Foreign-language journal: The Journal of Systems and Software
A novel approach to evaluate software vulnerability prioritization

Abstract

The aim of this study is to formulate an analysis model that can express the security grades of software vulnerabilities and serve as a basis for evaluating the danger level of an information program, or for filtering out hazardous weaknesses of the system and improving it to counter the threat of different danger factors. Using the fuzzy analytic hierarchy process (FAHP), we organize the crossover factors of the software blind spots and build an evaluation framework. First, the aspects and relative determinants affecting security are filtered out via the fuzzy Delphi method. Then we identify the value equation of each factor and establish the fuzzy synthetic decision-making model of software vulnerability. With this model we are able to analyze the various degrees to which a vulnerability affects security, and this information serves as a basis for future improvements of the system itself. A higher security score therefore implies a more secure system. In addition, this study proposes an improvement on the traditional fuzzy synthetic decision-making model for measuring the fuzziness between enhancement and independence of various aspects and criteria. Furthermore, taking into consideration the subjectivity of humans in reality, it constructs the fuzzy integral decision-making model. Through a case study, we show that the evaluation model in question is practical and can be applied to new software vulnerabilities to measure their degree of penetration. The fuzzy integral decision making emphasizes, through its formulation, the multiply-add effect between different factors influencing information security.