Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Subil Abraham,Suku Nair

DOI: https://doi.org/10.48550/arXiv.1501.01901

2015-01-08

Cryptography and Security

Abstract:Numerous security metrics have been proposed in the past for protecting computer networks. However we still lack effective techniques to accurately measure the predictive security risk of an enterprise taking into account the dynamic attributes associated with vulnerabilities that can change over time. In this paper we present a stochastic security framework for obtaining quantitative measures of security using attack graphs. Our model is novel as existing research in attack graph analysis do not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. Gaining a better understanding of the relationship between vulnerabilities and their lifecycle events can provide security practitioners a better understanding of their state of security. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.

Chen,Gang Chen

DOI: https://doi.org/10.1109/aiipcc57291.2022.00077

2022-01-01

Abstract:With the rapid development and popular utilization of computer network system, the proportion of attacks against computer network system has been increasing year by year. The traditional security vulnerability assessment method only evaluates individual vulnerabilities in isolation, and the assessment results do not reflect the degree of impact of vulnerabilities on the whole network. To address this problem this paper proposes a computer network system security assessment method, which uses the CVSSv3 evaluation index to assess vulnerabilities based on vulnerability association graph and risk matrix, while taking into account the association relationship between the fore-order vulnerability nodes, back-order vulnerability nodes and the vulnerability itself. The vulnerability correlation hazard calculated by the method can accurately reflect the degree of impact of the vulnerability on the whole computer network system, and the accuracy and effectiveness of the method is proved through experiments.

Gaurav Sharma,Stilianos Vidalis,Catherine Menon,Niharika Anand

DOI: https://doi.org/10.1007/s11042-022-14036-y

Abstract:Proactive security plays a vital role in preventing the attack before entering active mode. In the modern information environment, it depends on the vulnerability management practitioners of an organization in which the critical factor is the prioritization of threats. The existing models and methodology follow the traditional approaches of a Common Vulnerability Scoring System (CVSS) to prioritize threats and vulnerabilities. The CVSS is not able to provide effectiveness to the security of the business of an organization. In contrast, the vulnerability analysis needs a model which can give significance to the prioritization policies. The model depends on the CVSS score of threats and compares various features of vulnerability like threat vectors, inputs, environments used by threat agent's groups, and potential outputs of threat agents. Therefore, the research aims to design a semi-automatic model for vulnerability analysis of threats for the National Institute of Standards and Technology (NIST) database of cyber-crime. We have developed a semi-automatic model that simulates the CVE (Common Vulnerabilities and Exposures) list of the NIST database between 1999 and 2021, concerning the resources used by the threat agents, pre-requisites input, attack vectors, and dormant results. The semi-automatic approach of the model to perform the vulnerability analysis of threat agent groups identified in a network makes the model more efficient and effective to addresses the profiling of threat agents and evaluating the CTI (Critical Threat intelligence feed). Our experimental results imply that the semi-automatic model implements the vulnerability prioritization based on the CVSS score and uses the comparative analysis based on the threat agent's vectors identified. It also provides potency and optimized complexity to an organization's business to mitigate the vulnerability identified in a network.

Alex Ramos,Marcella Lazar,Raimir Holanda Filho,Joel J. P. C. Rodrigues

DOI: https://doi.org/10.1109/comst.2017.2745505

2017-01-01

Abstract:Network security metrics (NSMs) based on models allow to quantitatively evaluate the overall resilience of networked systems against attacks. For that reason, such metrics are of great importance to the security-related decision-making process of organizations. Considering that over the past two decades several model-based quantitative NSMs have been proposed, this paper presents a deep survey of the state-of-the-art of these proposals. First, to distinguish the security metrics described in this survey from other types of security metrics, an overview of security metrics, in general, and their classifications is presented. Then, a detailed review of the main existing model-based quantitative NSMs is provided, along with their advantages and disadvantages. Finally, this survey is concluded with an in-depth discussion on relevant characteristics of the surveyed proposals and open research issues of the topic.

computer science, information systems,telecommunications

Milda Petraityte,Ali Dehghantanha,Gregory Epiphaniou

DOI: https://doi.org/10.1007/978-3-319-73951-9_11

2018-07-27

Abstract:Various researchers have shown that the Common Vulnerability Scoring System (CVSS) has many drawbacks and may not provide a precise view of the risks related to software vulnerabilities. However, many threat intelligence platforms and industry-wide standards are relying on CVSS score to evaluate cybersecurity compliance. This paper suggests several improvements to the calculation of Impact and Exploitability sub-scores within the CVSS, improve its accuracy and help threat intelligence analysts to focus on the key risks associated with their assets. We will apply our suggested improvements against risks associated with several Android and iOS applications and discuss achieved improvements and advantages of our modelling, such as the importance and the impact of time on the overall CVSS score calculation.

