ISSN 1000-1239 CN 11-1777/TP

• Information Security •

### A System for Scoring the Exploitability of Vulnerability Based Types

Lei Kenan¹,², Zhang Yuqing¹,², Wu Chensi², Ma Hua³

¹ State Key Laboratory of Integrated Services Networks (Xidian University), Xi'an 710071; ² National Computer Network Intrusion Protection Center (University of Chinese Academy of Sciences), Beijing 101408; ³ School of Mathematics and Statistics, Xidian University, Xi'an 710071 (leikn@nipc.org.cn)
• Published: 2017-10-01
• Online: 2017-10-01
• Funding:
National Natural Science Foundation of China (61572460, 61272481); National Key Research and Development Program of China (2016YFB0800700); Open Project of the State Key Laboratory of Information Security (2017-ZD-01); National Development and Reform Commission Information Security Special Project [(2012)1424]; National 111 Project (B16037)

Abstract: Vulnerabilities play an extremely important role in network security. Accurately quantifying the exploitability of a vulnerability is critical to attack-graph-based analysis of network information system security. Currently, the most widely used assessment system for vulnerability exploitability is the Common Vulnerability Scoring System (CVSS). First, the exploitability scores of 54331 vulnerabilities are computed using CVSS. Then, statistical analysis is performed on the computed exploitability scores, which indicates that CVSS scores lack diversity; more diverse results can help end users prioritize vulnerabilities and fix those that pose the greatest risk first. The statistical results also show that the scores are too concentrated. Finally, taking these disadvantages of CVSS into account, we study the factors that influence vulnerability exploitability and demonstrate that the type of a vulnerability can influence its exploitability. We therefore treat vulnerability type as one of the influence factors of vulnerability exploitability, use the analytic hierarchy process to quantify it, and propose a more comprehensive quantitative evaluation system based on CVSS, named exploitability of vulnerability scoring systems (EOVSS). Experiments show that the diversity of scores computed by EOVSS is four times that of scores computed by CVSS, and that EOVSS quantifies the exploitability of a vulnerability more accurately and effectively than CVSS.
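The diversity limit the abstract describes can be seen by enumerating the whole CVSS exploitability score space. The following is an added example, not code from the paper; it assumes CVSS v2.0 base metrics and weights (the abstract does not name the CVSS version) and does not reproduce the paper's data set or EOVSS.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP
from itertools import product

# Assumption: CVSS v2.0 base-metric weights from the public specification.
ACCESS_VECTOR = {"L": "0.395", "A": "0.646", "N": "1.0"}
ACCESS_COMPLEXITY = {"H": "0.35", "M": "0.61", "L": "0.71"}
AUTHENTICATION = {"M": "0.45", "S": "0.56", "N": "0.704"}


def exploitability(av, ac, au):
    """CVSS v2 exploitability subscore: 20 * AV * AC * Au, one decimal place."""
    raw = (Decimal(20) * Decimal(ACCESS_VECTOR[av])
           * Decimal(ACCESS_COMPLEXITY[ac]) * Decimal(AUTHENTICATION[au]))
    # Exact decimal arithmetic with half-up rounding avoids binary-float
    # surprises on values that sit exactly on x.x5.
    return raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def score_space():
    """Map every reachable exploitability score to the vectors producing it."""
    by_score = defaultdict(list)
    for av, ac, au in product(ACCESS_VECTOR, ACCESS_COMPLEXITY, AUTHENTICATION):
        by_score[exploitability(av, ac, au)].append(f"AV:{av}/AC:{ac}/Au:{au}")
    return dict(by_score)


def collisions(space):
    """Scores shared by more than one vector (indistinguishable for triage)."""
    return {score: vecs for score, vecs in space.items() if len(vecs) > 1}


if __name__ == "__main__":
    space = score_space()
    total = sum(len(v) for v in space.values())
    print(f"{total} metric combinations -> {len(space)} distinct scores")
    for score, vecs in sorted(collisions(space).items()):
        print(f"  {score}: {', '.join(vecs)}")
```

However many vulnerabilities are scored, three three-valued metrics cap the number of distinct exploitability scores, which is why an additional factor such as vulnerability type can widen the spread.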