DocumentCode :
1257985
Title :
Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks
Author :
Holm, Hannes ; Ekstedt, Mathias ; Andersson, Dennis
Author_Institution :
Dept. of Ind. Inf. & Control Syst., R. Inst. of Technol., Stockholm, Sweden
Volume :
9
Issue :
6
fYear :
2012
Firstpage :
825
Lastpage :
837
Abstract :
The Common Vulnerability Scoring System (CVSS) is a widely used and well-established standard for classifying the severity of security vulnerabilities. For instance, all vulnerabilities in the US National Vulnerability Database (NVD) are scored according to this method. As computer systems typically have multiple vulnerabilities, it is often desirable to aggregate the score of individual vulnerabilities to a system level. Several such metrics have been proposed, but their quality has not been studied. This paper presents a statistical analysis of how 18 security estimation metrics based on CVSS data correlate with the time-to-compromise of 34 successful attacks. The empirical data originates from an international cyber defense exercise involving over 100 participants and were collected by studying network traffic logs, attacker logs, observer logs, and network vulnerabilities. The results suggest that security modeling with CVSS data alone does not accurately portray the time-to-compromise of a system. However, results also show that metrics employing more CVSS data are more correlated with time-to-compromise. As a consequence, models that only use the weakest link (most severe vulnerability) to compose a metric are less promising than those that consider all vulnerabilities.
Keywords :
security of data; statistical analysis; CVSS data; NVD; US National Vulnerability Database; attacker logs; common vulnerability scoring system; computer systems; empirical analysis; international cyber defense exercise; network traffic logs; network vulnerabilities; observer logs; security vulnerabilities; statistical analysis; system-level vulnerability metrics; time-to-compromise; Authorization; Computational modeling; Computer crime; Mathematical model; Network security; Risk management; Telecommunication network management; Network-level security and protection; network management; phreaking); risk management; unauthorized access (hacking;
fLanguage :
English
Journal_Title :
Dependable and Secure Computing, IEEE Transactions on
Publisher :
ieee
ISSN :
1545-5971
Type :
jour
DOI :
10.1109/TDSC.2012.66
Filename :
6259801
Link To Document :
بازگشت