A Quantitative Evaluation System for Vulnerability Exploitability Based on Vulnerability Type
Published: 2018-10-09 11:03
【Abstract】: Accurately quantifying the exploitability of an individual vulnerability is the foundation of, and the key to, analyzing the network security situation based on attack paths. The most widely used vulnerability exploitability assessment system today is the Common Vulnerability Scoring System (CVSS). CVSS is first used to score the exploitability of 54,331 vulnerabilities, and statistical analysis of the results shows that the CVSS scoring system suffers from problems such as insufficient diversity in its scoring results and scores that are too concentrated. In view of these shortcomings of CVSS, the factors that affect vulnerability exploitability are studied further, and it is found that vulnerability type can influence the degree of exploitability. Vulnerability type is therefore taken as one of the factors in assessing vulnerability exploitability and is quantified using the analytic hierarchy process (AHP), and a more comprehensive quantitative evaluation system for vulnerability exploitability (exploitability of vulnerability scoring systems, EOVSS) is proposed on the basis of CVSS. Experiments show that EOVSS has good diversity and can quantitatively evaluate the exploitability of an individual vulnerability more accurately and effectively.
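【Affiliations】: State Key Laboratory of Integrated Services Networks (Xidian University); National Computer Network Intrusion Protection Center (University of Chinese Academy of Sciences); School of Mathematics and Statistics, Xidian University
【Funding】: National Natural Science Foundation of China (61572460, 61272481); National Key Research and Development Program of China (2016YFB0800700); Open Project of the State Key Laboratory of Information Security (2017-ZD-01); National Development and Reform Commission Information Security Special Project [(2012)1424]; National 111 Project (B16037)
【Classification number】: TP393.08
Article number: 2259100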
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2259100.html