Qing Yang,Yixin Jiang,Aidong Xu,Hong Wen,Feng Wang,LiuFei Chen,Kai Ouyang,Xiping Zhu

DOI: https://doi.org/10.1109/cns.2017.8228663

2017-01-01

Abstract:With the progress of the network and technology, the perfect combination of mobile intelligent terminal and internet, people are increasingly dependent on intelligent terminals. So, it was very necessary of a model for assessing the security performance of mobile intelligent terminals, especially to establish the objective model of the security performance of mobile intelligent terminal. In this paper, we propose a model that classification intelligent terminal security risk based on SVM algorithm, and it can achieve the classification of mobile intelligent terminal security level objectivity and accurately. Such that users have an intuitive understanding for the intelligent mobile terminal security, by which the security needs can be met.

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Luca Allodi,Fabio Massacci

DOI: https://doi.org/10.1145/2630069

2013-09-24

Abstract:(U.S) Rule-based policies to mitigate software risk suggest to use the CVSS score to measure the individual vulnerability risk and act accordingly: an HIGH CVSS score according to the NVD (National (U.S.) Vulnerability Database) is therefore translated into a "Yes". A key issue is whether such rule is economically sensible, in particular if reported vulnerabilities have been actually exploited in the wild, and whether the risk score do actually match the risk of actual exploitation. We compare the NVD dataset with two additional datasets, the EDB for the white market of vulnerabilities (such as those present in Metasploit), and the EKITS for the exploits traded in the black market. We benchmark them against Symantec's threat explorer dataset (SYM) of actual exploit in the wild. We analyze the whole spectrum of CVSS submetrics and use these characteristics to perform a case-controlled analysis of CVSS scores (similar to those used to link lung cancer and smoking) to test its reliability as a risk factor for actual exploitation. We conclude that (a) fixing just because a high CVSS score in NVD only yields negligible risk reduction, (b) the additional existence of proof of concepts exploits (e.g. in EDB) may yield some additional but not large risk reduction, (c) fixing in response to presence in black markets yields the equivalent risk reduction of wearing safety belt in cars (you might also die but still..). On the negative side, our study shows that as industry we miss a metric with high specificity (ruling out vulns for which we shouldn't worry). In order to address the feedback from BlackHat 2013's audience, the final revision (V3) provides additional data in Appendix A detailing how the control variables in the study affect the results.

Cryptography and Security

June Wei,Yuan Liu,June Lu,Milos Slaninka,Kristie Abston

DOI: https://doi.org/10.1504/ijmc.2021.114313

2021-01-01

International Journal of Mobile Communications

Abstract:This paper proposed an indexed matrix to assess information security risks' impacts on mobile social media to help organisations address security risks effectively and efficiently. It developed and integrated a static social media information security risk model and a dynamic social media information flow model in the mobile environment to investigate the potential security risks in social networks. The pattern of security risks with three levels was identified using cluster analysis. An indexed matrix is also proposed to assess the information security impacts on social media via the relative-weigh quantitative method. The results can help to develop an effective and safe way to transmit information through social media. This research is the first attempt to integrate static information security threats into the dynamic social media information flow processes to assess the information security risk levels by developing a new indexed method. The theoretical and practical implications are presented.

Qiuyuan Chen,Lingfeng Bao,Li Li,Xin Xia,Liang Cai

DOI: https://doi.org/10.1109/APSEC.2018.00049

2018-01-01

Abstract:To share vulnerability information across separate databases, tools, and services, newly identified vulnerabilities are recurrently reported to Common Vulnerabilities and Exposures (CVE) database.Unfortunately, not all vulnerability reports will be accepted. Some of them might get rejected or be accepted with disputations.In this work, we refer to those rejected or disputed CVEs as invalid vulnerability reports. Invalid vulnerability reports not only cause unnecessary efforts to confirm the vulnerability but also impact the reputation of the software vendors. In this paper, we aim to understand the root causes of invalid vulnerability reports and build a prediction model to automatically identify them.To this end, we first leverage card sorting to categorize invalid vulnerability reports, from which six main reasons are observed for rejected and disputed CVEs, respectively.Then, we propose a text mining approach to predict the invalid vulnerability reports. Our experiments reveal that the proposed text mining approach can achieve an AUC score of 0.87 for predicting invalid vulnerabilities. We also discuss the implications of our study: our categorization can be used to guide new committer to avoid these traps; some root causes of invalid CVEs can be avoided by using automatic techniques or optimizing reviewing mechanism; invalid vulnerability reports data should not be neglected.

