A Novel Automatic Severity Vulnerability Assessment Framework

Tao Wen 1, Yuqing Zhang 1, 2, Ying Dong 2, and Gang Yang 2
1. State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an 710071, China
2. National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408, China

Abstract—Security vulnerabilities play an important role in network security. With the development of the network and the increasing number of vulnerabilities, many Quantitative Vulnerability Assessment Standards (QVAS) have been proposed to enable professionals to prioritize the most important vulnerabilities with limited effort. However, it is difficult to apply a QVAS manually because of the large number of vulnerabilities and the lack of information. To address these problems, an Automatic Security Vulnerability Assessment Framework (ASVA) is proposed, which can automatically apply any QVAS to special Vulnerability Databases. ASVA obtains the values of the metrics of a QVAS using new Text Mining features, assigns these values to the formula of the QVAS, and finally computes the severity values of the vulnerabilities. The new features proposed in ASVA are special combinations of QVAS metrics, which take into account the influence of the metrics on each other and improve the accuracy of Text Mining. Based on ASVA, CVSS is applied as a QVAS to a representative Vulnerability Database. The results show that ASVA reduces the cost and time required to apply a QVAS and promotes the standardization of security vulnerability management.

Index Terms—Vulnerability assessment, vulnerability database, vulnerability, information security, ASVA, text mining

Cite: Tao Wen, Yuqing Zhang, Ying Dong, and Gang Yang, "A Novel Automatic Severity Vulnerability Assessment Framework," Journal of Communications, vol. 10, no. 5, pp. 320-329, 2015. doi: 10.12720/jcm.10.5.320-329