Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
TY - GEN
T1 - Predictive vulnerability scoring in the context of insufficient information availability
AU - Ghani, H.
AU - Luna, J.
AU - Khelil, A.
AU - Alkadri, N.
AU - Suri, Neeraj
PY - 2013/10/23
Y1 - 2013/10/23
N2 - Multiple databases and repositories exist for collecting known vulnerabilities for different systems and at different levels. However, it is not unusual for a long time, in some cases more than a year, to elapse before all the information needed to perform and publish a vulnerability score is available to the security management groups that assess and prioritize vulnerabilities for remediation. Scoring a vulnerability also requires broad knowledge of its characteristics, which is not always provided. As an alternative, this paper targets the quantitative understanding of security vulnerabilities in the context of insufficient vulnerability information. We propose a novel approach for the predictive assessment of security vulnerabilities that takes into consideration the relevant scenarios, e.g., zero-day vulnerabilities, for which there is limited or no information to perform a typical vulnerability scoring. We propose a new analytical model, the Vulnerability Assessment Model (VAM), which is inspired by Linear Discriminant Analysis (LDA) and uses publicly available vulnerability databases such as the National Vulnerability Database (NVD) as a training data set. To demonstrate the applicability of our approach, we have developed a publicly available web application, the VAM Calculator. The experimental results obtained using real-world vulnerability data from the three most widely used Internet browsers show that, by reducing the amount of required vulnerability information by around 50%, we can maintain the misclassification rate at approximately 5%. © 2013 IEEE.
KW - CVSS
KW - LDA
KW - security quantification
KW - vulnerability assessment
KW - Database systems
KW - Internet
KW - Information availability
KW - Linear discriminant analysis
KW - National vulnerability database
KW - Security vulnerabilities
KW - Vulnerability assessments
KW - Security of data
U2 - 10.1109/CRiSIS.2013.6766359
DO - 10.1109/CRiSIS.2013.6766359
M3 - Conference contribution/Paper
SP - 1
EP - 8
BT - 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS)
PB - IEEE
ER -
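The abstract describes the idea in one sentence: train an LDA-style classifier on a public vulnerability database so that a severity class can be predicted when only part of the scoring information is available. The block below is an added example written for this page, not the authors' VAM or their VAM Calculator, and it makes several assumptions that the paper does not spell out: it uses textbook Linear Discriminant Analysis (class means, pooled within-class covariance, linear decision rule) on the numeric CVSS v2 metric weights as features; it takes the three exploitability metrics (AV, AC, Au) as the "known half" of a vector, since a freshly reported zero-day often has an attack path before its impact is understood; and, because it has to run offline, it uses the full enumeration of all 729 CVSS v2 base vectors as a constructed stand-in for an NVD export, labelling each with the NVD severity band of its computed base score. The CVSS v2 base equation and the severity bands are the standard ones; everything else is illustration.

```python
"""Predict a CVSS v2 severity class from a partial base vector with LDA (added example, not the paper's VAM)."""
import math
from itertools import product

# CVSS v2 base-metric weights, as defined in the CVSS v2 specification.
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}                # the three impact metrics share one table
TABLES = {"AV": {"L": 0.395, "A": 0.646, "N": 1.0},      # Access Vector
          "AC": {"H": 0.35, "M": 0.61, "L": 0.71},       # Access Complexity
          "Au": {"M": 0.45, "S": 0.56, "N": 0.704},      # Authentication
          "C": _CIA, "I": _CIA, "A": _CIA}               # Confidentiality, Integrity, Availability
METRICS = tuple(TABLES)
EXPLOITABILITY = ("AV", "AC", "Au")  # assumption: the half of the vector known for a fresh zero-day

def parse_vector(vec):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', ...}; rejects unknown metrics or values."""
    parts = dict(p.split(":", 1) for p in vec.split("/"))
    if set(parts) != set(METRICS) or any(parts[m] not in TABLES[m] for m in METRICS):
        raise ValueError(f"malformed CVSS v2 base vector: {vec}")
    return parts

def cvss2_base_score(vec):
    """CVSS v2 base equation, rounded half-up to one decimal as the specification requires."""
    m = parse_vector(vec)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * TABLES["AV"][m["AV"]] * TABLES["AC"][m["AC"]] * TABLES["Au"][m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return math.floor((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact * 10 + 0.5) / 10

def severity(score):
    """NVD's CVSS v2 severity bands: Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"

def features(metrics, known):
    """Numeric weights of only the metrics assumed known (a zero-day may lack all impact data)."""
    return [TABLES[k][metrics[k]] for k in known]

def _invert(m):
    """Gauss-Jordan inverse with partial pivoting; adequate for the small matrices used here."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        a[col] = [v / a[col][col] for v in a[col]]       # old row is read until the assignment lands
        for r in range(n):
            if r != col:
                factor = a[r][col]
                a[r] = [rv - factor * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]

RIDGE = 1e-6  # small diagonal load that keeps the pooled covariance invertible

class LDA:
    """Linear Discriminant Analysis: class means, pooled within-class covariance, linear decision rule."""
    def fit(self, X, y):
        n, d = len(X), len(X[0])
        self.classes = sorted(set(y))
        self.means, self.log_prior = {}, {}
        scatter = [[0.0] * d for _ in range(d)]
        for c in self.classes:
            rows = [x for x, label in zip(X, y) if label == c]
            mu = [sum(col) / len(rows) for col in zip(*rows)]
            self.means[c], self.log_prior[c] = mu, math.log(len(rows) / n)
            for x in rows:
                diff = [xi - mi for xi, mi in zip(x, mu)]
                for i in range(d):
                    for j in range(d):
                        scatter[i][j] += diff[i] * diff[j]
        # Pooled covariance S = scatter / (n - k), inverted once and shared by all classes.
        self.inv_cov = _invert([[scatter[i][j] / (n - len(self.classes)) + (RIDGE if i == j else 0.0)
                                 for j in range(d)] for i in range(d)])
        return self

    def discriminant(self, x, c):
        """delta_c(x) = x.S^-1.mu_c - (mu_c.S^-1.mu_c)/2 + log(prior_c); largest delta wins."""
        mu = self.means[c]
        w = [sum(row[j] * mu[j] for j in range(len(mu))) for row in self.inv_cov]
        return sum(wi * xi for wi, xi in zip(w, x)) - 0.5 * sum(wi * mi for wi, mi in zip(w, mu)) + self.log_prior[c]

    def predict(self, x):
        return max(self.classes, key=lambda c: self.discriminant(x, c))

def all_vectors():
    """All 3^6 = 729 CVSS v2 base vectors: a constructed, exhaustive stand-in for an NVD export."""
    return ["/".join(f"{k}:{v}" for k, v in zip(METRICS, combo))
            for combo in product(*(TABLES[k] for k in METRICS))]

def train(known):
    """Fit LDA to predict the severity class from only the `known` metrics, using every base vector."""
    vecs = all_vectors()
    return LDA().fit([features(parse_vector(v), known) for v in vecs],
                     [severity(cvss2_base_score(v)) for v in vecs])

def misclassification_rate(model, known):
    vecs = all_vectors()
    wrong = sum(model.predict(features(parse_vector(v), known)) != severity(cvss2_base_score(v)) for v in vecs)
    return wrong / len(vecs)

if __name__ == "__main__":
    for known in (METRICS, EXPLOITABILITY):
        print(f"known metrics {known}: misclassification {misclassification_rate(train(known), known):.1%}")
    # A zero-day for which only the exploitability half of the vector has been determined.
    print("AV:N/AC:L/Au:N, impact unknown ->", train(EXPLOITABILITY).predict(features({"AV": "N", "AC": "L", "Au": "N"}, EXPLOITABILITY)))
```

Two caveats for anyone adapting this. First, the misclassification rate printed here comes from a uniform enumeration of the metric space, not from real vulnerability records, so it will not reproduce the roughly 5% the paper reports for browser data; in a real feed the exploitability and impact metrics are correlated in ways the enumeration deliberately ignores, and that correlation is what the predictive model exploits. Second, the class priors enter the discriminant through log(prior_c), so a training set dominated by Medium vulnerabilities will pull borderline predictions toward Medium; if the goal is to avoid under-prioritizing a zero-day, weight the High class up or report the per-class discriminants rather than only the argmax.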