Julia Wunder,Andreas Kurtz,Christian Eichenmüller,Freya Gassmann,Zinaida Benenson

DOI: https://doi.org/10.48550/arXiv.2308.15259

2024-05-08

Abstract:The Common Vulnerability Scoring System (CVSS) is a popular method for evaluating the severity of vulnerabilities in vulnerability management. In the evaluation process, a numeric score between 0 and 10 is calculated, 10 being the most severe (critical) value. The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users. We show that specific CVSS metrics are inconsistently evaluated for widespread vulnerability types, including Top 3 vulnerabilities from the "2022 CWE Top 25 Most Dangerous Software Weaknesses" list. In a follow-up survey with 59 participants, we found that for the same vulnerabilities from the main study, 68% of these users gave different severity ratings. Our study reveals that most evaluators are aware of the problematic aspects of CVSS, but they still see CVSS as a useful tool for vulnerability assessment. Finally, we discuss possible reasons for inconsistent evaluations and provide recommendations on improving the consistency of scoring.

Cryptography and Security

Miguel Santana,Vinicius V. Cogo,Alan Oliveira de Sá

2024-05-14

Abstract:Background: Timely prioritising and remediating vulnerabilities are paramount in the dynamic cybersecurity field, and one of the most widely used vulnerability scoring systems (CVSS) does not address the increasing likelihood of emerging an exploit code. Aims: We present SecScore, an innovative vulnerability severity score that enhances CVSS Threat metric group with statistical models from empirical evidences of real-world exploit codes. Method: SecScore adjusts the traditional CVSS score using an explainable and empirical method that more accurately and promptly captures the dynamics of exploit code development. Results: Our approach can integrate seamlessly into the assessment/prioritisation stage of several vulnerability management processes, improving the effectiveness of prioritisation and ensuring timely remediation. We provide real-world statistical analysis and models for a wide range of vulnerability types and platforms, demonstrating that SecScore is flexible according to the vulnerability's profile. Comprehensive experiments validate the value and timeliness of SecScore in vulnerability prioritisation. Conclusions: SecScore advances the vulnerability metrics theory and enhances organisational cybersecurity with practical insights.

Cryptography and Security

Yiming Jing,Gail-Joon Ahn,Ziming Zhao,Hongxin Hu

DOI: https://doi.org/10.1109/tdsc.2014.2366457

2015-09-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Mobile operating systems, such as Apple's iOS and Google's Android, have supported a ballooning market of feature-rich mobile applications. However, helping users understand and mitigate security risks of mobile applications is still an ongoing challenge. While recent work has developed various techniques to reveal suspicious behaviors of mobile applications, there exists little work to answer the following question: are those behaviors necessarily inappropriate? In this paper, we seek an approach to cope with such a challenge and present a continuous and automated risk assessment framework called RiskMon that uses machine-learned ranking to assess risks incurred by users' mobile applications, especially Android applications. RiskMon combines users' coarse expectations and runtime behaviors of trusted applications to generate a risk assessment baseline that captures appropriate behaviors of applications. With the baseline, RiskMon assigns a risk score on every access attempt on sensitive information and ranks applications by their cumulative risk scores. Furthermore, we demonstrate how RiskMon supports risk mitigation with automated permission revocation. We also discuss a proof-of-concept implementation of RiskMon as an extension of the Android mobile platform and provide both system evaluation and usability study of our methodology.

computer science, information systems, software engineering, hardware & architecture

