Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/16930
Title: | Decision Making Approaches for Security Vulnerability Management (資訊安全弱點管理之決策方法) |
Author: | Chien-Cheng Huang (黃健誠) |
Advisor: | 林永松 |
Keywords: | security vulnerability, security evaluation, fuzzy analytic hierarchy process, fuzzy synthetic decision making, fuzzy integral decision making, defense resource allocation |
Publication year: | 2014 |
Degree: | Doctoral |
Abstract: | The aim of this study is to formulate an analysis model that expresses the security level of vulnerabilities and serves as a basis for evaluating how dangerous an information system is, for filtering out hazardous vulnerabilities, and for improving the system's risk factors. Using a fuzzy analytic hierarchy process, this study systematizes the crossover factors of vulnerabilities that affect information security and builds an evaluation framework. First, the fuzzy Delphi method is used to screen the main aspects affecting information security and their relative determinants. A membership function is then established for each factor, and together these form the fuzzy synthetic decision-making model for vulnerability security level. The model shows how each vulnerability performs on the main aspects, revealing potential risk factors in information system security, and this information serves as a reference for improvement. Second, the study proposes a fuzzy-measure approach that improves on the traditional fuzzy synthetic decision-making model's assumption of additivity and independence among the evaluation aspects and criteria, and, taking the subjective nature of human judgment into consideration, constructs a fuzzy integral decision-making model. The results demonstrate that the evaluation model is practical and can be applied to measure the security level of newly discovered vulnerabilities. In addition, the fuzzy integral decision-making model reflects the multiplicative effect among the major aspects influencing information security.
On the other hand, based on the above results’ weight and security level, with limited defense resources, this research proposes defense resource allocation strategies for security vulnerability management in order to maximize security utility and improve defense capability. As the problem is a mathematical optimization problem of nonlinear programming, this study finds the near optimal defense resource allocations for analysis and discussion through the problem-solving process. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/16930 |
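Full-text authorization: | Not authorized |
Appears in collections: | Department of Information Management |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-103-1.pdf (not currently authorized for public access) | 5.25 MB | Adobe PDF |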