A Quantitative Evaluation System for Vulnerability Exploitability Based on Vulnerability Type
  • English title: A System for Scoring the Exploitability of Vulnerability Based Types
  • Authors: 雷柯楠 (Lei Kenan); 张玉清 (Zhang Yuqing); 吴晨思 (Wu Chensi); 马华 (Ma Hua)
  • Keywords: vulnerability; exploitability; vulnerability type; analytic hierarchy process; quantification
  • Chinese journal title: JFYZ
  • English journal title: Journal of Computer Research and Development
  • Institutions: State Key Laboratory of Integrated Services Networks (Xidian University); National Computer Network Intrusion Protection Center (University of Chinese Academy of Sciences); School of Mathematics and Statistics, Xidian University
  • Publication date: 2017-10-15
  • Publisher: Journal of Computer Research and Development (计算机研究与发展)
  • Year: 2017
  • Issue: v.54
  • Funding: National Natural Science Foundation of China (61572460, 61272481); National Key Research and Development Program of China (2016YFB0800700); Open Project of the State Key Laboratory of Information Security (2017-ZD-01); Information Security Special Project of the National Development and Reform Commission [(2012)1424]; National 111 Project (B16037)
  • Language: Chinese
  • Page: JFYZ201710017
  • Page count: 14
  • CN: 10
  • ISSN: 11-1777/TP
  • Classification number: 196-209
Abstract
Accurately quantifying the exploitability of an individual vulnerability is the foundation and key to analyzing network security posture based on attack paths. The most widely used vulnerability exploitability assessment system at present is the Common Vulnerability Scoring System (CVSS). We first use CVSS to score the exploitability of 54 331 vulnerabilities; statistical analysis of the results shows that CVSS suffers from insufficient diversity of scores and overly concentrated scores. Given these shortcomings, we further study the factors that influence vulnerability exploitability and find that vulnerability type affects the degree of exploitability. We therefore take vulnerability type as one of the factors for assessing exploitability, quantify it using the analytic hierarchy process, and propose, on the basis of CVSS, a more comprehensive quantitative evaluation system for vulnerability exploitability (exploitability of vulnerability scoring systems, EOVSS). Experiments show that EOVSS has good diversity and can quantify the exploitability of an individual vulnerability more accurately and effectively.
        As is known to all, vulnerabilities now play an extremely important role in network security. Accurately quantifying the exploitability of a vulnerability is critical to the attack-graph based analysis of network information system security. Currently the most widely used assessment system for vulnerability exploitability is the common vulnerability scoring system (CVSS). Firstly, the exploitability scores of 54331 vulnerabilities are computed by using CVSS. Then, statistical analysis is performed on the computed exploitability scores, which indicates that CVSS lacks diversity; more diverse results can help end-users prioritize vulnerabilities and fix those that pose the greatest risks first. Statistical results show that the scores are too centralized as well. Finally, taking into account the disadvantages of CVSS, we study the influence factors of vulnerability exploitability, and demonstrate that the type of a vulnerability can influence its exploitability. Therefore, we consider vulnerability type as one of the influence factors of vulnerability exploitability, use the analytic hierarchy process to quantify it, and propose a more comprehensive quantitative evaluation system named exploitability of vulnerability scoring systems (EOVSS) based on CVSS. Experiments show that the diversity of scores computed by EOVSS is four times that computed by CVSS, and EOVSS can more accurately and effectively quantify the exploitability of a vulnerability in comparison with CVSS.
