
A Quantitative Vulnerability Exploitability Assessment System Based on Vulnerability Type

Published: 2018-10-09 11:03
[Abstract]: Accurately quantifying the exploitability of a single vulnerability is the basis of, and the key to, analyzing the network security situation through attack paths. The most widely used vulnerability exploitability assessment system today is the Common Vulnerability Scoring System (CVSS). CVSS is first used to score the exploitability of 54,331 vulnerabilities; statistical analysis of the results shows that the CVSS scoring system suffers from problems such as insufficient diversity of scoring results and excessive concentration of scores. In view of these shortcomings of CVSS, the factors that influence vulnerability exploitability are studied further, and it is found that vulnerability type affects the degree of exploitability. Vulnerability type is therefore taken as one of the factors for assessing vulnerability exploitability and is quantified using the analytic hierarchy process (AHP), and a more comprehensive quantitative assessment system for vulnerability exploitability (exploitability of vulnerability scoring systems, EOVSS) is proposed on the basis of CVSS. Experiments show that EOVSS has good diversity and quantifies the exploitability of a single vulnerability more accurately and effectively.
[Affiliations]: State Key Laboratory of Integrated Services Networks (Xidian University); National Computer Network Intrusion Protection Center (University of Chinese Academy of Sciences); School of Mathematics and Statistics, Xidian University
[Funding]: National Natural Science Foundation of China (61572460, 61272481); National Key R&D Program of China (2016YFB0800700); Open Project of the State Key Laboratory of Information Security (2017-ZD-01); National Development and Reform Commission Information Security Special Project [(2012)1424]; National 111 Project (B16037)
[Classification number]: TP393.08
