#br#
CVSS环境指标变量对系统安全的影响研究

计算机工程与科学

#br# CVSS环境指标变量对系统安全的影响研究

周诗洋,傅鹂

（重庆大学软件学院，重庆 400044）

收稿日期:2015-09-08 修回日期:2015-11-27 出版日期:2016-12-25 发布日期:2016-12-25
基金资助:
国家自然科学基金（61472054）

Influence of CVSS environmental metrics on system security

ZHOU Shiyang，FU Li

(School of Software Engineering,Chongqing University,Chongqing 400044,China)

Received:2015-09-08 Revised:2015-11-27 Online:2016-12-25 Published:2016-12-25

摘要/Abstract

摘要：

通用漏洞评分体系（CVSS）分三个层次对漏洞的威胁进行评估，特定系统的安全性反映在最终的环境分层面上。在CVSS的三组指标变量中，仅环境指标变量取决于特定组织机构、特定系统，难以自动获取，是用户实施安全风险管理和控制策略中关键的和最困难的环节。在分析CVSS计算方法基础上，研究环境指标变量对最终CVSS总分的影响，给出了环境指标向量对CVSS环境分影响的总体估计式，同时给出了环境向量各分量单独影响的估计式。实验表明，本文在CVSS环境指标变量的总体影响和分项指标影响两方面，实现了精度提升，进入了实际标准完全可接受的范围。

关键词: 漏洞, 通用漏洞评分体系（CVSS）, 环境指标, 评分, 安全

Abstract:

The common vulnerability scoring system (CVSS) evaluates the threats of vulnerabilities of a particular system at three levels, and the final environmental scores reflect the degree of its security. In the CVSS metrics, CVSS environmental metrics are the only variable that depends on the conditions of the target organization or system, so obtaining their values becomes the key and most difficult part for users to implement security risk management and control strategies. To solve this issue, we study the influence of environmental metrics on the final CVSS environmental scores, and give an overall estimation of environmental metrics vector influence on CVSS environmental scores, as well as the formulas of each vector component's influence on the score. Experimental results show that the new estimation method can improve the accuracy in the aspects of environmental metrics’ overall impact and subindex influence on CVSS environmental scores, thus entering the completely accepted range of the defacto standard.

Key words: vulnerability, common vulnerability scoring system (CVSS), environmental metric, scoring, security

周诗洋,傅鹂. #br# CVSS环境指标变量对系统安全的影响研究[J]. 计算机工程与科学.

ZHOU Shiyang，FU Li. Influence of CVSS environmental metrics on system security[J]. Computer Engineering & Science.

参考文献［13］

［1］	CVE details［EB/OL］.［20150521］.http:∥www.cvedetails.com/browsebydate.php.
［2］	Mell P,Scarfone K,Romanosky S.A complete guide to the common vulnerability scoring system version 2.0［C］∥FIRSTForum of Incident Response and Security Teams,2007:123.
［3］	Fruhwirth C,Mannisto T.Improving CVSSbased vulnerability prioritization and response with context information［C］∥Proc of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement,2009:535544.
［4］	NVD CVSSv2 calculator［EB/OL］.［20150526］.https:∥nvd.nist.gov/cvss.cfm?calculator&version=2.
［5］	Wang J A,Xia M,Zhang F.Metrics for information security vulnerabilities ［J］.Journal of Applied Global Research,2008,1(1):4858.
［6］	Wang J A,Zhang F,Xia M.Temporal metrics for software vulnerabilities［C］∥Proc of the 4th ACM Annual Workshop on Cyber Security and Information Intelligence Research:Developing Strategies to Meet the Cyber Security and Information Intelligence Challenges Ahead,2008:44.
［7］	Ibidapo A O,Zavarsky P,Lindskog D,et al.An analysis of CVSSv2 environmental scoring［C］∥Proc of
20	11 IEEE 3rd International Conference on Privacy,Security,Risk and Trust (PASSAT) and 2011 IEEE 3rd International Conference on Social Computing (SocialCom),2011:11251130.
［8］	Wang J A,Guo M,Wang H,et al.Environmental metrics for software security based on a vulnerability ontology［C］∥Proc of the 3rd IEEE International Conference on
	Secure Software Integration and Reliability Improvement(SSIRI 2009),2009:159168.
［9］	Tripathi A,Singh U K.Analyzing trends in vulnerability classes across CVSS metrics［J］.International Journal of Computer Applications,2011,36(3):3844.
［10］	Scarfone K,Mell P.An analysis of CVSS version 2 vulnerability scoring［C］∥Proc of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement,2009:516525.
［11］	Gallon L.On the impact of environmental metrics on CVSS scores［C］∥SocialCom/PASSAT,2010:987992.
［12］	Ali A,Zavarsky P,Lindskog D,et al.A software application to analyze the effects of temporal and environmental metrics on overall CVSSv2 score［C］∥
	Proc of IEEE 2011 World Congress on Internet Security (WorldCIS),2011:109113.
［13］	Xi Rongrong,Yun Xiaochun,Zhang Yongzheng.Research on the distribution of CVSS environmental scores［J］.Chinese High Technology Letters,2014,24(1):1015.(in Chinese)
	附中文参考文献：
	席荣荣,云晓春,张永铮.CVSS环境分的评分值布特点研究［J］.高技术通讯,2014,24(1):1015.

