
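A Method for Information Security Risk Assessment Based on the Fuzzy Set Theory and DS Evidence Theory*
Cite this article: Wang Jiao, Fan Kefeng, Mo Wei. A Method for Information Security Risk Assessment Based on the Fuzzy Set Theory and DS Evidence Theory*[J]. Application Research of Computers, 2017, 34(11).
Authors: Wang Jiao, Fan Kefeng, Mo Wei
Affiliations: School of Electronic Engineering and Automation, Guilin University of Electronic Technology; China Electronics Standardization Institute; School of Electronic Engineering and Automation, Guilin University of Electronic Technology
Funding: National Intelligent Manufacturing Special Project (京财经一指[2015]1170号); MIIT Industrial Control Security Assessment Special Project (工信软函[2015]366号); National Science and Technology Support Program (2015BAK21B04); Electronic Development Fund (工信部财[2014]425号)
Abstract: The information security risk assessment process involves many uncertain and fuzzy factors. To address the uncertainty and subjectivity of expert evaluation opinions, a risk assessment method that combines fuzzy set theory with DS evidence theory is proposed. First, based on the process and elements of information security risk assessment, a risk assessment index system is established and the risk influencing factors are determined. Second, a Gaussian membership function is used to obtain the degree to which each expert's evaluation of each influencing factor belongs to each evaluation level. Third, these degrees are taken as the basic probability assignment required by DS theory, and a fusion algorithm based on matrix analysis and weight distribution is introduced to combine the evaluation opinions of multiple experts. Finally, using the inference algorithm of a Bayesian network model, the level of risk faced by the information system under assessment is obtained and analyzed. The results show that applying fuzzy set theory and DS evidence theory to the traditional Bayesian network risk assessment method can, to some extent, improve the objectivity of the assessment results.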

Keywords: information security; risk assessment; fuzzy set; DS evidence theory; Bayesian network
Received: 2016/8/5
Revised: 2017/8/2

A Method for Information Security Risk Assessment Based on the Fuzzy Set Theory and DS Evidence Theory
Wang Jiao, Fan Kefeng and Mo Wei. A Method for Information Security Risk Assessment Based on the Fuzzy Set Theory and DS Evidence Theory[J]. Application Research of Computers, 2017, 34(11).
Authors: Wang Jiao, Fan Kefeng and Mo Wei
Affiliation: Guilin University of Electronic Technology, Guangxi Guilin; China Electronics Standardization Institute; Guilin University of Electronic Technology, Guangxi Guilin
Abstract: The information security risk assessment process involves many uncertain and fuzzy factors. To address the uncertainty and subjectivity of expert evaluations, we propose a risk assessment method based on fuzzy set theory and DS evidence theory. First, following the process and elements of information security risk assessment, an index system is established and the risk factors are identified. Second, a Gaussian membership function is used to calculate the degree to which each expert evaluation belongs to each evaluation level. Third, these results are used as the basic probability assignment of DS theory, and a fusion algorithm based on matrix analysis and weight distribution is adopted to synthesize the views of several experts. Finally, combined with Bayesian theory and its inference procedure, the probability of risk to the information system is calculated and analyzed. The results show that the method based on fuzzy set theory and DS evidence theory can improve the objectivity of the evaluation results.
Keywords: information security; risk assessment; fuzzy set theory; DS evidence theory; Bayesian network