Multi-dimensional software security risk assessment method based on CVSS

A risk assessment and software security technology, applied in the computer field, that addresses shortcomings of existing methods: the approach that combines dynamic and static features lacks any assessment of vulnerability type and vulnerability exploitation time, and its assessment of influencing factors is inaccurate. The invention adds an external time factor to the score, diversifies the risk assessment scores, and so improves the diversity of the assessment.

Inactive Publication Date: 2022-02-18
XIAN TECHNOLOGICAL UNIV

AI Technical Summary

Problems solved by technology

The method that combines dynamic and static features lacks any assessment of vulnerability type and vulnerability exploitation time, so its software vulnerability risk scores are inaccurate.
[0008] Current assessment methods are generally not accurate enough in their assessment of influencing factors. At the same time, research on the vulnerability type and exploitation time factors is lacking, which leaves the risk assessment standard incomplete and the risk scores inaccurate.



Examples


Embodiment 1

[0031] Software is applied ever more widely, its scale keeps increasing, and the demand for software in scientific research and in every industry keeps growing; the daily life of modern people is inseparable from software. However, vulnerabilities will inevitably be introduced while software is produced and operated. Assessing those vulnerabilities reasonably and quantifying their risk not only raises users' attention to software vulnerabilities but also improves software availability, thereby reducing the probability of a large number of security incidents and speeding up vulnerability repair. The safe operation of software depends on a reasonable assessment of its vulnerabilities.

[0032] At present, the commonly used CVSS vulnerability risk assessment method sets two scoring metrics in the risk score, referred to as metrics, wh...

Embodiment 2

[0055] A CVSS-based multi-dimensional software security risk assessment method is the same as in Embodiment 1, except that in step 4 the weights of the relative-importance metric indices within the impact metric are reset.

[0056] The traditional CVSS risk assessment method assigns the same weight to the confidentiality, integrity and availability metrics within the impact metric, which limits the diversity of the scores. Based on the differing degrees of harm of the metrics within the impact of a vulnerability, the present invention designs a relative-importance weight distribution scheme and obtains a relative-importance weight for each metric in the impact metric. Compared with the CVSS evaluation method, this gives a more accurate scoring standard and a more diverse risk assessment.

[0057] Step 4.1) Determine the principle of the weight distribution scheme, and obtain a variety of weight distribution schemes: the confidentialit...

Embodiment 3

[0063] A CVSS-based multi-dimensional software security risk assessment method is the same as in Embodiments 1-2, except that a vulnerability type metric index is added to the exploitability metric described in step 5 and the corresponding weight of each vulnerability type metric index is calculated, comprising the following steps:

[0064] Step 5.1) Build a standard-weight decision matrix data table: select the vulnerability type data set and divide it according to exploitability and difficulty criteria into four levels: difficult to exploit B1, relatively difficult to exploit B2, exploitable B3, and easy to exploit B4. A variety of vulnerability types is distributed within each level. Divide each vulnerability type at a given level by the sum for that level, thereby constructing initial data tables for the different levels, as shown in Table 3, the data table for constructing the standard-weight decision matrix in the present invention.

[0065] Step 5.2)...
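An added example of step 5.1 on a constructed data set; this is not the patent's code and Table 3 is not reproduced here. The four levels B1..B4 and the per-level division follow the step as stated above, read as "count of a type at a level divided by the total count at that level", so every level column of the matrix sums to 1. Because step 5.2 is truncated on this page, the way the matrix is folded into one weight per type (level scores 0.25/0.5/0.75/1.0 and scaling so the largest weight is 1.0) is an assumption, as are the type names and the records themselves.

```python
"""Standard-weight decision matrix for a vulnerability-type metric (added example).

Step 5.1 as stated on the page: group a labelled vulnerability data set into
four exploitability levels and divide each type's count at a level by that
level's total.  The level scores and the fold into a per-type weight are an
assumption standing in for the truncated step 5.2.
"""
from collections import Counter, defaultdict

LEVELS = ["B1", "B2", "B3", "B4"]  # difficult ... easy to exploit
# Assumed level scores: easier exploitation contributes more to the weight.
LEVEL_SCORE = {"B1": 0.25, "B2": 0.5, "B3": 0.75, "B4": 1.0}

# Constructed records (vulnerability type, exploitability level).  A real run
# would label each entry of a vulnerability data set; these rows exist only
# so the example runs offline.
SAMPLE = [
    ("sql-injection", "B4"), ("sql-injection", "B4"), ("sql-injection", "B3"),
    ("xss", "B4"), ("xss", "B3"), ("xss", "B3"), ("xss", "B2"),
    ("buffer-overflow", "B1"), ("buffer-overflow", "B1"), ("buffer-overflow", "B2"),
    ("race-condition", "B1"), ("race-condition", "B2"),
    ("path-traversal", "B3"), ("path-traversal", "B4"),
]


def count_matrix(records):
    """type -> level -> number of vulnerabilities of that type at that level."""
    matrix = defaultdict(Counter)
    for vtype, level in records:
        if level not in LEVELS:
            raise ValueError(f"unknown exploitability level {level!r}")
        matrix[vtype][level] += 1
    return matrix


def decision_matrix(records):
    """Step 5.1 as read here: divide each type's count at a level by the total
    number of vulnerabilities at that level, so each level column sums to 1.
    Levels with no records yield 0.0 rather than a division by zero."""
    counts = count_matrix(records)
    level_totals = {lv: sum(counts[t][lv] for t in counts) for lv in LEVELS}
    return {
        t: {lv: (counts[t][lv] / level_totals[lv] if level_totals[lv] else 0.0)
            for lv in LEVELS}
        for t in counts
    }


def type_weights(records):
    """Assumed fold of the matrix into one weight per type: sum each row
    weighted by the level score, then scale so the largest weight is 1.0."""
    dm = decision_matrix(records)
    raw = {t: sum(dm[t][lv] * LEVEL_SCORE[lv] for lv in LEVELS) for t in dm}
    top = max(raw.values())
    return {t: round(raw[t] / top, 4) for t in raw}


if __name__ == "__main__":
    dm = decision_matrix(SAMPLE)
    print("type".ljust(18), *LEVELS)
    for vtype, row in dm.items():
        print(vtype.ljust(18), *(f"{row[lv]:.2f}" for lv in LEVELS))
    print("weights:", type_weights(SAMPLE))
```

The resulting weight is a property of the data set, not of the vulnerability type in the abstract: a type that happens to be over-represented at the easy-to-exploit levels in one corpus gets a high weight there and a different one elsewhere, so the matrix should be rebuilt whenever the underlying data set changes.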



Abstract

The invention discloses a multi-dimensional software security risk assessment method based on CVSS, solving the problem that the CVSS metric assessment standard cannot accurately and comprehensively evaluate vulnerability risk levels. The method comprises the following implementation steps: acquire software vulnerability data; analyse the vulnerability data and integrate it into a data set; readjust the weights of the relative-importance metric indices; optimise the distribution scheme of the metric indices within the impact metric; add vulnerability type metric indices; add an exploitation-time probability metric to the risk score; obtain the risk assessment result using the risk assessment formula. Relative-importance weights are assigned to the metric indices within the impact metric, vulnerability type metric indices are added to the exploitability metric, and exploitation-time probabilities are added to the risk score. Compared with the traditional evaluation method, the method has a more accurate scoring standard, more comprehensive evaluation factors, and evaluation results of more dimensions. The method is used for the risk assessment of software vulnerabilities.

Description

Technical field [0001] The invention belongs to the field of computer technology and in particular relates to software vulnerability risk assessment, specifically a multi-dimensional software security risk assessment method based on CVSS, used for calculating the risk score of software vulnerabilities. Background art [0002] With the continuous development of science and technology, computer software is applied ever more widely, its scale keeps growing, and the demand for software from all walks of life keeps increasing. During software development, developers can introduce vulnerabilities that cause harm; attackers can then exploit those vulnerabilities to intrude into the software, causing a large number of security incidents. For example, in 2020, some attackers exploited vulnerabilities in Microsoft software or credential information and used supply chain attacks to bypass security access, lo...


Application Information

Patent Type & Authority Applications(China)
IPC: G06F21/57
CPC: G06F21/577
Inventors: 郭军军, 邓宇峰, 李浩南
Owner XIAN TECHNOLOGICAL UNIV