Comparing and Evaluating CVSS Base Metrics and Microsoft Rating System

Authors: Awad A. Younis, Yashwant K. Malaiya

DOI: 10.1109/QRS.2015.44

Keywords: Software, De facto standard, Technical analysis, Vulnerability (computing), Software system, Reliability engineering, The Internet, Database, Computer science, Exploit, CVSS

Abstract: Evaluating the accuracy of vulnerability security risk metrics is important because incorrectly assessing a vulnerability to be more critical could lead to a waste of the limited resources available, and ignoring a vulnerability assessed as not critical could lead to a breach with high impact. In this paper, we compare and evaluate the performance of the CVSS Base metrics and the Microsoft Rating system. The CVSS Base metrics are the de facto standard that is currently used to measure the severity of individual vulnerabilities. The Microsoft Rating system, developed by Microsoft, has been used for some of the most widely used software systems. Some software vulnerabilities have both ratings, which makes their comparison feasible. The two approaches, the technical analysis approach (Microsoft) and expert opinions (CVSS), differ significantly. To conduct the study, we examine 813 vulnerabilities in Internet Explorer and Windows 7. These two systems are selected because they have a rich history of publicly reported vulnerabilities and differ significantly in functionality and size. The presence of actual exploits is used for evaluating the two rating systems. The results show that the exploitability metrics of either system do not correlate strongly with the existence of exploits, and both have a high false positive rate.
