隨著電腦技術的精進，各行業使用電腦極為普遍，電腦網路和資訊系統現今已成為社會發展和人們日常生活中不可或缺的重要工具。然而根據脆弱性資料庫的記載，電腦使用的作業系統與應用程式，均存在可能的風險或是潛在的脆弱性的危機，因此安全人員必須掌握這些脆弱性，降低系統遭受外來的破壞，包括駭客的入侵攻擊、竄改或毀損資料或植入木馬程式等，此外，企業內部的破壞，例如應用程式設計不良、存檔時遺失資料等問題。企業必須盡量遏止這些問題發生，才能夠減少資訊安全事件的發生機率。針對系統脆弱性的部份，本研究使用相對權重來分析資訊系統的安全狀態。主因在於目前市面上描述系統脆弱性的網站和脆弱性掃瞄工具十分眾多，並未考量脆弱性交互影響之因素，因此本研究將主要的研究方向放在脆弱性評估上。在研究方法上，依據資訊系統之主機所提供的服務種類來區分群組，之後再比對各種服務於開放源碼脆弱性資料庫(Open Source Vulnerability Database，OSVDB)記載之脆弱性資訊，參照通用脆弱性評估系統(Common Vulnerability Scoring System，CVSS)，有效的評估資訊系統主機安全脆弱性之量度；再設計問卷，以分析網路程序法(Analytic Network Process，ANP)探討各脆弱性之相對權重，找出整個系統中脆弱性最高的群組。本研究之評估架構，可發展成適用於其他組織評估脆弱性指標之評鑑模型，此評鑑模型可提供為加強及改善控制措施不足的依據，使管理者考量是否在資訊安全上須投入更多的管理成本，並且讓管理者可以優先處理系統的不足點，也可做為風險管理持續改善的目標。

In recent years, most people work in the companies to use computer is very common. Computers, networks and information systems have become an important tool of daily life now. However, the computer operating systems and applications exist potential vulnerabilities and risks according to the vulnerability database records. Managers must control these vulnerabilities and reduce the damage of system from external: such as invasion of hackers, tampering or damage of data, implantation of Trojans, or internal: such as poor design, loss of data, etc. The managers must reduce risks and information security incidents. This study used a measure of the relative weights that the system security status about vulnerability of the system. Many websites that provide vulnerability lists and vulnerability scanning tools don't include the interdependencies among various vulnerability. Therefore, the major research of this study focuses on vulnerability assessment. In this study, according to the services of information system, we can identify three main resource groups, and get metrics of vulnerability from OSVDB(Open Source Vulnerability Database) and CVSS(Common Vulnerability Scoring System). Then we get relative weights of vulnerability using the ANP(Analytic Network Process) technique and find out the highest groups of vulnerability in the system. The assessment framework of this study can be applied to other organizations to develop into the vulnerability assessment of evaluation model. This model not only improves the system security but also enables the administrator to visualize the impact of various vulnerability in the final result. Further, this model can be used as security solution assessment tool.

目 錄
摘要 i
Abstract ii
目錄 iii
表目錄 iv
圖目錄 vi
1. 緒論 1
1.1 研究動機 1
1.2 研究目的 2
1.3 研究限制 3
1.4 研究架構 3
2. 文獻探討 5
2.1 脆弱性資料庫概述 5
2.2 分析網路程序法 9
2.3 通用脆弱性評估系統 11
2.4 防火牆概述 15
2.5 脆弱性分析相關文獻 17
2.6 AHP與ANP評選之相關文獻 19
3. 研究方法 21
3.1 建構系統脆弱性評估模型 21
3.2 使用OSVDB評估系統脆弱性之重要性 22
3.3 分析網路程序法評估步驟 24
3.4 脆弱性加權處理 25
3.5 脆弱性資料庫更新流程 25
4. 進行風險評鑑，以S大學為例 27
4.1 使用OSVDB分析資訊系統計算系統群組脆弱性權重 27
4.2 利用分析網路程序法分析問卷 31
4.3 建構系統脆弱性評估模型 36
4.4 小結 37
5. 結論 39
5.1 結論 39
5.2 未來工作 39
參考文獻 41
附錄一 43
附錄二 47

