Vulnerability Management Models Using a Common Vulnerability Scoring System

Walkowski, Michał; Oko, Jacek; Sujecki, S.

doi:10.3390/app11188735

Cited by 20 publications

(7 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A notable reduction of the final CVSS 3.x

accuracy when compared with the individual components resulted from the fact that the final value of the CVSS 3.x

was calculated using mathematical formulas linking the eight vector components. Finally, we note that the described ML-based solution can be applied to replace the CVSS 2.0 standard with the CVSS 3.x one during the vulnerability management process in vulnerability management centres [ 22 ]. This is important because, using the newer CVSS 3.x standard, it is possible to more accurately estimate the level of asset security, especially when taking into account the context of a particular organisation environment.…”

Section: Discussionmentioning

confidence: 99%

“…Further, it is known that the CVSS 2.0

does not provide an accurate measure of IT infrastructure security, because the Target Distribution (

) parameter underestimates the assessment of all detected vulnerabilities. The CVSS 3.x standard, on the other hand, gives a more accurate assessment of threats’ criticality including organisation context, which directly translates into a higher level of protection against hacker attacks [ 18 , 22 ]. Summarising, there are clear benefits to using the newer 3.x standard.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Support for the Vulnerability Management Process Using Conversion CVSS Base Score 2.0 to 3.x

Nowak

Walkowski

Sujecki

2023

Sensors

Self Cite

View full text Add to dashboard Cite

COVID-19 forced a number of changes in many areas of life, which resulted in an increase in human activity in cyberspace. Furthermore, the number of cyberattacks has increased. In such circumstances, detection, accurate prioritisation, and timely removal of critical vulnerabilities is of key importance for ensuring the security of various organisations. One of the most-commonly used vulnerability assessment standards is the Common Vulnerability Scoring System (CVSS), which allows for assessing the degree of vulnerability criticality on a scale from 0 to 10. Unfortunately, not all detected vulnerabilities have defined CVSS base scores, or if they do, they are not always expressed using the latest standard (CVSS 3.x). In this work, we propose using machine learning algorithms to convert the CVSS vector from Version 2.0 to 3.x. We discuss in detail the individual steps of the conversion procedure, starting from data acquisition using vulnerability databases and Natural Language Processing (NLP) algorithms, to the vector mapping process based on the optimisation of ML algorithm parameters, and finally, the application of machine learning to calculate the CVSS 3.x vector components. The calculated example results showed the effectiveness of the proposed method for the conversion of the CVSS 2.0 vector to the CVSS 3.x standard.

show abstract

“…A notable reduction of the final CVSS 3.x

accuracy when compared with the individual components resulted from the fact that the final value of the CVSS 3.x

Section: Discussionmentioning

confidence: 99%

“…Further, it is known that the CVSS 2.0

does not provide an accurate measure of IT infrastructure security, because the Target Distribution (

Section: Introductionmentioning

confidence: 99%

Support for the Vulnerability Management Process Using Conversion CVSS Base Score 2.0 to 3.x

Nowak

Walkowski

Sujecki

2023

Sensors

Self Cite

View full text Add to dashboard Cite

show abstract

“…For this, they rely on the evidence collected from the cloud service providers, and determine the level of trust with respect to the infrastructure of a given provider, and quantify its capability to comply with the expected security policy. The authors of [22] also evaluate the risk associated to each cloud environment based on a quantification and classification of vulnerabilities inherent to the environment. Approaches, such as [23], target orchestrating security chains, including firewalls and intrusion detection systems, in order to protect cloud resources.…”

Section: Related Workmentioning

confidence: 99%

C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services

Oulaaffart,

Badonnel,

Festor

2024

J Netw Syst Manage

View full text Add to dashboard Cite

The large-scale deployment of cloud composite services distributed over heterogeneous environments poses new challenges in terms of security management. In particular, the migration of their resources is facilitated by recent advances in the area of virtualization techniques. This contributes to increase the dynamics of their configuration, and may induce vulnerabilities that could compromise the security of cloud resources, or even of the whole service. In addition, cloud providers may be reluctant to share precise information regarding the configuration of their infrastructures with cloud tenants that build and deploy cloud composite services. This makes the assessment of vulnerabilities difficult to be performed with only a partial view on the overall configuration. We therefore propose in this article an inter-cloud trusted third-party approach, called C3S-TTP, for supporting secure configurations in cloud composite services, more specifically during the migration of their resources. We describe the considered architecture, its main building blocks and their interactions based on an extended version of the TOSCA orchestration language. The trusted third party is capable to perform a precise and exhaustive vulnerability assessment, without requiring the cloud provider and the cloud tenant to share critical configuration information between each other. After designing and formalizing this third party solution, we perform large series of experiments based on a proof-of-concept prototype in order to quantify its benefits and limits.

show abstract

“…Conversely, vulnerability management includes continuous reporting, remediation, and evaluation procedures (Walkowski et al, 2021). The first step of the assessment process involves determining and categorizing the IT infrastructure's vulnerabilities.…”

Section: Vulnerability Assessment and Managementmentioning

confidence: 99%

Untitled

2024

IJSC

View full text Add to dashboard Cite

Vulnerability Management Models Using a Common Vulnerability Scoring System

Cited by 20 publications

References 31 publications

Support for the Vulnerability Management Process Using Conversion CVSS Base Score 2.0 to 3.x

Support for the Vulnerability Management Process Using Conversion CVSS Base Score 2.0 to 3.x

C3S-TTP: A Trusted Third Party for Configuration Security in TOSCA-Based Cloud Services

Untitled

Contact Info

Product

Resources

About