Abstract: Computer vulnerability is a major hidden danger which endangers the safety of the network, and will attack the system by system configuration mistakes, system design flaws or software bugs. Due to a variety of factors which can produce vulnerability, there are many attributes associated with vulnerability, and it is difficult to shift attributes which are more relevant. It is also a hard problem to calculate attribute weights objectively which doesn’t depend on expert experience or prior knowledge. A new method named RAR of vulnerability assessment is proposed to shift vulnerability attributes and evaluate severity objectively. The attributes reduction for decision-making of vulnerability assessment is found depended on the discriminate matrix in rough sets theory. Then evaluate the vulnerability severity based on attributes comprehensive evaluation system theory. Finally we can get a binary group to represent qualitative evaluation and quantitative evaluation value of vulnerability. The result shows this method avoids the subjective choice for vulnerability attributes and the dependence of experts prior knowledge, and it satisfies for attributes reduction and attribute weights. And it is also accurate and effective for qualitative analysis and quantitative analysis of the vulnerability.

Key words: vulnerability, network security, rough sets, attributes reduction, assessment of vulnerability