Cryptography and Security

Hui Guan,Weiru Chen,Lin Liu,Hongji Yang

2012-01-01

Abstract:Risk assessment has been getting increased attention as the new vulnerabilities and threats are emerging on daily basis. The popularity and complexity of web application present challenges to the security implementation for web engineering. It is well known that the earlier to perform risk assessment for software, the less cost needed to mitigate the security risks. However, quantitative estimation of security in the earlier stage of software development life cycle is largely missing. In this paper, we propose a quantitative approach to perform risk assessment at design stage for web application which is based on multiple security vectors of asset, threat and vulnerability. An environment-driven method is proposed to elicit threats to the system. In the end, the risk assessment methodology is applied on a customer goods case study.

Raj Pokhrel Nawa,P. Tsokos Chris,Nawa Raj Pokhrel,Chris P. Tsokos

DOI: https://doi.org/10.4236/jis.2017.82007

2017-01-01

Journal of Information Security

Abstract:There are several security metrics developed to protect the computer networks. In general, common security metrics focus on qualitative and subjective aspects of networks lacking formal statistical models. In the present study, we propose a stochastic model to quantify the risk associated with the overall network using Markovian process in conjunction with Common Vulnerability Scoring System (CVSS) framework. The model we developed uses host access graph to represent the network environment. Utilizing the developed model, one can filter the large amount of information available by making a priority list of vulnerable nodes existing in the network. Once a priority list is prepared, network administrators can make software patch decisions. Gaining in depth understanding of the risk and priority level of each host helps individuals to implement decisions like deployment of security products and to design network topologies.

Volodymyr Buriachok,Volodymyr Sokolov,Pavlo Skladannyi

DOI: https://doi.org/10.48550/arXiv.1906.10877

2019-06-26

Cryptography and Security

Abstract:The paper examines quantitative assessment of wireless distribution system security, as well as an assessment of risks from attacks and security violations. Furthermore, it describes typical security breach and formal attack models and five methods for assessing security. The proposed normalized method for assessing the degree of security assurance operates with at least three characteristics, which allows comparatively analyze heterogeneous information systems. The improved calculating formulas have been proposed for two security assessment methods, and the elements of functional-cost analysis have been applied to calculate the degree of security. To check the results of the analysis, the coefficient of concordance was calculated, which gives opportunity to determine the quality of expert assessment. The simultaneous use of several models to describe attacks and the effectiveness of countering them allows us to create a comprehensive approach to countering modern security threats to information networks at the commercial enterprises and critical infrastructure facilities.

Miguel Santana,Vinicius V. Cogo,Alan Oliveira de Sá

2024-05-14

Abstract:Background: Timely prioritising and remediating vulnerabilities are paramount in the dynamic cybersecurity field, and one of the most widely used vulnerability scoring systems (CVSS) does not address the increasing likelihood of emerging an exploit code. Aims: We present SecScore, an innovative vulnerability severity score that enhances CVSS Threat metric group with statistical models from empirical evidences of real-world exploit codes. Method: SecScore adjusts the traditional CVSS score using an explainable and empirical method that more accurately and promptly captures the dynamics of exploit code development. Results: Our approach can integrate seamlessly into the assessment/prioritisation stage of several vulnerability management processes, improving the effectiveness of prioritisation and ensuring timely remediation. We provide real-world statistical analysis and models for a wide range of vulnerability types and platforms, demonstrating that SecScore is flexible according to the vulnerability's profile. Comprehensive experiments validate the value and timeliness of SecScore in vulnerability prioritisation. Conclusions: SecScore advances the vulnerability metrics theory and enhances organisational cybersecurity with practical insights.

