Is Vulnerability Report Confidence Redundant? Pitfalls Using Temporal Risk Scores

Boechat, Francois; Ribas, Gabriel; Senos, Lucas; Bicudo, Miguel; Nogueira, Mateus; Aguiar, Leandro Pfleger de; Menasché, Daniel Sadoc

doi:10.1109/msec.2021.3070978

Cited by 4 publications

(1 citation statement)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Frühwirth and Männistö [29] proposed a change in the selection of options in the temporal metrics, the exploit code maturity, and the remediation level. It is curious that of the three temporal metrics, changes were only proposed to the first two, since only 12 years later Boechat et al [33] raised the issue of the redundancy of the CVSS temporal metrics, discussing how one can infer attribution of the report confidence from the exploit code maturity and the remediation level.…”

Section: Vulnerabilities Lifecycle: Can Pareto and Weibull Models Pro...mentioning

confidence: 99%

Measuring the Risk of Vulnerabilities Exploitation

Brilhante,

Pestana,

Pestana

et al. 2023

AppliedMath

View full text Add to dashboard Cite

Modeling the vulnerabilities lifecycle and exploitation frequency are at the core of security of networks evaluation. Pareto, Weibull, and log-normal models have been widely used to model the exploit and patch availability dates, the time to compromise a system, the time between compromises, and the exploitation volumes. Random samples (systematic and simple random sampling) of the time from publication to update of cybervulnerabilities disclosed in 2021 and in 2022 are analyzed to evaluate the goodness-of-fit of the traditional Pareto and log-normal laws. As censoring and thinning almost surely occur, other heavy-tailed distributions in the domain of attraction of extreme value or geo-extreme value laws are investigated as suitable alternatives. Goodness-of-fit tests, the Akaike information criterion (AIC), and the Vuong test, support the statistical choice of log-logistic, a geo-max stable law in the domain of attraction of the Fréchet model of maxima, with hyperexponential and general extreme value fittings as runners-up. Evidence that the data come from a mixture of differently stretched populations affects vulnerabilities scoring systems, specifically the common vulnerabilities scoring system (CVSS).

show abstract

Section: Vulnerabilities Lifecycle: Can Pareto and Weibull Models Pro...mentioning

confidence: 99%