The invention discloses a layered online risk assessment system and method for intrusion processes, used to assess in real time the risk that an ongoing intrusion process produces on three layers: the service, the host and the network. On the service layer, evidence theory is used to fuse multiple vectors in an alarm thread to compute a risk index; these vectors reflect changes in risk, and the risk index reflects the objective condition of the intrusion risk. The risk index is considered together with the target risk distribution, which reflects subjective safety awareness, to comprehensively assess the risk condition of a target. On the host layer, a risk assessment method based on the cask principle is provided. On the network layer, the concept of a safety dependence network is introduced, and an improved risk spreading algorithm is used to complete the risk assessment of the network layer. The invention closely combines the alarm processing steps of alarm verification, aggregation and correlation, as well as alarm confidence learning, with the risk assessment, so that subjectivity, fuzziness, uncertainty and other problems in the risk assessment are better handled.
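The service-layer fusion and host-layer aggregation described above, sketched as an added example that is not taken from the patent: it assumes the evidence theory in question is Dempster-Shafer combination over a two-element frame, takes the fused belief in "risk" as the risk index, and reads the cask principle as "the worst service determines the host's risk". The service names and mass values are constructed.

```python
from functools import reduce
from itertools import product

RISK, SAFE = frozenset({"risk"}), frozenset({"no_risk"})
THETA = RISK | SAFE  # whole frame: mass placed here means "cannot tell"

def mass(risk, no_risk):
    """Basic probability assignment; the remainder goes to THETA (uncertainty)."""
    unknown = 1.0 - risk - no_risk
    if min(risk, no_risk) < 0 or unknown < -1e-12:
        raise ValueError("masses must be non-negative and sum to at most 1")
    return {RISK: risk, SAFE: no_risk, THETA: max(unknown, 0.0)}

def combine(m1, m2):
    """Dempster's rule of combination for two mass functions."""
    fused = {RISK: 0.0, SAFE: 0.0, THETA: 0.0}
    conflict = 0.0
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] += wa * wb
        else:
            conflict += wa * wb  # contradictory evidence, renormalised away
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: evidence cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}

def risk_index(evidence):
    """Fuse all evidence for one alarm thread; belief in RISK is the index."""
    return reduce(combine, evidence)[RISK]

def host_risk(service_indices):
    """Cask principle as assumed here: the riskiest service sets the host risk."""
    return max(service_indices.values())

# Constructed evidence per alarm thread, one mass function per vector.
THREADS = {
    "http": [mass(0.6, 0.1), mass(0.7, 0.1), mass(0.5, 0.2)],
    "ssh": [mass(0.2, 0.5), mass(0.3, 0.3)],
}
SERVICE_RI = {svc: risk_index(ev) for svc, ev in THREADS.items()}
HOST_RI = host_risk(SERVICE_RI)

if __name__ == "__main__":
    print(SERVICE_RI, HOST_RI)
```

Keeping part of each mass on the whole frame is what lets a low-confidence alarm contribute weak evidence without being forced to vote for or against risk.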