A Fuzzy Set-Based Approach for Model-Based Internet-Banking System Security Risk Assessment

A fuzzy set-based evaluation approach is demonstrated to assess the security risks for internet-banking System. The Internet-banking system is semi-formally described using Unified Modeling Language （UML） to specify the behavior and state of the system on the base of analyzing the existing qualitative risk assessment methods. And a quantitative method based on fuzzy set is used to measure security risks of the system, A case study was performed on the WEB server of the Internet-banking System using fuzzy-set based assessment algorithm to quantitatively compute the security risk severity. The numeric result also provides a method to decide the most critical component which should amuse the system administrator enough attention to take the appropriate security measure or controls to alleviate the risk severity. The experiments show this method can be used to quantify the security properties for the Internet-banking System in practice.     

Path probability for a Brownian motion

This work reports on numerical simulations of Brownian motion in the non-dissipative limit. The objective was to prove the existence of path probability and to compute probability values for some sample paths. By simulating a large number of particles moving from point to point under Gaussian noise and conservative forces, we numerically determine that the path probability decreases exponentially with increasing Lagrangian action of the paths.     

Fuzzy Multiple Attribute Decision Making for Evaluating Aggregate Risk in Green Manufacturing

Industrial risk and the diversification of risk types both increase with industrial development. Many uncertain factors and high risk are inherent in the implementation of new green manufacturing methods. Because of the shortage of successful examples and complete and certain knowledge, decision-making methods using probabilities to represent risk, which need many examples, cannot be used to evaluate risk in the implementation of green manufacturing projects. Therefore, a fuzzy multiple attribute decision-making （FMADM） method was developed with a three-level hierarchical decision-making model to evaluate the aggregate risk for green manufacturing projects. A case study shows that the hierarchical decision-making model of the aggregate risk and the FMADM method effectively reflect the characteristics of the risk in green manufacturing projects.     

Assessing the Risk Situation of Network Security for Active Defense

The risk situation assessment and forecast technique of network security is a basic method of active defense techniques. In order to assess the risk of network security two methods were used to define the index of risk and forecast index in time series, they were analytical hierarchy process （AHP） and support vector regression （SVR）. The module framework applied the methods above was also discussed. Experiment results showed the forecast values were so close to actual values and so it proved the approach is correct.     

Approach to Weighted Geometric Evaluation Based on Projection Pursuit

Weighted geometric evaluation approach based on Projection pursuit （PP） model is presented in this paper to optimize the choice of schemes. By using PP model, the multi-dimension evaluation index values of schemes can be synthesized into projection value with one dimension. The scheme with a bigger projection value is much better, so the schemes sample can be an optimized choice according to the projection value of each scheme. The modeling of PP based on accelerating genetic algorithm can predigest the realized process of projection pursuit technique, can overcome the shortcomings of large computation amount and the difficulty of computer programming in traditional projection pursuit methods, and can give a new method for application of projection pursuit technique to optimize choice of schemes by using weighted geometric evaluation. The analysis of an applied sample shows that applying PP model driven directly by samples data to optimize choice of schemes is both simple and feasible, that its projection values are relatively decentralized and profit decision-making, that its applicability and maneuverability are high. It can avoid the shortcoming of subjective weighing method, and its results are scientific and objective.     

Synthetic security assessment based on variable consistency dominance-based rough set approach

<正> Security assessment can help understand the security conditions of an information system and yieldresults highly conducive to the solution of security problems in it.Taking the computer networks in a certainuniversity as samples,this paper,with the information system security assessment model as its foundation,proposes a multi-attribute group decision-making (MAGDM) security assessment method based ona variable consistency dominance-based rough set approach (VC-DRSA).This assessment method combinesVC-DRSA with the analytic hierarchy process (AHP),uncovers the inherent information hidden indata via the quality of sorting (QoS),and makes a synthetic security assessment of the information systemafter determining the security attribute weight.The sample findings show that this methoil can effectivelyremove the bottleneck of MAGDM,thus assuming practical significance in information system security assessment.     

Signcryption-Based Key Management for MANETs Applications in Mobile Commerce

Mobile commerce uses wireless device and wireless link to result in the transfer of values in exchange of information, services or goods. Wireless mobile ad hoc networks （MANETs） will bring a revolution to the business model of mobile commerce if such networks are used as the underlying network technology for mobile commerce. Mobile commerce will remain in a niche market until the security issue is properly addressed. Hence, security is also very important for MANET applications in mobile commerce. Robust key management is one of the most crucial technologies for security of MANETs. In this paper, a new solution for key management is proposed using identity-based （ID-based） signcryption and threshold secret sharing. It enables flexible and efficient key management while respecting the constraints of MANETs. In our solution, each mobile host uses its globally unique identity as its public key. It greatly decreases the computation and storage costs of mobile hosts, as well as communication cost for system key management.     