Silvia Lucia Sanna,Diego Soi,Davide Maiorca,Giorgio Fumera,Giorgio Giacinto

2024-06-04

Abstract:Android is the most used Operating System worldwide for mobile devices, with hundreds of thousands of apps downloaded daily. Although these apps are primarily written in Java and Kotlin, advanced functionalities such as graphics or cryptography are provided through native C/C++ libraries. These libraries can be affected by common vulnerabilities in C/C++ code (e.g., memory errors such as buffer overflow), through which attackers can read/modify data or execute arbitrary code. The detection and assessment of vulnerabilities in Android native code have only been recently explored by previous research work. In this paper, we propose a fast risk-based approach that provides a risk score related to the native part of an Android application. In this way, before an app is released, the developer can check if the app may contain vulnerabilities in the Native Code and, if present, patch them to publish a more secure application. To this end, we first use fast regular expressions to detect library versions and possible vulnerable functions. Then, we apply scores extracted from a vulnerability database to the analyzed application, thus obtaining a risk score representative of the whole app. We demonstrate the validity of our approach by performing a large-scale analysis on more than $100,000$ applications (but only $40\%$ contained native code) and $15$ popular libraries carrying known vulnerabilities. The attained results show that many applications contain well-known vulnerabilities that miscreants can potentially exploit, posing serious concerns about the security of the whole Android applications landscape.

Cryptography and Security

YU Haiyang,CHEN Xiuzhen,MA Jin,ZHOU Zhihong,HOU Shuning

DOI: https://doi.org/10.11959/j.issn.2096-109x.2021096

2022-01-01

Abstract:More and more electronic devices are integrated into the modern vehicles with the development of intelligent vehicles. There are various design flaws and vulnerabilities hidden in a large number of hardware, firmware and software. Therefore, the vulnerabilities of intelligent vehicles have become the most important factor affecting the vehicle safety. The safety of vehicles is seriously affected by the disclosure of a large number of vulnerabilities, and the wide application of smart cars is also restricted. Vulnerability management is an effective method to reduce the risk of vulnerabilities and improve vehicle security. And vulnerability scoring is one the important step in vulnerability management procedure. However, current method have no capability assessing automotive vulnerabilities reasonably. In order to handle this problem, a vulnerability scoring model for intelligent vehicles was proposed, which was based on CVSS. The attack vector and attack complexity were optimized, and property security, privacy security, functional safety and life safety were added to characterize the possible impact of the vulnerabilities according to the characteristics of intelligent vehicles. With the machine learning method, the parameters in CVSS scoring formula were optimized to describe the characteristics of intelligent vehicle vulnerabilities and adapt to the adjusted and new added weights. It is found in case study and statistics that the diversity and distribution of the model are better than CVSS, which means the model can better score different vulnerabilities. And then AHP is used to evaluate the vulnerability of the whole vehicle based on the vulnerability score of the model, a score is given representing the risk level of whole vehicle. The proposed model can be used to evaluate the severity of information security vulnerabilities in intelligent vehicles and assess the security risks of the entire vehicle or part of the system reasonably, which can provide an evidence for fixing the vulnerabilities or reinforcing the entire vehicle.

Yinghui Wang,Bin Yu,Haiyang Yu,Lingyun Xiao,Haojie Ji,Yanan Zhao

DOI: https://doi.org/10.1109/jsyst.2022.3230097

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:As a promising technology, connected and autonomous vehicle (CAV) can reduce energy consumption and improve transportation safety. Nevertheless, as more enabling technologies are embedded in vehicles, the CAV is becoming more vulnerable to cybersecurity threats. Priority must be given to highly sensitive, life-threatening vulnerabilities. Therefore, an improved vulnerability assessment method for CAVs is proposed in this article, in which the common vulnerability scoring system (CVSS) and Bayes theory are adopted. Compared to the classical CVSS method, our scheme considers the impact of exploited vulnerabilities on the real world. In the meantime, a Bayesian network vulnerability classification model based on the $\text{CVSS}_{\text{CAV}}$ method is designed to resolve the problem that the CAVs' vulnerability dataset is small and incomplete. The case study as well as simulation results with different datasets or algorithms indicate that our proposal is effective for vehicle vulnerability evaluation.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Christopher S. Gates,Ninghui Li,Hao Peng,Bhaskar Sarma,Yuan Qi,Rahul Potharaju,Cristina Nita-Rotaru,Ian Molloy

