中文摘要：

针对信息系统安全漏洞的风险定量分析问题,建立非合作非零和的漏洞攻防博弈模型,利用均衡局势下的收益期望对漏洞价值进行量化赋值。结合攻击图和风险矩阵对漏洞的连通关系进行定量分析,提出两种矩阵算子,实现对漏洞间综合连通度的计算。借助漏洞价值和综合连通度,设计系统漏洞风险评估算法。在量化分析漏洞的自身风险和传播风险的基础上,完成对漏洞全局风险的综合评价,评价结果可用于识别关键漏洞,提高系统安全防御的效能。实例分析结果表明了该模型和该算法的有效性。

英文摘要：

To quantificationally analyze the vulnerability risk of information system,the non-cooperative nonzero-sum attack-defense game model was built.The vulnerabilities worth was evaluated by the expectation profit on Nash equilibrium.Attack graph and risk matrix were considered to quantificationally analyze connectivity of the system vulnerabilities,and two matrix operators were proposed which were used to calculate the comprehensive connectivity degree among the vulnerabilities.With the vulnerabilities worth and comprehensive connectivity degree,a vulnerability risk evaluation algorithm was designed.The algorithm gained the global risk of system vulnerabilities based on quantification analysis of the self-risk and transmission-risk.Through the global risk,the managers can find the critical vulnerabilities and improve the security management efficiency.The example analysis verifies the effectiveness of the model and the algorithm.