Analysis of Vulnerability Risk Using Game Model and Risk Matrix

Heng-wei ZHANG, Tao LI

Abstract


For the quantitative analysis of vulnerability risk in an information system, the paper proposes a non-cooperative, nonzero-sum game model of vulnerability attack and defense, in which the value of a vulnerability is evaluated by the expected payoffs at equilibrium. Using two proposed operators, the comprehensive connection of the vulnerabilities is calculated through a quantitative analysis of the connections between vulnerabilities, based on an attack graph and a risk matrix. An assessment method for system vulnerability risk is then devised from the vulnerability value and the comprehensive connection. Based on the quantitative analysis of each vulnerability's own risk and its transmission risk, the proposed method comprehensively assesses the global risk of vulnerabilities. The result can be used to recognize the key vulnerability and improve the effectiveness of system security defense. Finally, the model and method proposed in this paper are proved to be valid through an example.

Keywords


Vulnerability risk; Game model; Risk matrix; Comprehensive connection


DOI
10.12783/dtcse/cmee2016/5376
