Software Vulnerability Severity Evaluation Based on Economic Losses

Cited by: 0
Authors
Yang, Yunxue [1 ]
Jin, Shuyuan [1 ]
He, Xiaowei [1 ]
Affiliations
[1] Chinese Acad Sci, Inst Comp Technol, CAS Key Lab Network Data Sci & Technol, Beijing, Peoples R China
Source
TRUSTWORTHY COMPUTING AND SERVICES (ISCTCS 2014) | 2015 / Vol. 520
Keywords
Software vulnerability; Vulnerability evaluation; Economic losses; Analytic hierarchy process; CVSS; ANALYTIC HIERARCHY PROCESS; PRIORITIZATION; VRSS;
DOI
10.1007/978-3-662-47401-3_19
CLC classification number
TP [Automation technology, computer technology];
Discipline classification number
0812;
Abstract
Enterprises suffer economic losses when vulnerabilities are exploited. The aim of this paper is to propose a comprehensive software vulnerability severity evaluation model that incorporates both technical assessment and enterprise-specific circumstances, especially the economic losses caused by vulnerability exploitation. We use the analytic hierarchy process to establish the model and derive the weights of the evaluation factors, obtaining both qualitative severity ranking levels and quantitative severity scores for vulnerabilities. Through a case study, we show that the evaluation values are accurate and effective; consequently, our model can be used to prioritize security improvements.
Pages: 144 / 151
Page count: 8