论文信息 - Software Vulnerability Prioritization: A Comparative Study Using TOPSIS and VIKOR Techniques

Software Vulnerability Prioritization: A Comparative Study Using TOPSIS and VIKOR Techniques

The ever-mounting existence of security vulnerabilities in a software is an inevitable challenge for organizations. Additionally, developers have to operate within limited budgets while meeting the deadlines. So they need to prioritize their vulnerability responses. In this paper, we propose an approach for vulnerability response prioritization using “closeness to the ideal” approach. We used TOPSIS and VIKOR method in this study. Both of these techniques employ an aggregating function to achieve the ranking of desired alternatives. VIKOR method determines a compromise solution on the basis of measure of closeness to a single ideal solution while TOPSIS method determines a feasible solution while taking into account the shortest distance from the positive ideal solution and the maximum distance from negative ideal solution. Both these methods share some significant similarities and differences. A comparative analysis of these two methods is done by applying them on real-life software vulnerability datasets for achieving vulnerability prioritization.

[1] Yuqing Zhang,et al. VRSS: A new system for rating and scoring vulnerabilities , 2011, Comput. Commun..

[2] Tomi Männistö,et al. Improving CVSS-based vulnerability prioritization and response with context information , 2009, ESEM 2009.

[3] Lefteris Angelis,et al. WIVSS: a new methodology for scoring information systems vulnerabilities , 2013, PCI '13.

[4] Gwo-Hshiung Tzeng,et al. Compromise solution by MCDM methods: A comparative analysis of VIKOR and TOPSIS , 2004, Eur. J. Oper. Res..

[5] Yuqing Zhang,et al. Improving VRSS-based vulnerability prioritization using analytic hierarchy process , 2012, J. Syst. Softw..

[6] Ritu Sibal,et al. Prioritizing software vulnerability types using multi-criteria decision-making techniques , 2017 .

[7] Ching-Lai Hwang,et al. Methods for Multiple Attribute Decision Making , 1981 .

[8] Karen Scarfone,et al. Common Vulnerability Scoring System , 2006, IEEE Security & Privacy.

[9] Ruchi Sharma,et al. An Improved Scoring System for Software Vulnerability Prioritization , 2018 .

[10] Lefteris Angelis,et al. Impact Metrics of Security Vulnerabilities: Analysis and Weighing , 2015, Inf. Secur. J. A Glob. Perspect..