Abstract
To effectively prioritize the handling of vulnerabilities when dealing with a large number of them, and to help organizations focus on the important ones, this paper designs a vulnerability priority evaluation model that builds on CVSS and starts from the actual risk that vulnerabilities pose to the organization. The evaluation model includes static indicators such as the CVSS score, the user's actual environment factor, and asset importance, as well as dynamic indicators such as the time factor. All of these indicators have a great impact on the actual risk of a vulnerability, yet these dimensions are difficult to quantify accurately within the CVSS scoring system.
Authors
CAO Xubo (曹旭博); ZHONG Fu (钟夫)
CETC Cyberspace Security Technology Co., Ltd., Chengdu, Sichuan 610095, China
Source
Communications Technology (《通信技术》)
2023, Issue 12, pp. 1411-1417 (7 pages)