Article code: 461909
Journal code: 696647
Publication year: 2012
English article: 10 pages, PDF
Full-text version: free download
English title of the ISI article
Improving VRSS-based vulnerability prioritization using analytic hierarchy process
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

The number of vulnerabilities discovered in computer systems has increased explosively. Thus, a key question for system administrators is which vulnerabilities to prioritize. The need for vulnerability prioritization in organizations is widely recognized. The significant role of the vulnerability evaluation system is to separate vulnerabilities from each other as far as possible. There are two major methods to assess the severity of vulnerabilities: qualitative and quantitative methods. In this paper, we first describe the design space of vulnerability evaluation methodology and discuss the measures of well-defined evaluation framework. We analyze 11,395 CVE vulnerabilities to expose the differences among three current vulnerability evaluation systems (X-Force, CVSS and VRSS). We find that vulnerabilities are not separated from each other as much as possible. In order to increase the diversity of the results, we firstly enable vulnerability type to prioritize vulnerabilities using analytic hierarchy process on the basis of VRSS. We quantitatively characterize the vulnerability type and apply the method on the set of 11,395 CVE vulnerabilities. The results show that the quality of the quantitative scores can be improved with the help of vulnerability type.


► We describe the design space of vulnerability evaluation methodology and discuss the measures of a well-defined system.
► We analyze 11,395 vulnerabilities to expose the problems among three current vulnerability evaluation systems.
► We quantitatively characterize the vulnerability type to prioritize vulnerabilities.
► We use analytic hierarchy process to calculate vulnerability type factor.

Publisher
Database: Elsevier - ScienceDirect
Journal: Journal of Systems and Software - Volume 85, Issue 8, August 2012, Pages 1699–1708