[1]	张玉凤，楼芳，张历. 面向软件攻击面的Web应用安全评估模型研究[J]. J4, 20160101, 38(01): 73-77.
[2]	夏戈明, 虞朝栋, 陈健. 边缘计算中的信任问题：挑战与评论[J]. 计算机工程与科学, 2023, 45(08): 1393-1404.
[3]	付伟, 谢振杰, 朱婷婷, 任正伟. 基于密文强不可分性的云数据确定性删除方案[J]. 计算机工程与科学, 2023, 45(03): 434-442.
[4]	李彤彤, 王诗蕊, 张耀方, 王佰玲, 王子博, 刘红日, . 面向工控系统漏洞的多维属性评估[J]. 计算机工程与科学, 2023, 45(02): 261-268.
[5]	白坚镜, 顾瑞春, 刘清河. SDN环境中基于Bi-LSTM的DDoS攻击检测方案[J]. 计算机工程与科学, 2023, 45(02): 277-285.
[6]	许城洲, 王晨, 张文涛. 基于时间因子的可撤销可追踪属性基加密方案[J]. 计算机工程与科学, 2023, 45(02): 286-294.
[7]	寇广岳, 魏国珩, 平源, 刘鹏. RFID安全认证协议综述[J]. 计算机工程与科学, 2023, 45(01): 77-84.
[8]	牛胜杰, 李鹏, 张玉杰, . 模糊测试技术研究综述[J]. 计算机工程与科学, 2022, 44(12): 2173-2186.
[9]	程小刚, 郭韧, 周长利, . 基于理性密码学的分布式隐私保护数据挖掘框架[J]. 计算机工程与科学, 2022, 44(10): 1781-1787.
[10]	王克克, 郭莉丽, 郎静宏 . 基于STAMP模型的风险评估行为安全指标体系[J]. 计算机工程与科学, 2022, 44(08): 1372-1381.
[11]	龚锐, 石伟, 刘威, 张剑锋, 王蕾. 基于NAND Flash的CPU安全启动设计与实现[J]. 计算机工程与科学, 2022, 44(06): 971-978.
[12]	车生兵, 张光琳. 基于深度学习的Webshell检测[J]. 计算机工程与科学, 2022, 44(06): 994-1002.
[13]	郑思飞, 冯子婧, 刘成语, 陈日清, 柳晓龙. 云存储环境中基于矢量量化的图像伪装加密方法[J]. 计算机工程与科学, 2022, 44(06): 1030-1036.
[14]	陈祥国, 尚凡, 宋君强. 嵌入式系统安全防护方案比较与应用案例分析[J]. 计算机工程与科学, 2022, 44(03): 417-426.
[15]	贾俊杰, 段超强. 基于评分离散度的托攻击检测算法[J]. 计算机工程与科学, 2022, 44(03): 554-562.