DOI: https://doi.org/10.1109/tdsc.2014.2302293

2014-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:One of Android's main defense mechanisms against malicious apps is a risk communication mechanism which, before a user installs an app, warns the user about the permissions the app requires, trusting that the user will make the right decision. This approach has been shown to be ineffective as it presents the risk information of each app in a “stand-alone” fashion and in a way that requires too much technical knowledge and time to distill useful information. We discuss the desired properties of risk signals and relative risk scores for Android apps in order to generate another metric that users can utilize when choosing apps. We present a wide range of techniques to generate both risk signals and risk scores that are based on heuristics as well as principled machine learning techniques. Experimental results conducted using real-world data sets show that these methods can effectively identify malware as very risky, are simple to understand, and easy to use.

Ruyi Wang,Ling Gao,Qian Sun,Deheng Sun

DOI: https://doi.org/10.1109/mines.2011.27

2011-01-01

Abstract:Through scoring vulnerabilities according to their risks, mastering statuses of vulnerabilities, security managers could adjust the configuration for computer security in time and give repair methods to different vulnerabilities flexibly. Since scoring vulnerabilities is significant for evaluating and repairing vulnerabilities, this paper presents a vulnerability scoring mechanism based on CVSS by analyzing advantages and disadvantages of CVSS and comparing with some improved CVSS-based methods. Our improved scoring mechanism makes the vulnerability evaluating more exactly and effectively, simplifying the process of vulnerability evaluating.

Alan Raveling,Yanzhen Qu

DOI: https://doi.org/10.24018/ejece.2023.7.4.546

2023-07-12

European Journal of Electrical Engineering and Computer Science

Abstract:This paper has examined the application of the Common Vulnerability Scoring System applied to operational technology or industrial control system-based cybersecurity controls and demonstrated that the unique considerations and aspects of these environments are more accurately captured when compared against a traditional IT based evaluation. Multiple business drivers are compelling consumer goods manufacturers to augment and connect their manufacturing systems bringing with it increases in potential for experiencing a cybersecurity incident [1]. While other business verticals are able to utilize cybersecurity standards and control documents tailored for their industry, manufacturers do not have a set of materials that directly correlate to the operational technology environments in which their systems reside [2]. Cybersecurity practitioners face additional challenges in developing an understanding of the severity of the risks within these environments due to the lack of current quantifiable methods of evaluating the risks. The findings from this research provide cybersecurity practitioners with a repeatable and extensible method to derive the operational risk present to an organization due to the technologies and business strategies employed in the pursuit of business objectives.

Chanchala Joshi,U. Singh

Abstract:The evaluation of network risk is a vital task. It is an essential step in securing any network. This evaluation can help security professionals in making optimal decisions about how to design security countermeasures in order to improve security. This paper proposes a risk estimation model that uses vulnerability database National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS). The CVSS Risk Level Estimation Model estimates a security risk level from vulnerability information as a combination of period of exploitation and frequency of occurrence to estimates the impact derived from the CVSS. Proposed model provides quantitative security metrics that produces rapid and consistent security measurement which helps in automated and reasonable security management.

