ABSTRACT
Vulnerability exploitation is reportedly one of the main attack vectors against computer systems. Yet, most vulnerabilities remain unexploited by attackers. It is therefore of central importance to identify vulnerabilities that carry a high 'potential for attack'. In this paper we rely on Symantec data on real attacks detected in the wild to identify a trade-off between the Impact and the Complexity of a vulnerability in terms of the attacks it generates; exploiting this effect, we devise a readily computable estimator of the vulnerability's Attack Potential that reliably estimates the expected volume of attacks against the vulnerability. We evaluate our estimator's performance against standard patching policies by measuring foiled attacks and the required workload, expressed as the number of vulnerabilities that must be patched. We show that our estimator significantly improves over standard patching policies by ruling out low-risk vulnerabilities while maintaining the same level of coverage against attacks in the wild. Our estimator can be used as a first aid for vulnerability prioritisation, focusing assessment efforts on high-potential vulnerabilities.
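The abstract evaluates a prioritisation policy along two axes: the share of observed attacks it foils and the workload it demands (how many vulnerabilities it asks you to patch). The following Python is an added example, not code or data from the paper: it implements that evaluation for any scoring policy over a small constructed vulnerability set. The `attacks` counts, CVE identifiers and the `placeholder_score` function are all made up for illustration; the placeholder is a stand-in for a ranking function and is not the Attack Potential estimator the paper proposes.

```python
"""Compare vulnerability patching policies by foiled attacks and workload.

All records below are constructed for illustration (not Symantec data);
CVE-style identifiers are placeholders. placeholder_score is a hypothetical
ranking function, not the paper's Attack Potential estimator.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str             # placeholder identifier (constructed)
    cvss: float          # CVSS v2 base score
    impact: float        # CVSS impact subscore
    exploitability: float  # CVSS exploitability subscore
    attacks: int         # attacks observed in the wild (constructed)


# Constructed sample: some high-impact vulnerabilities attract no attacks,
# while some mid-severity ones do, which is the trade-off a pure
# CVSS threshold cannot see.
SAMPLE: List[Vuln] = [
    Vuln("CVE-XXXX-0001", 10.0, 10.0, 10.0, 500),
    Vuln("CVE-XXXX-0002", 9.3, 10.0, 8.6, 300),
    Vuln("CVE-XXXX-0003", 7.5, 6.4, 10.0, 120),
    Vuln("CVE-XXXX-0004", 7.2, 10.0, 3.9, 0),
    Vuln("CVE-XXXX-0005", 6.8, 6.4, 8.6, 40),
    Vuln("CVE-XXXX-0006", 5.0, 2.9, 10.0, 0),
    Vuln("CVE-XXXX-0007", 4.3, 2.9, 8.6, 0),
    Vuln("CVE-XXXX-0008", 2.1, 2.9, 3.9, 0),
]


def evaluate(patched: Iterable[Vuln], universe: List[Vuln]) -> Tuple[float, int]:
    """Return (coverage, workload) for a patch set.

    coverage = attacks against patched vulnerabilities / all observed attacks
    workload = number of distinct vulnerabilities the policy patches
    """
    patched_ids = {v.cve for v in patched}
    total = sum(v.attacks for v in universe)
    foiled = sum(v.attacks for v in universe if v.cve in patched_ids)
    coverage = foiled / total if total else 0.0
    return coverage, len(patched_ids)


def cvss_threshold_policy(vulns: List[Vuln], threshold: float) -> List[Vuln]:
    """Standard policy: patch everything at or above a CVSS base score."""
    return [v for v in vulns if v.cvss >= threshold]


def ranked_policy(vulns: List[Vuln], score: Callable[[Vuln], float], top_k: int) -> List[Vuln]:
    """Score-driven policy: patch the top_k vulnerabilities by a ranking function."""
    return sorted(vulns, key=score, reverse=True)[:top_k]


def workload_for_coverage(vulns: List[Vuln], score: Callable[[Vuln], float], target: float) -> int:
    """Smallest number of top-ranked vulnerabilities whose patching reaches target coverage.

    Returns len(vulns) if the target is never reached.
    """
    total = sum(v.attacks for v in vulns)
    foiled = 0
    for k, v in enumerate(sorted(vulns, key=score, reverse=True), start=1):
        foiled += v.attacks
        if total and foiled / total >= target:
            return k
    return len(vulns)


def placeholder_score(v: Vuln) -> float:
    """Hypothetical ranking function (assumption, not the paper's estimator)."""
    return v.impact * v.exploitability


if __name__ == "__main__":
    for name, patched in [
        ("CVSS >= 4.0", cvss_threshold_policy(SAMPLE, 4.0)),
        ("CVSS >= 7.0", cvss_threshold_policy(SAMPLE, 7.0)),
        ("top-4 by placeholder score", ranked_policy(SAMPLE, placeholder_score, 4)),
    ]:
        cov, work = evaluate(patched, SAMPLE)
        print(f"{name:28s} coverage={cov:.3f} workload={work}")
    print("vulns to patch for full coverage, ranked by CVSS:",
          workload_for_coverage(SAMPLE, lambda v: v.cvss, 1.0))
    print("vulns to patch for full coverage, ranked by placeholder:",
          workload_for_coverage(SAMPLE, placeholder_score, 1.0))
```

On the constructed data, a CVSS threshold of 4.0 foils every attack but patches seven vulnerabilities, while a ranking that discounts high-impact, low-exploitability entries reaches the same coverage with four; the design point is that the evaluator is policy-agnostic, so the same two numbers can be computed for any estimator against real attack counts.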