Dynamic Risk Assessment System for the Vulnerability Scoring
One of the key factors that endangers network security is software vulnerabilities. So, increasing growth of vulnerability emergence is a critical challenge in security management. Also, organizations constantly encounter the limited budget problem. Therefore, to do network hardening in a cost-benefit manner, quantitative vulnerability assessment for finding the most critical vulnerabilities is a vital issue. The most prominent vulnerability scoring systems is CVSS (Common Vulnerability Scoring System) that ranks vulnerabilities based on their intrinsic characteristics. But in CVSS, Temporal features or the effect of existing patches and exploit tools in risk estimation of vulnerabilities are ignored. So, CVSS scores are not accurate. Another deficiency with CVSS that limits its application in real networks is that, in CVSS, only a small set of scores is used for discriminating between numerous numbers of vulnerabilities. To improve the difficulties with existing scoring systems, here some security metrics are defined that rank vulnerabilities by considering their temporal features beside their intrinsic ones. Also, by the aim of improving scores diversity in CVSS, a new method is proposed for Impact estimation of vulnerability exploitation on security parameters of the network. Performing risk assessment by considering the type of the attacker which endangers the network security most is another novelty of this paper
 http://cwe.mitre.org/(accessed May, 7, 2016)
 http://cwe.mitre.org/cwss/cwss_v1.0.1.html(accessed May, 7, 2016)
 http://www.kb.cert.org/vuls/html/fieldhelp (accessed May, 7, 2016)
 https://technet.microsoft.com/en-us/security/gg309177.aspx(accessed May, 7, 2016)
 http://www-935.ibm.com/services/us/iss/xforce/faqs.html (accessed May, 7, 2016)
 http://www.symantec.com/security_response/severityassessment.jsp. (accessed May, 7, 2016)
 http://www.mozilla.org/security/announce/. (accessed May, 7, 2016)
 Wang, Y., & Yang, Y. PVL: A Novel Metric for Single Vulnerability Rating and Its Application in IMS. Journal of Computational Information Systems, 8(2), 579-590, 2012.
 Thaier Hamid, Carsten Maple and Paul Sant. Article: Methodologies to Develop Quantitative Risk Evaluation Metrics. International Journal of Computer Applications 48(14):17-24, June 2012.
 H. Joh and Y. K. Malaiya, "Defining and Assessing Quantitative Security Risk Measures Using Vulnerability Lifecycle and CVSS Metrics,'' Proc. Int. Conference on Security and Management (SAM11), 2011, pp.10-16.
 Frühwirth, C. & Männistö, T. Improving CVSS-based vulnerability prioritization and response with context information. Proceeedings of International Workshop on Security Measurement and Metrics (MetriSec), 2009, PP. 535-544.
 Massimiliano Albanese, Sushil Jajodia, Anoop Singhal, Lingyu Wang, “An efficient approach to assessing the risk of zero-day vulnerabilities,” Proc. 10th International Conference on Security and Cryptpgraphy (SECRYPT 2013), Reykjavik, Iceland, July 29-31, 2013
 Lingyu Wang, Sushil Jajodia, Anoop Singhal, Pengsu Cheng, Steven Noel: k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities. IEEE Trans. Dependable Sec. Comput. 11(1): 30-44 (2014)
 GALLON, L. Vulnerability discrimination using cvss framework. In New Technologies, Mobility and Security (NTMS), 4th IFIP International Conference, 2010, pp. 1 –6.
 Liu, Q. & Zhang, Y. VRSS: A new system for rating and scoring vulnerabilities. Computer Communications. 34(3), 2011, PP. 264-273.
 Spanos, G. & Sioziou, A. & Angelis L. WIVSS: a new methodology for scoring information systems vulnerabilities. Panhellenic Conference on Informatics.2013, PP. 83-90
 Ghani, H. & Luna, j. & Suri, N. Quantitative assessment of software vulnerabilities based on economic-driven security metrics. International Conference on Risks and Security of Internet and Systems (CRiSIS)., 2013, pp. 1-8.
 http://cve.mitre.org/.(accessed May, 7, 2016)
 Frei, S. & May, S. & Fiedler, U. & Plattner, B. Large-scale vulnerability analysis. LSAD ’06:Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense. pp. 131–138, 2006.
 Triantaphyllou, E. & Baig, K. (2005). The Impact of Aggregating Benefit and Cost
 http://www.cvedetails.com/vendor/345/Mcafee.html (accessed December, 17, 2016).
 Criteria in Four MCDA Methods. In IEEE Transactions on Engineering
Management. 52(2), pp. 213-226.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)