Title: Estimating risk levels for vulnerability categories using CVSS

Authors: Anshu Tripathi; Umesh Kumar Singh

Addresses: Department of Information Technology, Mahakal Institute of Technology, Behind Air Strip, Dewas Road, Ujjain-456010, Madhya Pradesh, India; Institute of Computer Science, Vikram University, Ujjain-456010, Madhya Pradesh, India

Abstract: Objective and automated means of security measurement are becoming essential for security management. The security level of any system can be measured in terms of the risk level posed by the vulnerabilities present in it. The process can be further improved if well-classified vulnerability datasets are used: with classified vulnerability data, multiple vulnerabilities of the same genre can be addressed simultaneously, which in turn increases the objectivity and scope of security management. In this paper, we propose an approach to measure the severity level of vulnerability categories and develop metrics to estimate the risk levels of vulnerability categories. The proposed approach re-evaluates and unifies the risk levels of the vulnerabilities present in a vulnerability category, based on vulnerability characteristics, vulnerability population, availability of patches and age of vulnerability, to estimate the risk level of the category. The developed metrics are applied to the real vulnerability data repository maintained by NVD, and risk levels are estimated for the 23 vulnerability categories under which NVD classifies vulnerability data.
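The abstract names four inputs that are combined into a per-category risk level (CVSS-based severity, category population, patch availability and vulnerability age) but does not give the paper's formulas. The following is an added illustration, not the authors' metrics or NVD code: it aggregates constructed vulnerability records into a category score and maps that score to a Low/Medium/High level. The records, the category names, the weighting functions `age_weight`, `patch_weight` and the population factor in `category_risk`, and the level thresholds in `risk_level` are all assumptions chosen for the example; the paper's actual weights and thresholds are not on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Constructed reference date so the example is deterministic (assumption).
REFERENCE_DATE = date(2012, 1, 1)


@dataclass(frozen=True)
class Vuln:
    cve_id: str       # placeholder identifier, not a real CVE record
    category: str     # NVD-style category name (illustrative)
    cvss_base: float  # CVSS base score, 0.0 to 10.0
    published: date   # publication date, used to derive vulnerability age
    patched: bool     # whether a vendor patch is available


# Constructed sample records; none of these are taken from NVD.
SAMPLE = [
    Vuln("CVE-XXXX-0001", "SQL Injection", 7.5, date(2011, 1, 1), False),
    Vuln("CVE-XXXX-0002", "SQL Injection", 6.8, date(2011, 7, 1), True),
    Vuln("CVE-XXXX-0003", "SQL Injection", 9.0, date(2011, 10, 1), False),
    Vuln("CVE-XXXX-0004", "Cross-Site Scripting", 4.3, date(2011, 1, 1), True),
    Vuln("CVE-XXXX-0005", "Cross-Site Scripting", 4.3, date(2011, 12, 1), True),
    Vuln("CVE-XXXX-0006", "Buffer Errors", 10.0, date(2010, 1, 1), False),
]


def age_weight(v: Vuln, today: date = REFERENCE_DATE) -> float:
    """Assumed age factor: ramps from 0.5 at publication to 1.0 at one year.

    The rationale is that a vulnerability that has been public longer is
    better understood and more widely known, so its weight in the category
    estimate grows until it saturates after a year.
    """
    days = max((today - v.published).days, 0)
    return 0.5 + 0.5 * min(days / 365.0, 1.0)


def patch_weight(v: Vuln) -> float:
    """Assumed patch factor: an available patch halves the residual weight."""
    return 0.5 if v.patched else 1.0


def vuln_risk(v: Vuln, today: date = REFERENCE_DATE) -> float:
    """Re-evaluated per-vulnerability risk on a 0..1 scale."""
    return (v.cvss_base / 10.0) * patch_weight(v) * age_weight(v, today)


def category_risk(vulns, today: date = REFERENCE_DATE) -> dict:
    """Unify per-vulnerability risks into one score per category.

    The population factor (assumed) scales the mean re-evaluated risk by the
    category's share of the largest category: 0.5 for a single-entry category
    up to 1.0 for the most populous one.
    """
    by_cat = defaultdict(list)
    for v in vulns:
        by_cat[v.category].append(v)
    max_n = max(len(vs) for vs in by_cat.values())
    scores = {}
    for cat, vs in by_cat.items():
        population = 0.5 + 0.5 * len(vs) / max_n
        scores[cat] = mean(vuln_risk(v, today) for v in vs) * population
    return scores


def risk_level(score: float) -> str:
    """Map a 0..1 category score to a qualitative level (thresholds assumed)."""
    if score >= 0.6:
        return "High"
    if score >= 0.3:
        return "Medium"
    return "Low"


def estimate_levels(vulns, today: date = REFERENCE_DATE) -> dict:
    """Return {category: (score, level)} for the given vulnerability records."""
    return {cat: (s, risk_level(s)) for cat, s in category_risk(vulns, today).items()}


if __name__ == "__main__":
    for cat, (score, level) in sorted(estimate_levels(SAMPLE).items()):
        print(f"{cat:<24} score={score:.3f} level={level}")
```

With the constructed records the three categories land in three different bands: the single unpatched, two-year-old buffer error scores High, the three SQL injection entries average out to Medium, and the two patched, low-CVSS XSS entries score Low. The point of the worked example is the shape of the computation: a per-vulnerability re-evaluation (severity discounted by patch availability and age) followed by a category-level unification that also accounts for how many vulnerabilities fall into the category.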

Keywords: CVSS score; vulnerability categories; risk levels; security measurement; security management; vulnerabilities.

DOI: 10.1504/IJITST.2012.054059

International Journal of Internet Technology and Secured Transactions, 2012 Vol.4 No.4, pp.272 - 289

Received: 01 Apr 2012
Accepted: 07 Oct 2012

Published online: 09 Aug 2014
