
AutoCVSS: An Approach for Automatic Assessment of Vulnerability Severity Based on Attack Process

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 11484)

Abstract

Vulnerability severity assessment is an important research problem. The Common Vulnerability Scoring System (CVSS) is widely used to quantify vulnerability severity, but its assessment process relies on human experts to determine the metric values, which makes the process tedious and subjective. This calls for tools that assess vulnerability severity automatically and objectively. In this paper, we take a step in this direction by proposing an approach for automatic assessment of vulnerability severity based on the attack process, dubbed AutoCVSS. The key insight is to model the CVSS base metrics with characteristics and rules we define, and to assess severity more automatically and objectively by capturing the attributes related to those characteristics while the attack is carried out. To evaluate AutoCVSS, we reproduce the attacks for 98 vulnerabilities in the Linux kernel, FTP services, and the Apache web service using their exploits. The experimental results show that the severity scores obtained automatically by AutoCVSS are largely in accordance with those assessed manually by security experts for the National Vulnerability Database (NVD), which demonstrates the effectiveness of our approach.
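The abstract describes the pipeline only at a high level: attributes captured while an exploit runs are mapped by rules onto the CVSS base metrics, the resulting vector is scored, and the score is compared with the manual NVD assessment. The following Python block is an added example of that pipeline and is not the authors' AutoCVSS code. The observation fields, the mapping rules and the sample observations are this example's own assumptions (no real CVE identifiers are used); the metric weights and the base-score equation are the published CVSS v2 ones, and CVSS v2 itself is an assumption, since the abstract does not name a version. The reference scores in the samples are the standard CVSS v2 values for the resulting vectors and stand in for NVD entries.

```python
"""Added example: rule-based CVSS v2 base vector from observed attack attributes."""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

# Published CVSS v2 metric weights.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


@dataclass
class AttackObservation:
    """Attributes an instrumented attack run could record (assumed fields)."""
    attacker_location: str            # "remote", "adjacent" or "local"
    authentications: int              # distinct logins the exploit needed
    needs_special_conditions: bool    # e.g. non-default config or a won race
    effects: set = field(default_factory=set)
    # effect names the rules understand: "root_shell", "read_secret",
    # "partial_read", "write_file", "partial_write", "service_crash",
    # "system_crash"


def vector_from_observation(obs: AttackObservation) -> str:
    """Assumed mapping rules from observed attributes to a CVSS v2 base vector."""
    av = {"remote": "N", "adjacent": "A", "local": "L"}[obs.attacker_location]
    ac = "M" if obs.needs_special_conditions else "L"   # no rule emits "H" here
    au = "N" if obs.authentications == 0 else ("S" if obs.authentications == 1 else "M")
    e = obs.effects
    if "root_shell" in e:                # full control implies complete C/I/A
        c = i = a = "C"
    else:
        c = "C" if "read_secret" in e else ("P" if "partial_read" in e else "N")
        i = "C" if "write_file" in e else ("P" if "partial_write" in e else "N")
        a = "C" if "system_crash" in e else ("P" if "service_crash" in e else "N")
    return f"AV:{av}/AC:{ac}/Au:{au}/C:{c}/I:{i}/A:{a}"


def base_score(vector: str) -> float:
    """Published CVSS v2 base-score equation applied to a base vector string."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # CVSS rounds to one decimal; use half-up rather than Python's banker's rounding.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def assess(obs: AttackObservation, reference: float) -> dict:
    """Score one observation and report its deviation from a reference score."""
    vec = vector_from_observation(obs)
    score = base_score(vec)
    return {"vector": vec, "score": score, "reference": reference,
            "deviation": round(score - reference, 1)}


# Constructed sample observations for the three software classes the abstract
# names, plus one authenticated case; reference values are the standard CVSS v2
# scores of the resulting vectors (standing in for NVD).
SAMPLES = {
    "kernel-local-privesc": (AttackObservation("local", 0, False, {"root_shell"}), 7.2),
    "ftp-remote-overflow": (AttackObservation("remote", 0, False, {"root_shell"}), 10.0),
    "httpd-request-dos": (AttackObservation("remote", 0, False, {"service_crash"}), 5.0),
    "ftp-auth-file-read": (AttackObservation("remote", 1, True, {"partial_read"}), 3.5),
}


def run_all() -> dict:
    """Assess every sample; a deviation of 0.0 means agreement with the reference."""
    return {name: assess(obs, ref) for name, (obs, ref) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:22s} {result['vector']:33s} auto={result['score']:4.1f} "
              f"ref={result['reference']:4.1f} dev={result['deviation']:+.1f}")
```

The mapping rules are the part a practitioner would need to calibrate: the coarse effect names above stand in for whatever an instrumented run can actually prove (file reads, writes, crashes, spawned shells), and any effect the rules cannot classify silently lowers the impact metrics, so a real implementation should flag unclassified observations rather than defaulting them to "N".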



Acknowledgments

This paper is supported by the National Key Research & Development (R&D) Plan of China under grant No. 2017YFB0802205, the National Science Foundation of China under grant No. 61672249, and the Shenzhen Fundamental Research Program under grant No. JCYJ20170413114215614.

Corresponding author

Correspondence to Zhen Li.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Zou, D., Yang, J., Li, Z., Jin, H., Ma, X. (2019). AutoCVSS: An Approach for Automatic Assessment of Vulnerability Severity Based on Attack Process. In: Miani, R., Camargos, L., Zarpelão, B., Rosas, E., Pasquini, R. (eds) Green, Pervasive, and Cloud Computing. GPC 2019. Lecture Notes in Computer Science, vol 11484. Springer, Cham. https://doi.org/10.1007/978-3-030-19223-5_17

  • DOI: https://doi.org/10.1007/978-3-030-19223-5_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-19222-8

  • Online ISBN: 978-3-030-19223-5

  • eBook Packages: Computer Science, Computer Science (R0)
