Journal of Hebei University (Natural Science Edition), 2017, Vol. 37, Issue 4: 405-410. DOI: 10.3969/j.issn.1000-1565.2017.04.012


A dynamic and comprehensive quantitative scoring method of vulnerability severity

GAO Ni1, HE Yiyue2, CHANG Yanshuo1, WANG Mengyang3

  1. School of Information, Xi’an University of Finance and Economics, Xi’an 710100, China; 2. School of Economics and Management, Northwest University, Xi’an 710127, China; 3. People's Bank of China Xi’an Branch, Xi’an 710075, China
  • Received: 2016-08-22  Online: 2017-07-25  Published: 2017-07-25
  • About the author: GAO Ni (born 1982), female, from Xianyang, Shaanxi; lecturer at Xi’an University of Finance and Economics, Ph.D.; main research interests are network security and machine learning. E-mail: gaoni@nwu.edu.cn
  • Funding: National Natural Science Foundation of China (61373176, 61572401, 61672426); Natural Science Foundation of Shaanxi Province (2015JQ7278)

Abstract: The CVSS (Common Vulnerability Scoring System) method rarely accounts for indicators that change over time and for their effect on the assessed severity of a vulnerability. This paper therefore proposes a dynamic vulnerability severity assessment (DVSA) method. Starting from the CVSS score, it introduces two dynamic indicators: the exploitability of the vulnerability's exploit code and the patch remediation level. Three vulnerability indices are selected and quantified: security impact, static vulnerability exploitability and dynamic vulnerability exploitability. The method yields a severity value from 0 to 10 for each vulnerability and rates its severity on three levels: high, moderate and low. Experimental results show that DVSA distinguishes vulnerabilities from one another more precisely, improving both the diversity and the accuracy of severity assessment results.

Key words: vulnerability, vulnerability severity assessment, exploit code exploitability
