http://dx.doi.org/10.13089/JKIISC.2018.28.6.1449

Risk Scoring System for Software Vulnerability Using Public Vulnerability Information

Kim, Min Cheol (Graduate School of Information Security, Korea University)
Oh, Sejoon (Graduate School of Information Security, Korea University)
Kang, Hyunjae (Graduate School of Information Security, Korea University)
Kim, Jinsoo (Agency for Defense Development)
Kim, Huy Kang (Graduate School of Information Security, Korea University)
Abstract
As the number of software vulnerabilities grows year by year, attacks on software are also increasing. As a result, security administrators must identify and patch vulnerabilities in their software. However, since patching every vulnerability is realistically infeasible, it is important to prioritize the patches. In this paper, we propose a scoring system that expands the scale of the risk assessment metric by taking into consideration the attack patterns and weaknesses that cause vulnerabilities, using the vulnerability information provided by NIST (National Institute of Standards and Technology). The proposed scoring system is an extension of CWSS and uses only public vulnerability information, so that any company can adopt it easily. In this paper, we applied the automated scoring system to software vulnerabilities and showed that the expanded metrics, which account for the influence of attack patterns and weaknesses, are meaningful.
Keywords
scoring system; risk based prioritization; CVE; CWE; CVSS