
Research on Multi-factor Vulnerability Scoring System (original title: 多因素漏洞评价方法研究)

Cited by: 1
Abstract: Network security problems caused by vulnerabilities are becoming increasingly prominent, and information system operators and security technicians face unprecedented pressure. The technical grade or score given by vulnerability databases such as CNNVD cannot, on its own, fully reflect how harmful a vulnerability is to information assets in a real-world scenario. This paper proposes a quantitative vulnerability risk evaluation method, the "multi-factor vulnerability scoring system", which combines five indexes: computer system grading evaluation, network protection and connectivity, asset utilization rate, stakeholder risk tolerance, and vulnerability technical evaluation; the detailed calculation procedure is given. In this method, the computer system grading evaluation index can use the information security classified protection (等级保护) grade to reflect the overall importance of the system. After the network protection and connectivity index is subdivided into grades, it quantitatively reflects the degree to which the system is protected. The asset utilization rate can be obtained from an asset management system, online monitoring or other technical means, and reflects the system's scope of influence. The stakeholder risk tolerance index reflects the system's risk-bearing capacity through subjective scoring. The vulnerability technical evaluation index reflects the degree of harm through the objective characteristics of the vulnerability. Statistical analysis of simulated data shows that the method can comprehensively analyze the potential threat level of vulnerabilities in the actual environment and produce a scientifically reasonable priority order for eliminating and controlling vulnerabilities on different information assets; it can be used by information system operators and security technicians to quantitatively evaluate the degree of harm posed by a vulnerability.
Author: YANG Yi-wei (杨一未), China Information Technology Security Evaluation Center, Beijing 100085, China
Source: Computer Technology and Development (《计算机技术与发展》), 2022, No. 12, pp. 88-94 (7 pages)
Funding: National Information Security Standard Project (2020BZYJ-WG5-001)
Keywords: vulnerability; elimination and control; Common Vulnerability Scoring System (CVSS); security; risk
Related literature: references 3; secondary references 2; co-cited literature 27; co-citing literature 10; citing literature 1; secondary citing literature 1
