Assessment Model of Cloud Service Security Level Based on Standardized Security Metric Hierarchy
Authors: LI Xiang (College of Computer Sci., Sichuan Univ., Chengdu 610065, China; Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China); YANG Rui (College of Cybersecurity, Sichuan Univ., Chengdu 610065, China); CHEN Xingshu (Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China; College of Cybersecurity, Sichuan Univ., Chengdu 610065, China); LIU Yaolei (College of Computer Sci., Sichuan Univ., Chengdu 610065, China); WANG Qixu (Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China; College of Cybersecurity, Sichuan Univ., Chengdu 610065, China)
Received: 2019-05-08. Year, volume(issue): pages: 2020, 52(3): 159-167
Journal: Advanced Engineering Sciences (工程科学与技术)
Keywords: cloud service; security metric; security level assessment; objective weight assignment; TOPSIS
Funding: National Natural Science Foundation of China (61802270; 61802271); Fundamental Research Funds for the Central Universities (SCU2018D018; SCU2018D022)
Abstract (translated from the Chinese)
To address the problems of traditional cloud service security assessment methods, namely assessment metrics that are coarse-grained and hard to quantify, and assessment methods that are highly subjective and inefficient, a cloud service security level assessment model based on a standardized security metric hierarchy is proposed. First, following the design principles for assessment metric systems, taking China's security capability requirements standard for cloud computing services as the basis, and drawing on the cloud service security control frameworks and service level agreement standards of foreign organizations, a method for constructing a fine-grained, quantifiable and standardized security metric hierarchy is proposed. Then, a cloud service security level assessment model is built on this metric hierarchy; when assessing the security level of a cloud service, the model accounts for the differing metric types in the hierarchy and the effect of their attributes on cloud service security, and a security level assessment method based on objective metric weight assignment is designed to quantitatively assess the security level of the object under evaluation. Finally, an application case study and a performance analysis experiment are used to validate the effectiveness of the proposed assessment model and the efficiency of its assessment method, respectively. The experimental results show that the proposed model not only assesses the security capabilities of different cloud service providers effectively and accurately, but also that its security level assessment method outperforms, in terms of performance, traditional cloud service security assessment methods based on the analytic hierarchy process (AHP).
Abstract (English)
To address the issues in the traditional literature that assessment metrics are coarse-grained and non-quantitative, and that assessment methods are subjective and inefficient, an assessment model of cloud service security level based on a standardized security metric hierarchy was proposed. First, a fine-grained, quantifiable and standardized cloud service security metric hierarchy was structured according to the design principles of evaluation metric systems. The content of the cloud service security metric hierarchy was composed of both domestic and foreign standards related to cloud service security. Second, a cloud service security level evaluation model was proposed based on the metric hierarchy. Considering the differences between metric types and the impact of attributes on the security features of cloud services, a security level assessment method was designed based on the objective weight assignment of the metrics to evaluate the security level of cloud services. Finally, a case study and a performance comparison experiment were conducted to validate the effectiveness of the proposed assessment model and the efficiency of its evaluation method, respectively. Experimental results show that the proposed assessment method is efficient and accurate in cloud service security level assessment, and that the evaluation method outperforms traditional cloud service security assessment methods.
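The abstract names two ingredients of the assessment method, objective weight assignment over the metric hierarchy and TOPSIS ranking of the evaluated cloud services, without giving the computation. The following is an added illustration, not code from the paper or its authors: it assumes entropy weighting as the objective weighting scheme (the paper does not state which scheme it uses), assumes that "metric types" means benefit-type metrics (higher is better) versus cost-type metrics (lower is better), and scores three constructed providers against four constructed leaf metrics. The provider names, metric names and values are all invented for the example.

```python
"""Entropy-weighted TOPSIS ranking of cloud service providers.

Added illustration of the abstract's "objective weight assignment" + TOPSIS
step.  The entropy weighting scheme and the benefit/cost metric split are
assumptions; the provider and metric data below is constructed, not measured.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed leaf metrics of a security metric hierarchy (hypothetical names).
# "benefit": higher is better; "cost": lower is better.
METRICS: List[Tuple[str, str]] = [
    ("mfa_coverage_pct", "benefit"),
    ("encryption_at_rest_pct", "benefit"),
    ("audit_log_retention_days", "benefit"),
    ("mean_patch_latency_days", "cost"),
]

# Constructed provider scores, one row per provider, columns follow METRICS.
PROVIDERS: Dict[str, List[float]] = {
    "provider_a": [100.0, 100.0, 365.0, 3.0],
    "provider_b": [80.0, 95.0, 180.0, 10.0],
    "provider_c": [40.0, 60.0, 30.0, 30.0],
}


def entropy_weights(matrix: Sequence[Sequence[float]]) -> List[float]:
    """Objective weights: a metric that separates providers more (lower entropy)
    receives a larger weight.  Falls back to equal weights when no metric
    discriminates at all (every column constant) or only one provider exists."""
    m, n = len(matrix), len(matrix[0])
    if m < 2:
        return [1.0 / n] * n
    k = 1.0 / math.log(m)
    divergence: List[float] = []
    for j in range(n):
        col = [row[j] for row in matrix]
        total = sum(col)
        if total == 0:
            divergence.append(0.0)
            continue
        # 0 * ln(0) is taken as 0, so zero entries are skipped.
        e = -k * sum((v / total) * math.log(v / total) for v in col if v > 0)
        divergence.append(1.0 - e)
    d_sum = sum(divergence)
    if d_sum <= 0:
        return [1.0 / n] * n
    return [d / d_sum for d in divergence]


def topsis(matrix: Sequence[Sequence[float]], weights: Sequence[float],
           kinds: Sequence[str]) -> List[float]:
    """Relative closeness of each row to the ideal provider, in [0, 1].
    kinds[j] is "benefit" or "cost" and decides which end of the column is ideal."""
    m, n = len(matrix), len(matrix[0])
    # Vector normalisation per column; a guard avoids division by zero for an all-zero column.
    norms = [math.sqrt(sum(row[j] ** 2 for row in matrix)) or 1.0 for j in range(n)]
    v = [[weights[j] * row[j] / norms[j] for j in range(n)] for row in matrix]
    best, worst = [], []
    for j in range(n):
        col = [row[j] for row in v]
        hi, lo = max(col), min(col)
        best.append(hi if kinds[j] == "benefit" else lo)
        worst.append(lo if kinds[j] == "benefit" else hi)
    scores = []
    for row in v:
        d_pos = math.sqrt(sum((row[j] - best[j]) ** 2 for j in range(n)))
        d_neg = math.sqrt(sum((row[j] - worst[j]) ** 2 for j in range(n)))
        # Identical providers are equidistant from both ideals: report 0.5 rather than dividing by zero.
        scores.append(0.5 if d_pos + d_neg == 0 else d_neg / (d_pos + d_neg))
    return scores


def rank_providers(providers: Dict[str, List[float]] = PROVIDERS,
                   metrics: Sequence[Tuple[str, str]] = METRICS):
    """Returns (ranking, weights): ranking is a list of (name, closeness), best first."""
    names = list(providers)
    matrix = [providers[name] for name in names]
    kinds = [kind for _, kind in metrics]
    weights = entropy_weights(matrix)
    closeness = topsis(matrix, weights, kinds)
    ranking = sorted(zip(names, closeness), key=lambda t: t[1], reverse=True)
    return ranking, weights


if __name__ == "__main__":
    ranking, weights = rank_providers()
    for (name, _), w in zip(METRICS, weights):
        print(f"weight[{name}] = {w:.3f}")
    for name, cc in ranking:
        print(f"{name}: closeness = {cc:.3f}")
```

Because provider_a is best on every metric it coincides with the positive ideal and scores exactly 1.0, while provider_c coincides with the negative ideal and scores 0.0; mapping the closeness coefficient onto security levels (the thresholds are the paper's contribution, not reproduced here) is the final step of such an assessment.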