A Vulnerability Prioritization System Using A Fuzzy Risk Analysis Approach

  • Maxwell G. Dondo
Part of the IFIP – The International Federation for Information Processing book series (IFIPAICT, volume 278)


In this work, we present a fuzzy systems approach for assessing the relative potential risk associated with computer network assets exposed to attack by vulnerabilities. We use this approach to rank vulnerabilities so that analysts can prioritize their work based on the potential risk exposure of assets and networks. We associate vulnerabilities with individual assets, and therefore networks, and develop fuzzy models of the vulnerability attributes. Fuzzy rules are then used to make an inference on the risk exposure and the likelihood of attack, which allows us to rank the vulnerabilities and show which ones need more immediate attention. We argue that our approach has more meaningful vulnerability prioritization values than the severity level calculated by the popular Common Vulnerability Scoring System (CVSS) approach.
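The abstract describes the mechanics of the approach in three steps: build fuzzy models of the vulnerability attributes, apply fuzzy rules to infer risk exposure, and rank the vulnerabilities by the result. The following Python block is an added illustration of that pipeline using Mamdani inference (min for AND, max for aggregation, centroid defuzzification); it is not code from the paper. The attribute names `exploitability`, `asset_value` and `exposure`, the 0..10 universe, the trapezoidal membership functions, the rule base and the sample vulnerability list are all assumptions chosen to show the method, not values taken from the paper.

```python
"""Mamdani-style fuzzy risk ranking for vulnerabilities.

Added example, not the paper's own model: the input attributes, membership
functions and rule base are assumptions chosen to show how attributes are
fuzzified, how rules infer a risk term, and how the defuzzified value ranks
the vulnerabilities.
"""
from typing import Dict, List, Tuple

# Every input and the output live on an assumed 0..10 universe.
# Trapezoid (a, b, c, d): rises a->b, plateau b..c, falls c->d.
# "low" and "high" are shoulders (a == b, c == d) so the ends are fully covered.
TERMS: Dict[str, Tuple[float, float, float, float]] = {
    "low": (0, 0, 2, 5),
    "medium": (2, 5, 5, 8),
    "high": (5, 8, 10, 10),
}

# Assumed rule base: antecedent -> consequent risk term.
# An input missing from an antecedent is "don't care".
RULES: List[Tuple[Dict[str, str], str]] = [
    ({"exploitability": "high", "asset_value": "high"}, "high"),
    ({"exploitability": "high", "asset_value": "medium", "exposure": "high"}, "high"),
    ({"exploitability": "medium", "asset_value": "high", "exposure": "high"}, "high"),
    ({"exploitability": "high", "asset_value": "medium"}, "medium"),
    ({"exploitability": "medium", "asset_value": "high"}, "medium"),
    ({"exploitability": "medium", "asset_value": "medium"}, "medium"),
    ({"exposure": "low"}, "low"),
    ({"exploitability": "low"}, "low"),
    ({"asset_value": "low"}, "low"),
]


def trap(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership of x; plateau [b, c] has membership 1."""
    if b <= x <= c:
        return 1.0
    if x <= a or x >= d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


def fuzzify(value: float) -> Dict[str, float]:
    """Membership of a crisp attribute value in each linguistic term."""
    return {name: trap(value, *pts) for name, pts in TERMS.items()}


def infer_risk(exploitability: float, asset_value: float, exposure: float,
               steps: int = 101) -> float:
    """Crisp risk in 0..10 from Mamdani inference over the rule base."""
    inputs = {
        "exploitability": fuzzify(exploitability),
        "asset_value": fuzzify(asset_value),
        "exposure": fuzzify(exposure),
    }
    fired = []  # (firing strength, consequent term shape)
    for antecedent, consequent in RULES:
        strength = min(inputs[name][term] for name, term in antecedent.items())
        if strength > 0:
            fired.append((strength, TERMS[consequent]))
    if not fired:
        return 0.0  # no rule covers this input; treat as no evidence of risk
    # Clip each consequent at its strength, take the pointwise max, then the centroid.
    xs = [10 * i / (steps - 1) for i in range(steps)]
    agg = [max(min(s, trap(x, *pts)) for s, pts in fired) for x in xs]
    den = sum(agg)
    return sum(x * m for x, m in zip(xs, agg)) / den if den else 0.0


def rank_vulnerabilities(vulns: List[Tuple[str, float, float, float]]) -> List[Tuple[str, float]]:
    """Return (id, risk) pairs sorted so the most urgent vulnerability comes first."""
    scored = [(vid, infer_risk(e, a, x)) for vid, e, a, x in vulns]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample: (id, exploitability, asset_value, exposure) on the 0..10 scale.
# VULN-A and VULN-B share exploitability and exposure; only the asset they sit on differs.
SAMPLE = [
    ("VULN-A", 8, 9, 8),
    ("VULN-B", 8, 2, 8),
    ("VULN-C", 5, 5, 5),
    ("VULN-D", 3, 9, 9),
]

if __name__ == "__main__":
    for vid, score in rank_vulnerabilities(SAMPLE):
        print(f"{vid}: risk {score:.2f}")
```

Because the rules tie the asset's value into the inference, VULN-A and VULN-B receive different ranks even though their vulnerability-only attributes are identical, which is the kind of asset-aware ordering the abstract contrasts with a pure severity score. Tuning the membership shapes and rule base to an organisation's own assets is the part that requires analyst input.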



Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Maxwell G. Dondo, Defence Research & Development Canada (Ottawa), Ottawa, ON, Canada
