Abstract (translated from the Chinese)
To address the shortcoming that the default WIVSS scoring mechanism cannot reflect the complexity and diversity of vulnerabilities, vulnerability analysis theory and vulnerability scoring techniques are analyzed, and an improved vulnerability scoring method is designed on the basis of the Common Vulnerability Scoring System (CVSS) that is more diverse and better reflects real conditions. Starting from a set of actual system constraint rules derived from the analysis, the method uses an optimal vulnerability-score weight-combination search algorithm together with an information-entropy-based weight-combination selection algorithm to jointly determine the optimal vulnerability-score weight combination for the target network, and thereby obtains the optimal score for each vulnerability. The results show that the optimal weight combination determined by the proposed method for the target network preserves vulnerability diversity and remedies the deficiency of WIVSS.
Abstract
To make the WIVSS scoring mechanism reflect the complexity and diversity of vulnerabilities, the commonly used vulnerability analysis theory and vulnerability scoring methods were analyzed. A new vulnerability scoring method was designed on the basis of the Common Vulnerability Scoring System (CVSS) so that the complexity of vulnerabilities is reflected well. Starting from a set of actual system constraint rules obtained from the analysis, an optimal vulnerability-score weight-combination search algorithm and an information-entropy-based weight-combination selection algorithm were used to determine the optimal vulnerability-score weight combination for the target network, from which the best vulnerability scores were obtained. The results show that the proposed vulnerability weight combination ensures the diversity of vulnerability scores and improves on WIVSS.
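The abstract describes the method only at the level of its two building blocks: a search over candidate weight combinations that satisfy system constraint rules, and an information-entropy criterion that selects the combination keeping the resulting vulnerability scores diverse. The following Python sketch is an added illustration of that idea and is not the paper's code; the linear weighted score over CVSS v3.1 base-metric constants, the grid search, the two constraint rules, the score bands and the sample vulnerability vectors are all assumptions made here so that the selection step can be run end to end.

```python
"""Entropy-guided selection of a vulnerability-score weight combination.

Added illustration, not the paper's code. Assumed: a linear weighted score over
CVSS v3.1 base-metric constants, a grid of candidate weight vectors filtered by
two made-up constraint rules, and Shannon entropy over fixed score bands as the
diversity criterion. Only the general shape (constrained search + entropy
selection) follows the abstract.
"""
from math import log2

# Numeric values per metric level: the CVSS v3.1 base-metric constants
# (AV, AC, PR with scope unchanged, UI, and the C/I/A impact values).
METRIC_VALUES = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
METRICS = list(METRIC_VALUES)
MAX_VALUE = {m: max(v.values()) for m, v in METRIC_VALUES.items()}
EQUAL_WEIGHTS = {m: 1.0 / len(METRICS) for m in METRICS}  # baseline "default" weighting

# Constructed sample inventory (CVSS-style metric strings, not real CVE data).
SAMPLE_VULNS = {
    "vuln-1": "AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H",
    "vuln-2": "AV:N/AC:L/PR:N/UI:R/C:L/I:L/A:N",
    "vuln-3": "AV:A/AC:H/PR:L/UI:N/C:H/I:N/A:N",
    "vuln-4": "AV:L/AC:L/PR:L/UI:N/C:N/I:N/A:H",
    "vuln-5": "AV:P/AC:H/PR:H/UI:R/C:L/I:L/A:L",
    "vuln-6": "AV:N/AC:H/PR:N/UI:N/C:N/I:H/A:N",
}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/...' into a dict of numeric metric values."""
    values = {}
    for part in vector.split("/"):
        name, level = part.split(":")
        values[name] = METRIC_VALUES[name][level]
    return values


def score(values, weights):
    """Assumed scoring rule: weighted sum of normalised metrics, scaled to 0-10."""
    total = sum(weights[m] * values[m] / MAX_VALUE[m] for m in METRICS)
    return round(10.0 * total, 1)


def score_entropy(scores, band_width=2.0):
    """Shannon entropy (bits) of the score histogram over fixed bands; higher = more diverse."""
    scores = list(scores)
    last_band = int(10 // band_width) - 1
    counts = {}
    for s in scores:
        band = min(int(s // band_width), last_band)
        counts[band] = counts.get(band, 0) + 1
    n = len(scores)
    return -sum(c / n * log2(c / n) for c in counts.values())


def weight_candidates(step=0.05, min_weight=0.05):
    """Grid of weight vectors summing to 1 that satisfy the assumed constraint rules:
    rule 1: no metric weight below min_weight (every metric keeps some influence);
    rule 2: the C/I/A impact weights together carry at least 40% of the total."""
    units, min_units = round(1 / step), round(min_weight / step)

    def compositions(total, parts):
        if parts == 1:
            if total >= min_units:
                yield (total,)
            return
        for first in range(min_units, total - min_units * (parts - 1) + 1):
            for rest in compositions(total - first, parts - 1):
                yield (first,) + rest

    for comp in compositions(units, len(METRICS)):
        w = {m: c * step for m, c in zip(METRICS, comp)}
        if w["C"] + w["I"] + w["A"] >= 0.4 - 1e-9:
            yield w


def select_weights(vulns=SAMPLE_VULNS):
    """Return (weights, entropy, scores) for the candidate maximising score entropy."""
    parsed = {k: parse_vector(v) for k, v in vulns.items()}
    best = None
    for w in weight_candidates():
        scores = {k: score(vals, w) for k, vals in parsed.items()}
        h = score_entropy(scores.values())
        if best is None or h > best[1] + 1e-9:
            best = (w, h, scores)
    return best


if __name__ == "__main__":
    parsed = {k: parse_vector(v) for k, v in SAMPLE_VULNS.items()}
    base = {k: score(v, EQUAL_WEIGHTS) for k, v in parsed.items()}
    print("equal weights: entropy %.3f scores %s" % (score_entropy(base.values()), base))
    w, h, s = select_weights()
    print("selected     : entropy %.3f weights %s scores %s" % (h, w, s))
```

The baseline run with equal weights plays the role of the default scoring the abstract criticises; the selected combination is the one among the constrained candidates whose scores spread the sample inventory across the most bands, which is what the entropy criterion rewards.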
Keywords
vulnerability assessment /
vulnerability scoring /
network security /
information entropy /
weight combination
Key words
vulnerability score /
vulnerability assessment /
network security /
information entropy /
weight combination
Funding
State Grid Corporation of China Science and Technology Project (SGRIXTKJ[2015]614)