Comparing Vulnerability Severity and Exploits Using Case-Control Studies

Authors: Luca Allodi, Fabio Massacci

DOI: 10.1145/2630069

Keywords:

Abstract: (US) Rule-based policies for mitigating software risk suggest using the CVSS score to measure the risk of an individual vulnerability and act accordingly. A key issue is whether the 'danger' score does actually match the risk of exploitation in the wild, and if and how such a score could be improved. To address this question, we propose using a case-control study methodology similar to the procedure used to link lung cancer and smoking in the 1950s. A case-control study allows the researcher to draw conclusions on the relation between some …
