A dynamic and comprehensive quantitative scoring method of vulnerability severity

doi:10.3969/j.issn.1000-1565.2017.04.012脆弱性严重性动态综合量化评估方法

Abstract

Abstract: The vulnerability severity evaluation is rarely considered the dynamic indicator with changing time in the CVSS method, so the paper proposes a method of dynamic vulnerability severity assessment(DVSA).The code exploitability and the patch remediation level of dynamical indexes are introduced based on the CVSS score.Three vulnerability indexes, such as the safety influence attribute, the static vulnerability exploitability attribute and the dynamic vulnerability exploitability attribute, are selected and quantified.The vulnerability severity is evaluated with values from 0 to 10 by using the DVSA method, which can divide vulnerability severity rank into three levels: high, moderate and low.Experimental results showed that this method can more precisely distinguish the difference between vulnerabilities, and improve the diversity and accuracy of the vulnerability severity evaluation.

Key words: vulnerability, vulnerability severity evaluation, the code exploitability of vulnerability

CLC Number:

TP393

GAO Ni, HE Yiyue, CHANG Yanshuo, WANG Mengyang. A dynamic and comprehensive quantitative scoring method of vulnerability severity[J]. Journal of Hebei University (Natural Science Edition), 2017, 37(4): 405-410.

0
/ / Recommend

Add to citation manager EndNote|Ris|BibTeX

URL: //xbzrb.hbu.edu.cn/EN/10.3969/j.issn.1000-1565.2017.04.012脆弱性严重性动态综合量化评估方法

//xbzrb.hbu.edu.cn/EN/Y2017/V37/I4/405

References

[1] 中国信息安全测评中心.China national vulnerability database of information security(CNNVD)[EB/OL]. [2017-5-2].http://www.cnnvd.org.cn/.
[2] 高妮.网络安全多维动态风险评估关键技术研究[D].西安:西北大学, 2016. GAO N.The research on key technologies of multi-dimensional and dynamic risk assement of network security[D].Xi’an:Northwest University, 2016.
[3] THE MITRE CORPORATION.Common vulnerabilities and exposures(CVE)[EB/OL].[2017-4-24].http://www.cve.mitre.org/.
[4] NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY.National vulnerability database(NVD)[EB/OL]. [2017-1-23].https://nvd.nist.gov/download.cfm.
[5] AHMED M S, AI-SHAER E, KHAN L.A novel quantitative approach for measuring network security[Z].International Conference on Computer Communications, Phoenix, 2008.
[6] DINH T N, YING X, THAI M T, et al.On new approaches of assessing network vulnerability: hardness and approximation[J].IEEE/ACM Transactions on Networking, 2012, 20(2):609-619.
[7] YANG H, ZHANG Y, HU Y, et al.IKE vulnerability discovery based on fuzzing[J].Security & Communication Networks, 2013, 6(7):889-901.
[8] LIU Q, ZHANG Y, KONG Y, et al.Improving VRSS-based vulnerability prioritization using analytic hierarchy process[J].Journal of Systems and Software, 2012, 85(8):1699-1708.
[9] 付志耀, 高岭, 孙骞, 等.基于粗糙集的脆弱性属性约简及严重性评估[J].计算机研究与发展, 2016, 53(5):1009-1017.DOI: 10.7544/issn1000-1239.2016.20150065. FU Z Y, GAO L, SUN Q, et al.Evaluation of vulnerability severity based on rough sets and attributes reduction[J].Journal of Computer Research and Development, 2016, 53(5):1009-1017.DOI: 10.7544/issn1000-1239.2016.20150065.
[10] FREI S, MAY M, FIEDLER U, et al.Large-scale vulnerability analysis[Z].Proceedings of the Workshop on Large-scale Attack Defense, Pisa, 2006:131-138.

[1]	WEI Zihui, LI Xiaoyang, WANG Le, CAI Daxin, YE Xingyue, DING Zhenjun. Improved TDOA 3d positioning algorithm based on adaptive Levy flight [J]. Journal of Hebei University(Natural Science Edition), 2023, 43(2): 207-215.
[2]	YANG Xiaohui, WANG Weibin. Spammer detection model based on hierarchical attention mechanism [J]. Journal of Hebei University(Natural Science Edition), 2023, 43(1): 95-102.
[3]	WEI Mingjun, ZHANG Xinnan, LIU Yazhi, ZHOU Taiyu. A network intrusion detection method based on SSA-BRF [J]. Journal of Hebei University(Natural Science Edition), 2022, 42(5): 552-560.
[4]	CHANG Tieyuan, LIU Weina, ZHANG Yan, LI Huiya. Optimized LEACH protocol based on distance and energy of cluster head [J]. Journal of Hebei University (Natural Science Edition), 2019, 39(2): 194-200.
[5]	TIAN Junfeng, CAI Hongyun. Shilling attacks and security of recommender systems [J]. Journal of Hebei University (Natural Science Edition), 2018, 38(6): 640-647.
[6]	HE Zhiqiang, LIN Yongjun. A LARS scheduling algorithm based on classification improvement and its dynamic parameter performance analysis [J]. Journal of Hebei University (Natural Science Edition), 2017, 37(5): 537-544.
[7]	MA Guofu,WANG Zixian,MA Shengli. Analysis of the effectiveness of machine learning model in predicting the risk of inmates [J]. Journal of Hebei University (Natural Science Edition), 2017, 37(4): 426-433.
[8]	ZHANG Xizhong,XU Jianmin. Research on document similarity based on terms synonymous relationship [J]. Journal of Hebei University (Natural Science Edition), 2017, 37(1): 108-112.
[9]	MA Guofu,WANG Zixian,MA Shengli. Prediction of the risk of offenders based on big data [J]. Journal of Hebei University (Natural Science Edition), 2016, 36(6): 657-666.
[10]	MA Guofu,MA Shengli,WANG Zixian,LI Shuangyin,CHENG Yusi. Application of data recovery in the electronic data forensics and judicial identification [J]. Journal of Hebei University (Natural Science Edition), 2015, 35(5): 538-545.
[11]	LIU Haiqin. Research on resource search mechanism in hybrid P2P network [J]. Journal of Hebei University (Natural Science Edition), 2015, 35(3): 311-315.
[12]	XIAO Xianqian,ZHU Junping,JING Xu,MA Qiaoe. One-class intrusion detection technique based on Bayesian approach [J]. Journal of Hebei University (Natural Science Edition), 2014, 34(1): 7-13.
[13]	MA Guofu,WANG Zixian,WANG Kuipeng. On electronic judicial identification model based on evidence chain [J]. Journal of Hebei University (Natural Science Edition), 2013, 33(3): 317-323.
[14]	WANG Jianling,LI Renling,WANG Hengcao,WANG Tiezhu. Multi-layer intrusion tolerant mechanism for Web services [J]. Journal of Hebei University (Natural Science Edition), 2012, 32(5): 545-549.
[15]	TIAN Jun-feng,CAI Hong-yun. Actuality and Development of Trust Model [J]. Journal of Hebei University (Natural Science Edition), 2011, 31(5): 555-560.