CVSS Attack Graphs

Gallon, Laurent; Bascou, Jean-Jacques

doi:10.1109/sitis.2011.24

Cited by 15 publications

(5 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If λ is zero, the solution reduces to the OLS estimates, and when λ → ∞, all coefficients inβ b tend to zero. Despite of the overdispersion, the Gaussian LASSO in (7) can be accompanied with a Poisson LASSO as an additional robustness check.…”

Section: Resultsmentioning

confidence: 99%

“…CVSS is also widely used in academic research. Typical application domains include risk analysis [2,14], security audit frameworks [4], so-called attack graphs [7,26], and empirical assessments using CVSS for different purposes [1,25,31,33]. To these ends, a lot of work has been done to improve CVSS with different weighting algorithms [17,40], among other techniques [9,30].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A look at the time delays in CVSS vulnerability scoring

Ruohonen

2019

Applied Computing and Informatics

View full text Add to dashboard Cite

This empirical paper examines the time delays that occur between the publication of Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) information attached to published CVEs. According to the empirical results based on regularized regression analysis of over eighty thousand archived vulnerabilities, (i) the CVSS content does not statistically influence the time delays, which, however, (ii) are strongly affected by a decreasing annual trend. In addition to these results, the paper contributes to the empirical research tradition of software vulnerabilities by a couple of insights on misuses of statistical methodology.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A look at the time delays in CVSS vulnerability scoring

Ruohonen

2019

Applied Computing and Informatics

View full text Add to dashboard Cite

show abstract

“…This approach models the relationships between vulnerabilities using attack graphs, converting CVSS scores into probabilities [22]- [27]. In this way, both the CVSS value and the place of the vulnerability in the whole graph are taken into account.…”

Section: B Attack Graph-based Aggregationmentioning

confidence: 99%

A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

Longueira-Romero

Iglesias

Flores

et al. 2022

Sensors

View full text Add to dashboard Cite

The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. Such incidents are caused by the vulnerabilities present in these components. Designing a secure system is critical, but it is also complex, costly, and an extra factor to manage during the lifespan of the component. This paper presents a model to analyze the known vulnerabilities of industrial components over time. The proposed Extended Dependency Graph (EDG) model is based on two main elements: a directed graph representation of the internal structure of the component, and a set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS). The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities, identify new requirements, root causes, and test cases. It also helps prioritize patching activities. The model was validated by application to the OpenPLC project. The results reveal that most of the vulnerabilities associated with OpenPLC were related to memory buffer operations and were concentrated in the libssl library. The model was able to determine new requirements and generate test cases from the analysis.

show abstract

“…For example, a pre-condition of the "buffer overflow" vulnerability could be "execution stack by overwriting the stored return address, the stack pointer or the frame pointer". Whereas, Postcondition(s) [10] represent the results of an activated threat. For example, the results of a "buffer overflow: could be an "unauthorized access to system".…”

Section: A Sossec Abstract and Concrete Syntaxesmentioning

confidence: 99%

“…1) It is rare that an attacker exploits a single vulnerability on a single target system to achieve its objective, in most cases he uses several single attacks on several systems to accomplish his attack [10]. 2) "The consequences of attacks on the SoS cannot be understood by means of the merely evaluation of the behavior of the single systems, but require an assessment of the effect of the inter-dependencies on the behavior of the whole SoS" [11].…”

Section: Introductionmentioning

confidence: 99%

Model Driven Software Security Architecture of Systems-of-Systems

Hachem

Pang

Chiprianov

et al. 2016

2016 23rd Asia-Pacific Software Engineering Conference (APSEC)

View full text Add to dashboard Cite

Recently, there is a growing interest in Systems of Systems (SoS), their architecture, security and application domains. However, their specific characteristics such as the operational independence of SoS constituent systems (CS), the absence of central authority and their emergent behavior make the modeling of their structure, behavior and security a complex task. One of the current main security challenges in the context of SoS is the cascading attack problem. The challenge is to predict the concatenation/sequence of CS's vulnerabilities that could be triggered resulting in destructive cascading failures and take corrective actions to reduce the cost, development time and effect of later changes. In this paper, we propose a domain specific modeling language (DSML) to represent SoS security architecture. Having SoS security models will enable the discovery, analysis and resolution of cascading attacks, in the architecture phase, preventing development time and cost wastage. Following a Model Driven Engineering (MDE) approach, we generate a graphical editor for our DSML and use it to model a Smart Campus case study.

show abstract

CVSS Attack Graphs

Cited by 15 publications

References 7 publications

A look at the time delays in CVSS vulnerability scoring

A look at the time delays in CVSS vulnerability scoring

A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

Model Driven Software Security Architecture of Systems-of-Systems

Contact Info

Product

Resources

About