论文信息 - A Vulnerability Prioritization System Using A Fuzzy Risk Analysis Approach

A Vulnerability Prioritization System Using A Fuzzy Risk Analysis Approach

In this work, we present a fuzzy systems approach for assessing the relative potential risk associated with computer network assets exposed to attack by vulnerabilities. We use this approach to rank vulnerabilities so that analysts can prioritize their work based on the potential risk exposure of assets and networks. We associate vulnerabilities with individual assets, and therefore networks, and develop fuzzy models of the vulnerability attributes. Fuzzy rules are then used to make an inference on the risk exposure and the likelihood of attack, which allows us to rank the vulnerabilities and show which ones need more immediate attention. We argue that our approach has more meaningful vulnerability prioritization values than the severity level calculated by the popular Common Vulnerability Scoring System (CVSS) approach.

Maxwell G. Dondo | M. Dondo

[1] Peter S. Browne,et al. Bayesian probabilistic risk analysis , 1985, PERV.

[2] Piero Risoluti. Fuzzy Sets, Decision Making, and Expert Systems , 2004 .

[3] S. Radack. The Common Vulnerability Scoring System (CVSS) , 2007 .

[4] Charles P. Pfleeger,et al. Security in computing , 1988 .

[5] Gee Wah Ng,et al. Intent inference for attack aircraft through fusion , 2006, SPIE Defense + Commercial Sensing.

[6] Dennis J. Turner,et al. Symantec Internet Security Threat Report Trends for July 04-December 04 , 2005 .

[7] Shyi-Ming Chen,et al. Fuzzy risk analysis based on similarity measures of generalized fuzzy numbers , 2003, IEEE Trans. Fuzzy Syst..

[8] H. Zimmermann. Fuzzy sets, decision making, and expert systems , 1987 .