改进漏洞基础评分指标权重分配方法

doi:10.11772/j.issn.1001-9081.2017.06.1630

计算机应用 ›› 2017, Vol. 37 ›› Issue (6): 1630-1635.DOI: 10.11772/j.issn.1001-9081.2017.06.1630

改进漏洞基础评分指标权重分配方法

谢丽霞, 徐伟华

中国民航大学计算机科学与技术学院, 天津 300300

收稿日期:2016-12-12 修回日期:2017-03-02 出版日期:2017-06-10 发布日期:2017-06-14
通讯作者: 谢丽霞
作者简介:谢丽霞(1974-),女,重庆人,副教授,硕士,CCF会员,主要研究方向:网络与信息安全;徐伟华(1989-),女,山东烟台人,硕士研究生,主要研究方向:网络与信息安全。
基金资助:
国家科技重大专项（2012ZX03002002）；国家自然科学基金资助项目（60776807，61179045）；天津市科技计划重点项目（09JCZDJC16800）；中国民航科技基金资助项目（MHRD201009，MHRD201205）。

Improved weight distribution method of vulnerability basic scoring index

XIE Lixia, XU Weihua

College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China

Received:2016-12-12 Revised:2017-03-02 Online:2017-06-10 Published:2017-06-14
Supported by:
This work is partially supported by the National Science and Technology Major Project (2012ZX03002002), the National Natural Science Foundation of China (60776807, 61179045), the Science and Technology Major Project of Tianjin (09JCZDJC16800), the Science and Technology Foundation of Civil Aviation University of China (MHRD201009, MHRD201205).

摘要/Abstract

摘要： 针对通用漏洞评分系统（CVSS）的基础评分指标权重分配过多依赖专家经验导致客观性不足的问题，提出一种漏洞威胁基础评分指标权重分配方法。首先，对评分要素的相对重要性进行排序；然后，采用指标权重组合最优搜索方法搜索权重组合方案；最后，结合灰色关联度分析方法，将基于专家经验决策的多个权重分配方案作为输入，获得权重组合方案。实验结果表明，与CVSS相比，从定量角度对比分析，所提方法评分结果分值分布比CVSS更为平缓连续，有效地避免了过多极端值的出现，并且评分分值分布的离散化更能客观有效地区分不同漏洞威胁的严重性；从定性角度对比分析，与CVSS中绝大多数漏洞（92.9%）被定为中高严重级别相比，所提方法在漏洞严重等级分配上实现了更为均衡的特征分布。

关键词: 漏洞评分, 评分要素, 权重分配, 灰色关联, 权重组合

Abstract: The basic scoring index weight distribution of the Common Vulnerability Scoring System (CVSS) relies too much on expert experience, which leads to the lack of objectivity. In order to solve the problem, a vulnerability basic scoring index weight distribution method was proposed. Firstly, the relative importances of scoring elements were sorted. Then, the index weight combination optimal search method was used to search the weight combination scheme. Finally, combined with the grey relation analysis method, the multiple weight distribution schemes based on expert experience decision were used as the input to obtain the weight combination scheme. The experimental results show that, compared with CVSS, from the quantitative point of view, the proposed method has more gentle score distribution of scoring results than the CVSS, which effectively avoids the excessive extreme values, and the discretization of score distribution can effectively distinguish the severity of different vulnerabilities objectively and effectively. The comparative analysis from the qualitative point of view show that, while the vast majority of vulnerabilities (92.9%) in CVSS are designated as the high level of severity, the proposed method can achieve more balanced characteristic distribution in grade distribution of vulnerability severity.

Key words: vulnerability scoring, scoring element, weight distribution, grey relation, weight combination

中图分类号:

TP393.08

谢丽霞, 徐伟华. 改进漏洞基础评分指标权重分配方法[J]. 计算机应用, 2017, 37(6): 1630-1635.

XIE Lixia, XU Weihua. Improved weight distribution method of vulnerability basic scoring index[J]. Journal of Computer Applications, 2017, 37(6): 1630-1635.

