Lei Kenan, Zhang Yuqing, Wu Chensi, Ma Hua. A System for Scoring the Exploitability of Vulnerability Based Types[J]. Journal of Computer Research and Development, 2017, 54(10): 2296-2309. DOI: 10.7544/issn1000-1239.2017.20170457

A System for Scoring the Exploitability of Vulnerability Based Types

  • Published Date: September 30, 2017
  • Vulnerabilities play an extremely important role in network security. Accurately quantifying the exploitability of a vulnerability is critical to attack-graph-based analysis of network information system security. Currently, the most widely used assessment system for vulnerability exploitability is the Common Vulnerability Scoring System (CVSS). First, the exploitability scores of 54331 vulnerabilities are computed using CVSS. Then, statistical analysis is performed on the computed scores, which indicates that CVSS scores lack diversity and are too concentrated; more diverse results can help end users prioritize vulnerabilities and fix those that pose the greatest risk first. Finally, taking these disadvantages of CVSS into account, we study the factors that influence vulnerability exploitability and demonstrate that the type of a vulnerability can influence its exploitability. We therefore treat vulnerability type as one of the influencing factors, quantify it using the analytic hierarchy process, and propose a more comprehensive quantitative evaluation system based on CVSS, named exploitability of vulnerability scoring systems (EOVSS). Experiments show that the diversity of scores computed by EOVSS is four times that of scores computed by CVSS, and that EOVSS quantifies the exploitability of a vulnerability more accurately and effectively than CVSS.