Common Vulnerability Scoring System

Mell, Peter; Scarfone, Karen; Romanosky, Sasha

doi:10.1109/msp.2006.145

Cited by 433 publications

(234 citation statements)

References 0 publications

Supporting

Mentioning

210

Contrasting

Unclassified

Order By: Relevance

“…This value thus only depends on each individual vulnerability, which is similar to many existing metrics, such as the CVSS [13]. On the other hand, we can clearly see the limitation of such metrics in assessing the impact, damage, or relevance of vulnerabilities, because such factors are rather determined by the combination of exploits.…”

Section: Definition 1 An Attack Graph G Is a Directed Graph G(e ∪ Csupporting

confidence: 58%

“…In Figure 1, we have assigned the individual scores (probabilities shown inside the ovals) based on simple facts, such as a buffer overflow attack requires more skills than executing a remote shell command. In practice, individual scores can be obtained by converting vulnerability scores provided by existing standards, such as the CVSS base score and temporal score [13], to probabilities.…”

Section: The Basic Definitionmentioning

confidence: 99%

“…They discuss simple cases of combining individual measures but do not study the general case. Standardization efforts for vulnerability assessment include the Common Vulnerability Scoring System (CVSS) [13], although these generally treat vulnerabilities in isolation, without considering attack interdependencies on target networks. More recently, we propose an attack resistance metric based on attack graph in [31,30].…”

Section: Related Workmentioning

confidence: 99%

“…However, existing network metric standards typically focus on the measurement of individual vulnerabilities. For example, the Common Vulnerability Scoring System (CVSS) measures the potential impact and environmental metrics in terms of each individual vulnerability [13]. This is a major limitation, because the impact, damage, and relevance should be measured against potential compromises of critical resources, which typically require combining more than one vulnerability.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

An Attack Graph-Based Probabilistic Security Metric

Wang

Islam

Long

et al. 2008

Lecture Notes in Computer Science

276

205

View full text Add to dashboard Cite

Abstract.To protect critical resources in today's networked environments, it is desirable to quantify the likelihood of potential multi-step attacks that combine multiple vulnerabilities. This now becomes feasible due to a model of causal relationships between vulnerabilities, namely, attack graph. This paper proposes an attack graph-based probabilistic metric for network security and studies its efficient computation. We first define the basic metric and provide an intuitive and meaningful interpretation to the metric. We then study the definition in more complex attack graphs with cycles and extend the definition accordingly. We show that computing the metric directly from its definition is not efficient in many cases and propose heuristics to improve the efficiency of such computation.

show abstract

Section: Definition 1 An Attack Graph G Is a Directed Graph G(e ∪ Csupporting

confidence: 58%

Section: The Basic Definitionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

An Attack Graph-Based Probabilistic Security Metric

Wang

Islam

Long

et al. 2008

Lecture Notes in Computer Science

276

205

View full text Add to dashboard Cite

show abstract

“…The importance of exploitability is reflected by its inclusion in all the well-known vulnerability scoring systems. For instance, the Common Vulnerabilities Scoring System (CVSS) [1] computes exploitability as a linear combination of qualitative values. The Computer Emergency Response Team/Coordination Center (CERT/CC) [2] produces a numeric vulnerability score based on a series of questions-one of which is, "How easy is it [the vulnerability] to exploit?"…”

Section: Introductionmentioning

confidence: 99%

A Kolmogorov Complexity Approach for Measuring Attack Path Complexity

Idika

Bhargava

2011

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. The difficulty associated with breaching an enterprise network is commensurate with the security of that network. A security breach, or a security policy violation, occurs as a result of an attacker successfully executing some attack path. The difficulty associated with this attack path, then, is critical to understanding how secure a given network is. Currently, however, there are no consistent methods for measuring attack path complexity that make the assumptions of a modeler explicit while providing flexibility in how the modeler models the attack path. To provide these desirable attributes, we propose a regularexpressions-inspired language whose rationale for attack path complexity measurement is based on Kolmogorov Complexity. After detailing our Kolmogorov Complexity-based method, we demonstrate how it can be applied to a novel security metric: the K-step Capability Accumulation metric-a metric that defines the security of a network in terms of the network assets attainable for attack effort exerted.

show abstract