Quantitative assessment of software vulnerabilities based on economic-driven security metrics

Ghani, Hamza; Luna, Jesús; Suri, Neeraj

doi:10.1109/crisis.2013.6766361

Cited by 24 publications

(12 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Quantitative evaluation of computer systems vulnerability is a question of great debates with many approaches proposed [36,37,38,39]. It is clear that the more vulnerabilities exist in a system, the more that system is prone to hacker attacks.…”

Section: Vulnerability Severity and Cvss-based Statisticsmentioning

confidence: 99%

From Analyzing Operating System Vulnerabilities to Designing Multiversion Intrusion-Tolerant Architectures

et al. 2020

View full text Add to dashboard Cite

This paper analyses security problems of modern computer systems caused by vulnerabilities in their operating systems. Our scrutiny of widely used enterprise operating systems focuses on their vulnerabilities by examining the statistical data available on how vulnerabilities in these systems are disclosed and eliminated, and by assessing their criticality. This is done by using statistics from both the National Vulnerabilities database (NVD) and the Common Vulnerabilities and Exposures system (CVE). The specific technical areas the paper covers are the quantitative assessment of forever-day vulnerabilities, estimation of days-ofrisk, the analysis of the vulnerabilities severity and their distributions by attack vector and impact on security properties. In addition, the study aims to explore those vulnerabilities that have been found across a diverse range of operating systems. This leads us to analysing how different intrusion-tolerance architectures deploying the operating system diversity impact availability, integrity and confidentiality.

show abstract

Section: Vulnerability Severity and Cvss-based Statisticsmentioning

confidence: 99%

From Analyzing Operating System Vulnerabilities to Designing Multiversion Intrusion-Tolerant Architectures

et al. 2020

View full text Add to dashboard Cite

show abstract

“…The value of quantitative VAS is computed referring to several key metrics of the standard. At first, the QVAS fixes several key metrics of the vulnerability, then assigns these values to a given formula, finally the severity ranks of the vulnerability is computed [30]- [32]. Compared with other types, this type greatly reduces the subjectivity in the vulnerability assessment (although the subjectivity is not eliminated totally).…”

Section: A Vulnerability Assessment Standard (Vas)mentioning

confidence: 99%

“…However, the difficulty lies in how to choose the key metrics and define the formula [33]. Lots of researchers turn to this topic in recent years [32], [34]. The most successful QVAS is Common Vulnerability Scoring System (CVSS).…”

Section: B Common Vulnerability Scoring System (Cvss)mentioning

confidence: 99%

“…However, since these frameworks are not based on Text Ming, they must assess the vulnerabilities one by one, and cannot in batch, so the efficiency is as low as manual assessment. Chani et al [32] proposed an automatic vulnerability assessment framework based on the scheme of Linear Discriminant Analysis (LDA) in the situation of lacking the information about vulnerabilities. However, more than half values of metrics of CVSS were needed.…”

Section: Automatic Security Vulnerability Assessment Frameworkmentioning

confidence: 99%

“…In order to address these problems and give improvement of existing works, considering Text Mining has the powerful function in automatically finding the laws of the historical information and foreseeing the unknown information, we propose a new automatic vulnerability assessment scheme termed ASVA based on the supervised learning theory. As a comparison to the works of Chani [32], ASVA do not need to know any values of metrics.…”

Section: Automatic Security Vulnerability Assessment Frameworkmentioning

confidence: 99%

See 2 more Smart Citations

A Novel Automatic Severity Vulnerability Assessment Framework

Wen¹,

Zhang²,

Dong³

et al. 2015

JCM

View full text Add to dashboard Cite

Abstract-Security vulnerabilities play an important role in network security. With the development of the network and the increasing number of vulnerabilities, many Quantitative Vulnerability Assessment Standards (QVAS) was proposed in order to enable professionals to prioritize the most important vulnerabilities with limited energy. However, it is difficult to apply QVAS manually due to the large number of vulnerabilities and lack of information. In order to address these problems, an Automatic Security Vulnerability Assessment Framework (ASVA) is proposed, which can automatically apply any QVAS to special Vulnerability Databases. ASVA obtain values of the metrics of a QVAS with new features of Text Mining; assign these values to a formula of QVAS and finally compute the severity values of the vulnerabilities. New features proposed in ASVA are special combinations of metrics of QVAS, so that consider the influence of metrics each other and improve the accuracy of Text Mining. Based on ASVA, CVSS as a QVAS is applied to three representative Vulnerability Databases. The results show that ASVA reduces the cost and period of the application of QVAS and promotes the standardization of security vulnerability management.

show abstract