A Method Of Vulnerability Assessment Based On Attack Process

With the rapid development of Internet technology,the Internet has penetrated into people's lives.In the face of a variety of computer software vulnerabilities,the managers need to timely evaluate these vulnerabilities,and to fix vulnerabilities according to the severity and urgent degree of the vulnerability,so as to reduce the loss of website or host caused by the vulnerability.However,in order to be able to accurately and objectively evaluate the vulnerability,the security agencies and security vendors have done some research on the severity of the security vulnerabilities,but there is still a lack of a unified evaluation criteriaNIAC presents an open vulnerability assessment system,CVSS.Currently,most of the authoritative departments in the world also use CVSS to evaluate vulnerabilities.This system provides a unified approach of vulnerability assessment,which is conducive to the risk assessment of vulnerabilities in a short time,and to minimize the loss.However,this system also has the following problems:(1)it is necessary to judge vulnerability subjectively and objectively,which leads to the inaccurate and objective evaluation.(2)the different vulnerabilities with the same score can not be well distinguished.The vulnerability assessment method based on the attack process effectively solves the above problems.First,we establish the attribute model,in which we define the attribute to be captured in the attack process and the evaluation rules for the attributes.Then,the dynamic instrumentation method is used to capture the state of the attributes and related information more accurately.At last,the hierarchical evaluation algorithm is used to evaluate the obtained attributes to calculate the concrete evaluation value of vulnerabilities.The test results show that:(1)The method of attack process can accurately and objectively evaluate the severity of vulnerability.(2)Effectively solves the problem of assigning subjective judgment.(3)Effectively solves the problem that vulnerabilities with the same score value can not be distinguished.