计算机应用研究 (Application Research of Computers), 2016, Vol. 33, Issue 12: 3785-3790, 6. DOI: 10.3969/j.issn.1001-3695.2016.12.058
Quantitative risk assessment of industrial control systems based on attack-tree and CVSS
Abstract
To quantify the risk of industrial control systems (ICS) and analyze it comprehensively and objectively, this paper proposed a new quantitative risk assessment method for ICS. The method first established the attack tree and the attacker model. It then quantified the leaf nodes comprehensively and objectively using CVSS, based on the special security needs of ICS, after which it calculated the risk probability and risk values of the attack sequence and the target node respectively, combined with imaginaries expressions of assets value and probabilistic risk assessment techniques. Finally, it analyzed the attack sequence and attack constraint with the attacker model, extracting the maximum risk area and system component. Case analysis shows that this method can reduce the influence of subjective factors in the quantization process and give a comprehensive and objective quantitative description of the risks, so that risk mitigation and avoidance can be carried out rationally and efficiently by finding the maximum risk areas and the components most in need of protection, which demonstrates the validity and feasibility of the method.
Key words
industrial control systems (ICS) / attack tree / common vulnerability scoring system (CVSS) / risk assessment / attack sequence
Classification
Information Technology and Security Science
Cite this article
王作广 (Wang Zuoguang), 魏强 (Wei Qiang), 刘雯雯 (Liu Wenwen). Quantitative risk assessment of industrial control systems based on attack-tree and CVSS [J]. 计算机应用研究 (Application Research of Computers), 2016, 33(12): 3785-3790, 6.
Funding
Supported by the National "863" Program ()