基于损失量的G-O漏洞预测模型及其改进

doi:10.11959/j.issn.1000-0801.2015393

摘要/Abstract

摘要：

摘要：分析了度量漏洞的各个指标，提出了强安全性的数学定义，并使用损失量度量和预测漏洞，解决了软件可信性统一量纲问题。同时，讨论了损失量出现规律和漏洞数量发现规律之间的相似性，确定使用预测软件缺陷的模型来预测损失量。通过借鉴经典的G-O模型，建立了软件损失量的预测模型，即提出了基于损失量的G-O漏洞预测模型，并通过使用实际漏洞库中的数据检验了模型的准确性和实用性。

关键词: 安全漏洞, 损失量度量, G-O模型, 预测模型

Abstract:

Each index to measure the vulnerability was analyzed.A mathematical definition of strong security was proposed,and the loss measurement and forecasting of vulnerability were used to solve the problem of software dependability uniform dimension.At the same time,loss occurrence law and the number of vulnerabilities found similarities between the law were discussed,to determine whether the use of software defect prediction model to predict the amount of loss.By referring to the classical G-O model,the predictive model of software loss was established,namely model was developed to predict the loss of G-O based vulnerabilities,and the accuracy of the model and the practicability of the test by using the actual data in the vulnerability database.

Key words: security vulnerability, loss measurement, G-O model, prediction model

彭轼,郭昊,王涛. 基于损失量的G-O漏洞预测模型及其改进[J]. 电信科学, 2015, 31(Z1): 99-105.

Shi PENG,Hao GUO,Tao WANG. G-O vulnerability forecasting model and its improvement based on loss[J]. Telecommunications Science, 2015, 31(Z1): 99-105.

图/表 10

图1

图2

表1

表2

表3

图3

表4

表5

表6

图4

参考文献 15

[1]	SCHULTZ J E , BROWN D S , LONGSTAFF T A . Responding to computer security incidents[EB/OL].( 1990-07-23)[ 2015-09-20]. .
[2]	PFLEEGER C P . Security in computing[M]. Upper Saddle River: Prentice-Hall, 1997: 46-48.
[3]	SHIN Y , WILLIAMS L . Is complexity really the enemy of software security[C]// The 4th ACM Workshop on Quality of Protection October27-31, Alexandria,VA,USA.. New York: ACM Press, 2008:47-50.
[4]	ANDERSON R . Security in open VeTSUS closed systems-the dance of boltzmann,coase and moore[C]// The Conference on Open Source Software Economics Jul9, 2002, London,UK. Cambridge: MIT Press, 2002:1-15.
[5]	MUSA J D , IANNINO A , OKUMOTO K . Software reliability engineering[M]. New York: McGraw-Hill, 1999: 193-223.
[6]	MUSA J D , OKUMOTO K . A logarithmic Poisson execution time model for software reliability measurement[C]// The 7th Int'l Conference on Software Engineering Orlando: IEEE Press, 1984:230-238.
[7]	RESCORLA E . Is fining security holes a good idea[J]. IEEE Security&Privacy, 2005,3(1):14-19.
[8]	BECKER S , HASSELBRING W , PAUL A , et al. Trustworthy software systems:a discussion of basic concept and terminology[J]. ACM Sigsoft Software Engineering Notes, 2006,31(6):1-18.
[9]	杨光宇，曾东方，罗平 . 考虑短板效应的一种度量模型及其在软件可信性中的应用[J]. 计算机应用研究， 2012(1)：165-167. YANG G Y , ZENG D F , LUO P . Metric model considering effect of short board and its application in software trustworthiness[J]. Application Research of Computers, 2012(1):165-167.
[10]	王怀民，刘旭东，郎波，等. 软件可信分级规范 v2.0[R/OL].[ 2009-05-30]. . WANG H M , LIU X D , LANG B , et al. Research on method of emergency aid decision-making based on CBR[J]. Software trustworthiness classification specification v2.0[R/OL].[ 2009-05-30]. .
[11]	王怀民，唐扬斌，尹刚，等. 互联网软件的可信机理[J]. 中国科学E辑， 2006,36(10)：1156-1169. WANG H M , TANG Y B , YIN G , et al. he trusted mechanism of Internet software[J]. Science in China（E）, 2006,36(10):1156-1169.
[12]	LIU Y Z , ZHANG L , LUO P , et al. Research of trustworthy software system in the network[C]// The 5th International Symposium on Parallel Architectures,Algorithms and Programming, Dec17-20, 2012, Taipei,China. New Jersey: IEEE Press, 2012:287-294.
[13]	VOAS J . Why is it so hard to predict software system trustworthiness from software component trustworthiness[C]// The 20th IEEE Symposium on Reliable Distributed Systems, October28-31, 2001, New Orleans,Louisiana,USA. New Jersey: IEEE Press, 2001:179-179.
[14]	MUSA J D . A theory of software reliability and its application[J]. IEEE Transactions on Software Engineering,Los Alamitos, 1975,1(3):312-372.
[15]	MUSA J D , OKUMOTO K . A logarithmic Possion excution time model for software reliability measurement[C]// The 7th International Conference on Software Engineering. [S.l.]:Whippany Bell Laboratories, 1984:230-238.

