CVSS-based Multi-Factor Dynamic RiskAssessment Model for Network System

The risk assessment model of network systems is designed to provide quantifiable evidence to assist security administrators in choosing appropriate defend methods. Most models measure the overall risk by combining CVSS base scores of system vulnerabilities. However, they merely consider the impact of dynamic risk factors including attacker capability and evolutions of vulnerabilities. To address this issue, we propose a CVSS based Multi-Factor dynamic risk assessment Model, CMFM. It uses attack paths to model an attacker's capability, which is thus used to estimate the successful probabilities about vulnerability exploitations. Besides, we exploit both static and time-variant factors of vulnerabilities to produce a better estimation result. The final system risk assessment can then be accessed via a Bayesian attack graph. We evaluate the proposed model in two scenarios, all of which demonstrate that CMFM outperforms the state-of-the-art models in assessing the dynamic risk status of network systems.