Advisor: 林永松
Institution: National Taiwan University, Graduate Institute of Information Management
Author: 黃健誠 (Huang, Chien-Cheng)
Dates: 2014-11-29; 2018-06-29; 2014-11-29; 2018-06-29; 2014
URL: http://ntur.lib.ntu.edu.tw//handle/246246/263477

Abstract (Chinese, translated):
This study builds an analysis model that reflects the information security level of vulnerabilities, to serve as a basis for evaluating the danger level of information systems, screening dangerous vulnerabilities, and improving the risk factors of information systems. It applies the fuzzy analytic hierarchy process to systematize the cross-cutting factors of vulnerabilities that affect information security and to build an evaluation framework. First, the fuzzy Delphi method is used to screen the main aspects affecting information security and their corresponding influencing factors; the membership function of each factor is then built, and these are combined into a fuzzy synthetic decision-making model of vulnerability security level. The model shows how each vulnerability performs, in security terms, on each main aspect, revealing the latent risk factors of an information system as a reference for improvement plans. Second, a fuzzy measure approach is proposed that improves on the traditional fuzzy synthetic decision-making model's assumption of additivity and independence among evaluation aspects and criteria, yielding a fuzzy integral decision-making model of vulnerability security level that accounts for the subjective nature of real human judgment. The results show that the evaluation model is practical and can be applied to assess the security level of newly discovered vulnerabilities; the construction of the fuzzy integral decision-making model shows that it fully reflects the multiplicative interaction among the major aspects affecting information security. Further, based on the weights and security levels obtained above, and under the constraint of limited defense resources, defense resource allocation strategies for security vulnerability management are proposed to maximize security benefit and improve defense capability. This problem is a nonlinear programming optimization problem; the study solves it to find better defense resource allocations, which are then analyzed and discussed.

Abstract (English):
The aim of this study is to formulate an analysis model that can express security vulnerability grades and serve as a basis for the evaluation of information program danger levels or for filtering hazardous system vulnerabilities, and to improve it to counter various security threats. Using a fuzzy analytic hierarchy process, this paper organizes crossover factors of system blind spots, and builds an evaluation framework. First, via the fuzzy Delphi method, aspects and relative determinants affecting security are screened. It then identifies the value equation of each factor, and settles the fuzzy synthetic vulnerability decision-making model. This model can analyze the various degrees to which vulnerabilities affect system security, and this information will serve as a basis for future ameliorations of the system itself. This study also proposes an improvement from the traditional fuzzy synthetic decision-making model for measuring the fuzziness between the enhancement and independence of various aspects and criteria. Furthermore, taking human subjectivity into consideration, this paper constructs a fuzzy integral decision-making model. The case study demonstrates that the evaluation model in question is practical and can be applied to new vulnerabilities to measure their degree of penetration. In addition, the fuzzy integral decision-making model emphasizes the multiply-add effect between various factors influencing information security. On the other hand, based on the above results' weight and security level, with limited defense resources, this research proposes defense resource allocation strategies for security vulnerability management in order to maximize security utility and improve defense capability. As the problem is a mathematical optimization problem of nonlinear programming, this study finds the near-optimal defense resource allocations for analysis and discussion through the problem-solving process.

Table of Contents:
Chapter 1 Introduction
  1.1 Research Background and Motivation
  1.2 Research Objectives
  1.3 Organization of the Dissertation
Chapter 2 Literature Reviews
  2.1 Information Security Healthcare
  2.2 Scoring Systems
  2.3 Security Evaluation Factor of Vulnerabilities
  2.4 Vulnerability Lifecycle and Patch Management
Chapter 3 Security Vulnerability Evaluation Methods
  3.1 Model Logic and Structure
    3.1.1 Model Logic
    3.1.2 Model Structure
    3.1.3 Formulation Procedure
  3.2 Fuzzy Synthetic Decision Making
    3.2.1 Definition of Evaluation Criteria Set and Evaluation Grade Set
    3.2.2 Define the Weight of Various Evaluation Criteria
    3.2.3 Define the Performance Appraisal Membership Function of Each Evaluation Criterion
    3.2.4 Overall Evaluation
    3.2.5 Defuzzification
  3.3 Fuzzy Integral Decision Making
    3.3.1 Deciding the λ Measure and Obtaining the Importance Level
    3.3.2 Fuzzy Integral
    3.3.3 Prioritization of Vulnerability Security Level
Chapter 4 Implementations of Security Vulnerability Prioritization
  4.1 Formulation of Analysis Structure
    4.1.1 Analysis Structure and Evaluation Criteria
    4.1.2 Filter of Evaluation Criteria
  4.2 Define the Relative Weight of the Evaluation Criterion
    4.2.1 Design of Questionnaires and Investigation
    4.2.2 Evaluating the Relative Weight of Evaluation Criteria
  4.3 Formulation of Membership Function
  4.4 Defining the λ Fuzzy Measure
  4.5 Case Studies
    4.5.1 Implementations of Fuzzy Synthetic Decision Making
    4.5.2 Implementations of Fuzzy Integral Decision Making
  4.6 Discussions
Chapter 5 Defense Resource Allocation Strategies for Security Vulnerability Management
  5.1 Problem Formulation
    5.1.1 Problem Description and Assumptions of Problem 1
    5.1.2 Mathematical Formulation of Problem 1
    5.1.3 Problem Description and Assumptions of Problem 2
    5.1.4 Mathematical Formulation of Problem 2
  5.2 Solution Approach
    5.2.1 Lagrangean Relaxation of Problem 1
    5.2.2 Getting Primal Feasible Solutions for Problem 1
    5.2.3 Lagrangean Relaxation of Problem 2
    5.2.4 Getting Primal Feasible Solutions for Problem 2
  5.3 Computational Experiments
    5.3.1 Experimental Results for Problem 1
    5.3.2 Experimental Results for Problem 2
Chapter 6 Conclusions and Remarks
References

File: 5380574 bytes, application/pdf
Thesis usage rights: authorization not granted
Keywords: security vulnerability; information security evaluation; fuzzy analytic hierarchy process; fuzzy synthetic decision making; fuzzy integral decision making; defense resource allocation
Title (Chinese): 資訊安全弱點管理之決策方法
Title (English): Decision Making Approaches for Security Vulnerability Management
Type: thesis
Full text: http://ntur.lib.ntu.edu.tw/bitstream/246246/263477/1/ntu-103-D97725002-1.pdf