
Research And Design Of Vulnerability Description Language Supporting The Severity Evaluation

Posted on: 2016-07-15
Degree: Master
Type: Thesis
Country: China
Candidate: G N Zhang
GTID: 2298330467492889
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of computer and network technology, the number of computer vulnerabilities keeps growing, and as the number of network vulnerabilities increases, threat events grow day by day as well. With reasonable management and assessment of computer vulnerabilities, appropriate security measures can be taken to prevent security threat events.

This paper first studies the current mainstream vulnerability databases, puts forward a principle for selecting vulnerability attributes, and establishes a fully scalable relational vulnerability database. This database is compatible with the mainstream databases, is indexed by CVE ID, and complies with the relevant national standards. It has the advantages of being comprehensive, targeted, compatible and scalable, and it supports security assessment.

Then, based on the structure of this vulnerability database, the paper designs an XML-based vulnerability description language called CCVDL. Its main functions are to describe the information in the vulnerability database, to define a standard text format for that description, and to conveniently display vulnerability information held in the relational database on a web page. CCVDL is comprehensive and extensible, follows a rigorous, normative standard, and allows new vulnerabilities to be added at any time and without limit. In particular, CCVDL supports the security evaluation of vulnerabilities and also provides a format for the results of the security evaluation.

Last but not least, this paper presents a static vulnerability assessment algorithm. The method applies statistical principles, aggregating the correlations and the law of change among the security levels of the 70 thousand existing vulnerabilities. Using principal component analysis and the six parameters in the Base Metrics of the CVSS assessment system, it calculates the degree of influence of each parameter on the security result. It then uses each parameter's degree of influence as its weight and computes a weighted combination, which yields the formula of this static evaluation algorithm and the score of each vulnerability. Because it applies statistical principles to the data of nearly 70 thousand existing vulnerabilities, the method is more comprehensive and reflects certain regularities, which makes it an important reference for assessing the security of vulnerabilities.
Keywords/Search Tags: vulnerabilities, description language, XML, assessment algorithm, vulnerability database