Computer Science,Engineering

Luca Allodi,Sebastian Banescu,Henning Femmer,Kristian Beckers

DOI: https://doi.org/10.1145/3176258.3176340

2018-03-21

Abstract:The assessment of new vulnerabilities is an activity that accounts for information from several data sources and produces a `severity' score for the vulnerability. The Common Vulnerability Scoring System (\CVSS) is the reference standard for this assessment. Yet, no guidance currently exists on \emph{which information} aids a correct assessment and should therefore be considered. In this paper we address this problem by evaluating which information cues increase (or decrease) assessment accuracy. We devise a block design experiment with 67 software engineering students with varying vulnerability information and measure scoring accuracy under different information sets. We find that baseline vulnerability descriptions provided by standard vulnerability sources provide only part of the information needed to achieve an accurate vulnerability assessment. Further, we find that additional information on \texttt{assets}, \texttt{attacks}, and \texttt{vulnerability type} contributes in increasing the accuracy of the assessment; conversely, information on \texttt{known threats} misleads the assessor and decreases assessment accuracy and should be avoided when assessing vulnerabilities. These results go in the direction of formalizing the vulnerability communication to, for example, fully automate security assessments.

Cryptography and Security

Marjan Keramati,

DOI: https://doi.org/10.52547/jiaeee.19.1.35

2022-04-01

Journal of Iranian Association of Electrical and Electronics Engineers

Abstract:Nowadays, computer network attacks are considered as the most serious issue in everybody’s life. Network hardening is a necessity which requires prioritizing vulnerabilities and finding the most dangerous ones. So, risk assessment should be done as much accurate as possible. The most widely used system for risk assessment is CVSS (Common ...

Mahmood Deypir,Toktam Zoughi

DOI: https://doi.org/10.13052/jwe1540-9589.2343

2024-08-08

Journal of Web Engineering

Abstract:The Android operating system has a dominant market for use within a wide range of devices. Along with the widespread growth of the use of the Android system and the development of a huge number of apps for this operating system, new malicious apps are released daily by adversaries, which are difficult to identify and deal with. This is due to them using sophisticated techniques and strikes. Although there are a diverse range of classification models and risk estimation metrics for identifying malware in this operating system, there is still a requirement for more effective approaches in this context. In this paper, we present a new algorithm to calculate the security risk score of Android apps, which can be used to identify malicious apps from benign ones. This algorithm uses a novel technique named twin k-nearest neighbor. In this technique, to estimate the security risk of an unknown app, its nearest neighbors to malicious apps and its nearest neighbors to normal apps are computed separately using an appropriate distance formula. Then, the security risk of the input app can be computed using a simple formulation. In this formulation, the average distances of both k-nearest malicious apps and k-nearest non-malicious apps to the input app are used. In this way, the proposed method can calculate a high security risk for malware and a lower security risk for goodware. Experimental evaluations on real datasets show that the proposed algorithm has better performance over the previously proposed ones in terms of detection rate, precision, recall, and f1-score.

computer science, theory & methods, software engineering

Dan LIAO,Ming ZHOU,Dan LIU,Zhong TIAN

DOI: https://doi.org/10.3778/j.issn.1002-8331.1304-0133

2015-01-01

Abstract:Considering that there are several drawbacks included in CVSS 2.0, such as strongly subjectivity, inefficient maneuverability, the difficulty to create automated assessment model, the evaluation index system is improved based on CVSS 2.0 evaluation system. And the evaluation index system is divided into two parts which are objective category and subjective category. It optimizes evaluation factor with principles of BP neural network self-learning and builds an automa-tion evaluation model based on BP neural network, then quantizes the input indicators characteristic into approximation of effectiveness rapidly. Finally the effectiveness, accuracy and feasibility of the method are proved by MATLAB simulation.

Zhicheng Zhu,Kun Lan,Zhihong Rao,Yuguang Zhang

DOI: https://doi.org/10.1088/1742-6596/1732/1/012051

2021-01-01

Journal of Physics: Conference Series

Abstract:Abstract With the development of IoT technology, the number of attacks against IoT software chain vulnerabilities is greater than ever, and a reasonable vulnerability assessment system needs to be established for research. The Common Vulnerability Scoring System (CVSS) is a free, public risk assessment system used by information security vendors to assess the severity of vulnerability threats. However, CVSS is insufficient because of the strong subjectivity in the selection of measurement standards and the allocation of evaluation index weights. Based on this reason, this paper designs and proposes a more objective risk assessment method for IoT software chain vulnerabilities, and verifies the feasibility and effectiveness of the method through experiments.

English Else