SecScore: Enhancing the CVSS Threat Metric Group with Empirical Evidences (2405.08539v1)

Published 14 May 2024 in cs.CR

Abstract: Background: Timely prioritisation and remediation of vulnerabilities are paramount in the dynamic cybersecurity field, yet one of the most widely used vulnerability scoring systems, CVSS, does not account for the likelihood of exploit code emerging over time. Aims: We present SecScore, a vulnerability severity score that enhances the CVSS Threat metric group with statistical models built from empirical evidence of real-world exploit code. Method: SecScore adjusts the traditional CVSS score using an explainable, empirically grounded method that captures the dynamics of exploit code development more accurately and promptly. Results: Our approach integrates seamlessly into the assessment/prioritisation stage of several vulnerability management processes, improving the effectiveness of prioritisation and supporting timely remediation. We provide real-world statistical analysis and models for a wide range of vulnerability types and platforms, demonstrating that SecScore adapts to the vulnerability's profile. Comprehensive experiments validate the value and timeliness of SecScore in vulnerability prioritisation. Conclusions: SecScore advances vulnerability metrics theory and enhances organisational cybersecurity with practical insights.
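To make the idea of a time-aware, exploit-evidence-driven adjustment concrete, the following Python block is an added illustration and is not SecScore's model or code from the paper. It uses an empirical CDF of disclosure-to-exploit delays as a stand-in for the statistical models the paper fits, a hypothetical `floor` parameter for the weight given to a vulnerability with no expected exploit, and a constructed delay sample and constructed findings (labelled A, B, C; not real CVEs). What it shows is the mechanism the abstract describes: a base score is rescaled by the probability that exploit code exists by a given day, so a lower-base vulnerability with known exploit code can outrank a critical one for which no exploit is yet likely.

```python
"""Time-dependent exploit-likelihood adjustment of a CVSS base score.

Added illustration of the concept, not the SecScore model. The delay sample,
the findings and the `floor` parameter are all constructed/hypothetical.
"""
from bisect import bisect_right

# Constructed sample (not real data): days from vulnerability disclosure to
# the first public exploit code, for one hypothetical vulnerability class.
SAMPLE_EXPLOIT_DELAYS_DAYS = [0, 0, 1, 2, 3, 5, 7, 10, 14, 21, 30, 45, 60, 90, 180, 365]

# Constructed findings: (label, CVSS base score, days since disclosure, exploit already observed?)
SAMPLE_FINDINGS = [
    ("A", 9.8, 0, False),   # critical, disclosed today, no exploit seen yet
    ("B", 7.5, 30, True),   # high, public exploit already available
    ("C", 6.0, 30, False),  # medium, a month old, no exploit seen yet
]


def empirical_cdf(delays, t_days):
    """Fraction of observed exploits that appeared within t_days of disclosure."""
    if not delays:
        raise ValueError("need at least one observed delay")
    ordered = sorted(delays)
    return bisect_right(ordered, t_days) / len(ordered)


def exploit_probability(delays, t_days, exploit_known=False):
    """Probability that exploit code exists by day t_days.

    Direct evidence (an observed exploit) overrides the statistical estimate;
    otherwise fall back to the empirical CDF of the historical delays.
    """
    if exploit_known:
        return 1.0
    return empirical_cdf(delays, t_days)


def adjusted_score(base_score, p_exploit, floor=0.5):
    """Rescale a CVSS base score by exploit probability (hypothetical formula).

    The result lies between floor*base_score (p_exploit == 0) and base_score
    (p_exploit == 1), rounded to one decimal like a CVSS score.
    """
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be in [0, 10]")
    if not 0.0 <= p_exploit <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if not 0.0 <= floor <= 1.0:
        raise ValueError("floor must be in [0, 1]")
    return round(base_score * (floor + (1.0 - floor) * p_exploit), 1)


def prioritise(findings, delays, floor=0.5):
    """Rank findings by adjusted score, highest first.

    Returns a list of (label, adjusted_score, p_exploit) tuples.
    """
    ranked = []
    for label, base, days, known in findings:
        p = exploit_probability(delays, days, exploit_known=known)
        ranked.append((label, adjusted_score(base, p, floor), p))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for label, score, p in prioritise(SAMPLE_FINDINGS, SAMPLE_EXPLOIT_DELAYS_DAYS):
        print(f"{label}: adjusted={score:4.1f}  p_exploit={p:.3f}")
```

With the constructed sample, finding B (base 7.5, exploit known) ranks above finding A (base 9.8, disclosed today, only 12.5% of historical exploits appeared on day 0), which is the kind of reordering a threat-aware score produces; as A ages without a patch, its probability and adjusted score rise along the CDF. A real deployment would replace the flat CDF with per-class fitted models and re-evaluate scores as time passes and new exploit evidence arrives.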

Authors (3)
  1. Miguel Santana (1 paper)
  2. Vinicius V. Cogo (3 papers)
  3. Alan Oliveira de Sá (3 papers)
Citations (1)