序号	损失/万元	天数/日	累计损失/万元	估计值/万元	是否准确
1	3	1 327	128	127.441 6	否
2	3	1 328	131	128.451 5	否
3	2	1 363	133	133.100 7	是
4	3	1 371	136	134.141 5	否
5	1	1 385	137	138.696 4	否
6	1	1 407	138	139.270 1	否
7	2	1 442	140	141.359 8	否
8	2	1 448	142	141.674 0	是
9	2	1 449	144	142.881 9	否
10	4	1 457	148	143.903 8	否

序号	损失/万元	天数/日	累计损失/万元	估计值/万元	是否准确
1	3	2 347	143	142.061 4	否
2	4	2 372	147	146.123 5	否
3	3	2 382	150	148.652 6	否
4	3	2 448	153	154.285 6	否
5	4	2 454	157	156.803 4	是
6	2	2 467	159	159.331 1	是
7	3	2 488	162	161.869 1	是
8	4	2 505	166	164.399 7	否

序号	损失/万元	天数/日	累计损失/万元	估计值/万元	是否准确
1	3	728	103	103.760 9	否
2	2	729	105	104.297 7	否
3	2	745	107	106.927 7	是
4	2	766	109	109.059 0	是
5	2	770	111	111.600 9	否
6	2	820	113	113.367 6	是
7	2	826	115	114.381 6	否
8	3	828	118	115.816 1	否
9	2	832	120	118.633 1	否
10	2	835	122	119.640 7	否

序号	损失/万元	天数/日	累计损失/万元	估计值/万元	是否准确
1	3	1 327	128	128.344 0	是
2	3	1 328	131	131.702 1	是
3	2	1 363	133	134.526 5	否
4	3	1 371	136	135.497 6	是
5	1	1 385	137	137.919 2	否
6	1	1 407	138	138.091 6	是
7	2	1 442	140	140.522 7	是
8	2	1 448	142	141.280 2	否
9	2	1 449	144	141.881 9	否
10	4	1 457	148	142.943 3	否

序号	损失/万元	天数/日	累计损失/万元	估计值/万元	是否准确
1	3	1 327	128	128.344 0	是
2	3	1 328	131	131.702 1	是
3	2	1 363	133	134.526 5	否
4	3	1 371	136	135.497 6	是
5	1	1 385	137	137.919 2	否
6	1	1 407	138	138.091 6	是
7	2	1 442	140	140.522 7	是
8	2	1 448	142	141.280 2	否
9	2	1 449	144	141.881 9	否
10	4	1 457	148	142.943 3	否