參考文獻
中文

[1]王蓮芬，「網路分析法(ANP)的理論與算法」，系統工程理論與實踐第3期，pp. 44-50，2001。
[2]林勤經，樊國楨，方仁威，黃景彰，「資訊安全管理系統建置工作之研究」，資訊管理研究，第4卷，第2期，p43-69，2002年7月。
[3]教育部校園資訊安全服務網，http://cissnet.edu.tw/。
[4]陳志豪，「弱點評估及不良設定檢測之研究與實作」，國立成功大學電腦與通訊研究所碩士論文，pp. 72，2007。
[5]陳盈達，「網際網路防火牆政策驗證系統」，逢甲大學資訊工程學系碩士班碩士論文，pp. 1，2006。
[6]黃小玲，「個資法與國際隱私管理標準、規範之分析與應用」，資訊安全通訊，第17卷，第3期，p.22-36，2011年7月。
[7]黃鵬羽，楊中皇，「異質性弱點資料庫整合與研究」，2009資訊科技國際研討會，pp. 2，2009。
[8]葉桂珍，張榮庭，「企業之資訊安全策略與其產業別及資訊化程度關係探討」，資訊管理學報，第13卷，第2期，p.113-143，2006年4月。
[9]詹燦芳，「國內ISMS導入效益、成功要素與遭遇困難之研究」，國立臺灣科技大學資訊管理系碩士論文，pp. 79，2007。
[10]褚志鵬，「層級分析法(AHP)理論與實作」，國立東華大學企業管理學系教材，pp. 12，2009。
[11]樊國楨，黃健誠，「個人資料保護與資訊安全管理初探」，電腦稽核，第23期，p.1-15，2011年1月。
[12]樊國楨，朱潮昌，黃健誠，「影響組織採行與應用資訊安全管理系統認證之關鍵因素」，資訊安全通訊，第17卷，第3期，p.3-21，2011年7月。
[13]蘇建源，蔡旻修，阮金聲，「以個案分析法探討金融業之企業營運持續管理」，電腦稽核，第24期，p.65-81，2011年7月。

英文

[14]BSI British Standards Institute's Taiwan branch, http://www.bsigroup.tw/zh-tw.
[15]C. Kruegel and G. Vigna, "Anomaly Detection of Web-based Attacks," Proc of the 10th ACM Conference on Computer and Communication Security (CCS-03), USA, pp. 251-261, October 2003.
[16]C.H. Lin, C.H. Chen and C.S. Laih, "A Study and Implementation of Vulnerability Assessment and Misconfiguration Detection," Asia-Pacific Services Computing Conference 2008, pp. 1252-1257, 2008.
[17]Cisco Systems Inc. "Cisco ASDM User Guide Version 5.2," http://www.cisco.com /en/US/docs/security/asa/asa72/asdm52/user/guide/ASDMp.pdf, pp. 17-1-10, 2008.
[18]F. Feng and H.Y. Liu, "Evaluation of logistics service provider using analytic network process," Third International Conference on Natural Computation (ICNC 2007), pp. 227-231, 2007.
[19]G. Vache, "Vulnerability Analysis for a Quantitative Security Evaluation," ESEM'09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement, pp. 526-534, 2009.
[20]J. Edwards and D. DeVoe, "3-Tier Client/Server at Work," John Wiley & Sons Inc.,1997.
[21]J. Sun, H. Chen and C. Niu, "A New Database Firewall Based on Anomaly Detection," Parallel and Distributed Computing, Applications and Technologies (PDCAT), 2010 International Conference, pp. 399-404, 2010.
[22]K. Scarfone and P. Mell, "An Analysis of CVSS Version 2 Vulnerability Scoring," ESEM'09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement, pp. 516-525, 2009.
[23]M.D. Aime and F. Guasconi, "Enhanced Vulnerability Ontology for Information Risk Assessment and Dependability Management," 2010 Third International Conference on Dependability, pp. 92-97, July 2010.
[24]MITRE Corporation, "Common Vulnerabilities and Exposures (CVE)," http://cve. mitre.org/.
[25]Microsoft TechNet, Security TechCenter Library, http://technet.microsoft.com/en-us /library/cc875841.aspx.
[26]National Infrastructure Advisory Council, "Common Vulnerability Scoring System," http://www.first.org/cvss/cvss-dhs-12-02-04.pdf.
[27]Open Source Vulnerability Database, http://osvdb.org/.
[28]P. Mell, K. Scarfone and S. Romanosky, "A Complete Guide to the Common Vulnerability Scoring System Version 2.0," Forum of Incident Response and Security Teams, June 2007.
[29]R. Arnott, "A Review of Current Firewall Technologies," 2002.
[30]R. Kuhn and C. Johnson, "Vulnerability Trends Measuring Progress," IT Professional, pp. 51-53, July 2010.
[31]T.L. Saaty, "Decision making with dependence and feedback: the analytic network process," Pittsburgh, PA: RWS Publications, 1996.
[32]T.L. Saaty, "The analytic hierarchy process," New York, McGraw-Hill, 1980.
[33]X. Ji and C. Pattinson, "AHP Implemented Security Assessment and Security Weight Verification, socialcom," 2010 IEEE Second International Conference on Social Computing, pp. 1026-1031, 2010.