
Research On Key Technologies Of Information System Security Evaluation

Posted on: 2023-05-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J X Zuo
Full Text: PDF
GTID: 1528306914478004
Subject: Cyberspace security

Abstract/Summary:
With the rapid development of information technologies such as big data and the Internet of Things, network security evaluation has become a basic technology for ensuring the normal operation of information systems. Network security evaluation is an important means of correctly analyzing the security quality, operating status, and compliance of information systems and other target systems, and of achieving continuous improvement. Existing target systems face a situation in which the evaluation indicator system is difficult to abstract, the granularity of refinement is uncontrollable, and the evaluation results of different models cannot be compared, which results in "insufficient rationality" in information system security evaluation. In addition, "evaluation uncertainty" and other problems brought by massive information pose great challenges to security evaluation. Moreover, the heterogeneity and dynamics of information systems and the complexity of their operating environments further increase the difficulty of system security evaluation. How to design an effective and reasonable security evaluation model based on existing standards, laws, and regulations is an urgent problem to be solved. Traditional network security evaluation methods, such as relevance analysis and the analytic hierarchy process, are better suited to single products or to information systems with low coupling and a simple network structure; they are no longer applicable to increasingly complex heterogeneous information systems. Therefore, this paper researches the key technologies of information system network security evaluation. The main work and innovations include the following four aspects.

(1) A security evaluation model supporting a standardized indicator system

Given the "insufficient rationality" caused by the difficulty of abstracting the evaluation indicator system and the uncontrollable granularity of existing information system security evaluation, a security evaluation model supporting a standardized indicator system is proposed. First, according to the common criteria and national standards, the proposed model constructs a standardized evaluation indicator system covering security attributes such as confidentiality, identifiability, controllability, and availability. Next, an optimization algorithm for measurement indicator systems that supports differentiation is developed to screen indicators and improve the differentiation of the indicator system. Finally, objective evaluation of the system is realized with a fuzzy comprehensive evaluation algorithm that combines subjective and objective evaluation with weight confirmation. Experimental results show that the proposed model can evaluate confidential and stable complex systems and improves the rationality of security evaluation.

(2) A feedback-based security evaluation model based on model adaptation

Given the "insufficient rationality" caused by the inability to compare horizontally the evaluation results of different security evaluation models, a system security evaluation framework based on model adaptation is constructed according to the classification and characteristics of security evaluation models. Furthermore, a comprehensive information security evaluation model based on multi-level decomposition feedback is proposed to refine the indicator system of the evaluation object, and security evaluation is then carried out with an improved Technique for Order Preference by Similarity to an Ideal Solution (TOPSIS) comprehensive evaluation method. To verify the rationality of the evaluation model, a verification method based on head-to-tail sequential consistency is proposed. The evaluation effect of different models is analyzed according to parameters such as head-to-tail sequential consistency, the ratio of decline, and the standard deviation, and the adaptation evaluation model of the target object is obtained. Experimental results show that this method can compare the effects of different types of evaluation models, enhance the contrast between them, and improve the rationality of security evaluation through the adaptation evaluation model.

(3) A sequential dynamic security evaluation method based on security-critical components

Aiming at the problems of "a large amount of data, low-value density, and uncertainty in evaluation" in the quantitative analysis of information system security by network situational awareness technology, a sequential dynamic security evaluation method based on security-critical components is proposed. Specifically, threat attack tree analysis is used to select the security-critical components of the information system. These components are formally described, and an evaluation algorithm based on the variation coefficient method is used to evaluate their security. Finally, the description of the state is extended from local security to global security. Selection and evaluation experiments on critical components are carried out on data collected from the network, and show that the evaluation method can reduce the evaluation uncertainty caused by massive information.

(4) A security resilience evaluation method based on the fuzzy Choquet integral

Information systems that adopt an endogenous security mechanism gain the ability of resilient defense, which brings uncertainty to their security evaluation. Given that traditional security evaluation models cannot accurately describe an information system transformed by endogenous security defense, a security resilience evaluation method based on the fuzzy Choquet integral is proposed. Combining the characteristics of the endogenous security mechanism, indicator systems for information system performance, system service capability, attack activities, and system vulnerability are designed, and the fuzzy Choquet integral is adopted to extend the connotation of security to resilient security. Finally, based on attack and defense scenario modeling, a security resilience evaluation of a dynamic-defense Web information system is carried out. Experiments show that this method realizes security evaluation of information systems with resilient defense ability and widens the application scope of security evaluation.

Taken together, the work of this paper breaks through the difficulties of constructing an evaluation indicator system and of the rationality of the security evaluation model; it applies the theories and methods of fuzzy mathematics, mathematical statistics, and optimization analysis, and adopts technical means such as indicator system optimization, model adaptation, selection of security-critical components, and security resilience evaluation, which improves the rationality of security evaluation and provides support for the security evaluation of information systems.
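As an added illustration (not code from the dissertation), the following Python combines two of the techniques the abstract names in aspects (2) and (3): variation coefficient weighting of indicators and TOPSIS ranking of candidate systems, run on a constructed indicator matrix. The indicator names follow the security attributes listed in aspect (1); the system names and scores are invented.

```python
# Added example (not from the dissertation): variation-coefficient weighting
# followed by TOPSIS ranking over a constructed indicator matrix. Indicator
# names follow the security attributes in the abstract; all scores are made up.
import math

INDICATORS = ["confidentiality", "identifiability", "controllability", "availability"]
# rows = candidate systems, columns = INDICATORS; all are benefit indicators
SAMPLE_MATRIX = {  # constructed sample data
    "system_A": [0.90, 0.80, 0.70, 0.95],
    "system_B": [0.60, 0.85, 0.90, 0.70],
    "system_C": [0.75, 0.60, 0.65, 0.80],
}

def variation_coefficient_weights(matrix):
    """Weight each indicator by its coefficient of variation (std / mean), normalised
    to sum to 1; indicators that barely differ between systems get little weight."""
    cols = list(zip(*matrix.values()))
    cvs = []
    for col in cols:
        mean = sum(col) / len(col)
        std = math.sqrt(sum((x - mean) ** 2 for x in col) / len(col))
        cvs.append(std / mean if mean else 0.0)
    total = sum(cvs)
    return [cv / total for cv in cvs]

def topsis(matrix, weights):
    """Rank systems by relative closeness to the positive ideal solution."""
    names = list(matrix)
    norms = [math.sqrt(sum(x * x for x in col)) for col in zip(*matrix.values())]
    weighted = {n: [w * x / nm for w, x, nm in zip(weights, matrix[n], norms)]
                for n in names}
    best = [max(c) for c in zip(*weighted.values())]   # positive ideal solution
    worst = [min(c) for c in zip(*weighted.values())]  # negative ideal solution
    closeness = {}
    for n in names:
        d_best = math.dist(weighted[n], best)
        d_worst = math.dist(weighted[n], worst)
        closeness[n] = d_worst / (d_best + d_worst)
    return sorted(closeness.items(), key=lambda kv: kv[1], reverse=True)

def evaluate(matrix=SAMPLE_MATRIX):
    """Full pipeline: objective weights from the data, then TOPSIS ranking."""
    return topsis(matrix, variation_coefficient_weights(matrix))

if __name__ == "__main__":
    for name, score in evaluate():
        print(f"{name}: closeness {score:.3f}")
```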
Keywords/Search Tags: information system, security evaluation, model adaptation, security resilience, attack and defense modeling