short-paper

Identifying Relevant Information Cues for Vulnerability Assessment Using CVSS

Authors:

Luca Allodi,

Sebastian Banescu,

Henning Femmer,

Kristian BeckersAuthors Info & Claims

CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy

Pages 119 - 126

https://doi.org/10.1145/3176258.3176340

Published: 13 March 2018 Publication History

Get Access

Abstract

The assessment of new vulnerabilities is an activity that accounts for information from several data sources and produces a 'severity' score for the vulnerability. The Common Vulnerability Scoring System (CVSS) is the reference standard for this assessment. Yet, no guidance currently exists on which information aids a correct assessment and should therefore be considered. In this paper we address this problem by evaluating which information cues increase (or decrease) assessment accuracy. We devise a block design experiment with 67 software engineering students with varying vulnerability information and measure scoring accuracy under different information sets. We find that baseline vulnerability descriptions provided by standard vulnerability sources provide only part of the information needed to achieve an accurate vulnerability assessment. Further, we find that additional information on assets, attacks, and vulnerability type contributes in increasing the accuracy of the assessment; conversely, information on known threats misleads the assessor and decreases assessment accuracy and should be avoided when assessing vulnerabilities. These results go in the direction of formalizing the vulnerability communication to, for example, fully automate security assessments.

References

[1]

Luca Allodi and Fabio Massacci. 2014. Comparing vulnerability severity and exploits using case-control studies. ACM Transaction on Information and System Security (TISSEC) Vol. 17, 1 (August. 2014).

Digital Library

Google Scholar

[2]

Luca Allodi, Shim Woohyun, and Fabio Massacci. 2013. Quantitative assessment of risk reduction with cybercrime black market monitoring. In Proc. of IWCC'13.

Digital Library

Google Scholar

[3]

Sean Barnum and Gary McGraw. 2005. Knowledge for software security. IEEE Security & Privacy Vol. 3, 2 (2005), 74--78.

Digital Library

Google Scholar

[4]

Steve Christey and Brian Martin. 2013. Buying into the bias: why vulnerability statistics suck. https://www.blackhat.com/us-13/archives.html#Martin. (July. 2013).

Google Scholar

[5]

Stanislav Dashevskyi, Achim D Brucker, and Fabio Massacci. 2016. On the Security Cost of Using a Free and Open Source Component in a Proprietary Product. In International Symposium on Engineering Secure Software and Systems. Springer, 190--206.

Digital Library

Google Scholar

[6]

Prem Devanbu, Thomas Zimmermann, and Christian Bird. 2016. Belief & Evidence in Empirical Software Engineering Proceedings of the 38th International Conference on Software Engineering (ICSE '16). ACM, New York, NY, USA, 108--119.

Digital Library

Google Scholar

[7]

Martin J Eppler and Jeanne Mengis. 2004. The concept of information overload: A review of literature from organization science, accounting, marketing, MIS, and related disciplines. The information society Vol. 20, 5 (2004), 325--344.

Google Scholar

[8]

Henning Femmer, Daniel Méndez Fernández, Stefan Wagner, and Sebastian Eder. 2016. Rapid quality assurance with Requirements Smells. Journal of Systems and Software (2016).

Google Scholar

[9]

James Walden, Jeff Stuckman, and Riccardo Scandariato. 2014. Predicting vulnerable components: Software metrics vs text mining 2014 IEEE 25th International Symposium on Software Reliability Engineering. IEEE, 23--33.

Digital Library

Google Scholar

[10]

Koen Yskout, Riccardo Scandariato, and Wouter Joosen. 2015. Do Security Patterns Really Help Designers?. In Proceedings of the 37th International Conference on Software Engineering - Volume 1 (ICSE '15). IEEE Press, 292--302.

Digital Library

Google Scholar

[11]

Hongyu Zhang, Liang Gong, and Steve Versteeg. 2013. Predicting bug-fixing time: an empirical study of commercial software projects Proceedings of the 2013 International Conference on Software Engineering. IEEE Press, 1042--1051.

Digital Library

Google Scholar

[12]

Yu Zhao, Feng Zhang, Emad Shihab, Ying Zou, and Ahmed E Hassan. 2016. How Are Discussions Associated with Bug Reworking?: An Empirical Study on Open Source Projects. In Proceedings of the 10th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement. ACM, 21.

Digital Library

Google Scholar

[13]

Thomas Zimmermann, Rahul Premraj, Nicolas Bettenburg, Sascha Just, Adrian Schroter, and Cathrin Weiss. 2010. What makes a good bug report? IEEE Transactions on Software Engineering Vol. 36, 5 (2010), 618--643.

Digital Library

Google Scholar

Cited By

View all

Yue QLi JHuang ZXie XYang Q(2024)Vulnerability Assessment and Topology Reconstruction of Task Chains in UAV NetworksElectronics10.3390/electronics1311212613:11(2126)Online publication date: 29-May-2024
https://doi.org/10.3390/electronics13112126
Li JYue QHuang ZXie XYang Q(2024)Vulnerability Analysis of UAV Swarm Network with Emergency TasksElectronics10.3390/electronics1311200513:11(2005)Online publication date: 21-May-2024
https://doi.org/10.3390/electronics13112005
Isogai SOgata SKashiwa YYazawa SOkano KOkubo TWashizaki H(2024)Toward Extracting Learning Pattern: A Comparative Study of GPT-4o-mini and BERT Models in Predicting CVSS Base Vectors2024 IEEE 35th International Symposium on Software Reliability Engineering Workshops (ISSREW)10.1109/ISSREW63542.2024.00067(127-134)Online publication date: 28-Oct-2024
https://doi.org/10.1109/ISSREW63542.2024.00067
Show More Cited By

Index Terms

Identifying Relevant Information Cues for Vulnerability Assessment Using CVSS

Recommendations

CVSS: Ubiquitous and Broken
The Common Vulnerability Scoring System is at the core of vulnerability management for systems of private corporations to highly classified government networks, allowing organizations to prioritize remediation in descending order of risk. With a lack of ...
Comparing Vulnerability Severity and Exploits Using Case-Control Studies

(U.S.) Rule-based policies for mitigating software risk suggest using the CVSS score to measure the risk of an individual vulnerability and act accordingly. A key issue is whether the ‘danger’ score does actually match the risk of exploitation in the ...
CVSS Attack Graphs
SITIS '11: Proceedings of the 2011 Seventh International Conference on Signal Image Technology & Internet-Based Systems

Attack models and attack graphs are efficient tools to describe and analyse attack scenarios aimed at computer networks. More precisely, attack graphs give all possible scenarios for an attacker to reach a certain goal, exploiting vulnerabilities of the ...

Comments

Information & Contributors

Information

Published In

CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy

March 2018

401 pages

ISBN:9781450356329

DOI:10.1145/3176258

General Chairs:
Ziming Zhao
Arizona State University, USA
,
Gail-Joon Ahn
Arizona State University, USA & Samsung Research, Korea
,
Program Chairs:
Ram Krishnan
University of Texas at San Antonio, USA
,
Gabriel Ghinita
University of Massachusetts Boston, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 March 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper

Funding Sources

Conference

CODASPY '18

Sponsor:

SIGSAC

CODASPY '18: Eighth ACM Conference on Data and Application Security and Privacy

March 19 - 21, 2018

AZ, Tempe, USA

Acceptance Rates

CODASPY '18 Paper Acceptance Rate 23 of 110 submissions, 21%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

22
Total Citations
View Citations
546
Total Downloads

Downloads (Last 12 months)56
Downloads (Last 6 weeks)4

Reflects downloads up to 01 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Yue QLi JHuang ZXie XYang Q(2024)Vulnerability Assessment and Topology Reconstruction of Task Chains in UAV NetworksElectronics10.3390/electronics1311212613:11(2126)Online publication date: 29-May-2024
https://doi.org/10.3390/electronics13112126
Li JYue QHuang ZXie XYang Q(2024)Vulnerability Analysis of UAV Swarm Network with Emergency TasksElectronics10.3390/electronics1311200513:11(2005)Online publication date: 21-May-2024
https://doi.org/10.3390/electronics13112005
Isogai SOgata SKashiwa YYazawa SOkano KOkubo TWashizaki H(2024)Toward Extracting Learning Pattern: A Comparative Study of GPT-4o-mini and BERT Models in Predicting CVSS Base Vectors2024 IEEE 35th International Symposium on Software Reliability Engineering Workshops (ISSREW)10.1109/ISSREW63542.2024.00067(127-134)Online publication date: 28-Oct-2024
https://doi.org/10.1109/ISSREW63542.2024.00067
Rengarajan AKarpagam G(2024)Enhancing Cybersecurity Resilience with CYBRANA: A Cyber YARA/YAML-Based Resilience Firewall Solution Applied with Next-Gen AI2024 IEEE International Conference on Computer Vision and Machine Intelligence (CVMI)10.1109/CVMI61877.2024.10782249(1-7)Online publication date: 19-Oct-2024
https://doi.org/10.1109/CVMI61877.2024.10782249
Isogai SOgata SKashiwa YYazawa SOkano KOkubo TWashizaki H(2024)Comparison of Methods for Automatically Predicting CVSS Base Vector2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC61105.2024.00140(1029-1034)Online publication date: 2-Jul-2024
https://doi.org/10.1109/COMPSAC61105.2024.00140
Empl PSchlette DStöger LPernul G(2024)Generating ICS vulnerability playbooks with open standardsInternational Journal of Information Security10.1007/s10207-023-00760-523:2(1215-1230)Online publication date: 1-Apr-2024
https://dl.acm.org/doi/10.1007/s10207-023-00760-5
Grümer PBrandão P(2023)Computing an Automotive Cybersecurity Maturity Level Assessment ProgrammeProceedings of the 7th ACM Computer Science in Cars Symposium10.1145/3631204.3631865(1-10)Online publication date: 5-Dec-2023
https://dl.acm.org/doi/10.1145/3631204.3631865
Qin YXiao YLiao XMeng WJensen CCremers CKirda E(2023)Vulnerability Intelligence Alignment via Masked Graph Attention NetworksProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616686(2202-2216)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3616686
Seker EMeng W(2023)XVRS: Extended Vulnerability Risk Scoring based on Threat Intelligence2023 IEEE International Conference on Metaverse Computing, Networking and Applications (MetaCom)10.1109/MetaCom57706.2023.00094(516-523)Online publication date: Jun-2023
https://doi.org/10.1109/MetaCom57706.2023.00094
Reyes JFuertes WArévalo PMacas M(2022)An Environment-Specific Prioritization Model for Information-Security Vulnerabilities Based on Risk Factor AnalysisElectronics10.3390/electronics1109133411:9(1334)Online publication date: 22-Apr-2022
https://doi.org/10.3390/electronics11091334
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

CVSS: Ubiquitous and Broken

Comparing Vulnerability Severity and Exploits Using Case-Control Studies

CVSS Attack Graphs

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations