A Novel Improved System Based on CVSS
CVSS is one of the most representative quantitative assessment algorithms for security vulnerabilities. The calculated values of vulnerability harm according to the given index and formula. However, there is still insufficient objectivity of CVSS. Expert System is a kind of expert system for vulnerabilities; the severity of vulnerability can be assessed by experts based on the Expert System. The objectivity of Expert System and CVSS is analyzed, and CVSS is revised based on Expert System. The relationship between the above systems and the CWE, and between above systems and Product is analyzed, respectively, in the process. A new way of using Expert System is put forward based on CWE, namely, CWE Cycle Sorting Algorithm, in order to sort the average of vulnerability severity. Meanwhile, CWE Sort Factor is put forward based on CWE Cycle Sorting Algorithm to modify CVSS. The result is closer to the Expert System in terms of objectivity.
KeywordsCVSS vulnerability Vulnerability assessment Expert System CSA CSF
This paper is supported by Beijing NOVA Program (Z181100006218041); the National Key R&D Program of China (2016YFB0800700), the National Natural Science Foundation of China (61572460, 61272481), the Open Project Program of the State Key Laboratory of Information Security (2017-ZD-01), the National Information Security Special Projects of National Development and Reform Commission of China [(2012)1424], and China 111 Project (B16037).