ABSTRACT

Analyzing the risks caused by system vulnerabilities is a core task in industrial system security management and assessment [1]. The Common Vulnerability Scoring System (CVSS) is now a common evaluation standard that provides metrics for vulnerabilities. It includes three groups of metrics (Base, Temporal and Environmental). However, because the temporal and environmental metrics, which contain the dynamic factors, are optional in CVSS, and because scoring them is so subjective that the metric factors are difficult to quantify [2], most organizations use only the base metric group to evaluate vulnerabilities. As a result, an industrial system cannot be evaluated correctly when real-time changes occur, such as a vulnerability being fixed by a patch, and a feasible security strategy therefore cannot be applied to these systems.