Construction and application of the vulnerability metric system for the realistic network environment

Cited by: 1


Authors: SHI Fan (施凡); KAI Shaofeng (开少锋); ZHONG Yao (钟瑶)

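Affiliations: [1] College of Electronic Engineering, National University of Defense Technology, Hefei 230037, Anhui, China; [2] Unit 31121 of PLA, Nanjing 210042, Jiangsu, China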

Source: Information Countermeasures Technology (《信息对抗技术》), 2023, No. 2, pp. 39-53 (15 pages)

Funding: National Key Research and Development Program of China (2021YFB3100500).

Abstract: Currently, there is a vast number of network assets on the Internet, and the environment is complex and constantly changing. However, the existing evaluation metrics cannot comprehensively assess the impact of these factors on vulnerabilities, which affects the accuracy of assessment results. To solve this problem, a vulnerability metric system was constructed for the realistic network environment and applied to practical assessments. Specifically, the basic metrics of the common vulnerability scoring system were used as static metrics, and pre-trained models were applied to automatically evaluate static scores from vulnerability description texts. Meanwhile, asset and environmental factors were used as dynamic metrics, and the analytic hierarchy process was used to calculate the weight of each metric and construct an evaluation equation. The dynamic score was calculated from network space resource mapping platform data and combined with the static score to obtain the vulnerability hazard score. The proposed vulnerability assessment metric system for realistic network environments and the vulnerability assessment method based on network space resource mapping platform data can assess the true hazard of vulnerabilities, with high assessment accuracy and fast assessment speed, and therefore have good application value.

Keywords: vulnerability assessment; analytic hierarchy process; common vulnerability scoring system; pre-trained model

Classification number: TP393 [Automation and Computer Technology: Computer Application Technology]

 