Cryptography and Security

Xiu-Zhen Chen,Qing-Hua Zheng,Xiao-Hong Guan,Chen-Guang Lin,Jie Sun

DOI: https://doi.org/10.1016/j.cose.2004.08.009

IF: 5.105

2005-01-01

Computers & Security

Abstract:How to evaluate network security threat quantitatively is one of key issues in the field of network security, which is vital for administrators to make decision on the security of computer networks. A novel model of security threat evaluation with a series of quantitative indices is proposed on the analysis of prevalent network intrusions. This model is based on multiple behavior information fusion and two indices of privilege validity and service availability that are proposed to evaluate the impact of prevalent network intrusions on system security, so as to provide security evolution over time, i.e., monitor security changes with respect to modification of security factors. The Markov model and the algorithm of D-S evidence reasoning are proposed to measure these two indices, respectively. Compared with other methods, this method mitigates the impact of unsuccessful intrusions on threat evaluation. It evaluates the impact of important intrusions on system security comprehensively and helps administrators to insight into intrusion steps, determine security state and identify dangerous intrusion traces. Testing in a real network environment shows that this method is reasonable and feasible in alleviating the tremendous task of data analysis and facilitating the understanding of the security evolution of the system for its administrators.

Alan Raveling,Yanzhen Qu

DOI: https://doi.org/10.24018/ejece.2023.7.4.546

2023-07-12

European Journal of Electrical Engineering and Computer Science

Abstract:This paper has examined the application of the Common Vulnerability Scoring System applied to operational technology or industrial control system-based cybersecurity controls and demonstrated that the unique considerations and aspects of these environments are more accurately captured when compared against a traditional IT based evaluation. Multiple business drivers are compelling consumer goods manufacturers to augment and connect their manufacturing systems bringing with it increases in potential for experiencing a cybersecurity incident [1]. While other business verticals are able to utilize cybersecurity standards and control documents tailored for their industry, manufacturers do not have a set of materials that directly correlate to the operational technology environments in which their systems reside [2]. Cybersecurity practitioners face additional challenges in developing an understanding of the severity of the risks within these environments due to the lack of current quantifiable methods of evaluating the risks. The findings from this research provide cybersecurity practitioners with a repeatable and extensible method to derive the operational risk present to an organization due to the technologies and business strategies employed in the pursuit of business objectives.

Guoquan Li,Yulong Fu,Zheng Yan,Weilin Hao

DOI: https://doi.org/10.1007/978-3-030-30619-9_5

2019-01-01

Abstract:Security Metrics help network administrators master the security status and strengthen security management for many years. Recently, with the usages of many new techniques and network structures, the cyber attacks become complex and the security measurement has received more and more attentions. However, existing methods usually focus on one aspect of security and the indicators used are usually difficult to quantify, which makes it difficult to understand network security status in some real circumstance. In this paper, we consider the network system security from the perspective of attack and defense and the changes of external security environment to propose a comprehensive and quantifiable index system for network security measurement. We illustrate the corresponding theories and the usages of each selected indicators and we also complete the real-time security measurement in various attacks and defenses by using NS3 simulator. The simulation results verify the correctness and rationality of the proposed Security Measurement Index System.

Yukun Zheng,Kun Lv,Changzhen Hu

DOI: https://doi.org/10.1007/978-3-319-64701-2_25

2017-01-01

Abstract:With the rapid development of network, network security issues become increasingly important. It is a tough challenge to evaluate the network security due to the increasing vulnerabilities. In this paper, we propose a quantitative method for evaluating network security based on attack graph. We quantify the importance of nodes and the maximum reachable probability of nodes, and construct a security evaluation function to calculate the security risk score. Our approach focuses on the attacker's view and considers the most important factors that may affect the network security. The parameters we use are easily to be acquired in any network. Thus, the assessment score gotten through the evaluation function can comprehensively reflect the security level. According to the security risk value, security professionals can take appropriate countermeasures to harden the network. Experimental results prove that this model solves the security evaluation problem efficiently.

张鑫,顾庆,陈道蓄

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.09.032

2009-01-01

Computer Science

Abstract:Quality of protection can be seen as the security target of security modules when doing their security treatments,which can be judged by quantitative criteria.The question of how to evaluate whether the current software system has fulfills the quality of protection target objectively and effectively has become one of the hotspots of research.Currently,however,most security professionals use the qualitative method for security evaluation,which is highly subjective and makes the evaluation result dependent on the individual experience and thus unreliable.So what needed are substantive and quantitative security metrics.Because of the complexity and the difficulty of implementing the security metrics,a novel security evaluation model was presented in this paper,which analyzed the relative security level of given systems from the views of attack surface,denial of service and attack graph.At last,a general discussion for the process and the result of the evaluation were given.

