Abstract
In this work, we present a fuzzy systems approach for assessing the relative potential risk to computer network assets that are exposed to attack through their vulnerabilities. We use this approach to rank vulnerabilities so that analysts can prioritize their work according to the risk exposure of the affected assets and networks. We associate each vulnerability with the individual assets it affects, and therefore with their networks, and develop fuzzy models of the vulnerability attributes. Fuzzy rules are then used to infer the risk exposure and the likelihood of attack, which lets us rank the vulnerabilities and show which ones need the most immediate attention. We argue that our approach yields more meaningful vulnerability prioritization values than the severity level calculated by the popular Common Vulnerability Scoring System (CVSS), which scores a vulnerability in isolation from the assets it sits on.
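The abstract describes the mechanism only in outline: fuzzify the vulnerability attributes, fire a rule base, defuzzify to a risk value, and rank. The example below is an added illustration of that general mechanism in Python and is not the paper's model: the two input attributes (`exploitability` and `asset_criticality`, both on a 0 to 10 scale), the trapezoidal membership functions, the nine rules, the five output levels and the constructed sample vulnerabilities are all assumptions chosen to keep the arithmetic checkable by hand. AND is the min t-norm, rules with the same consequent are combined by max, and the output is defuzzified with the weighted average of representative values (the height method) rather than a full Mamdani centroid, so the result is easy to verify.

```python
"""Toy fuzzy-rule risk ranking of vulnerabilities (added illustration, not the paper's model)."""
from typing import Dict, List, Tuple


def trap(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership degree of x: core [b, c], support (a, d).

    Setting a == b (or c == d) gives a shoulder that stays at 1.0 to the scale end.
    """
    if b <= x <= c:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if c < x < d:
        return (d - x) / (d - c)
    return 0.0


# Assumed linguistic terms for both input attributes on a 0..10 scale.
TERMS: Dict[str, Tuple[float, float, float, float]] = {
    "low": (0.0, 0.0, 2.0, 5.0),
    "medium": (2.0, 5.0, 5.0, 8.0),
    "high": (5.0, 8.0, 10.0, 10.0),
}

# Assumed representative risk value for each output term (used for
# weighted-average defuzzification).
RISK_LEVELS: Dict[str, float] = {
    "very_low": 1.0, "low": 2.5, "medium": 5.0, "high": 7.5, "very_high": 9.0,
}

# Assumed rule base: (exploitability term, asset criticality term) -> risk term.
RULES: Dict[Tuple[str, str], str] = {
    ("high", "high"): "very_high", ("high", "medium"): "high", ("high", "low"): "medium",
    ("medium", "high"): "high", ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium", ("low", "medium"): "low", ("low", "low"): "very_low",
}


def fuzzify(x: float) -> Dict[str, float]:
    """Membership of x (clamped to 0..10) in every input term."""
    x = max(0.0, min(10.0, x))
    return {term: trap(x, *params) for term, params in TERMS.items()}


def fuzzy_risk(exploitability: float, asset_criticality: float) -> float:
    """Infer a crisp risk value in [1, 9] from the two fuzzified inputs."""
    e = fuzzify(exploitability)
    c = fuzzify(asset_criticality)
    strength = {level: 0.0 for level in RISK_LEVELS}
    for (e_term, c_term), risk_term in RULES.items():
        firing = min(e[e_term], c[c_term])                      # AND: min t-norm
        strength[risk_term] = max(strength[risk_term], firing)  # same consequent: max
    total = sum(strength.values())
    if total == 0.0:
        # Cannot happen with terms that cover the whole scale, but fail loudly if it does.
        raise ValueError("no rule fired")
    return sum(strength[t] * RISK_LEVELS[t] for t in RISK_LEVELS) / total


# Constructed sample data, not taken from the paper or from NVD.
SAMPLE_VULNS: List[Dict[str, object]] = [
    {"id": "V-A", "exploitability": 9.0, "asset_criticality": 2.0},   # easy, but on a throwaway box
    {"id": "V-B", "exploitability": 6.0, "asset_criticality": 9.0},
    {"id": "V-C", "exploitability": 3.5, "asset_criticality": 10.0},
    {"id": "V-D", "exploitability": 10.0, "asset_criticality": 10.0},
]


def rank_vulnerabilities(vulns: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Attach the inferred risk to each vulnerability and sort highest risk first."""
    scored = [dict(v, risk=fuzzy_risk(float(v["exploitability"]), float(v["asset_criticality"])))
              for v in vulns]
    return sorted(scored, key=lambda v: float(v["risk"]), reverse=True)


if __name__ == "__main__":
    for v in rank_vulnerabilities(SAMPLE_VULNS):
        print(f'{v["id"]}: risk={v["risk"]:.2f}')
```

Note how V-A, the most exploitable item in the constructed sample, ranks last because the asset it affects carries little value, whereas V-C on a critical asset outranks it despite being hard to exploit; a pure per-vulnerability severity score would order these the other way round, which is the point of attaching vulnerabilities to assets before ranking.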
References
Anderson, K.E.: Intelligence-based threat assessments for information networks and infrastructures: A white paper. Global Technology Research, Inc. (1998)
Chen, S., Chen, S.: Fuzzy risk analysis based on similarity measures of generalized fuzzy numbers. IEEE Transactions on Fuzzy Systems 11(1), 45–56 (2003)
Dondo, M.: A fuzzy risk calculations approach for a network vulnerability ranking system (2007)
FEMA: Asset value, threat/hazard, vulnerability and risk. URL http://www.fema.gov/pdf/fima/426/fema426_ch1.pdf
Zimmerman, H.-J.: Fuzzy Sets, Decision Making and Expert Systems. Kluwer Academic Publishers (1987)
Isograph: FaultTree+ - Event Tree Analysis (2005). URL http://www.isograph-software.com/ftpovereta.htm
Mosleh, A., Hilton, E.R., Browne, P.S.: Bayesian probabilistic risk analysis. ACM SIGMETRICS–Performance Evaluation Review 13(1), 5–12 (1985)
Ng, G.W., Ng, K.H., Yang, R., Foo, P.H.: Intent inference for attack aircraft through fusion. In: B.V. Dasarathy (ed.) Proceedings of SPIE, vol. 6242–06. Orlando, FL (2006)
NVD: National Vulnerability Database. URL http://nvd.nist.gov
Pfleeger, C.P.: Security in Computing, 2nd edn. Prentice Hall PTR, Upper Saddle River, NJ (1997)
Schiffman, M.: The Common Vulnerability Scoring System (CVSS). URL http://www.first.org/cvss/cvss-guide.html
Shah, S.: Measuring operational risk using fuzzy logic modeling. URL http://www.irmi.com/Expert/Articles/2003/Shah09.aspx
Symantec Enterprise Security: Symantec Internet Security Threat Report: Trends for July 05 to December 05. Symantec Enterprise Security IX, 1–106 (2006)
© 2008 IFIP International Federation for Information Processing
Cite this paper
Dondo, M.G. (2008). A Vulnerability Prioritization System Using A Fuzzy Risk Analysis Approach. In: Jajodia, S., Samarati, P., Cimato, S. (eds) Proceedings of The Ifip Tc 11 23rd International Information Security Conference. SEC 2008. IFIP – The International Federation for Information Processing, vol 278. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09699-5_34
DOI: https://doi.org/10.1007/978-0-387-09699-5_34
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09698-8
Online ISBN: 978-0-387-09699-5