A Network Information Security Risk Assessment Method Based on Cloud Model
Abstract
Network security assessment is an information security technique that makes a system more secure and robust: it not only integrates assessment elements such as information assets, vulnerabilities and threats, but also helps users identify in advance the potential security threats the system faces. Current network security assessment theories and methods require a large amount of historical data for statistical analysis or machine learning. Moreover, the means of network threats change with each passing day, so new assessment theories and methods should be built from the characteristics of network information itself and from the behaviour patterns of its vulnerabilities and threats. The cloud model is an uncertainty analysis method that can be used to grade network security status. Based on an access graph model, this paper proposes an assessment method based on the occurrence probability of threat events and an assessment method based on information assets, and calculates an integrated security value for the network information system. The paper then combines the network security assessment value with the cloud model, obtains the eigenvalues of the cloud model after sampling and calculation, and establishes a definite cloud model. Finally, the paper takes random sampling values as the input of the cloud model and confirms the network security grade by judging them against the cloud model.
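The grading step the abstract describes can be made concrete with the standard cloud model of Li Deyi, which characterises a concept by three eigenvalues (Ex, expectation; En, entropy; He, hyper-entropy). The following is an added example written for this page, not code from the paper: it assumes the usual forward and backward cloud generator formulas, a constructed 0..1 integrated-security scale, and constructed grade clouds (the GRADE_CLOUDS table and the observed values are illustrative placeholders, not the paper's data). It fits a cloud to observed security values, draws a random sample from the fitted cloud, and assigns the grade whose cloud gives that sample the highest expected certainty.

```python
import math
import random
from statistics import mean, variance

# Constructed grade clouds (assumption, not taken from the paper): each security
# grade is a cloud on a 0..1 integrated-security scale with parameters
# (Ex = expectation, En = entropy, He = hyper-entropy).
GRADE_CLOUDS = {
    "critical": (0.10, 0.05, 0.005),
    "poor":     (0.30, 0.05, 0.005),
    "fair":     (0.50, 0.05, 0.005),
    "good":     (0.70, 0.05, 0.005),
    "secure":   (0.90, 0.05, 0.005),
}


def seeded_rng(seed=7):
    """Deterministic random source so runs are reproducible."""
    return random.Random(seed)


def forward_cloud(ex, en, he, n, rng):
    """Forward cloud generator: n drops (x, mu) from (Ex, En, He)."""
    drops = []
    for _ in range(n):
        en_prime = rng.gauss(en, he) or 1e-12          # entropy perturbed by He
        x = rng.gauss(ex, abs(en_prime))                # drop position
        mu = math.exp(-((x - ex) ** 2) / (2.0 * en_prime ** 2))  # certainty degree
        drops.append((x, mu))
    return drops


def backward_cloud(samples):
    """Backward cloud generator (first absolute central moment form): estimate
    (Ex, En, He) from observed values without needing certainty degrees."""
    ex = mean(samples)
    en = math.sqrt(math.pi / 2.0) * mean(abs(x - ex) for x in samples)
    s2 = variance(samples, ex)                    # sample variance (n - 1)
    he = math.sqrt(max(s2 - en * en, 0.0))        # clamp: noise can push this negative
    return ex, en, he


def certainty(x, ex, en, he, rng, trials=500):
    """X-condition cloud generator: expected certainty degree of value x in the
    cloud (Ex, En, He), averaged over `trials` random draws of En'."""
    total = 0.0
    for _ in range(trials):
        en_prime = rng.gauss(en, he) or 1e-12
        total += math.exp(-((x - ex) ** 2) / (2.0 * en_prime ** 2))
    return total / trials


def grade_of(value, rng, clouds=GRADE_CLOUDS):
    """Assign the grade whose cloud gives the value the highest expected certainty."""
    scores = {g: certainty(value, ex, en, he, rng) for g, (ex, en, he) in clouds.items()}
    return max(scores, key=scores.get)


def assess(observed, rng):
    """Fit a cloud to observed integrated security values, then grade a fresh
    sample drawn from the fitted cloud (the final step the abstract describes)."""
    ex, en, he = backward_cloud(observed)
    sample = forward_cloud(ex, en, he, 1, rng)[0][0]
    return (ex, en, he), sample, grade_of(sample, rng)


if __name__ == "__main__":
    rng = seeded_rng(7)
    # Constructed input: 300 integrated security values for a hypothetical system,
    # standing in for the access-graph based scores the paper computes.
    observed = [x for x, _ in forward_cloud(0.68, 0.06, 0.01, 300, rng)]
    params, sample, grade = assess(observed, rng)
    print("fitted (Ex, En, He) = (%.3f, %.3f, %.3f)" % params)
    print("sampled value %.3f -> grade %s" % (sample, grade))
```

Because the grade clouds overlap at their boundaries, a value near 0.6 receives comparable certainty from "fair" and "good"; reporting the full score dictionary rather than only the arg-max is the practical way to surface that ambiguity to an analyst.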
Revista de la Facultad de Ingeniería,
ISSN: 2443-4477; ISSN-L:0798-4065
Edif. del Decanato de la Facultad de Ingeniería,
3º piso, Ciudad Universitaria,
Apartado 50.361, Caracas 1050-A,
Venezuela.
© Universidad Central de Venezuela