[1] YANG Yi-wei (杨一未). Research on Multi-factor Vulnerability Scoring System [J]. Computer Technology and Development (计算机技术与发展), 2022, 32(12): 88-94. [doi:10.3969/j.issn.1673-629X.2022.12.014]

Research on Multi-factor Vulnerability Scoring System

Computer Technology and Development (计算机技术与发展) [ISSN:1006-6977/CN:61-1281/TN]

Volume:
32
Issue:
2022, No. 12
Pages:
88-94
Column:
Software Technology and Engineering
Publication date:
2022-12-10

Article Info

Title:
Research on Multi-factor Vulnerability Scoring System
Article number:
1673-629X(2022)12-0088-07
Author(s):
YANG Yi-wei (杨一未)
China Information Technology Security Evaluation Center, Beijing 100085, China
Keywords (translated from the Chinese):
vulnerability; elimination control; common vulnerability scoring system; security risk
Keywords:
vulnerability; elimination control; common vulnerability scoring system / CVSS; security; risk
CLC number:
TP393.08
DOI:
10.3969/j.issn.1673-629X.2022.12.014
Abstract (translated from the Chinese):
Network security problems caused by vulnerabilities are becoming increasingly prominent, and information system operators and security technicians face unprecedented pressure. The technical grade or score given by vulnerability databases such as CNNVD alone cannot fully reflect how much harm a vulnerability does to information assets in a real scenario. This paper proposes a quantitative vulnerability risk evaluation method that combines several factors (computer system grading evaluation, network protection and connectivity, asset utilization rate, stakeholder risk tolerance, and vulnerability technical evaluation indexes) and gives the detailed calculation procedure. In this method, the computer system grading evaluation index can use the information security classified protection grade to comprehensively reflect the importance of the system. Once the network protection and connectivity index is subdivided into levels, it quantitatively reflects how well the system is protected. Asset utilization rate can be obtained through an asset management system, online monitoring or other technical means, and reflects the scope of the system's impact. The stakeholder risk tolerance index reflects the system's risk-bearing capacity through subjective scoring. The vulnerability technical evaluation index reflects the degree of harm through the objective characteristics of the vulnerability. Statistical analysis of simulated data shows that the method can analyze the potential threat level of vulnerabilities in a real environment fairly comprehensively and give a scientifically reasonable priority ordering for eliminating and controlling vulnerabilities on different information assets; it can be used by information system operators and security technicians to quantitatively evaluate the degree of harm of vulnerabilities.
Abstract (author's English version):
Network security problems caused by vulnerabilities are becoming increasingly prominent. Information system operators and security technicians are facing unprecedented pressure. The vulnerability technical grade or score given only by vulnerability databases such as CNNVD cannot fully reflect the damage degree of vulnerabilities on information assets in actual scenarios. Therefore, we propose a quantitative vulnerability risk evaluation method called "multi-factor vulnerability scoring system", which includes five indexes: computer system grading evaluation, network protection and connectivity, asset utilization rate, stakeholder risk tolerance and vulnerability evaluation. In this method, the computer system grading evaluation index can be used to comprehensively reflect the importance of the system by the information security grading protection index. After subdividing the network protection and connectivity indexes, the protection degree of the system can be quantitatively reflected. The asset utilization index can be obtained through an asset management system, online monitoring or other technical means to reflect the scope of influence of the system. The stakeholder risk tolerance index reflects system risk tolerance through subjective scoring. The vulnerability technology evaluation index reflects the hazard degree through the objective characteristics of the vulnerability. The statistical analysis shows that the proposed method can comprehensively analyze the potential threat degree of vulnerabilities in the actual environment, scientifically and reasonably give the priority order of vulnerability control on different information assets, and can be used by information system operators and security technicians to quantitatively evaluate the vulnerability hazard degree.

Last update: 2022-12-10