Journal article

Information security vulnerability scoring model for intelligent vehicles (cited by: 4)
Abstract: As vehicles become more intelligent and connected, more and more electronic devices are integrated into them. Various design flaws and vulnerabilities are hidden in this large body of hardware, firmware and software, which is the root cause of the information security problems of intelligent vehicles; these vulnerabilities have become the most important factor affecting vehicle safety. The disclosure of a large number of automotive vulnerabilities seriously affects vehicle safety and restricts the wide application of intelligent vehicles. Vulnerability management is an effective means of reducing the harm of vulnerabilities and improving vehicle security, and within the vulnerability management process, vulnerability assessment is an important step because it decides the priority with which a vulnerability is handled. However, existing vulnerability scoring systems cannot reasonably assess the security vulnerabilities of intelligent vehicles. To address this problem, an information security vulnerability scoring model for intelligent vehicles is proposed. Based on the scoring principles of the Common Vulnerability Scoring System (CVSS) and the characteristics of intelligent vehicles, the attack vector and attack complexity metrics of CVSS are optimized, and four impact metrics, property security, privacy security, functional safety and life safety, are added to characterize the possible impact of a vulnerability on an intelligent vehicle. Using a machine learning method, the parameters of the CVSS scoring formula are adjusted so that the formula better describes the characteristics of intelligent vehicle vulnerabilities and fits the adjusted and newly added metric weights. Case evaluation and statistics of the feature distribution show that the model has better diversity and a more stable and continuous feature distribution than CVSS, which means it can better score different vulnerabilities. Based on the vulnerability scores produced by the model, the analytic hierarchy process (AHP) is then used to evaluate the vulnerability of the whole vehicle, giving a score that represents the risk level of the whole vehicle. Compared with existing models, the proposed model evaluates the severity of information security vulnerabilities in intelligent vehicles more reasonably, assesses the security risk of the entire vehicle or part of its systems scientifically, and provides a basis for fixing vulnerabilities and reinforcing the vehicle.
Authors: YU Haiyang (于海洋), CHEN Xiuzhen (陈秀真), MA Jin (马进), ZHOU Zhihong (周志洪), HOU Shuning (侯书凝); Institute of Cyber Science and Technology, Shanghai Jiao Tong University, Shanghai 200240, China; Shanghai Municipal Key Lab of Integrated Management Technology for Information Security, Shanghai 200240, China
Source: Chinese Journal of Network and Information Security (《网络与信息安全学报》), 2022, No. 1, pp. 167-179 (13 pages)
Funding: National Natural Science Foundation of China Joint Fund (U2003206); Shanghai Municipal Industrial Foundation-Strengthening Special Project (GYQJ-2018-3-03).
Keywords: intelligent vehicle; Common Vulnerability Scoring System (CVSS); vulnerability scoring; risk assessment; nonlinear regression; analytic hierarchy process (AHP)