VEST: A System for Vulnerability Exploit Scoring & Timing

Abstract: Knowing if/when a cyber-vulnerability will be exploited and how severe the vulnerability is can help enterprise security officers (ESOs) come up with appropriate patching schedules. Today, this ability is severely compromised: our study of data from Mitre and NIST shows that on average there is a 132 day gap between the announcement of a vulnerability by Mitre and the time NIST provides an analysis with severity score estimates and 8 important severity attributes. Many attacks happen during this very 132-day w… Show more

“…Therefore, the developed VMC can be applied for every network infrastructure. Additionally, none of the presented solutions [37,[49][50][51] and [6][7][8][9] offer prioritization for CVSS 2.0 and CVSS 3.1 simultaneously. Thanks to the use of CVSS environmental score, the stakeholders using the developed VMC fully understand the nature of received vulnerability prioritization and can trace back all steps for the all received scores.…”

“…For instance, Qualys uses a 7-point scale [7], Rapid7 performs the prioritization in the range from 1 to 1000 [8], whereas Tenable named its prioritization method VPR and the provided levels range from 1 to 10 [9]. Next to commercial solutions, it is possible to find in literature, other solutions, i.e.,: PatchRank [49], SecureRank [50], VULCON [37], or VEST [51]. The PatchRank solution focuses only on the updates prioritization for SCADA systems [49].…”

“…The Vulcon's software strategy is based on two elementary pointers: the vulnerability appearance time (TVR) and total vulnerability exposure time [37]. VEST, however, focuses on verifying whether the vulnerability is exploited and how quickly it can be used by an attacker [51]. Other solutions, e.g., [37,[49][50][51] do not take into consideration the value of assets and are not adjusted to the increasing amount of data in cloud computing environment and therefore they cannot be applied in every network infrastructure.…”

“…VEST, however, focuses on verifying whether the vulnerability is exploited and how quickly it can be used by an attacker [51]. Other solutions, e.g., [37,[49][50][51] do not take into consideration the value of assets and are not adjusted to the increasing amount of data in cloud computing environment and therefore they cannot be applied in every network infrastructure. Additionally, none of the presented solutions offer prioritization for CVSS 2.0 and CVSS 3.1 simultaneously.…”

“…Thus, allowing to adjust the tool easily to the increasing amount of incoming data. In comparison to [37,[49][50][51] the developed VMC uses the information collected from the asset database. Unlike [6][7][8][9] the prioritization procedure has been outlined in detail and hence can be analyzed using FIRST standard [14].…”

Efficient Algorithm for Providing Live Vulnerability Assessment in Corporate Network Environment

“…Therefore, the developed VMC can be applied for every network infrastructure. Additionally, none of the presented solutions [37,[49][50][51] and [6][7][8][9] offer prioritization for CVSS 2.0 and CVSS 3.1 simultaneously. Thanks to the use of CVSS environmental score, the stakeholders using the developed VMC fully understand the nature of received vulnerability prioritization and can trace back all steps for the all received scores.…”

“…For instance, Qualys uses a 7-point scale [7], Rapid7 performs the prioritization in the range from 1 to 1000 [8], whereas Tenable named its prioritization method VPR and the provided levels range from 1 to 10 [9]. Next to commercial solutions, it is possible to find in literature, other solutions, i.e.,: PatchRank [49], SecureRank [50], VULCON [37], or VEST [51]. The PatchRank solution focuses only on the updates prioritization for SCADA systems [49].…”

“…The Vulcon's software strategy is based on two elementary pointers: the vulnerability appearance time (TVR) and total vulnerability exposure time [37]. VEST, however, focuses on verifying whether the vulnerability is exploited and how quickly it can be used by an attacker [51]. Other solutions, e.g., [37,[49][50][51] do not take into consideration the value of assets and are not adjusted to the increasing amount of data in cloud computing environment and therefore they cannot be applied in every network infrastructure.…”

“…VEST, however, focuses on verifying whether the vulnerability is exploited and how quickly it can be used by an attacker [51]. Other solutions, e.g., [37,[49][50][51] do not take into consideration the value of assets and are not adjusted to the increasing amount of data in cloud computing environment and therefore they cannot be applied in every network infrastructure. Additionally, none of the presented solutions offer prioritization for CVSS 2.0 and CVSS 3.1 simultaneously.…”

“…Thus, allowing to adjust the tool easily to the increasing amount of incoming data. In comparison to [37,[49][50][51] the developed VMC uses the information collected from the asset database. Unlike [6][7][8][9] the prioritization procedure has been outlined in detail and hence can be analyzed using FIRST standard [14].…”

Efficient Algorithm for Providing Live Vulnerability Assessment in Corporate Network Environment

Software Vulnerability Classification Using Learning Techniques

Software Vulnerability Analysis Based on Statistical Characteristics