
Computer Engineering ›› 2011, Vol. 37 ›› Issue (01): 131-133,136. doi: 10.3969/j.issn.1000-3428.2011.01.045

• Security Technology •

Research on Time Risk of Security Vulnerability Based on Lifecycle Theory

SONG Ming-qiu, WANG Lei-lei, YU Bo

  1. (School of Management, Dalian University of Technology, Dalian 116023, China)
  • Online: 2011-01-05 Published: 2010-12-31
  • About the authors: SONG Ming-qiu (born 1967), female, associate professor, Ph.D., main research interest: network security; WANG Lei-lei and YU Bo, master's degree

Abstract: To identify the real degree of harm of security vulnerabilities in information security risk assessment reasonably and scientifically, the concept of the security vulnerability lifecycle is introduced and a time risk model for security vulnerabilities is proposed. The model uses statistics from early reported attack incidents to predict the subsequent exploitation of a vulnerability with the Gompertz model, and calculates the vulnerability's attack heat from the result. Combining the attack heat with the development level of the attack techniques for the vulnerability, it evaluates the vulnerability's risk along the time dimension. The Phf vulnerability is analyzed as an example, and the result indicates that the risk assessment model can reflect the time risk of a security vulnerability truly and dynamically.

Key words: security vulnerability, lifecycle, attack heat, time risk, evaluation

CLC Number: