Estimating risk levels for vulnerability categories using CVSS

Authors:
Anshu Tripathi;Umesh Kumar Singh
Affiliations:
Department of Information Technology, Mahakal Institute of Technology, Behind Air Strip, Dewas Road, Ujjain-456010, Madhya Pradesh, India;Institute of Computer Science, Vikram University, Ujjain-456010, Madhya Pradesh, India
Venue:
International Journal of Internet Technology and Secured Transactions
Year:
2012

Citing 8
Cited 1

Vulnerability analysis For evaluating quality of protection of security policies

Proceedings of the 2nd ACM workshop on Quality of protection
Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Window

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Open source vs. closed source software: towards measuring security

Proceedings of the 2009 ACM symposium on Applied Computing
On a Classification Approach for SOA Vulnerabilities

COMPSAC '09 Proceedings of the 2009 33rd Annual IEEE International Computer Software and Applications Conference - Volume 02
Ranking Attacks Based on Vulnerability Analysis

HICSS '10 Proceedings of the 2010 43rd Hawaii International Conference on System Sciences
An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

Information Systems Research
A Categorization Framework for Common Computer Vulnerabilities and Exposures

The Computer Journal
A comparison of software design security metrics

Proceedings of the Fourth European Conference on Software Architecture: Companion Volume

A model for quantitative security measurement and prioritisation of vulnerability mitigation

International Journal of Security and Networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

Objective and automated means for security measurement are becoming essential for security management. The security level of any system can be measured in terms of risk level posed by the presence of vulnerabilities in it. The process can be further improved, if well classified vulnerability datasets are used. With classified vulnerability data, multiple vulnerabilities of same genre can be addressed simultaneously that in turn increases objectivity and scope of security management. In this paper, we proposed an approach to measure severity level of vulnerability categories and develop metrics to estimate risk levels of vulnerability categories. The proposed approach re-evaluate and unify risk levels of vulnerabilities present in a vulnerability category based on vulnerability characteristics, vulnerability population, availability of patches and age of vulnerability to estimate risk level of category. Developed metrics are applied on real vulnerability data repository by NVD and risk levels estimated for 23 vulnerability categories under which NVD classify vulnerability data.