Advertisement

A Novel Improved System Based on CVSS

  • Wen TaoEmail author
  • Zhang Yuqing
  • Zhang Bo
  • Lei Jing
  • Yang Yunxiang
  • Guo Jing
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 517)

Abstract

CVSS is one of the most representative quantitative assessment algorithms for security vulnerabilities. The calculated values of vulnerability harm according to the given index and formula. However, there is still insufficient objectivity of CVSS. Expert System is a kind of expert system for vulnerabilities; the severity of vulnerability can be assessed by experts based on the Expert System. The objectivity of Expert System and CVSS is analyzed, and CVSS is revised based on Expert System. The relationship between the above systems and the CWE, and between above systems and Product is analyzed, respectively, in the process. A new way of using Expert System is put forward based on CWE, namely, CWE Cycle Sorting Algorithm, in order to sort the average of vulnerability severity. Meanwhile, CWE Sort Factor is put forward based on CWE Cycle Sorting Algorithm to modify CVSS. The result is closer to the Expert System in terms of objectivity.

Keywords

CVSS vulnerability Vulnerability assessment Expert System CSA CSF 

Notes

Acknowledgements

This paper is supported by Beijing NOVA Program (Z181100006218041); the National Key R&D Program of China (2016YFB0800700), the National Natural Science Foundation of China (61572460, 61272481), the Open Project Program of the State Key Laboratory of Information Security (2017-ZD-01), the National Information Security Special Projects of National Development and Reform Commission of China [(2012)1424], and China 111 Project (B16037).

References

  1. 1.
    CVSS, Common Vulnerability Scoring System. http://nvd.nist.gov/cvss.cfm[EB/OL]. (2014-08-01) [2015-08-01]
  2. 2.
    NVD, National Vulnerability Database. http://nvd.nist.gov[EB/OL]. (2014-08-01) [2015-08-01]
  3. 3.
    Wang, L.Y., Jajodia, S., Singhal, A., et al.: K-zero day safety a network security metric for measuring the risk of unknown vulnerabilities. IEEE Trans. Dependable Secure Comput. 11(1), 30–44 (2013)CrossRefGoogle Scholar
  4. 4.
    Holm, H., Ekstedt, M., Andersson, D.: Empirical analysis of system-level vulnerability metrics through actual attacks. IEEE Trans. Dependable Secure Comput. 9(6), 825–837 (2012)CrossRefGoogle Scholar
  5. 5.
    CWE, Common Weakness Enumeration. http://cwe.mitre.org/[EB/OL]. 2015-08-01

Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Wen Tao
    • 1
    Email author
  • Zhang Yuqing
    • 2
    • 3
  • Zhang Bo
    • 1
  • Lei Jing
    • 1
  • Yang Yunxiang
    • 1
  • Guo Jing
    • 1
  1. 1.China Academy of Electronics and Information TechnologyBeijingChina
  2. 2.State Key Laboratory of Integrated Services NetworksXidian UniversityXi’anChina
  3. 3.National Computer Network Intrusion Protection CenterUniversity of Chinese Academy of SciencesBeijingChina

Personalised recommendations