Fuzzy Set-Based Risk Evaluation Model for Real Estate Projects

With the rapid development of residential real estate market, risk evaluation has been an important task in the process of project. This paper describes a risk evaluation method for residential real estate projects based on fuzzy set theory which uses linguistic variables and respective fuzzy numbers to evaluate the factors. The primary weights of factors and evaluation of alternatives are determined by applying linguistic variables and fuzzy numbers. The notion of Shapley value is used to determine the global value of each factor in accomplishing the overall objective of the risk evaluation process, so the primary weights are revised, thus the importance of factors can be reflected more precisely. A major advantage of the method is that it allows experts and engineers to express their opinions on project risk evaluation in linguistic variables rather than crisp values. An illustration is presented to demonstrate the application of the method in risk evaluation. The results are consistent with the results calculated by conventional risk evaluation method. The research demonstrates that the method is objective and accurate, and is of an application value in the risk evaluation for residential real estate project.     

A hierarchical algorithm for cyberspace situational awareness based on analytic hierarchy process

The existing network security management systems are unable either to provide users with useful security situation and risk assessment, or to aid administrators to make right and timely decisions based on the current state of network. These disadvantages always put the whole network security management at high risk. This paper establishes a simulation environment, captures the alerts as the experimental data and adopts statistical analysis to seek the vulnerabilities of the services provided by the hosts in the network. According to the factors of the network, the paper introduces the two concepts： Situational Meta and Situational Weight to depict the total security situation. A novel hierarchical algorithm based on analytic hierarchy process （AHP） is proposed to analyze the hierarchy of network and confirm the weighting coefficients. The algorithm can be utilized for modeling security situation, and determining its mathematical expression. Coupled with the statistical results, this paper simulates the security situational trends. Finally, the analysis of the simulation results proves the algorithm efficient and applicable, and provides us with an academic foundation for the implementation in the security situation     

Exploring Attack Graphs for Security Risk Assessment: A Probabilistic Approach

The attack graph methodology can be used to identify the potential attack paths that an attack can propagate. A risk assessment model based on Bayesian attack graph is presented in this paper. Firstly, attack graphs are generated by the MULVAL (Multi-host, Multistage Vulnerability Analysis) tool according to sufficient information of vulnerabilities, network configurations and host connectivity on networks. Secondly, the probabilistic attack graph is established according to the causal relationships among sophisticated multi-stage attacks by using Bayesian Networks. The probability of successful exploits is calculated by combining index of the Common Vulnerability Scoring System, and the static security risk is assessed by applying local conditional probability distribution tables of the attribute nodes. Finally, the overall security risk in a small network scenario is assessed. Experimental results demonstrate our work can deduce attack intention and potential attack paths effectively, and provide effective guidance on how to choose the optimal security hardening strategy.     

基于安全域的输电系统概率安全评估系统框架

针对输电系统概率安全评估问题,提出了一种基于安全域的输电系统概率安全分析系统的模型.介绍了该模型的构成、实用动态安全域和割集电压稳定域在概率安全评估中的应用,以及概率安全评估的计算步骤.该系统应用最新的安全域的研究成果,在能量管理系统数据的基础上,通过对安全域、随机潮流的计算,实现了输电系统在线概率安全评估.给出的动态和静态不安全概率指标,可用于指导运行人员进行预防性控制决策.     

攻击图和HMM结合的网络安全风险评估方法研究

为了解决传统网络安全风险评估不能有效评价网络安全风险动态变化的缺点,根据网络安全的特性,提出了攻击图和隐马尔可夫模型(HMM)相结合的网络安全风险评估方法.采用攻击图生成网络攻击路径,从复杂度和防御能力等方面量化攻击威胁等级,利用隐马尔可夫模型计算攻击路径的攻击成功率,结合网络资产的重要程度确定网络安全风险值.通过实例分析表明,该方法能够提高网络安全风险评估的准确性,能够有效地对网络安全状况进行分析,具有较高的实用性.     

基于密码学理论的私密信息安全风险评估方法

为了解决传统方法没有考虑针对私密信息的防控措施,得到评估结果不准确的问题,通过密码学理论研究了私密信息安全风险评估方法。在将资产-威胁-脆弱性作为核心对风险值进行计算的基础上,引入安全防控措施功能进行分析。按照相关原则,建立阶梯层次式私密信息安全风险评估指标体系,通过熵系数对各评估指标的权重进行计算。在不考虑防控措施的情况下计算风险值,通过密码学理论对私密信息安全性进行保护后风险值进行计算,将二者结合在一起,获取考虑密码学理论下防控措施后,私密信息风险值,实现私密信息安全风险评估。结果表明：所提方法可有效实现私密信息安全风险评估;所提方法风险评估结果准确合理。可见所提方法评估性能准确。     

