A revised CVSS-based system to improve the dispersion of vulnerability risk scores

Wu, Chensi; Wen, Tao; Zhang, Yuqing

doi:10.1007/s11432-017-9445-4

Cited by 10 publications

(12 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Paper [4] focuses on the elimination of shortcomings [2]. The study is based on the recalculation of CVSS metrics using the principal component method [5] and a change in the variance of vulnerability risk scores.…”

Section: Literature Review and Problem Statementmentioning

confidence: 99%

Constructing a model for the dynamic evaluation of vulnerability in software based on public sources

Tatarinova¹,

Sinelnikova

2021

EEJET

View full text Add to dashboard Cite

One of the key processes in software development and information security management is the evaluation of vulnerability risks. Analysis and evaluation of vulnerabilities are considered a resource-intensive process that requires high qualifications and a lot of technical information. The main opportunities and drawbacks of existing systems for evaluation of vulnerability risks in software, which include the lack of consideration of the impact of trends and the degree of popularity of vulnerability on the final evaluation, were analyzed. During the study, the following information was analyzed in the structured form: the vector of the general system of vulnerability evaluation, the threat type, the attack vector, the existence of the original code with patches, exploitation programs, and trends. The obtained result made it possible to determine the main independent characteristics, the existence of a correlation between the parameters, the order, and schemes of the relationships between the basic magnitudes that affect the final value of evaluation of vulnerability impact on a system. A dataset with formalized characteristics, as well as expert evaluation for further construction of a mathematical model, was generated. Analysis of various approaches and methods for machine learning for construction of a target model of dynamic risk evaluation was carried out: neuro-fuzzy logic, regression analysis algorithms, neuro-network modeling. A mathematical model of dynamic evaluation of vulnerability risk in software, based on the dynamics of spreading information about a vulnerability in open sources and a multidimensional model with an accuracy of 88.9 %, was developed. Using the obtained model makes it possible to reduce the analysis time from several hours to several minutes and to make a more effective decision regarding the establishment of the order of patch prioritization, to unify the actions of experts, to reduce the cost of managing information security risks

show abstract

Section: Literature Review and Problem Statementmentioning

confidence: 99%

Constructing a model for the dynamic evaluation of vulnerability in software based on public sources

Tatarinova¹,

Sinelnikova

2021

EEJET

View full text Add to dashboard Cite

show abstract

“…The authors of [17] conducted research on the dispersion of the CVSS. In [4], a CVSSbased vulnerability scoring system was proposed to improve dispersion.…”

Section: Related Work a The Cvss-based Approachesmentioning

confidence: 99%

“…As a quantitative scoring system, objectivity and dispersion should be considered. Objectivity reflects how well the results of an assessment reproduce the nature of practical scenarios [4], while dispersion considers the degree of difference and distribution of the results. For example, the Access Vector is a submetric of CVSS that has three possible values: Local_(L), Adjacent Network_(A), and Network_(N).…”

Section: Introductionmentioning

confidence: 99%

“…For example, the Access Vector is a submetric of CVSS that has three possible values: Local_(L), Adjacent Network_(A), and Network_(N). One survey reported that for all known vulnerabilities, the Network_(N) value accounts for 85.69% of the three possible values [4], which can lead to a situation in which several vulnerabilities are assigned the same risk CVSS score in a network. However, that is an unreasonable result, as that will not able to distinguish which vulnerability possess a higher risk score.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Vulnerability Risk Assessment Method Based on Heterogeneous Information Network

et al. 2020

View full text Add to dashboard Cite

Due to the increasing number of network security vulnerabilities, vulnerability risk assessment must be performed to prioritize the repair of high-risk vulnerabilities. Traditional vulnerability risk assessment is based primarily on the Common Vulnerability Scoring Systems (CVSS) and attack graphs. Nevertheless, the CVSS metrics ignore the impact of the vulnerability on the specific network, which accounts that the identical vulnerability exists in different network environments is assigned repeated values. Additionally, the attack graphs still suffer from scalability and readability issues. To solve the above problems, a ranking method based on the heterogeneous information network is innovatively proposed to assess the vulnerability risk in a specific network. It considers the exploitability of a vulnerability, the impact of a vulnerability on the network components, and the importance of the vulnerable components. First, a heterogeneous information network containing vulnerability and host and the relationships between host and host is constructed to compute the risk score for each vulnerability and implement the ranking process. Second, a model extension method is proposed to adapt to situations in which additional factors related to vulnerability risk assessment need to be considered. Finally, we explore two case studies to compare the proposed method with CVSS and attack graph-based methods. The simulation results show that the proposed method can accurately assess the risk of vulnerabilities in a specific network environment and that it has a lower computational complexity than other methods. INDEX TERMS Common vulnerability scoring systems (CVSS), vulnerability, risk assessment, information fusion, heterogeneous information network.

show abstract

“…Directed graphs can be generated automatically by existing tools. Meantime, standards such as Common Vulnerability Scoring System (CVSS) [3] can be directly used to quantify the exploitability of each known vulnerability. However, KVRA does not consider the situation that defenders may have less or no prior knowledge on vulnerabilities.…”

Section: Introductionmentioning

confidence: 99%

Unknown Vulnerability Risk Assessment Based on Directed Graph Models: A Survey

2019

IEEE Access

View full text Add to dashboard Cite

Nowadays, vulnerability attacks occur frequently. Due to the information asymmetry between attackers and defenders, vulnerabilities can be divided into known and unknown. Existing researches mainly focus on the risk assessment of known vulnerabilities. However, unknown vulnerabilities are more threatening and harder to detect. Therefore, unknown vulnerability risk assessment deserves the widespread attention. To model the exploit process, directed graph models are applied to vulnerability risk assessment. And security metrics are used to quantify the exploitability of vulnerabilities. In this paper, according to the data source of nodes, related works of unknown vulnerability risk assessment based on directed graph models are divided into two types. One is based on network-level data, the other is based on system-level data. The former is to visualize the network status, while the latter is to reflect the running process of the system. The concept and purpose of these directed graph models are given at first. Then, these models are analyzed from three aspects, including advantages, flaws and solutions. After that, challenges and solutions of unknown vulnerability risk assessment based on directed graph models are given. Meantime, security metrics for unknown vulnerability risk assessment based on directed graph models are summarized and classified. Finally, future work directions of unknown vulnerability risk assessment are discussed from the perspective of techniques and application trends. Consequently, this paper can fill in the lack of current survey on unknown vulnerability risk assessment based on directed graph models. INDEX TERMS Directed graph model, risk assessment, security metric, unknown vulnerability.

show abstract

A revised CVSS-based system to improve the dispersion of vulnerability risk scores

Cited by 10 publications

References 7 publications

Constructing a model for the dynamic evaluation of vulnerability in software based on public sources

Constructing a model for the dynamic evaluation of vulnerability in software based on public sources

A Vulnerability Risk Assessment Method Based on Heterogeneous Information Network

Unknown Vulnerability Risk Assessment Based on Directed Graph Models: A Survey

Contact Info

Product

Resources

About