The algorithm model for cumulative vulnerability risk assessment

The network information security vulnerability assessment consists of two kinds of risks. The stable risks of vulnerability itself and the cumulative multi-risks that are generated from a successful attack and which can impact on the whole network. To count cumulative multi-risk, a new method has been developed, which uses vulnerabilities in attack graph and reverse iteration tracing algorithm based on rough sets. Two kinds of cumulative multi-risks will be identified, named ‘the worst state’ and ‘the critical state’. The experimental evidences prove the veracity and validity of the new algorithm model.