Multi-dimension Analysis And Evaluation On Security Vulnerability

Posted on: 2011-01-03
Degree: Master
Type: Thesis
Country: China
Candidate: L L Wang
GTID: 2178360305956071
Subject: Management Science and Engineering
Abstract/Summary:
With the development of technology, the internet has grown rapidly and information systems have become more complex. While we enjoy the efficient and intelligent services that information technology provides, we have also come to realize that security problems arise and cause considerable losses. Vulnerabilities are the key factor leading to insecurity in network systems. Security vulnerabilities are a critical cause of insecurity in information systems in the information age, and they have become the focus of contention between security managers and malicious actors. New vulnerabilities may be found every day, and users sometimes neglect to apply remedies, so network hosts may be under threat at any time. Because of advances in technology and increasingly complex attacks, network security measures such as firewalls and intrusion detection systems cannot completely stop all attacks. Identifying the priority of vulnerabilities and protecting against the key ones has therefore become particularly important. As the basis and premise of information system security, vulnerability evaluation has become a new branch of network security, and the quantitative evaluation of vulnerabilities in particular has become a research focus.

This paper summarizes current studies on security vulnerability evaluation and introduces the Common Vulnerability Scoring System (CVSS). After analyzing the various shortcomings of existing evaluation methods, the paper proposes a multi-dimensional security vulnerability evaluation model. After introducing the overall structure of the model, the paper elaborates on the evaluation performed in each dimension.

In the first dimension, the inherent attributes of the vulnerability are considered. The impact on the confidentiality (C), integrity (I) and availability (A) of the information system if the vulnerability in that system is exploited is quantified and classified.

In the second dimension, the model considers that the number and pattern of attacks on security vulnerabilities differ across time periods. Combined with product life-cycle theory, an analytical method based on the Gompertz model is proposed. Taking the predictions from the attack heat calculation and the development of the attack as inputs, the risk of security vulnerabilities in the time dimension is obtained using the reasoning mechanism of the Mamdani fuzzy model.

In the third dimension, the paper mainly considers the harm to the network in a specific situation. The relationships between vulnerabilities can be established through a logic language. From the space network structure of the vulnerabilities, the weight of each attack chain can be obtained, and the risk evaluation of security vulnerabilities in the spatial dimension is then calculated using the weighted network flow centrality method.

The model assesses security vulnerabilities along three dimensions: inherent attributes, the time dimension and the spatial dimension. The assessment results change as the set of vulnerabilities and the time change, which makes the risk analysis more dynamic and realistic. This provides a strong theoretical basis for security managers to establish a targeted defense strategy quickly and effectively.
Keywords/Search Tags:Security Vulnerability, Quantitative Evaluation, Gompertz Model, Attack Heat, Space Network