基于层次分析法的信息安全风险评估要素量化方法

信息安全风险评估是保障信息系统安全的重要基础性工作,但现有风险评估标准和相关研究提供的评估模型和计算方法的评估结果不能有效体现信息系统资产在保密性、完整性、可用性上的不同安全需求和面临的不同风险。利用层次分析法建立风险评估层次分析模型,在借鉴通用脆弱性评分系统指标评价体系基础上改进脆弱性要素量化方法,利用构建的层次分析模型偏量判断矩阵计算"安全事件损失""安全事件可能性"和"风险值"。通过实验验证,与现有方法相比,所提方法的评估结果能够直观体现资产在保密性、完整性和可用性上面临的不同风险,能为制定风险控制措施提供更加准确、合理的建议。     

基于模糊集和改进DS证据理论的危化品道路运输体系贝叶斯网络风险分析

针对危化品道路运输体系中影响因素信息的不确定性和专家知识推断贝叶斯网络中条件概率表时存在的主观性,提出了一种将模糊集和改进Dempster/Shafer证据理论（DS证据理论）、贝叶斯网络结合在一起的危化品道路运输体系的风险评价方法。根据危化品道路运输体系的影响因素建立了相应的风险评价体系,确定各层级的评价指标。将专家对各评价指标的评价意见代入高斯型隶属度函数构造隶属度矩阵,进行改进DS证据理论数据融合,得到多位专家评价意见融合后的概率值分布。利用贝叶斯网络的推理功能,得出危化品道路运输体系的风险等级和其中各评价指标的概率值分布,找出体系薄弱环节并进行分析。以沈阳某危险货物托运有限公司为例进行研究,结果表明该公司中危化品道路运输体系的风险值为0.611 8,风险等级为较危险（V₂）,其中人员因素概率（60%）和管理因素概率（52%）所占权重较大,需要公司重点关注并加强管理。     

基于贝叶斯决策理论的NSHV分段建模威胁评估

临空高超声速飞行器（Near Space Hypersonic Vehicle,NSHV）具备复杂的运动模式和高动态特点,传统的威胁评估方法运用于NSHV时在评估要素选取和评估动态性等方面存在不足。从NSHV的飞行路径入手,将其划分为3个主要的飞行阶段,通过分析其各阶段运动特点和预警探测、拦截能力等因素,基于贝叶斯推理、决策理论建立起NSHV多阶段威胁评估模型,并通过先验概率将各阶段进行关联,保证了评估的继承性,最终建立典型场景进行仿真验证,仿真结果反映的威胁变化符合NSHV的作战特点和所给观测数据,证明该方法更适应NSHV的动态特性,能够为指挥员进行防御作战辅助决策提供支持。     

资产关联拓扑结构的信息系统安全评估模型

提出了基于资产关联拓扑结构的信息系统安全评估模型。以资产关联拓扑结构图为原型表示资产间的关联,量化计算判定各资产间关联以及关联性对整个信息系统风险的影响。该信息系统安全评估模型改进了传统的信息系统风险评估方法,添加资产关联性作为评估过程中的重要信息,实现了量化的信息安全评估。最后给出实例验证了模型对传统评估方法的改进。     

一种面向任务的网络风险评估模型

针对网络业务安全风险评估问题,提出了一种基于STRIDE威胁建模和隐式马尔科夫模型理论的STRIDE HMM风险评测方法,该方法以网络业务为切入点,给出了任务描述模型、任务资产模型、任务风险评估模型的构建方法及其联系。任务描述模型给出了任务阶段划分及相应的资产集、漏洞集和威胁集;任务资产模型给出了任务各阶段所依赖的资产集合,在此基础上采用隐式马尔科夫模型方法给出了资产安全状态量化计算方法;任务风险评估模型按照资产分类集合的结果,采用聚合分析方法给出了任务风险值计算方法,进而实现面向网络业务的风险评测。为了验证提出方法的有效性,采用TMT威胁建模工具典型web应用给出的资产、漏洞、威胁示例,利用提出的模型和方法对该示例进行了仿真验证,实验结果表明：该方法可为面向任务的安全计划制定和调度提供决策支持。     

信息系统脆弱性被利用概率计算方法

针对现有信息系统风险评估工作中对脆弱性的评估未考虑各脆弱性间的相关性,评估结果受到较多人为主观因素的影响,提出"被利用难易程度"和"被选择概率"两个指标将现有对脆弱性的"被利用难易程度"评价转换为更为科学的"被利用概率"评价,并用贝叶斯网络的正向推理计算脆弱性节点的累积"被选择概率"。通过理论和实验分析,与相关的研究成果相比,提出的脆弱性被利用概率计算方法更准确、合理。