remedial-measure weight is generally assigned according to the strength of the remedial measure (its effectiveness at avoiding risk): the higher the value, the better the risk-avoidance effect.
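As an added worked example (not code from the patent or its applicant), the five steps above, from the pattern library through matching, judgment values and the threat weight to the risk-level formula, implemented end to end in Python; it covers the same procedure the summary of the invention states in claim form. The module, function and rule numbers in the library, the recorded call log, the threshold, and the Vul, Con and asset values are constructed sample data: the patent names the threat categories but assigns no triples to them. The judgment value is taken here as the plain count of successful attempts per matched behavior over the whole log, a simplification of the patent's "mean occurrence" window.

```python
"""Added example, not part of the patent: the five-step procedure (library
construction, matching, judgment values, threat weight, risk-level formula)
implemented end to end.  All triples, log records and weights below are
constructed sample data."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# One API call behavior, identified by the triple <module number, function number, rule number>.
Triple = Tuple[int, int, int]

# Step 101: threat behavior pattern library.  Each threat category maps to a
# system function call set.  The categories are the patent's; the triples are
# constructed for this example (the patent assigns none).
THREAT_LIBRARY: Dict[str, Set[Triple]] = {
    "eavesdropping": {(3, 12, 1), (3, 14, 2)},
    "remote_espionage": {(5, 7, 1)},
    "hacker_intrusion": {(7, 21, 1), (7, 22, 1)},
    "system_network_overload": {(9, 2, 3)},
}


@dataclass(frozen=True)
class CallRecord:
    """A call behavior as the information system recorded it."""
    module: int
    function: int
    rule: int
    success: bool  # whether the recorded attempt succeeded


# Constructed sample log: four library behaviors are hit, one record is benign.
SAMPLE_LOG: List[CallRecord] = [
    CallRecord(3, 12, 1, True), CallRecord(3, 12, 1, True), CallRecord(3, 12, 1, False),
    CallRecord(7, 21, 1, True), CallRecord(7, 21, 1, True), CallRecord(7, 21, 1, True),
    CallRecord(5, 7, 1, False), CallRecord(5, 7, 1, False),
    CallRecord(9, 2, 3, True),
    CallRecord(1, 1, 1, True),  # not in the library, must be ignored
]


# Step 102: convert a record to the triple format and match it against the library.
def to_triple(rec: CallRecord) -> Triple:
    return (rec.module, rec.function, rec.rule)


def match_calls(records: Iterable[CallRecord],
                library: Dict[str, Set[Triple]]) -> Dict[Triple, List[bool]]:
    """Return {triple: [success flags]} for records whose triple is in the library."""
    known: Set[Triple] = set().union(*library.values())
    matched: Dict[Triple, List[bool]] = defaultdict(list)
    for rec in records:
        t = to_triple(rec)
        if t in known:
            matched[t].append(rec.success)
    return dict(matched)


# Step 103: judgment value per matched behavior.  The patent counts attack
# results within each behavior's mean occurrence; here (simplification) the
# judgment value is the number of successful attempts over the whole log.
def judgment_values(matched: Dict[Triple, List[bool]]) -> Dict[Triple, int]:
    return {t: sum(1 for ok in flags if ok) for t, flags in matched.items()}


# Step 104: behaviors whose judgment value exceeds the preset threshold are
# marked as threat behaviors; the threat weight is how many were marked.
def threat_weight(judgments: Dict[Triple, int], threshold: int) -> int:
    return sum(1 for v in judgments.values() if v > threshold)


# Step 105: the risk-level formula with the coefficients the patent suggests.
def risk_level(the: float, vul: float, con: float, asset_value: float,
               a: float = 0.7, b: float = 0.5, c: float = 0.8) -> float:
    """V = Round1{ log2[(A*2^The + B*2^Vul + C*2^Con) / 3] } * Asset(value)."""
    inner = (a * 2 ** the + b * 2 ** vul + c * 2 ** con) / 3
    return round(math.log2(inner), 1) * asset_value


def assess(records, library, threshold, vul, con, asset_value) -> Tuple[int, float]:
    """Run steps 102-105 and return (threat weight The, risk level V)."""
    the = threat_weight(judgment_values(match_calls(records, library)), threshold)
    return the, risk_level(the, vul, con, asset_value)


if __name__ == "__main__":
    matched = match_calls(SAMPLE_LOG, THREAT_LIBRARY)
    for t, v in judgment_values(matched).items():
        print(f"behavior {t}: judgment value {v}")
    # Vul=4 (as if read from a CVE rating), Con=2 and asset value 3 are constructed inputs.
    the, v = assess(SAMPLE_LOG, THREAT_LIBRARY, threshold=1, vul=4, con=2, asset_value=3)
    print(f"threat weight The={the}, risk level V={v}")
```

Running the block prints the matched behaviors with their judgment values, then the threat weight and the risk level for the constructed inputs. One property of the formula as printed is worth checking before putting the score in front of users: the remediation term C × 2^Con is added to the other two, so a higher Con raises V, while the text describes a higher Con as better risk avoidance; an implementer should confirm the intended direction of that term.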
To implement the above method, the present invention also provides an information system security risk assessment device, generally deployed on hardware that uses a Linux server to provide API services. As shown in Fig. 3, the device comprises a construction module 31, a matching module 32, a judgment value acquisition module 33, a determination module 34 and a risk level acquisition module 35, wherein
the construction module 31 is used to construct the threat behavior pattern library;
the matching module 32 is used to match the call behaviors recorded by the information system against the threat behaviors in the threat behavior pattern library, and to send each matched call behavior to the judgment value acquisition module 33;
the judgment value acquisition module 33 is used to obtain the judgment value of each matched call behavior;
the determination module 34 is used to determine the threat behavior weight from the judgment values;
the risk level acquisition module 35 is used to combine the threat behavior weight with the vulnerability weight and the remedial-measure weight to obtain the risk level.
The construction module 31 is specifically used to take specific threat behaviors as the classification principle, map each type of threat behavior to a system function call set, each system function call set comprising one or more call behaviors of system API functions, each represented by a triple <module number, function number, rule number>; the call behaviors included in a system function call set are known threat behaviors, and all threat behaviors together form the threat behavior pattern library.
The matching module 32 is specifically used to convert the format of the call behaviors recorded by the information system into the triple format <module number, function number, rule number>, and to match the converted call behaviors against the threat behaviors in the threat behavior pattern library.
The risk level acquisition module 35 is specifically used to obtain the risk level according to a risk level formula that includes the threat behavior weight, the vulnerability weight and the remedial-measure weight;
Risk level: $V = \mathrm{Round}_1\left\{\log_2\left[\frac{A \times 2^{The} + B \times 2^{Vul} + C \times 2^{Con}}{3}\right]\right\} \times Asset(value)$
where The denotes the threat behavior weight, Vul the vulnerability weight and Con the remedial-measure weight; Round is a function that rounds a value to a specified number of digits, and Round1 means retaining one decimal place; Asset(value) denotes the asset value; A is the coefficient of the threat behavior weight, B the coefficient of the vulnerability weight and C the coefficient of the remedial-measure weight; following the international basis for weight evaluation, these can be set here as A = 0.7, B = 0.5, C = 0.8.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310050945.XA CN103996006B (en) | 2013-02-17 | 2013-02-17 | A kind of method and apparatus of Evaluation of Information System Security Risk |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103996006A true CN103996006A (en) | 2014-08-20 |
CN103996006B CN103996006B (en) | 2018-09-04 |
Family
ID=51310168
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310050945.XA Active CN103996006B (en) | 2013-02-17 | 2013-02-17 | A kind of method and apparatus of Evaluation of Information System Security Risk |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103996006B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101017458A (en) * | 2007-03-02 | 2007-08-15 | 北京邮电大学 | Software safety code analyzer based on static analysis of source code and testing method therefor |
CN101374051A (en) * | 2008-08-22 | 2009-02-25 | 中国航天科工集团第二研究院七○六所 | Method for evaluating information system risk base on multi-element fusion |
US20110173146A1 (en) * | 2006-06-12 | 2011-07-14 | John Harris Hnatio | Complexity systems management method |
CN102238038A (en) * | 2011-07-26 | 2011-11-09 | 北京神州绿盟信息安全科技股份有限公司 | Network equipment security evaluation method and device |
CN102799954A (en) * | 2012-07-18 | 2012-11-28 | 中国信息安全测评中心 | Method and system for multi-objective optimization applied to risk assessment |
Legal events: 2013-02-17, application CN201310050945.XA filed (CN); granted as CN103996006B; status Active.
Non-Patent Citations (2)
- 李江涛: "基于行为的病毒检测系统的设计与实现", 《中国优秀硕士学位论文全文数据库(信息科技辑)》
- 黄水清等: "数字图书馆信息安全风险评估", 《现代图书情报技术》
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105844169B (en) * | 2015-01-15 | 2019-09-13 | 中国移动通信集团安徽有限公司 | Method and device for measuring information security |
CN105844169A (en) * | 2015-01-15 | 2016-08-10 | 中国移动通信集团安徽有限公司 | Method and device for information safety metrics |
CN106407813A (en) * | 2016-05-17 | 2017-02-15 | 北京智言金信信息技术有限公司 | Data normalization processing apparatus and method for heterogeneous vulnerability scanner |
CN106407813B (en) * | 2016-05-17 | 2020-04-07 | 北京摄星科技有限公司 | Heterogeneous vulnerability scanner data normalization processing device and method |
CN106656996B (en) * | 2016-11-09 | 2020-09-15 | 航天科工智慧产业发展有限公司 | Information security risk assessment method |
CN106656996A (en) * | 2016-11-09 | 2017-05-10 | 航天科工智慧产业发展有限公司 | Information safety risk assessment method |
CN107239707A (en) * | 2017-06-06 | 2017-10-10 | 国家电投集团河南电力有限公司技术信息中心 | A threat data processing method for information systems |
CN107239707B (en) * | 2017-06-06 | 2020-09-29 | 国家电投集团河南电力有限公司 | Threat data processing method for information system |
CN108776861A (en) * | 2018-04-27 | 2018-11-09 | 中国铁路总公司 | Railway communication safety risk estimation method and device |
CN110839000A (en) * | 2018-08-15 | 2020-02-25 | 中国信息通信研究院 | Method and device for determining security level of network information system |
CN110839000B (en) * | 2018-08-15 | 2022-02-08 | 中国信息通信研究院 | Method and device for determining security level of network information system |
CN109684366A (en) * | 2018-12-20 | 2019-04-26 | 国家计算机网络与信息安全管理中心 | A knowledge base group volume method for industrial control system risk assessment |
CN112565296A (en) * | 2020-12-24 | 2021-03-26 | 深信服科技股份有限公司 | Security protection method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN103996006B (en) | 2018-09-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103996006B (en) | | Information system security risk assessment method and device |
CN106789955B (en) | | A network security situation assessment method |
CN107204876B (en) | | Network security risk assessment method |
Wang et al. | | Cyber security during the COVID-19 pandemic |
CN105868629B (en) | | Security threat situation assessment method suitable for electric power cyber-physical systems |
CN110378487A (en) | | Model parameter verification method, device, equipment and medium in horizontal federated learning |
CN110825757B (en) | | Equipment behavior risk analysis method and system |
CN103136255B (en) | | Information management method and apparatus |
CN103149549B (en) | | Method and system of data processing based on electric energy metering device |
CN104394015B (en) | | A network security situation evaluation method |
CN108833416A (en) | | A SCADA system information security risk assessment method and system |
CN113434866B (en) | | Unified risk quantitative evaluation method for instrument functional safety and information security strategies |
CN111600842B (en) | | Internet of Things terminal security control method and system based on trusted threat intelligence |
CN109376537B (en) | | An asset scoring method and system based on multi-factor fusion |
CN103023889A (en) | | Safety margin risk quantification method |
CN111863280A (en) | | Health detection method, system, terminal device and storage medium |
CN106446638A (en) | | Cloud computing operating system security access method and device |
CN108111348A (en) | | A security policy management method and system for enterprise cloud applications |
CN111669365A (en) | | Network security testing method and device |
CN114157484A (en) | | Data security storage system based on cloud computing |
CN105208009B (en) | | Account security detection method and device |
CN112671724B (en) | | Terminal security detection analysis method, device, equipment and readable storage medium |
CN107360047A (en) | | Network security evaluation method based on CIA attributes |
CN118445814A (en) | | Information security risk discovery system |
Land et al. | | Building a Taxonomy for Cybercrimes. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |