CN114065223A - Multi-dimensional software security risk assessment method based on CVSS - Google Patents


Info

Publication number: CN114065223A
Authority: CN (China)
Prior art keywords: vulnerability, measurement, weight, availability, influence
Legal status: Withdrawn
Application number: CN202111420371.1A
Other languages: Chinese (zh)
Inventors: 郭军军, 邓宇峰, 李浩南
Current assignee: Xian Technological University
Original assignee: Xian Technological University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention discloses a CVSS-based multi-dimensional software security risk assessment method, which addresses the problem that the CVSS measurement and assessment standard cannot accurately and comprehensively evaluate vulnerability risk levels. The implementation steps are: acquiring software vulnerability data; analysing the vulnerability data and integrating it into a data set; readjusting the relative-importance weights of the impact measurement indexes; selecting the best distribution scheme for the measurement indexes in the impact measurement; adding a vulnerability type measurement index; adding an exploitation-time probability measure to the risk score; and obtaining the risk assessment result with the risk assessment formula. The invention assigns relative-importance weights to the measurement indexes in the impact measurement, adds a vulnerability type measurement index to the availability (exploitability) measurement, and adds the exploitation-time probability to the risk score. Compared with the traditional evaluation method, the method has a more accurate scoring standard, more comprehensive evaluation factors and a more multi-dimensional evaluation result. The method is used for risk assessment of software vulnerabilities.

Description

Multi-dimensional software security risk assessment method based on CVSS
Technical Field
The invention belongs to the technical field of computers and relates in particular to software vulnerability risk assessment, specifically a multi-dimensional software security risk assessment method based on the CVSS (Common Vulnerability Scoring System), which is used to calculate risk scores for software vulnerabilities.
Background
With the continuous development of science and technology, computer software is applied ever more widely, software grows ever larger in scale, and the software requirements of all industries keep increasing. During software development a developer may introduce vulnerabilities, which cause harm. Meanwhile, an attacker can break into software by using the vulnerabilities it contains, which has caused a large number of security incidents. For example, in 2020 attackers exploited Microsoft software and credential vulnerabilities, circumvented security access controls by means of a supply-chain attack, logged into Microsoft cloud service customer accounts and implanted remote access tools there, stealing local and online information and data. At least 200 government units, organisations and companies, including government departments at all levels in the United States, NATO, the United Kingdom government, the European Parliament and Microsoft, were affected, and data of some government organisations was leaked. Once a software vulnerability is exploited it causes great loss and serious damage, so software vulnerabilities cannot be ignored.
Software vulnerabilities are the main factor that damages software security. Software risk assessment is the systematic evaluation of the harmfulness of software vulnerabilities: security personnel need to assess vulnerability risk comprehensively and accurately in order to guide software vulnerability protection decisions and improve protection capability, and analysis of software vulnerability risk is the main measurement mode that ensures vulnerabilities are classified and handled. In practice, software vulnerability risk assessment uses several assessment factors to assess the vulnerability risk situation comprehensively, and can quantitatively assess a software vulnerability according to the conditions of the different factors, thereby improving the utilization value of the vulnerability information for software security.
As for software vulnerability risk assessment methods, various different methods have been proposed at home and abroad at the present stage. The traditional evaluation method, the CVSS (Common Vulnerability Scoring System), divides the base risk score of a vulnerability into two parts: availability (exploitability) and influence (impact). Availability includes three criteria: attack vector, attack complexity and authentication. The attack vector is divided into remote and local, attack complexity into three levels of high, medium and low, and authentication into authentication required and authentication not required. The impact part of the base score likewise uses three criteria, confidentiality, integrity and availability, each classified as none, partial or complete. The CVSS calculates the vulnerability risk score by combining the impact part and the availability part.
The CVSS assigns equal weights to the three criteria of confidentiality, integrity and availability in vulnerability impact, without setting their relative importance according to the different degrees of damage each does to the system, so the assessment result cannot clearly distinguish the internal attribute differences between security vulnerabilities with similar base scores. Meanwhile, the CVSS assessment method ignores the influence of the vulnerability type on risk assessment, so vulnerability types that account for a high proportion of vulnerabilities or that are highly destructive are insufficiently assessed, and because factors such as the exploitation time of the vulnerability are not considered, the risk assessment result is incomplete. A new vulnerability risk assessment method is urgently needed to change the one-sidedness of the traditional assessment.
For these problems, the vulnerability assessment and scoring system (VRSS) assesses vulnerability impact according to the three components of the traditional CVSS method, confidentiality impact, integrity impact and availability impact, and ranks them qualitatively. It then quantifies the sum of the impact and the availability of the vulnerability, combining the respective advantages of a qualitative system and a quantitative system to give both a qualitative rating and a quantitative score. However, the VRSS only considers quantitative vulnerability impact evaluation and does not evaluate factors such as vulnerability type and exploitation time.
Vulnerability risk assessment by combining dynamic and static features treats the fixed attributes of the CVSS in the traditional risk assessment method, such as attack complexity, degree of impact and attack vector, as static features, and attributes that are likely to change over time, such as defensive capability, the repair status of the vulnerability and the capability of the attacker, as dynamic features, combining the two for a more comprehensive assessment of the vulnerability risk level. The dynamic and static feature combination method lacks assessment of vulnerability type and exploitation time, so its software vulnerability risk score is not accurate.
Current evaluation methods generally have the defects that the assessment of the impact factors is not accurate enough and that vulnerability type and exploitation time are not studied, so the risk assessment standard is not comprehensive and the risk score is not accurate enough.
Disclosure of Invention
Aiming at the defects of the traditional CVSS scoring standard, the invention provides a CVSS-based multi-dimensional software security risk assessment method with more comprehensive assessment factors and higher scoring precision.
The invention relates to a multi-dimensional software security risk assessment method based on CVSS, which is characterized by comprising the following steps:
step 1) acquiring software vulnerability data: selecting the software vulnerability to be evaluated and acquiring its vulnerability data from a public vulnerability database, where the vulnerability data comprises vulnerability information, vulnerability type, vulnerability impact factors, vulnerability availability factors and exploitation-time information;
step 2) analysing the vulnerability data and integrating it into a data set: integrating the collected vulnerability data into a database, classifying it according to vulnerability type and exploitation time, and dividing it into the respective data sets;
step 3) readjusting the weights of the three measurement indexes of the impact measurement in the CVSS risk score: redistributing the weights of the three impact measurement indexes according to the degree of harm to the system, increasing the weight of the more harmful index and reducing the weight of the less harmful one, resetting the relative-importance weight of each impact measurement index according to its harmfulness, and obtaining several weight distribution schemes according to this distribution principle;
step 4) selecting the distribution scheme of the impact measurement indexes from the various weight distribution schemes: using a weight search method to select the best weight values of the three impact measurement indexes among the several weight distribution schemes, resetting the relative-importance weights of the impact measurement indexes, obtaining by the weight search method those weight distribution schemes for confidentiality, integrity and availability that meet the requirements, computing for each scheme the mean, standard deviation and coefficient of variation of the vulnerability scores and the number of distinct risk scores it produces, and selecting the optimal relative-importance weight scheme;
step 5) adding a vulnerability type measurement index to the availability measurement: adding a vulnerability type measurement index alongside the attack vector, attack complexity and authentication indexes of the availability measurement; classifying the vulnerability type data set by the difficulty of exploiting each vulnerability, and dividing the number of vulnerabilities of each type in each grade by the total number of vulnerabilities in the same grade to construct an initial vulnerability type data table; constructing a decision matrix from the initial data table and the corresponding standard weights, and obtaining the initial weight corresponding to each grade of vulnerability by the hierarchical analysis method (analytic hierarchy process); calculating the relative closeness of each type by the TOPSIS method to serve as the corresponding vulnerability type weight; calculating the weight proportion of the vulnerability type according to the vulnerability-type influence resisting method, and forming, together with attack vector, attack complexity and authentication, the availability measurement expression of the CVSS-based multi-dimensional software security risk assessment method, which is:
availability = 18 × attack vector × attack complexity × authentication + vulnerability type;
step 6) adding an exploitation-time probability measure to the risk score: adding a vulnerability exploitation-time probability measure to the risk score
Figure BDA0003377133310000031
where β is the shape parameter, α is the scale parameter and t is the exploitation duration of the vulnerability; the time factor of the vulnerability is specifically the difference between the disclosure time and the exploitation time of the vulnerability. Quantifying the vulnerability time adds the influence of the time factor to vulnerability risk assessment: the exploitation-time data set is analysed with a Weibull distribution model, the median ranks of the data points are calculated, regression is performed on the log-transformed values, the exploitation-time fitting curve is determined, the linear trend of the exploitation time is determined from the fitting curve, the shape parameter β and scale parameter α of the fitting curve are calculated from the slope and intercept of the trend, and the shape parameter β and scale parameter α are substituted into the exploitation probability formula to obtain the calculated vulnerability exploitation-time probability P_t
Figure BDA0003377133310000041
step 7) obtaining the multi-dimensional risk assessment result: integrating all the measurement standards and the relative-importance weight values to form the CVSS-based multi-dimensional software security risk assessment score formula:
risk score = (0.6 × impact + 0.4 × availability × exploitation probability P_t − 1.5)
where the impact uses the best relative-importance measurement index weights and the availability includes the added vulnerability type measurement index; risk assessment is performed on the acquired vulnerability data with the multi-dimensional risk assessment score formula to obtain the risk assessment result for the acquired vulnerability, which incorporates more assessment factors and presents the risk score more objectively.
The invention solves the technical problems that the conventional CVSS assessment method is incomplete in its measurement assessment, inaccurate in its assessment measurement indexes, and unable to assess vulnerability risk comprehensively according to factors such as vulnerability type and exploitation time.
Compared with the prior art, the method has the following advantages:
Using relative importance makes the measurement index weights more reasonable and the risk assessment score more accurate: the invention assigns relative-importance weights according to the degree of damage that a successfully exploited vulnerability does to the confidentiality, integrity and availability of the system, and selects the optimal weight distribution scheme from several candidates. Compared with the traditional evaluation method, in which the confidentiality, integrity and availability measurement indexes have equal weights in the calculation, the method has a better emphasis, ensures the diversity of the risk assessment scores and the discreteness (separation) of vulnerabilities, and thus makes the vulnerability risk assessment more accurate.
The added vulnerability assessment items make the risk assessment scores more diverse and the scoring measurement more comprehensive: the method introduces the influence of the exploitation-time probability and of the vulnerability type on the risk assessment score by adding an exploitation-time probability measure and a vulnerability type measurement index. The traditional CVSS assessment method only considers internal factors of the vulnerability, so the assessment is not comprehensive; introducing the vulnerability type improves the diversity of the scores, and introducing the exploitation time adds an external time factor, making the risk assessment more comprehensive.
Drawings
FIG. 1 is a block flow diagram of the present invention;
FIG. 2 is a flow chart of the weight-assignment search scheme of the present invention;
FIG. 3 is a Weibull distribution model fitting graph in accordance with the present invention;
FIG. 4 is a diagram of a risk assessment metric structure of the present invention.
The present invention will be described in detail below with reference to the accompanying drawings and examples.
Detailed Description
Example 1
Software is applied ever more widely and its scale keeps growing; scientific research and every industry make ever more demands on software, and the daily life of modern people cannot do without it. However, software cannot be produced and operated without generating vulnerabilities. Evaluating vulnerabilities reasonably and quantifying the risk of software vulnerabilities can increase users' attention to fixing them, improve the utilization value of software vulnerabilities, reduce the probability of a large number of security incidents and shorten vulnerability repair time. Safe operation of software is inseparable from reasonable evaluation of its vulnerabilities.
The CVSS vulnerability risk assessment method in common use sets two scoring metrics (metrics for short) in the risk score, namely impact and availability. The impact metric contains three measurement indexes, confidentiality, integrity and availability, and each index has three attributes: 'no impact', 'partial impact' and 'complete impact'. The availability metric is divided into three measurement indexes, attack vector, attack complexity and authentication, where the attack vector index has the two categories remote and local, attack complexity has the three categories high, medium and low, and authentication has the categories authentication required and authentication not required. The existing risk assessment score lacks consideration of the vulnerability type and time factors. The existing CVSS assessment method cannot effectively assess the relative importance of confidentiality, integrity and availability in the vulnerability impact, and cannot accurately assess factors such as vulnerability type and exploitation time.
Based on research and experiments on this situation, the invention provides a multi-dimensional software security risk assessment method based on CVSS.
The multi-dimensional software security risk assessment method based on CVSS of the invention adds an exploitation-time probability measure to the risk score, adds a vulnerability type measurement index to the availability measurement and adds relative-importance weights to the impact measurement indexes. Referring to FIG. 1, which is the flow chart of the invention, the method comprises the following steps:
step 1) acquiring software vulnerability data: selecting the software vulnerability to be tested and acquiring its vulnerability data from a public vulnerability database, where the vulnerability data comprises vulnerability information, vulnerability type, vulnerability impact factors, vulnerability availability factors, vulnerability disclosure time and exploitation-time information, for example the attribute data of the confidentiality, integrity and availability measures included in the impact factors. The method considers more vulnerability information when acquiring software vulnerabilities; for example, the vulnerability type has different effects on the availability measurement of the vulnerability, and the exploitation time adds the influence of factors external to the vulnerability to the risk assessment.
step 2) analysing the vulnerability data and integrating it into a data table: integrating the collected vulnerabilities into a data table base, classifying the data in it according to vulnerability type and exploitation-time measurement, and dividing the respective data sets.
The method integrates the vulnerability type and exploitation time of the vulnerability data, obtains the vulnerability duration data from the disclosure time and exploitation time in the vulnerability data, integrates the vulnerability time data, and constructs a database with vulnerability impact factors, availability factors and vulnerability time factors.
step 3) readjusting the weights of the impact indexes in the CVSS risk score: in the traditional CVSS impact measurement, the confidentiality, integrity and availability measurement indexes are given equal weights, but in fact the three indexes differ in how destructive they are to the system affected by the vulnerability: in the impact measurement, loss of confidentiality does the greatest damage to the system, loss of integrity does serious damage, and loss of availability does general damage. Because the existing CVSS gives the three indexes equal weight, the impact measurement cannot accurately show the harmfulness of a vulnerability and the scores lack discreteness. The method redistributes the weights of the three impact measurement indexes according to the degree of harm to the system after the vulnerability is exploited: confidentiality is set as the primary assessment factor, integrity as the secondary assessment factor and availability as the general assessment factor; the impact measurement indexes are thus divided by degree of harm and a more reasonable weight distribution method is determined.
step 4) using a weight search method to select the best weight values of the three impact measurement indexes from the several weight distribution schemes: the relative-importance weights of the impact measurement indexes are reset according to the principle given in step 3 of distributing weight by degree of harm. In the impact measurement of vulnerability risk assessment, the three indexes of confidentiality, integrity and availability each have the three attributes 'no impact', 'partial impact' and 'complete impact'. Referring to FIG. 4, the structure diagram of the risk assessment metrics of the invention, the weight search of the invention is set up so that the complete-impact value of integrity (the secondary assessment factor) is greater than the partial-impact value of confidentiality (the primary assessment factor), the complete-impact value of availability (the general assessment factor) is greater than the partial-impact value of integrity, the partial-impact value is half of the complete-impact value, the three index values are never equal to each other, and the minimum increment and decrement step size is set using the CVSS base weight range. The weight search method is then used to find the weight distribution schemes that meet these requirements. As shown in FIG. 2, the flow chart of the weight assignment search scheme of the invention: the initial weight value of availability is set on the basis of the CVSS, and the maximum weight value of availability is obtained from the CVSS weight range.
The various measurement index weight distribution schemes between the initial value and the maximum weight value are then enumerated at the set minimum increment and decrement; in each scheme the integrity and confidentiality indexes are set in the same way, ensuring that in the base weights confidentiality is greater than integrity and integrity is greater than availability; the weight distribution schemes of the various indexes are obtained with the index weights set pairwise unequal, and the schemes that do not meet the requirements are removed. Finally, several weight distribution schemes for the three indexes of confidentiality, integrity and availability that meet the requirements are obtained, each comprising a base weight value for each attribute of each index; they are shown in Table 1, the table of weight distribution schemes found by the search in the invention. For each scheme, the mean, standard deviation and coefficient of variation of the vulnerability scores and the number of distinct risk scores it produces are counted and shown in Table 2; scheme T2 in Table 2 has a better coefficient of variation and number of distinct risk scores, so it is selected as the optimal relative-importance weight distribution scheme of the invention.
The invention obtains several relative-importance distribution schemes using the weight distribution principle, obtains the schemes meeting the requirements with the weight search method, and selects the optimal weight distribution scheme by comparing the mean, standard deviation and coefficient of variation of the vulnerability scores and the number of distinct risk scores of each scheme. Compared with the traditional CVSS method of evaluating the impact measurement indexes with equal weights, the method assigns relative-importance weights to the impact measurement indexes, giving a more reasonable standard and a more accurate assessment than the CVSS method.
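As an added illustration of the step-4 weight search (this is not code from the patent), the following Python enumerates candidate impact-weight schemes under the stated constraints and ranks them by the statistics the patent names. Assumptions: the search grid bounds and step stand in for the CVSS weight range and minimum increment; 'partial' is half of 'complete' as stated; the three index values are combined with the CVSS v2 impact sub-score 10.41 × (1 − (1−C)(1−I)(1−A)), a formula the patent does not state; and the vulnerability data set is constructed.

```python
from itertools import product
from statistics import mean, pstdev

# Impact attribute levels of each index (confidentiality, integrity, availability).
LEVELS = ("none", "partial", "complete")


def attribute_weights(complete):
    """Attribute values of one index: none = 0, partial = half of complete (patent's rule)."""
    return {"none": 0.0, "partial": complete / 2, "complete": complete}


def scheme_is_valid(c, i, a):
    """Constraints from step 4 (c, i, a are the 'complete' weights of C, I, A).

    - confidentiality > integrity > availability (so the three are pairwise unequal)
    - complete impact of integrity    > partial impact of confidentiality (c / 2)
    - complete impact of availability > partial impact of integrity       (i / 2)
    """
    return c > i > a and i > c / 2 and a > i / 2


def enumerate_schemes(lo, hi, step):
    """Every (C, I, A) triple on the grid lo..hi (step) that satisfies the constraints.

    The grid bounds and step are assumptions standing in for the CVSS weight range and
    the minimum increment/decrement the patent derives from it.
    """
    grid = [round(lo + k * step, 4) for k in range(int(round((hi - lo) / step)) + 1)]
    return [(c, i, a) for c, i, a in product(grid, repeat=3) if scheme_is_valid(c, i, a)]


def impact_score(scheme, vuln):
    """Impact of one vulnerability under a scheme. vuln = (C level, I level, A level).

    The combination formula is an assumption: the CVSS v2 impact sub-score.
    """
    c, i, a = (attribute_weights(w)[level] for w, level in zip(scheme, vuln))
    return round(10.41 * (1 - (1 - c) * (1 - i) * (1 - a)), 1)


def scheme_statistics(scheme, dataset):
    """Mean, standard deviation, coefficient of variation and number of distinct scores."""
    scores = [impact_score(scheme, v) for v in dataset]
    m, sd = mean(scores), pstdev(scores)
    return {
        "mean": round(m, 3),
        "std": round(sd, 3),
        "cv": round(sd / m, 3) if m else 0.0,
        "distinct": len(set(scores)),
    }


def select_best_scheme(schemes, dataset):
    """Prefer the scheme with the best coefficient of variation, then the most distinct scores."""
    def key(scheme):
        stats = scheme_statistics(scheme, dataset)
        return (stats["cv"], stats["distinct"])
    return max(schemes, key=key)


# Constructed sample data set: (confidentiality, integrity, availability) levels per vulnerability.
SAMPLE_DATASET = [
    ("complete", "complete", "complete"),
    ("partial", "partial", "partial"),
    ("none", "partial", "complete"),
    ("complete", "none", "none"),
    ("partial", "none", "complete"),
    ("none", "none", "partial"),
    ("partial", "complete", "none"),
    ("none", "complete", "complete"),
]

if __name__ == "__main__":
    candidates = enumerate_schemes(0.3, 0.9, 0.1)
    best = select_best_scheme(candidates, SAMPLE_DATASET)
    print(len(candidates), "candidate schemes; best:", best, scheme_statistics(best, SAMPLE_DATASET))
```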
step 5) adding a vulnerability type index to the availability measurement and integrating the weight indexes to obtain the availability measurement expression: a vulnerability type measurement index is added alongside the attack vector, attack complexity and authentication indexes of the availability measurement, and a new availability calculation formula is constructed following the traditional CVSS availability calculation method. Different vulnerability types affect availability differently: samples of some vulnerability types are generally difficult to exploit, samples of others generally easy. Adding the vulnerability type index to the availability measurement as an assessment factor according to its effect on availability increases the diversity of vulnerability risk assessment and makes the risk assessment more comprehensive.
The invention adds a vulnerability type measurement index to the availability measurement of the traditional CVSS and quantifies the various vulnerability types as follows: the vulnerability type data set is divided into four grades according to the difficulty of exploitation; the number of vulnerabilities of each type in each grade is divided by the total number of vulnerabilities in the same grade to construct the initial vulnerability type data table, such as Table 3, which is the decision matrix data table constructed from the standard weights in the invention and contains the initial weight corresponding to each grade of vulnerability, obtained by processing the initial data table with the hierarchical analysis method (analytic hierarchy process). The TOPSIS method is used to calculate the relative closeness of each vulnerability type as the corresponding vulnerability type weight, as shown in Table 4, the weight table obtained by analysing 22 vulnerability types according to the invention. The weight proportion of the vulnerability type is calculated according to the vulnerability-type influence resisting method to obtain the availability measurement expression of the CVSS-based multi-dimensional software security risk assessment method of the invention:
availability = 18 × attack vector × attack complexity × authentication + vulnerability type
The method adds the vulnerability type to the availability measurement, improving the comprehensiveness of the availability measurement in vulnerability assessment, and improves the accuracy of risk assessment by introducing the vulnerability type as an additional factor in the vulnerability risk score.
step 6) adding an exploitation-time probability measure to the risk score: adding an exploitation-time probability term to the risk score formula
Figure BDA0003377133310000081
The exploitation-time probability measure of a vulnerability is based on its exploitation duration factor and is closely related to the vulnerability availability measurement. The exploitation-time probability is added to bring factors external to the vulnerability into the risk assessment. In vulnerability risk assessment the exploitation time is easily ignored, but it represents the degree of external attention a vulnerability receives: a vulnerability that receives much attention can be exploited within a short time. Quantifying the exploitation time therefore represents external attention more clearly, and using time as a vulnerability measurement factor allows the risk score to be assessed multi-dimensionally with a more reasonable scoring standard. The time factor of the vulnerability is specifically the difference between its disclosure time and its exploitation time; this time factor is quantified to assess the vulnerability risk.
Since the data are time data, a Weibull distribution is most appropriate: the exploitation-time data set is analysed with a Weibull distribution model, the median ranks of the data are calculated, regression is performed on the log-transformed values, the coordinate axes are determined from the median-rank-transformed data to obtain a linear trend, the slope of the linear trend is taken as the shape parameter β, the scale parameter α is calculated from the shape parameter β and the intercept, and the shape parameter β and scale parameter α are substituted into the exploitation probability formula to obtain the vulnerability exploitation-time probability P_t
Figure BDA0003377133310000091
According to the method, a time utilization probability measurement related to vulnerability availability is added to the traditional CVSS risk score formula. Compared with the traditional CVSS, this introduces the influence of external time factors on vulnerability risk assessment, quantifies that influence, adds the time utilization probability of the vulnerability, and makes the vulnerability risk assessment multidimensional.
Step 7) acquiring the vulnerability risk assessment result with the multidimensional risk assessment formula: the obtained measurement standards of influence, availability and time utilization probability are integrated into the CVSS-based multidimensional software security risk assessment score formula of the invention:
risk score = (0.6 × influence + 0.4 × availability × utilization probability P_t − 1.5)
Wherein the influence is the optimal relative importance measurement index obtained in the step 4; and increasing vulnerability type measurement indexes for the availability, and performing risk assessment on the acquired vulnerability data by using a multi-dimensional risk assessment score formula to obtain a risk assessment result of the acquired vulnerability, wherein the risk assessment result is fused with more assessment factors, and the risk score is displayed more objectively.
The invention provides the overall technical scheme of a CVSS-based multi-dimensional software security risk assessment method. The traditional CVSS basic assessment quantifies the risk of a vulnerability from its influence measurement and availability measurement, but it gives confidentiality, integrity and availability equal weight in the influence measurement and does not consider that damage to confidentiality, integrity and availability harms a system to different degrees; moreover, the CVSS does not consider the influence of vulnerability type factors and vulnerability time factors on the risk score, so the evaluation factors are incomplete and the evaluation score is inaccurate. The invention optimizes the traditional CVSS method: relative importance is redistributed to confidentiality, integrity and availability in the influence measurement of the scoring standard, and the relative importance weights of the measurement indexes are set according to the difference in their harmfulness, so that the evaluation score is more accurate; starting from the vulnerability type, a vulnerability type measurement index weight is added to the availability measurement on the basis of the CVSS, adding the influence of vulnerability type factors on the risk evaluation, so that the risk evaluation score is more comprehensive; starting from time factors, a time utilization probability measurement is introduced into the CVSS risk score formula, adding the influence of external factors on vulnerability risk evaluation, so that vulnerability risk evaluation is considered in multiple dimensions.
The invention solves the problem that the existing CVSS measurement and evaluation standard for software vulnerabilities cannot fully evaluate the vulnerability risk level. Weights are distributed according to the relative importance of the influence metrics, avoiding the scoring inaccuracy caused by giving influence metrics of different severities equal weight; the availability measurement standard of the vulnerability is considered on the basis of the vulnerability type, giving a more comprehensive score than the traditional scoring standard; and the utilization probability is set on the basis of the vulnerability's exploitation time, improving the diversity of risk assessment. Each measurement index standard of vulnerability risk is summarized to obtain the CVSS-based software vulnerability risk assessment formula. The method is used for security detection and risk assessment of software vulnerabilities.
Compared with existing assessment methods, the invention evaluates influence with measurement indexes of relative importance, enriches the availability measurement with a vulnerability type index, and introduces a time factor that enriches the risk score; its influence assessment measurement is more standard and accurate, its availability assessment measurement more comprehensive and diversified, and its risk assessment method more diversified and multidimensional, which specifically addresses the problem that current software vulnerability risk assessment methods are neither standard nor comprehensive enough.
Example 2
A CVSS-based multi-dimensional software security risk assessment method, the same as in embodiment 1, in which step 4 resets the relative importance measurement index weights in the influence measurement.
The traditional CVSS risk assessment method gives the confidentiality, integrity and availability measures in influence the same weight, which limits the diversity of scores. According to the method, a relative importance weight distribution scheme is designed according to the difference in harmfulness of the measurement indexes in the vulnerability influence, so that the relative importance weight of each measurement index in the influence measurement is obtained.
Step 4.1) determining the weight distribution scheme principle to obtain a plurality of weight distribution schemes: confidentiality, integrity and availability measurement indexes in vulnerability influence measurement in the CVSS respectively divide the difference of the influence degree of the exploited vulnerability into three attributes of no influence, partial influence and complete influence, but the weight distribution of the CVSS only performs equal weight distribution. The invention designs a relative importance weight distribution scheme principle, ensures that the complete influence of the integrity of the secondary evaluation factors among all attributes is larger than the partial influence of the confidentiality of the main evaluation factors, the complete influence of the availability of general evaluation factors is larger than the partial influence of the integrity of the secondary evaluation factors, the partial influence is half of the complete influence, sets a weight range and a minimum increment and decrement step length, and obtains a basic weight distribution scheme of various measurement indexes according to the weight distribution scheme principle. And in the multiple weight distribution schemes, pairwise equal distribution schemes exist, the pairwise equal distribution schemes do not meet the requirements, the pairwise equal schemes need to be eliminated, and the obtained weight distribution schemes are simplified continuously.
Step 4.2) searching a measurement index basic weight scheme meeting the requirements by using a weight searching method: on the basis of the multiple distribution schemes obtained in the step 4.1, setting the measurement index weight equal in pairs as unsatisfactory, excluding the unsatisfactory weight schemes, and finally obtaining multiple satisfactory weight distribution schemes.
Step 4.3) statistical weight distribution scheme data: and (3) counting the average value, the standard deviation and the variation coefficient of the vulnerability scores of the basis weight scheme meeting the requirements in the step 4.2 and the quantity of different risk scores obtained by the scheme, as shown in table 2, wherein table 2 is a data statistical table of the weight distribution scheme in the invention, and T1-T14 is the comparison of different data of the CVSS of various distribution schemes found in the invention and the traditional scheme. The standard deviation and the coefficient of variation in table 2 may represent the variability of each weight assignment scheme, and the number of different risk scores is the main factor for re-assigning the weight of the impact metric, so the preferred weight assignment scheme of the present invention mainly considers the standard deviation, the coefficient of variation and the number of different risk scores.
Step 4.4) to obtain the optimal weight distribution scheme: and (4) analyzing and counting the vulnerability risk score average value, the standard deviation, the variation coefficient and different risk score quantities of the multiple weight distribution schemes obtained in the step 4.3, and preferably selecting the optimal relative importance weight scheme of the confidentiality measurement index, the integrity measurement index and the availability measurement index according to the data in the table 2 to obtain the relative importance specific weight values of the attributes in the confidentiality measurement index, the integrity measurement index and the availability measurement index in the influence measurement.
In the traditional CVSS assessment method, the confidentiality, integrity and availability measurement indexes of the influence measurement are weighted equally, so the influence factors of the vulnerability cannot be accurately represented and the risk score is inaccurate. The method analyzes the harm of the confidentiality, integrity and availability measurement indexes in influence: confidentiality cannot be repaired once damaged, so it is set as the main evaluation factor; damage to integrity harms the system, so it is set as the secondary evaluation factor; damage to availability harms the system less, so it is set as the general evaluation factor. Relative importance weights are set according to these different degrees of harm; compared with the equal-weight standard, the reset relative importance is more accurate, shows the harmfulness of the vulnerability more clearly, and makes the risk assessment of the vulnerability more accurate.
Example 3
A CVSS-based multidimensional software security risk assessment method is as in embodiments 1-2, wherein step 5 adds vulnerability type metric indexes to the availability metric, and calculates the corresponding weight of each vulnerability type metric index, including the following steps:
step 5.1) constructing the standard weight decision matrix data table: vulnerability type data set data are selected and divided according to the availability difficulty standard into four levels, B1 and B2 (difficult to exploit) and B3 and B4 (easy to exploit), with multiple vulnerability types distributed in each level. The number of each vulnerability type at a level is divided by the total number at that level, constructing the initial data tables of the different levels, as in table 3, where table 3 is the decision matrix data table constructed from standard weights in the invention.
Step 5.2) constructing an initial decision matrix: and obtaining an initial weight corresponding to each grade of vulnerability by adopting an Analytic Hierarchy Process (AHP) method, and constructing an initial decision matrix according to the initial weight and an initial data table.
Step 5.3) calculating the relative closeness: the initial decision matrix is normalized, the weighted normalization matrix is calculated, and the positive and negative ideal solutions of the weighted decision matrix are determined. The distance from each object to the positive and negative ideal solutions is calculated with the Euclidean norm as the distance measure, giving the relative closeness to the ideal solution.
Step 5.4) obtaining the final risk assessment availability calculation formula: the calculated relative closeness of each type is used as the weight of the vulnerability type measurement index, and the proportion of availability taken by the vulnerability type weight is set by the vulnerability-type-influence-resisting method. Together with the attack route, attack complexity and identity verification measurement indexes of the availability measurement in the original CVSS method, a new availability calculation formula is obtained.
The traditional CVSS assessment does not assess the types of the vulnerabilities, the software vulnerabilities cannot be assessed comprehensively, and assessment scores lack discreteness. The availability of the vulnerability samples is divided into difficult to be utilized and easy to be utilized, most vulnerability type samples are distributed with emphasis on easy to be utilized, a small amount of vulnerability type samples are distributed with emphasis on difficult to be utilized, and it is proved that the vulnerability types have great influence on the availability of the vulnerability, and vulnerability type factors need to be added for the availability. According to the method, the influence of vulnerability types on vulnerability risk assessment is increased, the difference of the availability of partial types of vulnerabilities is increased, vulnerability type measurement indexes in availability measurement are increased, software vulnerabilities can be assessed more comprehensively, and risk scores are diversified.
Example 4
A CVSS-based multi-dimensional software security risk assessment method as in embodiments 1-3, wherein step 6, adding a time utilization probability measure to the risk score, includes the following steps:
step 6.1) analyzing the time data of the vulnerability with a Weibull model: the Weibull distribution characteristic model, which is most suitable for processing time data, is applied to the collected vulnerability exploitation time data set, and an approximate proportion (scale) parameter α is preliminarily estimated from the ascending sorted data.
Step 6.2) calculating the slope of the regression curve to obtain the shape parameter β: the median rank P_x of each data point is computed and regression is performed using the logarithmically transformed values, see FIG. 3, where FIG. 3 is the Weibull distribution model fit of the present invention, with ln(1/P_x) on the horizontal axis and ln(x) on the vertical axis; in the middle range the fitted curve approaches a straight line, which better represents the utilization probability trend of the time data. The mid-range data are selected and the converted values regressed to analyze the linear trend of the utilization time. The slope of the linear trend gives the shape parameter β, together with the intercept.
Step 6.3) calculating the proportion parameter to obtain the time utilization probability formula: the proportion (scale) parameter α is calculated from the linear trend slope, i.e. the shape parameter β, and the utilization probability is calculated with the Weibull distribution model
Figure BDA0003377133310000133
Figure BDA0003377133310000132
From the calculated proportion (scale) parameter α and shape parameter β of the time distribution, the utilization probability P_t is obtained
Figure BDA0003377133310000131
The traditional CVSS does not take a vulnerability time factor as a grading standard, lacks consideration of the time factor, and only aims at the inherent characteristics of the vulnerability as evaluation results, but does not take the external time of the vulnerability as a vulnerability evaluation factor.
A more detailed example is given below to further illustrate the invention.
Example 5
A CVSS-based multi-dimensional software security risk assessment method similar to embodiments 1-4, comprising the steps of:
step 1) obtaining the software vulnerability data to be evaluated: the vulnerability to be risk-assessed is selected and its information is obtained from an open source database (NVD): the vulnerability type; the influence measurement, i.e. the attribute data of the three measurement indexes confidentiality, integrity and availability; the availability measurement, i.e. the data of the three measurement indexes attack path, attack complexity and identity verification; the publication time of the vulnerability; and the exploitation time, i.e. the difference between the disclosure time and the time of exploitation.
Step 2), analyzing vulnerability data, and integrating into a data set: and integrating the collected vulnerability data into a database, classifying the collected vulnerability data according to the influence measurement, the availability measurement and the vulnerability utilization time, and further dividing and integrating the vulnerability types and the vulnerability utilization time. If the single software bug is evaluated, only the bug data is analyzed, and a data table is constructed. The vulnerability information, vulnerability type, vulnerability influence factor, vulnerability availability factor, vulnerability disclosure time and vulnerability availability time are included.
Step 3) readjusting the weight of the influence indexes in the CVSS risk score: in the traditional CVSS evaluation method the weight values of all the measurement indexes in influence are equal; on this basis the relative importance of each measurement index weight is reset. After a vulnerability is exploited, its destructiveness to the system differs by index: confidentiality, whose loss is very destructive and cannot be repaired, is set as the main evaluation factor; integrity, whose loss causes great damage to the system, is set as the secondary evaluation factor; and availability, whose loss does less damage to the system, is taken as the general evaluation factor. The relative importance weights of the measurement indexes in influence are distributed by redistributing the weights of the three indexes according to their degree of harm to the system, increasing the weight of the more harmful and reducing the weight of the less harmful, so the relative importance weights of the measurement indexes in influence are reset according to the harmfulness of the evaluation factors.
Step 4) selecting the best weight values of the three influence measurement indexes among a plurality of weight distribution schemes by means of a weight search method: the relative importance weights in influence use a weight range (0-7.0) consistent with the CVSS; Wc denotes the confidentiality weight, Wi the integrity weight, Wa the availability weight, and t the minimum increment step.
Wc+Wi+Wa=7
For the three basic scoring factors there are three attributes each, no influence, partial influence and complete influence, where the partial influence is half of the complete influence, the complete influence of the integrity of the secondary evaluation factor is larger than the partial influence of the confidentiality of the primary evaluation factor, and the complete influence of the availability of the general evaluation factor is larger than the partial influence of the integrity of the secondary evaluation factor. Following the traditional CVSS, the sum of the confidentiality, integrity and availability measurement indexes is 7 and the increment t is 0.2; then the weight Wa of the availability measurement index satisfies Wa > 1, and because confidentiality, integrity and availability cannot take the same value, Wa ≤ (7 − 0.6)/3, so the maximum value of Wa is 2.0. Thus 3^3 weight combination schemes can be obtained. Using the weight search method shown in fig. 2, the unsatisfactory schemes in which two weights are equal are excluded, leaving 14 satisfactory weight distribution schemes, as shown in table 1, where table 1 is the weight distribution scheme table obtained by the search in the present invention.
Table 1: weight distribution scheme table obtained by searching in the invention
Figure BDA0003377133310000151
Table 2: weight distribution scheme data statistical table in the invention
Figure BDA0003377133310000152
The average value, the standard deviation and the variation coefficient of the vulnerability scores of different schemes and the number of different risk scores obtained by the scheme are shown in table 2, and the table 2 is a data analysis result obtained by counting 14 weight schemes and the CVSS distribution scheme. With emphasis on standard deviation, coefficient of variation and number of different scores. Because the standard deviation and coefficient of variation may reflect the variability of each scheme, different numbers of risk scores are the primary factors in the reassignment of the impact metric weights.
According to the data in table 2, scheme T2 has the largest number of different risk scores and a higher coefficient of variation and standard deviation, so compared with the CVSS distribution method it makes the scores more diverse and better distinguishes different vulnerabilities. Considering the weight distribution methods together, T2 is selected as the optimal relative importance weight distribution scheme according to the vulnerability score statistics. The invention uses the weight search method to compile statistics on the weight distribution scheme data of the various schemes and so obtain the optimal distribution scheme.
In the single vulnerability assessment, the attribute data in the three measurement indexes of confidentiality, integrity and availability of the influence obtained in the step 1 are introduced into the T2 weight distribution scheme to obtain the weight values of the specific relative importance of the attributes of the three measurement indexes, and the influence measurement value of the vulnerability is obtained based on the influence calculation formula of the CVSS.
Step 5) adding vulnerability type indexes to the availability measurement and integrating the weight indexes to obtain the availability measurement expression: a database is selected and its data set of 22 vulnerability types is divided, according to exploitability, into difficult-to-exploit levels (B1, B2) and easy-to-exploit levels (B3, B4). For 18 of the 22 vulnerability types, 71.5%-97.9% of the samples fall in B3 and B4; for 3 vulnerability types, 62.2%-89.30% fall in B1 and B2; only one vulnerability type has 58.4% of its samples in B3 and B4 and 41.6% in B1 and B2, and that type accounts for only 7% of all samples. This result shows that the vulnerability type has a great influence on the degree of availability and needs to be used as an availability measurement index. The number of each type of vulnerability is divided by the total number at each level to construct the initial data table. The AHP (analytic hierarchy process) method is used to obtain the initial weight corresponding to each level of vulnerability, and the decision matrix data table constructed from standard weights in the invention is shown in table 3. The TOPSIS method is used to calculate the relative closeness of each vulnerability type as the weight of that type, specifically as follows:
step 5.1) constructing an initial decision matrix according to the initial data set and the initial weight:
Figure BDA0003377133310000161
step 5.2) by
Figure BDA0003377133310000171
Normalizing the decision matrix;
According to v_ij = r_ij × w_j, the weighted normalization matrix is calculated,
determining a positive and negative ideal solution for a weighted decision matrix by the following formula
Figure BDA0003377133310000172
Figure BDA0003377133310000173
Table 3: standard weight construction decision matrix data table in the invention
Figure BDA0003377133310000174
Step 5.3) calculating the distance from each object to the positive and negative ideal solutions according to the Euclidean norm as the distance measure
Figure BDA0003377133310000175
According to
Figure BDA0003377133310000176
the relative closeness to the ideal solution is calculated and taken as the weight of the vulnerability type; table 4 is the weight table of the 22 vulnerability types in the invention.
Table 4: the invention relates to a weight table for 22 vulnerability types
Figure BDA0003377133310000181
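The TOPSIS pass of steps 5.1-5.3 and the availability formula of step 5.4, as an added worked example in Python that is not part of the patent: the decision matrix, the level weights standing in for the AHP initial weights and the vulnerability type names are constructed, every level column is treated as a benefit criterion (the patent does not state the criterion direction), and the availability call uses the CVSS v2 numeric values for attack vector, access complexity and authentication.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Constructed decision matrix (not the patent's data): each row is a hypothetical
# vulnerability type, each column the share of that type within one availability
# level, B1 (hardest to exploit) to B4 (easiest to exploit).
DECISION_MATRIX: Dict[str, List[float]] = {
    "type-A": [0.05, 0.10, 0.30, 0.40],  # concentrated in the easy levels
    "type-B": [0.40, 0.30, 0.10, 0.05],  # concentrated in the hard levels
    "type-C": [0.20, 0.20, 0.25, 0.25],  # spread evenly over the levels
    "type-D": [0.35, 0.40, 0.35, 0.30],  # large share at every level
}

# Constructed stand-ins for the AHP initial weights of the four levels; they
# favour the easy-to-exploit levels and sum to 1.
LEVEL_WEIGHTS: List[float] = [0.10, 0.15, 0.30, 0.45]


def normalise(matrix: Dict[str, List[float]]) -> Dict[str, List[float]]:
    """Vector normalisation, column by column: r_ij = x_ij / sqrt(sum_k x_kj^2)."""
    rows = list(matrix.values())
    norms = [math.sqrt(sum(row[j] ** 2 for row in rows)) for j in range(len(rows[0]))]
    return {name: [x / n for x, n in zip(row, norms)] for name, row in matrix.items()}


def weight(matrix: Dict[str, List[float]], weights: Sequence[float]) -> Dict[str, List[float]]:
    """Weighted normalised matrix: v_ij = r_ij * w_j (the formula the page shows)."""
    return {name: [r * w for r, w in zip(row, weights)] for name, row in matrix.items()}


def ideal_solutions(weighted: Dict[str, List[float]]) -> Tuple[List[float], List[float]]:
    """Positive ideal = column-wise maximum, negative ideal = column-wise minimum.
    All columns are treated as benefit criteria (assumption)."""
    cols = list(zip(*weighted.values()))
    return [max(c) for c in cols], [min(c) for c in cols]


def euclid(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean norm used as the distance measure."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def relative_closeness(matrix: Dict[str, List[float]], weights: Sequence[float]) -> Dict[str, float]:
    """Full TOPSIS pass: C_i = D_i^- / (D_i^+ + D_i^-) for every vulnerability type.
    The page uses C_i as the vulnerability type weight."""
    v = weight(normalise(matrix), weights)
    pos, neg = ideal_solutions(v)
    result: Dict[str, float] = {}
    for name, row in v.items():
        d_pos, d_neg = euclid(row, pos), euclid(row, neg)
        # Identical rows make both distances zero; treat that as no closeness.
        result[name] = d_neg / (d_pos + d_neg) if d_pos + d_neg > 0 else 0.0
    return result


def availability(attack_vector: float, attack_complexity: float,
                 authentication: float, type_weight: float) -> float:
    """The page's modified availability: 18 * AV * AC * Au + vulnerability type weight.
    type_weight is the TOPSIS relative closeness of the vulnerability's type."""
    return 18 * attack_vector * attack_complexity * authentication + type_weight


if __name__ == "__main__":
    closeness = relative_closeness(DECISION_MATRIX, LEVEL_WEIGHTS)
    for name, c in sorted(closeness.items(), key=lambda kv: -kv[1]):
        print(f"{name}: vulnerability type weight = {c:.3f}")
    # CVSS v2 values: network (1.0), low complexity (0.71), no authentication (0.704)
    print(f"availability for type-A = {availability(1.0, 0.71, 0.704, closeness['type-A']):.3f}")
```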
Step 5.4) calculating the weight of the vulnerability type to account for the availability proportion according to the vulnerability type influence resisting method:
based on the traditional CVSS risk assessment availability calculation formula:
availability = 20 × attack path × attack complexity × identity verification
The invention adopts the method proposed by Miaoui et al. for resisting the influence of vulnerability types, so that on the basis of the traditional CVSS the vulnerability type weight accounts for a proportion of 0.1 of the availability and the attack path, attack complexity and identity verification together account for 0.9, giving the availability calculation formula of the invention:
availability = 18 × attack route × attack complexity × authentication + vulnerability type
The influence of vulnerability types on vulnerability availability is not considered in the traditional calculation formula, so that a risk assessment mode cannot accurately assess vulnerability risks and an accurate risk assessment score cannot be obtained. According to the method, the weight of the vulnerability type is quantitatively calculated by using a Topsis method, the vulnerability type is scientifically and effectively introduced into a risk score calculation formula, risk evaluation factors can be considered more comprehensively, and vulnerability risk evaluation accuracy is improved.
In the single vulnerability assessment, the vulnerability type, the attack way, the attack complexity and the identity verification data obtained in the step 1 are selected according to the 22 vulnerability type weight tables in the table 4 to obtain the weight of the vulnerability to be detected, and the weight is substituted into the calculation formula of the vulnerability availability to calculate the vulnerability availability metric value.
Step 6) adding a time utilization probability measure to the risk score: the traditional CVSS risk assessment method only considers the inherent characteristics of the vulnerability, and external factors such as time and the like are not taken as assessment factors to be introduced into the risk assessment method, so that the assessment method cannot carry out multi-dimensional assessment on the software vulnerability with high external attention of a certain vulnerability, and the vulnerability risk is ignored or overlooked. Aiming at the problem, classification processing calculation is carried out on the vulnerability exploitation time, the vulnerability time exploitation probability is obtained, and a risk calculation scoring method is introduced. The risk of such problems is avoided.
By analyzing the duration data of the vulnerability's exploitation time, and based on the Weibull distribution, which best fits time data, the time utilization probability P_t of the vulnerability is quantified:
Figure BDA0003377133310000191
A two-parameter Weibull distribution method is designed, a proportion parameter alpha and a shape parameter beta of time distribution are set, wherein beta is equivalent to a linear trend slope parameter, a longitudinal axis and a transverse axis are set according to distribution median to determine a trend slope beta, the proportion parameter alpha is calculated according to the slope beta, and a final utilization probability calculation method is obtained. When the vulnerability data is temporal data, Weibull distribution is most appropriate. The Weibull distribution has the advantage that the Weibull distribution fully defines the extreme value deviating from the median of the distribution, and the specific operation steps are as follows:
step 6.1) applying the Weibull distribution characteristic model to the collected vulnerability exploitation time data set data, sorting the data results according to ascending order, wherein the data results corresponding to 63% of the deviation from the middle position of the distribution are 108 days. This is the rough estimated parameter α of the characteristic model of Weibull.
Step 6.2) calculating the median rank P_x of the data points: the median rank equation of the distribution is
P_x = (Rank(x) − 0.3)/(x + 0.4)
Regression is performed on the logarithmically converted values, with ln(ln(1/P_x)) on the horizontal axis and ln(x) on the vertical axis. The converted values are regressed as shown in fig. 3, the fitting curve of the Weibull distribution in the invention; the fitting curve of the intermediate data in fig. 3 tends to a straight line, which better represents the time utilization probability. Analyzing the linear trend, its slope k is 2.12 and its intercept b is −10.22.
Step 6.3) the slope of the linear trend after the numerical conversion gives the β value, so the shape parameter β is 2.12. The proportion (scale) parameter α is calculated from the shape parameter β as follows:
α = e^(−(intercept/slope))
giving the corresponding α = 124.05
Step 6.4) calculating the utilization probability from the Weibull distribution: from the calculated proportion (scale) parameter α and shape parameter β of the time distribution, the utilization probability P_t is obtained
Figure BDA0003377133310000201
The method sets the exploit probability on the basis of the vulnerability's time factor and fully accounts for the trend of the time data from disclosure to exploitation. The vulnerability's time data are quantified to obtain a fitting curve, from which the exploit probability of the vulnerability is calculated; the Weibull distribution is used because it reflects the character of the vulnerability discovery process. Compared with the traditional assessment method, adding the time-based exploit probability adds a dimension to vulnerability risk assessment and improves its accuracy.
For a single vulnerability, the disclosure time and exploit time obtained in step 1 are selected, their difference gives the specific exploit duration t, and t is substituted into the exploit probability formula to obtain the time-based exploit probability P_t.
Step 7) Obtain the new vulnerability risk assessment method. Starting from the traditional CVSS assessment method: where the impact metric gives the confidentiality, integrity and availability metrics equal weight, relative-importance weights are set according to the different degrees of harm of the metrics; where the traditional CVSS exploitability metric (attack vector, attack complexity, authentication) is not comprehensive enough, a vulnerability-type metric is added to the exploitability metric; and where the traditional CVSS assessment does not consider extrinsic time factors, a time-based exploit probability metric is added to the risk score formula. Combining the relative-importance-weighted impact metric, the exploitability metric with the vulnerability-type index and the vulnerability's time-based exploit probability, and synthesising all metrics and metric standards, gives the risk score formula of the CVSS-based multi-dimensional software security risk assessment method of the invention:
Risk score = 0.6 × Impact + 0.4 × Exploitability × P_t − 1.5
In the invention, for single-vulnerability risk assessment, the impact metric value of the vulnerability is obtained by step 4, its exploitability metric value by step 5 and its time-based exploit probability P_t by step 6; substituting these values into the overall risk assessment formula gives the final risk score of the vulnerability.
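As an added worked example (not code from the patent), the following Python carries steps 6.2 to 6.4 and the step 7 formula through end to end: it fits the Weibull parameters by median-rank regression on a constructed set of disclosure-to-exploit durations, converts slope and intercept to β and α exactly as step 6.3 does, and feeds P_t into the risk score with the impact and exploitability values of the CVE-2020-15275 case. The probability plot uses y = ln(ln(1/(1 − F))) with F the Benard median rank, which is the standard Weibull form; reading the patent's ln(ln(1/P_x)) this way (P_x as the not-yet-exploited fraction 1 − F) is my assumption, as is the survival form P_t = exp(−(t/α)^β). All function names are mine and the durations are synthetic Weibull quantiles, not NVD data.

```python
import math
from typing import List, Sequence, Tuple

# Added example, not the patent's code.  Constructed data throughout.


def benard_median_ranks(n: int) -> List[float]:
    """Benard's median-rank approximation F_i = (i - 0.3) / (n + 0.4), i = 1..n."""
    return [(i - 0.3) / (n + 0.4) for i in range(1, n + 1)]


def linear_fit(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Ordinary least squares line y = slope * x + intercept."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def weibull_params_from_line(slope: float, intercept: float) -> Tuple[float, float]:
    """Step 6.3: beta is the slope, alpha = exp(-(intercept / slope)).  Returns (alpha, beta)."""
    beta = slope
    alpha = math.exp(-(intercept / slope))
    return alpha, beta


def fit_weibull_median_rank(durations: Sequence[float]) -> Tuple[float, float]:
    """Steps 6.2-6.3 on a sample of disclosure-to-exploit durations (days).

    Durations are sorted ascending and given Benard median ranks F_i.
    Regressing y = ln(ln(1/(1-F_i))) on x = ln(t_i) yields a line whose slope
    is beta and whose intercept is -beta*ln(alpha).  ASSUMPTION: the patent's
    P_x is read as 1-F_i, which is what makes the slope positive.
    """
    ts = sorted(durations)
    if len(ts) < 2 or ts[0] <= 0:
        raise ValueError("need at least two strictly positive durations")
    fs = benard_median_ranks(len(ts))
    xs = [math.log(t) for t in ts]
    ys = [math.log(math.log(1.0 / (1.0 - f))) for f in fs]
    return weibull_params_from_line(*linear_fit(xs, ys))


def exploit_probability(t: float, alpha: float, beta: float) -> float:
    """Step 6.4 (assumed Weibull survival form): P_t = exp(-(t/alpha)^beta).

    P_t is 1 at t = 0 and falls towards 0 as the time since disclosure grows.
    """
    if t < 0:
        raise ValueError("duration must be non-negative")
    return math.exp(-((t / alpha) ** beta))


def duration_for_probability(p: float, alpha: float, beta: float) -> float:
    """Inverse of exploit_probability: the duration t at which P_t equals p."""
    return alpha * (-math.log(p)) ** (1.0 / beta)


def risk_score(impact: float, exploitability: float, p_t: float) -> float:
    """Step 7: risk = 0.6 * impact + 0.4 * exploitability * P_t - 1.5."""
    return 0.6 * impact + 0.4 * exploitability * p_t - 1.5


def synthetic_durations(alpha: float, beta: float, n: int) -> List[float]:
    """Constructed sample: exact Weibull quantiles at the Benard ranks."""
    return [alpha * (-math.log(1.0 - f)) ** (1.0 / beta)
            for f in benard_median_ranks(n)]


if __name__ == "__main__":
    # Fit on 40 constructed durations generated from the patent's alpha, beta.
    alpha, beta = fit_weibull_median_rank(synthetic_durations(124.05, 2.12, 40))
    print(f"alpha={alpha:.2f} beta={beta:.3f}")
    # Page values for CVE-2020-15275: impact 11.451, exploitability 10.187,
    # P_t 0.72.  Under the assumed P_t form that P_t corresponds to about 73 days.
    t = duration_for_probability(0.72, alpha, beta)
    print(f"duration giving P_t=0.72: {t:.1f} days")
    print(f"risk={risk_score(11.451, 10.187, exploit_probability(t, alpha, beta)):.2f}")
```

Because the synthetic durations are exact Weibull quantiles at the median ranks, the regression recovers α and β to floating-point precision; on real NVD intervals the fit will not be exact, and the patent's remark that only the middle range of the plot is linear is the reason to inspect the residuals before trusting β.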
The method addresses the shortcomings of the existing CVSS vulnerability risk assessment: it cannot effectively represent the relative importance of the metrics within vulnerability impact, and it does not explore vulnerability-type weights or a time-factor probability. For impact, relative-importance weights are set for the three metrics confidentiality, integrity and availability, which is a more principled scoring than the equal weights of CVSS; a vulnerability-type metric is added to the exploitability part of the risk score, with weight standards for the different vulnerability types, which increases the spread of the scores; and the exploit probability of the vulnerability's time factor is added, which improves the timeliness and accuracy of the assessment. The method improves the diversity and rigour of vulnerability risk assessment, can be used to assess the risk levels of large numbers of vulnerabilities and has high practical value; specifically, it addresses the inaccuracy, oversimplification and lack of discreteness in the risk scores of the existing assessment method.
The effect of the invention is explained further below through a specific risk assessment case.
Example 6
A CVSS-based multi-dimensional software security risk assessment method, the same as in Examples 1 to 5.
In this example, the assessment basis is obtained from the public NVD database for the specific vulnerability CVE-2020-15275: the vulnerability information, the vulnerability type, the confidentiality, integrity and availability impact metrics, the attack vector, attack complexity and authentication exploitability metrics, and the vulnerability's disclosure time and exploit time.
Table 5: data table constructed by the invention from the data obtained for CVE-2020-15275
(Table 5 is an image in the source and is not reproduced in the text.)
Substituting the impact metrics of the vulnerability into the relative-importance-weighted impact metric of the invention gives its impact metric value; substituting its exploitability metrics into the exploitability formula of the invention gives its exploitability metric value; and substituting its exploit duration into the time-based exploit probability formula gives its exploit probability value. Combining these metrics gives the final risk score of the vulnerability, as shown in Table 6, which compares the assessment results of the invention and of traditional CVSS for the risk level of CVE-2020-15275.
Table 6: comparison of the risk score assessment results of the invention and of traditional CVSS for CVE-2020-15275
(Table 6 is an image in the source and is not reproduced in the text.)
The traditional CVSS risk score ranges from 0 to 10, and a higher score means a more dangerous vulnerability. As Table 6 shows, for CVE-2020-15275 the traditional CVSS impact metric is 2.863 while the impact metric of the invention is 11.451: with relative-importance weights the invention gives a higher impact score than traditional CVSS, indicating that the vulnerability's impact is more harmful. The traditional CVSS exploitability metric is 11.2 and that of the invention is 10.187, lower than the traditional score, indicating that the vulnerability-type metric lowers the exploitability metric for this vulnerability. Traditional CVSS does not study the exploit time of the vulnerability; the invention does, and calculates an exploit probability of 0.72, showing that the risk score is reduced when the time since disclosure is long. The traditional CVSS risk score is 4.3 and the risk score of the invention is 8.3. Compared with the traditional method, the invention displays the harmfulness of the vulnerability's risk more clearly and intuitively. Because the invention's impact metric value (11.451) already exceeds the 0 to 10 range of a traditional CVSS score, the two risk scores are not on a common scale and should be compared by ranking vulnerabilities rather than by absolute value.
The impact metric value differs greatly from that of the traditional CVSS method: the invention sets relative-importance weights according to the different harmfulness of each metric within impact, which gives a more accurate score than the equal metric weights of the traditional CVSS impact metric. The exploitability score also differs from that of traditional CVSS because the invention adds the vulnerability-type metric to the exploitability metric, making the risk assessment standard more comprehensive. Traditional CVSS does not consider time factors; the invention adds the time-based exploit probability factor to the risk assessment, so that external factors influence the vulnerability risk assessment and its multidimensionality increases. Compared with the traditional risk score, the invention's risk score expresses the harmfulness of the vulnerability risk more clearly, the assessment result is more rigorous and timely, and security personnel's attention to the vulnerability risk is better raised.
The invention assesses impact with relative-importance metrics, enriches the exploitability metric with the vulnerability type, and introduces the time factor into the risk score of the risk assessment method, solving the problem that the existing traditional CVSS assessment cannot assess software security vulnerability risk rigorously and accurately and therefore understates the destructiveness and severity of vulnerabilities. The specific implementation steps are: acquire data; analyse the vulnerability data and integrate a data set; design a relative-importance weight distribution scheme for impact; assign the scoring algorithm according to the best impact weights; set the exploitability metric according to vulnerability type; determine the exploit probability formula for vulnerability time; and obtain the new vulnerability risk assessment method, completing the vulnerability risk score. For the problem that CVSS scoring does not consider relative importance in the weight distribution of the basic impact metrics confidentiality, integrity and availability, the invention sets a weight scheme based on the relative importance of the three impact factors; for the problem that the CVSS scoring index does not consider the effect of vulnerability type, the invention provides an exploitability weight for the vulnerability type; for the problem that the CVSS scoring standard attends only to the intrinsic features of vulnerability data and ignores extrinsic time factors, the time difference between exploit time and disclosure date and its actual trend are quantified and the exploit probability is calculated. The method assesses vulnerability risk scores rigorously, applies to a wide range of scenarios and gives accurate, well-spread assessment scores. It is used to assess and score the risk level of software vulnerabilities.
In summary, the invention provides a CVSS-based multi-angle software security risk assessment method that solves the problem that the existing CVSS metric standard for software vulnerabilities cannot fully assess the vulnerability risk level. The implementation steps are: acquire software vulnerability data; analyse the vulnerability data and integrate them into a data set; readjust the weights of the three metrics of the impact metric in the CVSS risk score; select the preferred distribution scheme of the impact metrics from multiple weight distribution schemes; add a vulnerability-type metric to the exploitability metric; add a time-based exploit probability metric to the risk score; and obtain the vulnerability risk assessment result with the multi-dimensional risk assessment formula. The invention distributes weights on the basis of the relative importance of the impact metrics, avoiding the scoring inaccuracy caused by giving impact metrics of different severity equal weight; it considers the exploitability metric on the basis of the vulnerability type, giving a more comprehensive score than the traditional scoring standard; and it sets the exploit probability on the basis of the vulnerability's exploit time, improving the diversity of the risk assessment. Summarising each metric standard of the vulnerability risk gives the CVSS-based multi-dimensional software security risk assessment method. The method is used for security detection and risk assessment of software vulnerabilities.

Claims (4)

1. A CVSS-based multi-dimensional software security risk assessment method, characterised by comprising the following steps:
Step 1) Acquire software vulnerability data: select the software vulnerability to be assessed and obtain its vulnerability data from a public vulnerability database, the vulnerability data comprising vulnerability information, vulnerability type, vulnerability impact factors, vulnerability exploitability factors and vulnerability exploit-time information;
Step 2) Analyse the vulnerability data and integrate them into a data set: integrate the collected vulnerability data into a database, classify them by vulnerability type and by vulnerability exploit time, and divide and integrate the respective data sets;
Step 3) Readjust the weights of the three metrics of the impact metric in the CVSS risk score: redistribute the weights of the three impact metrics according to their degree of harm to the system, increasing the weight of the more harmful and decreasing that of the less harmful, reset the relative-importance weight of each metric within the impact metric according to the harmfulness of the impact factors, and obtain multiple weight distribution schemes from this distribution principle;
Step 4) Select the distribution scheme of the impact metrics from the multiple weight distribution schemes: optimise the weight values of the three impact metrics among the multiple schemes with a weight search, reset the relative-importance weights within the impact metric, use the weight search to obtain those schemes in which the confidentiality, integrity and availability metrics meet the requirements, compute for each scheme the mean, standard deviation and coefficient of variation of the vulnerability scores and the number of distinct risk scores it produces, and select the best relative-importance weight scheme;
Step 5) Add a vulnerability-type metric to the exploitability metric: add a vulnerability-type metric alongside the attack vector, attack complexity and authentication metrics of the exploitability metric; classify the vulnerability-type data set by exploitability difficulty and divide the number of vulnerabilities of each type within a difficulty level by the total number of vulnerabilities in that level to construct the initial vulnerability-type data table; construct a decision matrix from the initial data table and the corresponding standard weights and obtain the basic weight of each level with the analytic hierarchy process; calculate the relative closeness of each type with the TOPSIS method as the corresponding vulnerability-type weight; calculate the proportion of the exploitability metric accounted for by the vulnerability-type weight, and form, together with attack vector, attack complexity and authentication, the exploitability expression of the CVSS-based multi-dimensional software security risk assessment method:
Exploitability = 18 × AttackVector × AttackComplexity × Authentication × VulnerabilityType;
Step 6) Add a time probability metric to the risk score: add a vulnerability exploit-time probability term P_t to the risk assessment, where β is the shape parameter, α the scale parameter and t the exploit duration of the vulnerability; the time factor of the vulnerability is specifically the interval between its disclosure time and its exploit time. Quantifying the vulnerability's time adds the effect of the time factor to the vulnerability risk assessment: the exploit-time data set is analysed with a Weibull distribution model, the median rank of the data points is calculated, the logarithmically transformed values are regressed to determine the exploit-time fitting curve, the linear trend of the exploit time is determined from the fitting curve, the shape parameter β and scale parameter α of the fitted curve are calculated from the slope and intercept of that trend, and β and α are substituted into the exploit probability formula to obtain the calculated vulnerability exploit-time probability
P_t = exp(−(t/α)^β)
Step 7) Obtain the multi-dimensional risk assessment result: integrate all metric standards and relative-importance weight values into the CVSS-based multi-dimensional software security risk assessment score formula
Risk score = 0.6 × Impact + 0.4 × Exploitability × P_t − 1.5
where Impact is the impact metric with the best relative-importance weights and Exploitability is the exploitability metric with the added vulnerability-type metric; the acquired vulnerability data are assessed with this multi-dimensional risk assessment score formula to obtain the risk assessment result of the vulnerability, which fuses more assessment factors and displays the risk score more objectively.
2. The CVSS-based multi-dimensional software security risk assessment method according to claim 1, wherein the selection in step 4 of the distribution scheme of the impact metrics from the multiple weight distribution schemes comprises:
Step 4.1) Determine the principle of the weight distribution schemes and obtain multiple schemes: according to the degree to which the confidentiality, integrity and availability impact metrics are affected once the vulnerability is exploited, each is divided into the three attributes no impact, partial impact and complete impact. The complete impact of integrity is required to be greater than the partial impact of confidentiality and the complete impact of availability greater than the partial impact of integrity; a weight range and a minimum increment step are set, with partial impact being half of complete impact; this yields the basic weight distribution schemes of the metrics;
Step 4.2) Search the basic weight schemes that meet the requirements with a weight search: among the schemes obtained in step 4.1, a scheme in which two metric weights are equal is treated as not meeting the requirements and excluded, leaving multiple weight distribution schemes that meet the requirements;
Step 4.3) Collect statistics on the weight distribution schemes: for each basic weight scheme retained in step 4.2, compute the mean, standard deviation and coefficient of variation of the vulnerability scores and the number of distinct risk scores the scheme produces; the standard deviation and coefficient of variation reflect the variability of each scheme, and the number of distinct scores is the main reason for redistributing the impact metric weights, so the assessment emphasises standard deviation, coefficient of variation and number of distinct scores;
Step 4.4) Obtain the optimal weight distribution scheme: analyse the mean, standard deviation, coefficient of variation and number of distinct risk scores of the multiple weight distribution schemes from step 4.3, and select the optimal relative-importance weight scheme for the confidentiality, integrity and availability metrics.
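As an added example (not the patent's code) of the step 4 search: enumerate confidentiality/integrity/availability weight schemes under the step 4.1 ordering constraints, drop schemes in which two weights are equal (step 4.2), score a constructed vulnerability set under each scheme, and rank the schemes by the step 4.3 statistics. The impact formula that consumes these weights is not reproduced in this section, so the example assumes a plain weighted sum impact = w_C·c + w_I·i + w_A·a with none/partial/complete mapped to 0/0.5/1; the weight grid (tenths summing to 1), the vulnerability set and every function name are likewise my own assumptions.

```python
import itertools
import statistics
from typing import Dict, List, Sequence, Tuple

# Added example, not the patent's code.  ASSUMPTIONS: weights are tenths that
# sum to 1.0; impact = w_C*c + w_I*i + w_A*a with the CVSS v2 levels
# None/Partial/Complete mapped to 0 / 0.5 / 1 (partial = half of complete, as
# step 4.1 requires).  The vulnerability set below is constructed.

LEVEL = {"N": 0.0, "P": 0.5, "C": 1.0}
Scheme = Tuple[float, float, float]          # (w_C, w_I, w_A)
Cia = Tuple[str, str, str]

# Constructed (C, I, A) impact vectors for a small vulnerability set.
SAMPLE_VULNS: List[Cia] = [
    ("N", "P", "N"), ("P", "P", "P"), ("C", "C", "C"), ("N", "N", "P"),
    ("P", "N", "N"), ("C", "N", "N"), ("N", "P", "P"), ("P", "C", "P"),
]


def satisfies_step_4_1(wc: float, wi: float, wa: float) -> bool:
    """Complete integrity impact must exceed partial confidentiality impact,
    and complete availability impact must exceed partial integrity impact."""
    return wi * LEVEL["C"] > wc * LEVEL["P"] and wa * LEVEL["C"] > wi * LEVEL["P"]


def candidate_schemes(total_tenths: int = 10) -> List[Scheme]:
    """Steps 4.1 and 4.2: every weight triple on the grid that meets the
    ordering constraints and has no two weights equal."""
    out: List[Scheme] = []
    for c, i in itertools.product(range(1, total_tenths), repeat=2):
        a = total_tenths - c - i
        if a < 1:
            continue
        wc, wi, wa = c / 10, i / 10, a / 10
        if not satisfies_step_4_1(wc, wi, wa):
            continue
        if len({c, i, a}) < 3:            # step 4.2: pairwise-equal weights rejected
            continue
        out.append((wc, wi, wa))
    return out


def impact(scheme: Scheme, cia: Cia) -> float:
    """ASSUMED weighted-sum impact; the patent's own impact formula is not
    reproduced in this section."""
    return sum(w * LEVEL[level] for w, level in zip(scheme, cia))


def scheme_stats(scheme: Scheme, vulns: Sequence[Cia]) -> Dict[str, float]:
    """Step 4.3: mean, sample standard deviation, coefficient of variation and
    the number of distinct scores the scheme produces on the vulnerability set."""
    scores = [impact(scheme, v) for v in vulns]
    mean = statistics.mean(scores)
    sd = statistics.stdev(scores)
    return {
        "mean": mean,
        "stdev": sd,
        "cv": sd / mean if mean else float("inf"),
        "distinct": len({round(s, 9) for s in scores}),
    }


def rank_schemes(vulns: Sequence[Cia]) -> List[Tuple[Scheme, Dict[str, float]]]:
    """Step 4.4 ordering: most distinct scores first, coefficient of variation
    as the tie-breaker (the two statistics the claim says to emphasise)."""
    return sorted(
        ((s, scheme_stats(s, vulns)) for s in candidate_schemes()),
        key=lambda pair: (pair[1]["distinct"], pair[1]["cv"]),
        reverse=True,
    )


def best_scheme(vulns: Sequence[Cia]) -> Tuple[Scheme, Dict[str, float]]:
    return rank_schemes(vulns)[0]


if __name__ == "__main__":
    for scheme, st in rank_schemes(SAMPLE_VULNS)[:5]:
        print(scheme, {k: round(v, 3) for k, v in st.items()})
```

The equal-weight scheme (1/3, 1/3, 1/3) that plain CVSS corresponds to never appears in the candidate list, because step 4.2 rejects any pair of equal weights; the ranking then rewards the schemes that pull apart vulnerabilities which equal weights would score identically.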
3. The CVSS-based multi-dimensional software security risk assessment method according to claim 1, wherein step 5, adding the vulnerability-type metric to the exploitability metric and calculating the weight corresponding to each vulnerability type, comprises:
Step 5.1) Construct the standard-weight decision matrix data table: select the vulnerability-type data set, divide it into four levels by exploitability difficulty, and assign several vulnerability types to each level. Divide the count of each vulnerability type within a level by the total count of that level, constructing the initial data tables of the different levels;
Step 5.2) Construct the initial decision matrix: obtain the initial weight of each level with the analytic hierarchy process (AHP) and construct the initial decision matrix from the initial weights and the initial data table;
Step 5.3) Calculate the relative closeness: normalise the initial decision matrix, compute the weighted normalised matrix, and determine the positive and negative ideal solutions of the weighted decision matrix. Using the Euclidean norm as the distance measure, compute the distance of each object to the positive and negative ideal solutions and obtain its relative closeness to the ideal solution;
Step 5.4) Obtain the final exploitability formula of the risk assessment: calculate the proportion of exploitability accounted for by the vulnerability-type weight, using the calculated relative closeness of each type as the weight of the vulnerability-type metric. The vulnerability-type weight is added to the attack vector, attack complexity and authentication metrics of the exploitability metric of the traditional CVSS method to obtain the new exploitability formula.
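As an added example (not the patent's code) of claim 3's steps 5.1 to 5.3: an initial table of vulnerability-type shares per exploitability difficulty level (step 5.1, constructed numbers), AHP level weights from a Saaty-scale pairwise matrix together with the consistency-ratio check a practitioner should run before trusting those weights (step 5.2), and TOPSIS relative closeness as the per-type weight (step 5.3). Treating the two easier levels as benefit criteria and the two harder ones as cost criteria is my assumption, since the claim does not state which direction each level counts; the type labels, pairwise judgements and function names are mine as well.

```python
import math
from typing import Dict, List, Sequence

# Added example, not the patent's code.  All numbers below are constructed.

# Step 5.1: share of each vulnerability type within each exploitability
# difficulty level (each column sums to 1).  Level 1 is the easiest to exploit.
TYPES = ["type_A", "type_B", "type_C", "type_D"]
INITIAL_TABLE: List[List[float]] = [
    [0.40, 0.35, 0.10, 0.05],   # type_A: concentrated in the easy levels
    [0.25, 0.30, 0.25, 0.20],
    [0.20, 0.20, 0.30, 0.30],
    [0.15, 0.15, 0.35, 0.45],   # type_D: concentrated in the hard levels
]
# ASSUMPTION: a large share at an easy level raises exploitability (benefit
# criterion); a large share at a hard level lowers it (cost criterion).
BENEFIT = [True, True, False, False]

# Saaty 1-9 pairwise judgements of the relative importance of the four levels.
PAIRWISE: List[List[float]] = [
    [1,     2,     3,     4],
    [1 / 2, 1,     2,     3],
    [1 / 3, 1 / 2, 1,     2],
    [1 / 4, 1 / 3, 1 / 2, 1],
]
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}   # Saaty's RI table


def ahp_weights(pairwise: Sequence[Sequence[float]]) -> List[float]:
    """Step 5.2: priority vector by the row geometric-mean approximation."""
    n = len(pairwise)
    gm = [math.prod(row) ** (1.0 / n) for row in pairwise]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(pairwise: Sequence[Sequence[float]], weights: Sequence[float]) -> float:
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1).  CR > 0.1 means the
    judgements contradict each other too much for the weights to be used."""
    n = len(pairwise)
    if n < 3:
        return 0.0
    aw = [sum(pairwise[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def topsis_closeness(matrix: Sequence[Sequence[float]], weights: Sequence[float],
                     benefit: Sequence[bool]) -> List[float]:
    """Step 5.3: vector-normalise, weight, take positive/negative ideal
    solutions per column, Euclidean distances, closeness = d- / (d+ + d-)."""
    m, n = len(matrix), len(weights)
    norms = [math.sqrt(sum(matrix[i][j] ** 2 for i in range(m))) for j in range(n)]
    v = [[weights[j] * matrix[i][j] / norms[j] for j in range(n)] for i in range(m)]
    col = lambda j: [v[i][j] for i in range(m)]
    best = [max(col(j)) if benefit[j] else min(col(j)) for j in range(n)]
    worst = [min(col(j)) if benefit[j] else max(col(j)) for j in range(n)]
    out: List[float] = []
    for row in v:
        d_plus = math.sqrt(sum((row[j] - best[j]) ** 2 for j in range(n)))
        d_minus = math.sqrt(sum((row[j] - worst[j]) ** 2 for j in range(n)))
        out.append(d_minus / (d_plus + d_minus) if d_plus + d_minus else 0.0)
    return out


def vulnerability_type_weights(table: Sequence[Sequence[float]] = INITIAL_TABLE,
                               pairwise: Sequence[Sequence[float]] = PAIRWISE,
                               benefit: Sequence[bool] = BENEFIT) -> Dict[str, float]:
    """Level weights from AHP (rejected if inconsistent), then TOPSIS closeness
    per vulnerability type, which step 5.4 uses as the type weight."""
    w = ahp_weights(pairwise)
    if consistency_ratio(pairwise, w) > 0.1:
        raise ValueError("AHP judgements inconsistent (CR > 0.1); revise the pairwise matrix")
    return dict(zip(TYPES, topsis_closeness(table, w, benefit)))


if __name__ == "__main__":
    print("level weights:", [round(x, 3) for x in ahp_weights(PAIRWISE)])
    print("CR:", round(consistency_ratio(PAIRWISE, ahp_weights(PAIRWISE)), 4))
    for name, weight in vulnerability_type_weights().items():
        print(f"{name}: {weight:.3f}")
```

With these inputs type_A coincides with the positive ideal solution in every column and gets closeness exactly 1.0, type_D coincides with the negative ideal and gets 0.0, and the remaining types fall in between; a closeness of 1.0 therefore does not mean "certainly exploitable", only "best of the types in the table", which matters when the weight is multiplied into the exploitability metric.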
4. The CVSS-based multi-dimensional software security risk assessment method according to claim 1, wherein the calculation in step 6 of the exploit probability based on exploit time comprises:
Step 6.1) Process the vulnerability's time data with the Weibull method: apply the Weibull distribution model, which is best suited to time data, to the collected exploit-time data set, and estimate an approximate scale parameter α preliminarily from the ascending-sorted data;
Step 6.2) Calculate the slope of the regression line to obtain the shape parameter β: calculate the median rank of the data points, regress the logarithmically transformed values, select the data in the middle range, and analyse the linear trend of the exploit time. The slope of the linear trend gives the shape parameter β, together with the intercept;
Step 6.3) Calculate the scale parameter and obtain the exploit probability formula: from the slope (the shape parameter β) and the intercept b of the linear trend ln(ln(1/P_x)) = β ln x + b, calculate the scale parameter α as
α = e^{−(b/β)}
and, from the calculated scale parameter α and shape parameter β of the time distribution, obtain the exploit probability
P_t = exp(−(t/α)^β)
CN202111420371.1A 2021-11-26 2021-11-26 Multi-dimensional software security risk assessment method based on CVSS Withdrawn CN114065223A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111420371.1A CN114065223A (en) 2021-11-26 2021-11-26 Multi-dimensional software security risk assessment method based on CVSS

Publications (1)

Publication Number Publication Date
CN114065223A true CN114065223A (en) 2022-02-18

Family

ID=80276644

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023179578A1 * 2022-03-21 2023-09-28 中兴通讯股份有限公司 Code metric method and apparatus, device, and medium
CN114996668A (en) * 2022-06-30 2022-09-02 中国电信股份有限公司 Processing method, device, equipment and medium for open source assembly
CN114996668B (en) * 2022-06-30 2024-01-02 中国电信股份有限公司 Processing method, device, equipment and medium of open source assembly
CN116305137A (en) * 2023-01-12 2023-06-23 四川大学 Automatic safety assessment method and device for open source project
CN116305137B (en) * 2023-01-12 2023-10-13 四川大学 Automatic safety assessment method and device for open source project
CN116720197A (en) * 2023-08-09 2023-09-08 北京比瓴科技有限公司 Method and device for arranging vulnerability priorities
CN116720197B (en) * 2023-08-09 2023-11-03 北京比瓴科技有限公司 Method and device for arranging vulnerability priorities
CN117113363A (en) * 2023-10-24 2023-11-24 深圳海云安网络安全技术有限公司 Third party component vulnerability ranking method based on scenerized multifactor
CN117113363B (en) * 2023-10-24 2024-02-06 深圳海云安网络安全技术有限公司 Third party component vulnerability ranking method based on scenerized multifactor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220218