Title: Estimating risk levels for vulnerability categories using CVSS
Authors: Anshu Tripathi; Umesh Kumar Singh
Addresses: Department of Information Technology, Mahakal Institute of Technology, Behind Air Strip, Dewas Road, Ujjain-456010, Madhya Pradesh, India; Institute of Computer Science, Vikram University, Ujjain-456010, Madhya Pradesh, India
Abstract: Objective and automated means of security measurement are becoming essential for security management. The security level of any system can be measured in terms of the risk level posed by the presence of vulnerabilities in it. The process can be further improved if well-classified vulnerability datasets are used. With classified vulnerability data, multiple vulnerabilities of the same genre can be addressed simultaneously, which in turn increases the objectivity and scope of security management. In this paper, we propose an approach to measure the severity level of vulnerability categories and develop metrics to estimate the risk levels of vulnerability categories. The proposed approach re-evaluates and unifies the risk levels of the vulnerabilities present in a vulnerability category, based on vulnerability characteristics, vulnerability population, availability of patches and age of vulnerability, to estimate the risk level of the category. The developed metrics are applied to the real vulnerability data repository maintained by NVD, and risk levels are estimated for the 23 vulnerability categories under which NVD classifies vulnerability data.
Keywords: CVSS score; vulnerability categories; risk levels; security measurement; security management; vulnerabilities.
DOI: 10.1504/IJITST.2012.054059
International Journal of Internet Technology and Secured Transactions, 2012 Vol.4 No.4, pp.272 - 289
Received: 01 Apr 2012
Accepted: 07 Oct 2012
Published online: 09 Aug 2014