参考文献

[1] 刘奇旭,张翀斌,张玉清,等.安全漏洞等级划分关键技术研究[J].通信学报,2012,33(Z1):79-87.(LIU Q X, ZHANG Y B, ZHANG Y Q, et al. Research on key technologies of vulnerability threat classification[J]. Journal on Communications, 2012, 33(Z1):79-87.)
[2] 李锐.通用安全漏洞评估系统(CVSS)简介及应用建议[J].计算机安全,2011(5):58-60.(LI R. Brief introduction and application of general security vulnerability assessment system (CVSS)[J]. Network and Computer Security, 2011(5):58-60.)
[3] MELL P, SCARFONE K, ROMANOSKY S. A complete guide to the common vulnerability scoring system version 2.0[EB/OL].[2016-10-09]. https://wenku.baidu.com/view/5c90a4d5c1c708a1284a44fc.html.
[4] 唐成华,田吉龙,汤申生,等.一种基于GA-FAHP的软件漏洞风险评估方法[J].计算机科学,2015,42(9):134-138,158.(TANG C H, TIAN J L, TANG S S, et al. Risk assessment of software vulnerability based on GA-FAHP[J]. Computer Science, 2015, 42(9):134-138, 158.)
[5] 张恒巍,张健,韩继红,等.基于博弈模型和风险矩阵的漏洞风险分析方法[J].计算机工程与设计,2016,37(6):1421-1427.(ZHANG H W, ZHANG J, HAN J H, et al. Vulnerability risk analysis method based on game model and risk matrix[J]. Computer Engineering and Design, 2016, 37(6):1421-1427.)
[6] 付志耀,高岭,孙骞,等.基于粗糙集的漏洞属性约简及严重性评估[J].计算机研究与发展,2016,53(5):1009-1017.(FU Z Y, GAO L, SUN Q, et al. Evaluation of vulnerability severity based on rough sets and attributes reduction[J]. Journal of Computer Research and Development, 2016, 53(5):1009-1017.)
[7] 韦涛,彭武,王冬海.基于漏洞属性分析的软件安全评估方法[J].电光与控制,2015,22(8):66-70.(WEI T, PENG W, WANG D H. A method for software security assessment based on analysis of software defects[J]. Electronics Optics & Control, 2015, 22(8):66-70.)
[8] WANG Y, YANG Y. PVL:a novel metric for single vulnerability rating and its application in IMS[J]. Journal of Computational Information Systems, 2012, 8(2):579-590.
[9] CAMPBELL K, GORDON L A, LOEB M P, et al. The economic cost of publicly announced information security breaches:empirical evidence from the stock market[J]. Journal of Computer Security, 2003, 11(3):431-448.
[10] CAVUSOGLU H, MISHRA B, RAGHUNATHAN S. The effect of Internet security breach announcements on market value:capital market reactions for breached firms and Internet security developers[J]. International Journal of Electronic Commerce, 2004, 9(1):70-104.
[11] MELL P, SCARFONE K. Improving the common vulnerability scoring system[J]. IET Information Security, 2007, 1(3):119-127.
[12] 蒋诚.信息安全漏洞等级定义标准及应用[J].信息安全与通信保密,2007(6):148-149.(JIANG C. Rank definition standard and application for information security vulnerability[J]. Information Security and Communication Privacy, 2007(6):148-149.)

[1]	严爱军, 魏志远. 案例推理分类器的权重分配及案例库维护方法[J]. 计算机应用, 2021, 41(4): 1071-1077.
[2]	王佳欣, 冯毅, 由睿. 基于依赖关系图和通用漏洞评分系统的网络安全度量[J]. 计算机应用, 2019, 39(6): 1719-1727.
[3]	谢永华, 韩丽萍. 基于主梯度编码局部二进制模式的花粉图像识别[J]. 计算机应用, 2018, 38(6): 1765-1770.
[4]	王仁群, 彭力. 数据中心网络拓扑感知型拥塞控制算法[J]. 计算机应用, 2016, 36(9): 2357-2361.
[5]	邱桂, 闫仁武. 基于灰色关联分析的分布式协同过滤推荐算法[J]. 计算机应用, 2016, 36(4): 1054-1059.
[6]	刘盼盼, 洪旭东, 郭剑毅, 余正涛, 文永华, 陈玮. 基于灰色关联分析的中文新闻事件关联性识别[J]. 计算机应用, 2016, 36(2): 408-413.
[7]	邵田, 陈广胜, 景维鹏. 云存储系统中文件分界点确定方法——Cut-GAR[J]. 计算机应用, 2015, 35(9): 2497-2502.
[8]	陈迪, 周鸣争. 基于灰色理论的无线传感器网络信任模型[J]. 计算机应用, 2015, 35(6): 1693-1697.
[9]	黄会群. 灰色关联分析和粒子群优化算法相融合的合作伙伴选择[J]. 计算机应用, 2015, 35(4): 1045-1048.
[10]	曾友伟杨恢先唐飞谭正华何雅丽. 基于灰色关联度改进的Contourlet变换图像去噪算法[J]. 计算机应用, 2013, 33(04): 1103-1107.
[11]	雷斌陶海龙徐晓光. 基于改进粒子群优化算法的灰色神经网络的铁路货运量预测[J]. 计算机应用, 2012, 32(10): 2948-2951.
[12]	冯文郝顺义冯兴春范振洋. 基于改进B型灰色关联度与权衡因子的容错联邦滤波算法[J]. 计算机应用, 2012, 32(05): 1307-1310.
[13]	贾志娟胡明生刘思. 基于蚁群聚类的历史灾害分级方法[J]. 计算机应用, 2012, 32(04): 1030-1032.
[14]	杜志顺吴国平裘咏霄黄文丽陈茂源. 复合板灰色自适应瑕疵检测[J]. 计算机应用, 2010, 30(8): 2250-2253.
[15]	武月红张毓森朱欣刚. 基于灰色关联分析的多小波域图像隐写算法[J]. 计算机应用, 2009, 29(12): 3182-3184.

改进漏洞基础评分指标权重分配方法

Improved weight distribution method of vulnerability basic scoring index

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics