Browse > Article
http://dx.doi.org/10.22156/CS4SMB.2019.9.8.035

A Study on the Probabilistic Vulnerability Assessment of COTS O/S based I&C System  

Euom, Ieck-Chae (Cyber Security Consulting Team, KEPCO KDN)
Publication Information
Journal of Convergence for Information Technology / v.9, no.8, 2019 , pp. 35-44 More about this Journal
Abstract
The purpose of this study is to find out quantitative vulnerability assessment about COTS(Commercial Off The Shelf) O/S based I&C System. This paper analyzed vulnerability's lifecycle and it's impact. this paper is to develop a quantitative assessment of overall cyber security risks and vulnerabilities I&C System by studying the vulnerability analysis and prediction method. The probabilistic vulnerability assessment method proposed in this study suggests a modeling method that enables setting priority of patches, threshold setting of vulnerable size, and attack path in a commercial OS-based measurement control system that is difficult to patch an immediate vulnerability.
Keywords
Critical Infrastructure; Risk Modeling; Vulnerability Life Cycle; Vulnerability Detection Model; Attack Graph; Markov Model;
Citations & Related Records
Times Cited By KSCI : 2  (Citation Analysis)
연도 인용수 순위
1 S. Roger. (1989). Markov and Markov reward model transient analysis: An overview of numerical approaches. European journal of Operation Research, 40(2). 257-267. DOI : 10.1016/0377-2217(89)90335-4   DOI
2 N. Skku. (2015). Exploitability analysis using predictive cyber security framework. 2015 IEEE 2nd International Conference on Cybernetics. DOI : 10.1109/CYBConf.2015.7175953   DOI
3 J. Y. Kim. (2007). Vulnerability Discovery in Multi version software systems. 10th IEEE High Assurance Systems Engineering Symposium.. DOI : 10.1109/HASE.2007.55   DOI
4 S. Y. Oh. & J. K. Hong. (2018). Vulnerability Case Analysis of Wireless Moving Vehicle. Journal of the Korea convergence society, 9(8), 41-46. DOI : 10.15207/JKCS.2018.9.8.041   DOI
5 J. K. Cho. (2019). Study on Improvement of Vulnerability Diagnosis Items for PC Security Enhancement. Journal of Convergence for information Technology, 9(3), 1-7. DOI : 10.22156/CS4SMB.2019.9.3.001   DOI
6 Recommended Practice for Patch Management of Control Systems. (2008). Department of Homeland Security. (pp. 23-24).
7 L. S. IS. (2018). Digital I&C System Diagram. LS IS Product. http://www.lsis.com/ko/product/view/P01211
8 Pubudu et al. (2018). Non-Homogeneous Stochastic Model for Cyber Security Predictions. The Journal of Information Security. (pp. 12-24). DOI : 10.15207/JKCS.2018.9.8.041
9 S. M. Rajasooriya & C. P. Tsokos. (2017). Cybersecurity: Nonlinear Stochastic models for Predicting the Exploitability. The Journal of information Security. (pp. 125-140). DOI : 10.4236/jis.2017.82009   DOI
10 Karen Scarfone. (2009). An analysis of CVSS version 2 vulnerability scoring. ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement. (pp. 516-525). DOI : 10.1109/ESEM.2009.5314220   DOI
11 P. Ammann. (2002). Scalable, graph-based network vulnerability analysis. Proceedings of the 9th ACM conference on Computer and communications security. (pp. 217-224). DOI : 10.1145/586110.586140   DOI
12 S. Jah. (2002). Two formal analyses of attack graphs. The Proceedings 15th IEEE Computer Security Foundations Workshop. DOI : 10.1109/CSFW.2002.1021806   DOI
13 S. Abraham. & S. Nair. (2014). Cyber Security Analytics: A Stochastic Model for Security Quantification Using Absorbing Markov Chains. Journal of Communications, 9(12), 899-907. DOI : 10.12720/jcm.9.12.899-907   DOI
14 A. Reibman & K. Trivedi. (1998). Numerical transient analysis of markov models. Computer & Operations Research, 15(1), 19-36. DOI : 10.1016/0305-0548(88)90026-3   DOI
15 G. Laurent. (2011). Vulnerability Discrimination Using CVSS Framework. 2011 4th IFIP International Conference on New Technologies, Mobility and Security. DOI : 10.1109/NTMS.2011.5720656   DOI
16 B. A. Craig. (2002). Estimation of the transition matrix of a discrete time Markov chain. Health Economics, 11(1), 33-42. DOI : 10.1002/hec.654   DOI
17 S. Swapna. (2004). Analysis of Software Fault Removal Policies Using a Non-Homogeneous Continuous Time Markov Chain. Software Quality Journal, 12(3). (pp. 211-230). DOI : 10.1023/B:SQJO.0000034709.63615.8b   DOI
18 A. Andan & S. Munmad. (2005). Verifying continuous time Markov chains. International Conference on Computer Aided Verification. (pp. 269-276). DOI : 10.1007/3-540-61474-5_75   DOI