基于网络环境的漏洞可利用性评估方法

doi:10.7523/j.ucas.2023.037

摘要/Abstract

摘要： 通用漏洞评分系统是目前应用最为广泛的漏洞评估方法，但其评估结果偏向于漏洞本身的危害性，而未考虑网络环境因素。针对上述问题，提出一种面向网络环境的漏洞可利用性评估方法，基于群体专家经验，利用统计学方法选择漏洞属性，构建漏洞可利用性评估指标体系。同时，结合网络环境属性，基于最近邻算法对漏洞可利用性进行评估。该方法能对已知和未知漏洞进行精准的智能化评估，既融合了网络环境对漏洞可利用性的影响，又降低了专家经验的依赖程度。最后通过实验验证了该方法的有效性。

关键词: 网络安全, 漏洞评估, 可利用性, 指标约简, 机器学习

Abstract: The common vulnerability scoring system is the most widely used vulnerability evaluation method, but its evaluation results tend to be the harmfulness of the vulnerability itself, ignoring the network environment factors. In view of the above problems, we propose a network environment-oriented vulnerability exploitability assessment method. Based on the experience of group experts, using statistical methods to select vulnerability attributes, the vulnerability exploitability assessment metric system is constructed. And combined with the target environment attributes, this method can evaluate the vulnerability exploitability based on the K-nearest neighbor (KNN) algorithm. This method performs accurate and intelligent assessment of known and unknown vulnerabilities, integrating the impact of the target environment and reducing the reliance on expert experience. At last, we validate the method through experiments. Our method provides a scientific decision-making basis for network security protection measures.

Key words: cybersecurity, vulnerability assessment, exploitability, metric parsimony, machine learning

中图分类号:

TP393

郑敬华, 开少锋, 施凡. 基于网络环境的漏洞可利用性评估方法[J]. 中国科学院大学学报, 2024, 41(6): 842-852.

ZHENG Jinghua, KAI Shaofeng, SHI Fan. Vulnerability exploitability assessment method based on network environment[J]. Journal of University of Chinese Academy of Sciences, 2024, 41(6): 842-852.

参考文献

[1] Singh U K, Joshi C. Quantitative security risk evaluation using CVSS metrics by estimation of frequency and maturity of exploit[C]//2016 Proceedings of the World Congress on Engineering and Computer Science (WCECS). October 19-21, 2016, San Francisco, USA. Newswood Limited, 2016: 170-175.
[2] Gallon L. On the impact of environmental metrics on CVSS scores[C]//2010 IEEE Second International Conference on Social Computing (SocialCom). September 30, 2010, Minneapolis, MN, USA. IEEE, 2010: 987-992. DOI:10.1109/SocialCom.2010.146.
[3] Allodi L, Biagioni S, Crispo B, et al. Estimating the assessment difficulty of CVSS environmental metrics: an experiment[C]//2017 Future Data and Security Engineering: 4th International Conference (FDSE). November 29–December 1, 2017, Ho Chi Minh City, Vietnam. Springer, 2017: 23-39. DOI:10.1007/978-3-319-70004-5_2.
[4] Holm H, Afridi K K. An expert-based investigation of the common vulnerability scoring system[J]. Computers & Security, 2015, 53: 18-30. DOI:10.1016/j.cose.2015.04.012.
[5] Peterson L E. K-nearest neighbor[J]. Scholarpedia, 2009, 4(2): 1883. DOI:10.4249/scholarpedia.1883.
[6] Kramer O. K-nearest neighbors[M]//Dimensionality Reduction with Unsupervised Nearest Neighbors, Berlin:Springer Berlin Heidelberg, 2013: 13-23. DOI: 10.1007/978-3-642-38652-7_2.
[7] 王秋艳, 张玉清. 一种通用漏洞评级方法[J]. 计算机工程, 2008, 34(19): 133-136, 140. DOI: 10.3969/j.issn.1000-3428.2008.19.046.
[8] 温涛. 安全漏洞危害评估研究暨标准漏洞库的设计与实现[D].西安：西安电子科技大学, 2016.
[9] 贾炜, 冯登国, 连一峰. 基于网络中心性的计算机网络脆弱性评估方法[J]. 中国科学院研究生院学报, 2012, 29(4): 529-535. DOI: 10.7523/j.issn.2095-6134.2012. 4.015.
[10] Ammann P, Wijesekera D, Kaushik S. Scalable, graph-based network vulnerability analysis[C]//2002 Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS). November 18–22, 2002, Washington, DC, USA. ACM, 2002: 217-224. DOI:10.1145/586110.586140.
[11] Dawkins J, Hale J. A systematic approach to multi-stage network attack analysis[C]//2004 Second IEEE International Information Assurance Workshop (IWIA). August 24, 2004, Charlotte, NC, USA. IEEE, 2004: 48-56. DOI:10.1109/IWIA.2004.1288037.
[12] 陆余良, 夏阳. 主机安全量化融合模型研究[J]. 计算机学报, 2005(05): 914-920. DOI：10.3321/j.issn:0254-4164.2005.05.021.
[13] Kalogeraki E M, Papastergiou S, Panayiotopoulos T. An attack simulation and evidence chains generation model for critical information infrastructures[J]. Electronics, 2022, 11(3): 404. DOI: 10.3390/electronics11030404.
[14] Forum of Incident Response and Security Teams. Common vulnerability scoring system[EB/OL]. (2021-12-25)[2021/12/29]. https://www.first.org/cvss/.
[15] Schiffman M, Wright A, Ahmad D, et al. The common vulnerability scoring system[R]. National Infrastructure Advisory Council, Vulnerability Disclosure Working Group, Vulnerability Scoring Subgroup, 2004:2-20.
[16] Mell P, Scarfone K, Romanosky S. Common vulnerability scoring system[J]. IEEE Security & Privacy, 2006, 4(6): 85-89. DOI:10.1109/MSP.2006.145.
[17] 雷柯楠, 张玉清, 吴晨思, 等.基于漏洞类型的漏洞可利用性量化评估系统[J].计算机研究与发展, 2017, 54(10):2296-2309. DOI：10.7544/issn1000-1239.2017.20170457.
[18] Liu Q X, Zhang Y Q, Kong Y, et al. Improving VRSS-based vulnerability prioritization using analytic hierarchy process[J]. Journal of Systems and Software, 2012, 85(8): 1699-1708. DOI: 10.1016/j.jss.2012.03.057.
[19] Keskin O, Gannon N, Lopez B, et al. Scoring cyber vulnerabilities based on their impact on organizational goals[C]//2021 Systems and Information Engineering Design Symposium (SIEDS). April 29-30, 2021, Charlottesville, VA, USA. IEEE, 2021: 1-6. DOI: 10.1109/SIEDS52267. 2021.9483741.
[20] Yin J, Tang M J, Cao J L, et al. A real-time dynamic concept adaptive learning algorithm for exploitability prediction[J]. Neurocomputing, 2022, 472: 252-265. DOI: 10.1016/j.neucom.2021.01.144.
[21] Lyu J H, Bai Y D, Xing Z C, et al. A character-level convolutional neural network for predicting exploitability of vulnerability[C]//2021 International Symposium on Theoretical Aspects of Software Engineering (TASE). August 25-27, 2021, Shanghai, China. IEEE, 2021: 119-126. DOI: 10.1109/TASE52547.2021.00014.
[22] Bhatt N, Anand A, Yadavalli V S S. Exploitability prediction of software vulnerabilities[J]. Quality and Reliability Engineering International, 2021, 37(2): 648-663. DOI:10.1002/qre.2754.
[23] Yin J, Tang M J, Cao J L, et al. Apply transfer learning to cybersecurity: predicting exploitability of vulnerabilities by description[J]. Knowledge-Based Systems, 2020, 210: 106529. DOI: 10.1016/j.knosys.2020.106529.
[24] Fang Y, Liu Y C, Huang C, et al. FastEmbed: predicting vulnerability exploitation possibility based on ensemble machine learning algorithm[J]. PLoS One, 2020, 15(2): e0228439. DOI: 10.1371/journal.pone.0228439.
[25] 孙宇祥, 周献中, 戴迪.基于属性约简与BP神经网络的舰艇目标威胁评估方法[J].指挥与控制学报, 2021, 7(4):397-402. DOI:10.3969/j.issn.2096-0204.2021.04.0397.
[26] 毋雪雁, 王水花, 张煜东.K最近邻算法理论与应用综述[J].计算机工程与应用, 2017, 53(21):1-7. DOI：10.3778/j.issn.1002-8331.1707-0202.
[27] 张庆国, 张宏伟, 张君玉. 一种基于 k最近邻的快速文本分类方法[J]. 中国科学院研究生院学报, 2005, 22(5): 554-559. DOI: 10.7523/j.issn.2095-6134.2005.5.004.