Vulnerability Risk Assessment and Mitigation Method Combining Dynamic and Static Features
Cite this article: Ye Ziwei, Guo Yuanbo, Ju Ankang. Vulnerability risk assessment and mitigation method combining dynamic and static features [J]. Application Research of Computers (计算机应用研究), 2020, 37(4): 1161-1165.
Authors: Ye Ziwei, Guo Yuanbo, Ju Ankang
Affiliation: Information Engineering University, Zhengzhou 450000 (all three authors)
Funding: National Natural Science Foundation of China
Abstract: This paper studies how to improve the accuracy of vulnerability risk assessment and proposes a vulnerability risk assessment and mitigation method that combines dynamic and static features. The fixed attributes drawn from the Common Vulnerability Scoring System (CVSS) that traditional risk assessment methods commonly use, such as attack complexity, impact and attack vector, are treated as static features, while attributes that may change over time, such as defense capability, the vulnerability's remediation status and the attacker's capability, are treated as dynamic features; the two kinds of features are combined to assess the risk of a vulnerability more comprehensively. The paper gives quantitative calculation methods for each feature in practical use, together with a method for recommending vulnerability remediation strategies. Taking the risk assessment process for a single vulnerability and the risk assessment results for multiple vulnerabilities as examples, the assessment results are compared experimentally with CVSS scores. The results show that the method, taking the specific network environment into account, produces more accurate vulnerability risk assessments and reasonable remediation strategies, which verifies its feasibility and effectiveness.

Keywords: vulnerability; risk assessment; static feature; dynamic feature
Received: 2018/10/5
Revised: 2020/3/3

Vulnerability risk assessment and mitigation method combining dynamic and static features
Ye Ziwei, Guo Yuanbo and Ju Ankang. Vulnerability risk assessment and mitigation method combining dynamic and static features [J]. Application Research of Computers, 2020, 37(4): 1161-1165.
Authors: Ye Ziwei, Guo Yuanbo and Ju Ankang
Affiliation: Information Engineering University, Zhengzhou 450000
Abstract: Aiming at improving the accuracy of vulnerability risk assessment, this paper proposes a vulnerability risk assessment and mitigation method combining dynamic and static features. The method takes fixed features such as attack complexity, impact degree and attack vector, which are commonly used in traditional risk assessment methods, as static features, and takes features that may change over time, such as defense capability, vulnerability repair status and the attacker's attack capability, as dynamic features. The method combines the two kinds of features to make a more comprehensive assessment of the risk of vulnerabilities. The paper then gives a quantitative calculation method for each feature in practice and a recommendation method for the vulnerability repair strategy. To verify the method, it takes the risk assessment process of a single vulnerability and the risk assessment results of multiple vulnerabilities as examples, and compares the results with CVSS scores. The experimental results show that the proposed method provides more accurate vulnerability risk assessment results and a reasonable vulnerability repair strategy in combination with the specific network environment, which demonstrates the feasibility and effectiveness of the method.
Keywords: vulnerability; risk assessment; static feature; dynamic feature
This article is indexed in Wanfang Data and other databases.