A preliminary analysis of vulnerability scores for attacks in wild

Authors: Luca Allodi, Fabio Massacci

DOI: 10.1145/2382416.2382427

Keywords:

Abstract: NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure of risk. An open question is whether such scores are actually representative of attacks found in the wild. To address this, we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market, and extracted another database (SYM) from Symantec's Threat Database. Our final conclusion is that EDB is not a reliable source of information on exploits in the wild, even after controlling for the exploitability subscore. A high or medium score shows a significant sensitivity (i.e. prediction of attacks in the wild) only for vulnerabilities present in the black market. All datasets exhibit low specificity.
