A hybrid scoring system for prioritization of software vulnerabilities. Issue 129 (June 2023)
- Record Type:
- Journal Article
- Title:
- A hybrid scoring system for prioritization of software vulnerabilities. Issue 129 (June 2023)
- Main Title:
- A hybrid scoring system for prioritization of software vulnerabilities
- Authors:
- Sharma, Abhishek
Sabharwal, Sangeeta
Nagpal, Sushama - Abstract:
- Abstract: While security experts, firms, security providers, threat analysts all around the globe are working hard to provide ironclad security for information system softwares, vulnerabilities in softwares are still being detected on a daily basis. Although it is very important to neutralize all these vulnerabilities as quickly as possible, prioritization of vulnerabilities to determine the order for resolving these vulnerabilities is an equally important step for optimization of the remediation process. Among different available techniques for prioritization of vulnerabilities, scoring the vulnerabilities is the most common practice. In this paper, we have proposed a novel hybrid technique, VIEWSS: Variable Impact-Exploitability Weightage Scoring System, which scores vulnerabilities by varying the Impact-Exploitability score ratio towards calculation of base scores. We have also discussed three popular quantitative vulnerability scoring techniques; CVSS (Common Vulnerability Scoring System), VRSS (Vulnerability Rating and Scoring System) and WIVSS (Weighted Impact Vulnerability Scoring System) by explaining the underlying metrics, scoring systems, formulas and some limitations of these techniques. The proposed technique, VIEWSS is also compared with the discussed techniques by generating scores for around 83, 500 vulnerabilities reported on NVD (National Vulnerability Database) in the last five years. It is observed that our proposed technique generates the greatest numberAbstract: While security experts, firms, security providers, threat analysts all around the globe are working hard to provide ironclad security for information system softwares, vulnerabilities in softwares are still being detected on a daily basis. Although it is very important to neutralize all these vulnerabilities as quickly as possible, prioritization of vulnerabilities to determine the order for resolving these vulnerabilities is an equally important step for optimization of the remediation process. Among different available techniques for prioritization of vulnerabilities, scoring the vulnerabilities is the most common practice. In this paper, we have proposed a novel hybrid technique, VIEWSS: Variable Impact-Exploitability Weightage Scoring System, which scores vulnerabilities by varying the Impact-Exploitability score ratio towards calculation of base scores. We have also discussed three popular quantitative vulnerability scoring techniques; CVSS (Common Vulnerability Scoring System), VRSS (Vulnerability Rating and Scoring System) and WIVSS (Weighted Impact Vulnerability Scoring System) by explaining the underlying metrics, scoring systems, formulas and some limitations of these techniques. The proposed technique, VIEWSS is also compared with the discussed techniques by generating scores for around 83, 500 vulnerabilities reported on NVD (National Vulnerability Database) in the last five years. It is observed that our proposed technique generates the greatest number of distinct scores and also the score distribution of our technique performs well on different parameters including skewness and kurtosis. Further when these techniques were applied on a dataset containing around 12, 200 'high-risk' vulnerabilities extracted by cross-referencing NVD and Exploit-DB, our proposed technique outperformed all the discussed techniques in terms of identifying the threat accurately. … (more)
- Is Part Of:
- Computers & security. Issue 129(2023)
- Journal:
- Computers & security
- Issue:
- Issue 129(2023)
- Issue Display:
- Volume 129, Issue 129 (2023)
- Year:
- 2023
- Volume:
- 129
- Issue:
- 129
- Issue Sort Value:
- 2023-0129-0129-0000
- Page Start:
- Page End:
- Publication Date:
- 2023-06
- Subjects:
- Vulnerability -- Prioritization -- Scoring -- CVSS -- Impact -- Exploitability
Computer security -- Periodicals
Electronic data processing departments -- Security measures -- Periodicals
005.805 - Journal URLs:
- http://www.sciencedirect.com/science/journal/01674048 ↗
http://www.elsevier.com/journals ↗ - DOI:
- 10.1016/j.cose.2023.103256 ↗
- Languages:
- English
- ISSNs:
- 0167-4048
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 3394.781000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store - Ingest File:
- 27035.xml