
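Research on the Influence of CVSS Environmental Metric Variables on System Security
Cite this article: ZHOU Shi-yang, FU Li. Research on the influence of CVSS environmental metric variables on system security[J]. Computer Engineering & Science, 2016, 38(12): 2463-2470.
Authors: ZHOU Shi-yang  FU Li
Affiliation: 1. School of Software Engineering, Chongqing University
Funding: National Natural Science Foundation of China (61472054)
Abstract: The Common Vulnerability Scoring System (CVSS) evaluates the threat posed by a vulnerability at three levels, and the security of a particular system is reflected in the final environmental score. Of the three groups of CVSS metrics, only the environmental metrics depend on the particular organization and the particular system; they are difficult to obtain automatically, and they are the key and most difficult step for users implementing security risk management and control strategies. Based on an analysis of the CVSS calculation method, this paper studies the influence of the environmental metrics on the final overall CVSS score, and gives an overall estimation formula for the influence of the environmental metric vector on the CVSS environmental score, together with estimation formulas for the individual influence of each component of the environmental vector. Experiments show that, for both the overall influence of the CVSS environmental metrics and the influence of the individual metrics, this work improves accuracy, bringing it into a range fully acceptable under practical standards.

Keywords: vulnerability  Common Vulnerability Scoring System (CVSS)  environmental metrics  scoring  security
Received: 2015-09-08
Revised: 2016-12-25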

Influence of CVSS environmental metrics on system security
ZHOU Shi-yang, FU Li. Influence of CVSS environmental metrics on system security[J]. Computer Engineering & Science, 2016, 38(12): 2463-2470.
Authors: ZHOU Shi-yang  FU Li
Affiliation: (School of Software Engineering, Chongqing University, Chongqing 400044, China)
Abstract: The Common Vulnerability Scoring System (CVSS) evaluates the threat posed by the vulnerabilities of a particular system at three levels, and the final environmental score reflects how secure that system is. Among the CVSS metrics, the environmental metrics are the only ones that depend on the conditions of the target organization or system, so obtaining their values is the key and most difficult part for users implementing security risk management and control strategies. To address this, we study the influence of the environmental metrics on the final CVSS environmental score, and give an overall estimate of the influence of the environmental metrics vector on the CVSS environmental score, as well as formulas for the influence of each vector component on the score. Experimental results show that the new estimation method improves accuracy for both the overall impact of the environmental metrics and the influence of the individual metrics on the CVSS environmental score, bringing it into a range that is fully acceptable under the de facto standard.
Keywords: vulnerability  common vulnerability scoring system (CVSS)  environmental metric  scoring  security