Improving VRSS-based vulnerability prioritization using analytic hierarchy process

Authors:
Qixu Liu;Yuqing Zhang;Ying Kong;Qianru Wu
Affiliations:
National Computer Network Intrusion Protection Center, GUCAS, Beijing 100049, PR China and School of Information Science and Engineering, GUCAS, Beijing 100190, PR China;National Computer Network Intrusion Protection Center, GUCAS, Beijing 100049, PR China and School of Information Science and Engineering, GUCAS, Beijing 100190, PR China;National Computer Network Intrusion Protection Center, GUCAS, Beijing 100049, PR China and School of Information Science and Engineering, GUCAS, Beijing 100190, PR China;National Computer Network Intrusion Protection Center, GUCAS, Beijing 100049, PR China and School of Information Science and Engineering, GUCAS, Beijing 100190, PR China
Venue:
Journal of Systems and Software
Year:
2012

Citing 11
Cited 2

Common Vulnerability Scoring System

IEEE Security and Privacy
An Attack Graph-Based Probabilistic Security Metric

Proceeedings of the 22nd annual IFIP WG 11.3 working conference on Data and Applications Security
Measuring network security using dynamic bayesian network

Proceedings of the 4th ACM workshop on Quality of protection
PCChecker: Harding Windows Security Configurations

ICCIT '08 Proceedings of the 2008 Third International Conference on Convergence and Hybrid Information Technology - Volume 02
A Study and Implementation of Vulnerability Assessment and Misconfiguration Detection

APSCC '08 Proceedings of the 2008 IEEE Asia-Pacific Services Computing Conference
An AHP-based methodology to rank critical success factors of executive information systems

Computer Standards & Interfaces
Improving CVSS-based vulnerability prioritization and response with context information

ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
An analysis of CVSS version 2 vulnerability scoring

ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Vulnerability analysis for a quantitative security evaluation

ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Quantifying security risk level from CVSS estimates of frequency and impact

Journal of Systems and Software
VRSS: A new system for rating and scoring vulnerabilities

Computer Communications

WIVSS: a new methodology for scoring information systems vulnerabilities

Proceedings of the 17th Panhellenic Conference on Informatics
A novel approach to evaluate software vulnerability prioritization

Journal of Systems and Software

Quantified Score

Hi-index	0.00

Visualization

Abstract

The number of vulnerabilities discovered in computer systems has increased explosively. Thus, a key question for system administrators is which vulnerabilities to prioritize. The need for vulnerability prioritization in organizations is widely recognized. The significant role of the vulnerability evaluation system is to separate vulnerabilities from each other as far as possible. There are two major methods to assess the severity of vulnerabilities: qualitative and quantitative methods. In this paper, we first describe the design space of vulnerability evaluation methodology and discuss the measures of well-defined evaluation framework. We analyze 11,395 CVE vulnerabilities to expose the differences among three current vulnerability evaluation systems (X-Force, CVSS and VRSS). We find that vulnerabilities are not separated from each other as much as possible. In order to increase the diversity of the results, we firstly enable vulnerability type to prioritize vulnerabilities using analytic hierarchy process on the basis of VRSS. We quantitatively characterize the vulnerability type and apply the method on the set of 11,395 CVE vulnerabilities. The results show that the quality of the quantitative scores can be improved with the help of vulnerability type.