Lina Zhu,Guoen Xia,Zuochang Zhang,Jianhua Li,Renjie Zhou

DOI: https://doi.org/10.14257/ijsia.2016.10.11.14

2016-01-01

International Journal of Security and Its Applications

Abstract:Network security situation awareness is vital important for network security supervision. In order to obtain the network security situation effectively, a multidimensional assessment method is proposed in this paper. The method is composed of three dimensions at different levels, namely vulnerability, threat and basic operation, with quantitative calculation method for each index. In the service layer, CVSS standard is adopted to assess the vulnerability situation, and simplified DREAD model is chosen for the threat situation. In the node layer, the vulnerability situation in the service layer is added with a weight, the threat situation in the service layer is accumulated according to attack paths based on Markov model, and the basic operation situation is evaluated by DS evidence fusion of several host and network performance index. In the network layer, each situation equals to weighted summation of corresponding situation in the node layer. Experimental results show the ease of use of this method, and multi-dimensional situation depicts the overall safety evolution process of network system accurately and intuitively.

刘芳,戴葵,王志英,吴丹

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.18.007

2004-01-01

Abstract:In this paper, the necessity and feasibility of quantitative security evaluation are analyzed, in particular with regard to nowadays security requirements. Based on the probability and statistics, the quantitative security model is brought forward. And then a complete quantitative evaluating system is introduced, which is based on the modularization and the quantitative security model. Finally, the rationality and validity of this system are verified through experiments.

Luca Allodi,Fabio Massacci

DOI: https://doi.org/10.1145/2630069

2013-09-24

Abstract:(U.S) Rule-based policies to mitigate software risk suggest to use the CVSS score to measure the individual vulnerability risk and act accordingly: an HIGH CVSS score according to the NVD (National (U.S.) Vulnerability Database) is therefore translated into a "Yes". A key issue is whether such rule is economically sensible, in particular if reported vulnerabilities have been actually exploited in the wild, and whether the risk score do actually match the risk of actual exploitation. We compare the NVD dataset with two additional datasets, the EDB for the white market of vulnerabilities (such as those present in Metasploit), and the EKITS for the exploits traded in the black market. We benchmark them against Symantec's threat explorer dataset (SYM) of actual exploit in the wild. We analyze the whole spectrum of CVSS submetrics and use these characteristics to perform a case-controlled analysis of CVSS scores (similar to those used to link lung cancer and smoking) to test its reliability as a risk factor for actual exploitation. We conclude that (a) fixing just because a high CVSS score in NVD only yields negligible risk reduction, (b) the additional existence of proof of concepts exploits (e.g. in EDB) may yield some additional but not large risk reduction, (c) fixing in response to presence in black markets yields the equivalent risk reduction of wearing safety belt in cars (you might also die but still..). On the negative side, our study shows that as industry we miss a metric with high specificity (ruling out vulns for which we shouldn't worry). In order to address the feedback from BlackHat 2013's audience, the final revision (V3) provides additional data in Appendix A detailing how the control variables in the study affect the results.

Cryptography and Security

CHEN Xiu-Zhen,ZHENG Qing-Hua,GUAN Xiao-Hong,LIN Chen-Guang

DOI: https://doi.org/10.1360/jos170885

2006-01-01

Journal of Software

Abstract:Evaluating security threat status is very important in network security management and analysis. A quantitative hierarchical threat evaluation model is developed in this paper to evaluate security threat status of a computer network system and the computational method is developed based on the structure of the network and the importance of services and hosts. The evaluation policy from bottom to top and from local to global is adopted in this model. The threat indexes of services, hosts and local networks are calculated by weighting the importance of services and hosts based on attack frequency, severity and network bandwidth consumption, and the security threat status is then evaluated. The experiment results show that this model can provide the intuitive security threat status in three hierarchies: services, hosts and local networks so that system administrators are freed from tedious analysis tasks based on the alarm datasets to have overall security status of the entire system. It is also possible for them to find the security behaviors of the system, to adjust the security strategies and to enhance the performance on system security. This model is valuable for guiding the security engineering practice and developing the tool of security risk evaluation.

Dan LIAO,Ming ZHOU,Dan LIU,Zhong TIAN

DOI: https://doi.org/10.3778/j.issn.1002-8331.1304-0133

2015-01-01

Abstract:Considering that there are several drawbacks included in CVSS 2.0, such as strongly subjectivity, inefficient maneuverability, the difficulty to create automated assessment model, the evaluation index system is improved based on CVSS 2.0 evaluation system. And the evaluation index system is divided into two parts which are objective category and subjective category. It optimizes evaluation factor with principles of BP neural network self-learning and builds an automa-tion evaluation model based on BP neural network, then quantizes the input indicators characteristic into approximation of effectiveness rapidly. Finally the effectiveness, accuracy and feasibility of the method are proved by MATLAB simulation.