
Predictive vulnerability scoring in the context of insufficient information availability

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN; Conference contribution/Paper; peer-review

Published

Standard

Predictive vulnerability scoring in the context of insufficient information availability. / Ghani, H.; Luna, J.; Khelil, A. et al.
2013 International Conference on Risks and Security of Internet and Systems (CRiSIS). IEEE, 2013. p. 1-8.

Harvard

Ghani, H, Luna, J, Khelil, A, Alkadri, N & Suri, N 2013, Predictive vulnerability scoring in the context of insufficient information availability. in 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS). IEEE, pp. 1-8. https://doi.org/10.1109/CRiSIS.2013.6766359

APA

Ghani, H., Luna, J., Khelil, A., Alkadri, N., & Suri, N. (2013). Predictive vulnerability scoring in the context of insufficient information availability. In 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS) (pp. 1-8). IEEE. https://doi.org/10.1109/CRiSIS.2013.6766359

Vancouver

Ghani H, Luna J, Khelil A, Alkadri N, Suri N. Predictive vulnerability scoring in the context of insufficient information availability. In 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS). IEEE. 2013. p. 1-8 doi: 10.1109/CRiSIS.2013.6766359

Author

Ghani, H. ; Luna, J. ; Khelil, A. et al. / Predictive vulnerability scoring in the context of insufficient information availability. 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS). IEEE, 2013. pp. 1-8

Bibtex

@inproceedings{3b8058c2e4ae41599be0d460898e1f7f,
title = "Predictive vulnerability scoring in the context of insufficient information availability",
abstract = "Multiple databases and repositories exist for collecting known vulnerabilities for different systems and on different levels. However, it is not unusual that extensive time elapses, in some cases more than a year, in order to collect all information needed to perform/publish vulnerability scoring calculations for security management groups to assess and prioritize vulnerabilities for remediation. Scoring a vulnerability also requires broad knowledge about its characteristics, which is not always provided. As an alternative, this paper targets the quantitative understanding of security vulnerabilities in the context of insufficient vulnerability information. We propose a novel approach for the predictive assessment of security vulnerabilities, taking into consideration the relevant scenarios, e.g., zero day vulnerabilities, for which there is limited or no information to perform a typical vulnerability scoring. We propose a new analytical model, the Vulnerability Assessment Model (VAM), which is inspired by the Linear Discriminant Analysis and uses publicly available vulnerability databases such as the National Vulnerability Database (NVD) as a training data set. To demonstrate the applicability of our approach, we have developed a publicly available web application, the VAM Calculator. The experimental results obtained using real-world vulnerability data from the three most widely used Internet browsers show that by reducing the amount of required vulnerability information by around 50%, we can maintain the misclassification rate at approximately 5%. {\textcopyright} 2013 IEEE.",
keywords = "CVSS, LDA, security quantification, vulnerability assessment, Database systems, Internet, Information availability, Linear discriminant analysis, National vulnerability database, Security vulnerabilities, Vulnerability assessments, Security of data",
author = "H. Ghani and J. Luna and A. Khelil and N. Alkadri and Neeraj Suri",
year = "2013",
month = oct,
day = "23",
doi = "10.1109/CRiSIS.2013.6766359",
language = "English",
pages = "1--8",
booktitle = "2013 International Conference on Risks and Security of Internet and Systems (CRiSIS)",
publisher = "IEEE",
}

RIS

TY - GEN
T1 - Predictive vulnerability scoring in the context of insufficient information availability
AU - Ghani, H.
AU - Luna, J.
AU - Khelil, A.
AU - Alkadri, N.
AU - Suri, Neeraj
PY - 2013/10/23
Y1 - 2013/10/23
N2 - Multiple databases and repositories exist for collecting known vulnerabilities for different systems and on different levels. However, it is not unusual that extensive time elapses, in some cases more than a year, in order to collect all information needed to perform/publish vulnerability scoring calculations for security management groups to assess and prioritize vulnerabilities for remediation. Scoring a vulnerability also requires broad knowledge about its characteristics, which is not always provided. As an alternative, this paper targets the quantitative understanding of security vulnerabilities in the context of insufficient vulnerability information. We propose a novel approach for the predictive assessment of security vulnerabilities, taking into consideration the relevant scenarios, e.g., zero day vulnerabilities, for which there is limited or no information to perform a typical vulnerability scoring. We propose a new analytical model, the Vulnerability Assessment Model (VAM), which is inspired by the Linear Discriminant Analysis and uses publicly available vulnerability databases such as the National Vulnerability Database (NVD) as a training data set. To demonstrate the applicability of our approach, we have developed a publicly available web application, the VAM Calculator. The experimental results obtained using real-world vulnerability data from the three most widely used Internet browsers show that by reducing the amount of required vulnerability information by around 50%, we can maintain the misclassification rate at approximately 5%. © 2013 IEEE.
AB - Multiple databases and repositories exist for collecting known vulnerabilities for different systems and on different levels. However, it is not unusual that extensive time elapses, in some cases more than a year, in order to collect all information needed to perform/publish vulnerability scoring calculations for security management groups to assess and prioritize vulnerabilities for remediation. Scoring a vulnerability also requires broad knowledge about its characteristics, which is not always provided. As an alternative, this paper targets the quantitative understanding of security vulnerabilities in the context of insufficient vulnerability information. We propose a novel approach for the predictive assessment of security vulnerabilities, taking into consideration the relevant scenarios, e.g., zero day vulnerabilities, for which there is limited or no information to perform a typical vulnerability scoring. We propose a new analytical model, the Vulnerability Assessment Model (VAM), which is inspired by the Linear Discriminant Analysis and uses publicly available vulnerability databases such as the National Vulnerability Database (NVD) as a training data set. To demonstrate the applicability of our approach, we have developed a publicly available web application, the VAM Calculator. The experimental results obtained using real-world vulnerability data from the three most widely used Internet browsers show that by reducing the amount of required vulnerability information by around 50%, we can maintain the misclassification rate at approximately 5%. © 2013 IEEE.
KW - CVSS
KW - LDA
KW - security quantification
KW - vulnerability assessment
KW - Database systems
KW - Internet
KW - Information availability
KW - Linear discriminant analysis
KW - National vulnerability database
KW - Security vulnerabilities
KW - Vulnerability assessments
KW - Security of data
U2 - 10.1109/CRiSIS.2013.6766359
DO - 10.1109/CRiSIS.2013.6766359
M3 - Conference contribution/Paper
SP - 1
EP - 8
BT - 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS)
PB - IEEE
ER -