Dynamic Risk Assessment System for the Vulnerability Scoring

  • Marjan Keramati, Computer Science Department, Semnan University, Semnan, Iran
Keywords: CVSS, Risk, Vulnerability, Impact, Network Hardening, Security Metric, exploit, patch

Abstract

One of the key factors that endangers network security is software vulnerabilities, so the increasing rate of vulnerability emergence is a critical challenge in security management. Organizations also constantly face a limited budget. Therefore, to perform network hardening in a cost-effective manner, quantitative vulnerability assessment that finds the most critical vulnerabilities is a vital issue. The most prominent vulnerability scoring system is CVSS (Common Vulnerability Scoring System), which ranks vulnerabilities based on their intrinsic characteristics. But in CVSS, temporal features, that is, the effect of existing patches and exploit tools on the risk estimate of a vulnerability, are ignored, so CVSS scores are not accurate. Another deficiency of CVSS that limits its application in real networks is that only a small set of scores is used to discriminate between a very large number of vulnerabilities. To overcome these difficulties with existing scoring systems, this paper defines security metrics that rank vulnerabilities by considering their temporal features alongside their intrinsic ones. Also, with the aim of improving score diversity in CVSS, a new method is proposed for estimating the impact of vulnerability exploitation on the security parameters of the network. Performing risk assessment by considering the type of attacker that endangers network security the most is another novelty of this paper.
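The abstract makes two claims about CVSS: that base scores ignore the state of patches and exploit tools, and that many distinct vulnerabilities collapse onto the same score. The following example, added here and not taken from the paper (the paper's own metrics are not reproduced on this page), illustrates both points using the published CVSS v3.1 Temporal equation (Temporal = Roundup(Base × ExploitCodeMaturity × RemediationLevel × ReportConfidence)) rather than the paper's method. The vulnerability identifiers, base scores and temporal vectors are constructed sample data.

```python
"""Illustrative CVSS v3.1 temporal re-scoring (added example, not the paper's metric).

Constants and the Roundup routine follow the CVSS v3.1 specification
(https://www.first.org/cvss/). The sample vulnerabilities below are constructed.
"""

# CVSS v3.1 temporal metric weights (X = Not Defined).
EXPLOIT_CODE_MATURITY = {"X": 1.00, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.00}
REMEDIATION_LEVEL = {"X": 1.00, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.00}
REPORT_CONFIDENCE = {"X": 1.00, "U": 0.92, "R": 0.96, "C": 1.00}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value.

    Done on an integer representation, as the specification recommends,
    so that floating-point drift (e.g. 4.0200000001) cannot push a score up.
    """
    as_int = round(value * 100000)
    if as_int % 10000 == 0:
        return as_int / 100000.0
    return (as_int // 10000 + 1) / 10.0


def temporal_score(base: float, e: str, rl: str, rc: str) -> float:
    """Temporal score for a base score and the three temporal metric values."""
    return roundup(
        base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc]
    )


# Constructed sample: three vulnerabilities with an identical base score but a
# different real-world state (exploit availability, patch availability, confidence).
SAMPLE_VULNS = [
    {"id": "SAMPLE-A", "base": 7.5, "E": "H", "RL": "U", "RC": "C"},  # public exploit, no fix
    {"id": "SAMPLE-B", "base": 7.5, "E": "P", "RL": "O", "RC": "C"},  # PoC only, vendor fix exists
    {"id": "SAMPLE-C", "base": 7.5, "E": "U", "RL": "O", "RC": "U"},  # unproven, fixed, unconfirmed
]


def rank_by_temporal(vulns):
    """Return (id, base, temporal) tuples, most urgent first."""
    scored = [
        (v["id"], v["base"], temporal_score(v["base"], v["E"], v["RL"], v["RC"]))
        for v in vulns
    ]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def distinct_score_count(vulns, temporal: bool) -> int:
    """How many distinct scores the set yields: base-only versus temporal."""
    if temporal:
        return len({row[2] for row in rank_by_temporal(vulns)})
    return len({v["base"] for v in vulns})


if __name__ == "__main__":
    for vid, base, temp in rank_by_temporal(SAMPLE_VULNS):
        print(f"{vid}: base={base} temporal={temp}")
    print("distinct base scores:", distinct_score_count(SAMPLE_VULNS, temporal=False))
    print("distinct temporal scores:", distinct_score_count(SAMPLE_VULNS, temporal=True))
```

With base scores alone the three sample vulnerabilities are indistinguishable (one distinct score, 7.5); once exploit maturity and remediation level are applied they separate into 7.5, 6.7 and 6.0, which is the kind of discrimination the abstract argues a scoring system needs for cost-effective hardening.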


Author Biography

Marjan Keramati, Computer Science Department, Semnan University, Semnan, Iran

received both her undergraduate and graduate degrees in Computer System Architecture from Iran University of Science and Technology. Currently, she is a faculty member in the Department of Computer Science at Semnan University. She is also an Editorial Board Member of the International Journal of Cases on Information Technology (USA). In addition, she is a member of the Technical Commission of Standard Codification and registered one National Standard in the field of network security in 2017. Publishing papers in international journals and conferences, reviewing for various prestigious international journals, and serving on both the Scientific and Executive Committees of international conferences are further examples of her academic activities. Her research interests include: Risk Evaluation, Security Metrics, Security Modeling, Vulnerability Analysis, Cloud Computing Security, Intrusion Prevention Systems, and Intrusion Response Systems.


Volume 9, Number 4-7, Autumn 2017

Published: 2018-08-11

How to Cite

Keramati, Marjan. (2018, August 11). Dynamic Risk Assessment System for the Vulnerability Scoring. International Journal of Information & Communication Technology Research, 9(4), 57-68. Retrieved from http://journal.itrc.ac.ir/index.php/ijictr/article/view/203