论文信息 - Information Security Assessment by Quantifying Risk Level of Network Vulnerabilities

Information Security Assessment by Quantifying Risk Level of Network Vulnerabilities

With increasing dependency on IT infrastructure, the main objective of a system administrator is to maintain a stable and secure network, with ensure that the network is robust enough against malicious network users like attackers and intruders. Security risk management provides way to manage the growing threats to infrastructures or system. This paper proposes a framework for risk level estimation that uses vulnerability database National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS). The proposedframework measuresthe frequency of vulnerability exploitation; converges this measured frequency with standard CVSS score and estimates the security risk levelwhich helps in automated and reasonable security management. In this paper, equation for the Temporal score calculation with respect to availability of remediation plan is derived and further, frequency of exploitation is calculated with determined temporal score. The frequency of exploitation along with CVSS score is used to calculate the security risk level of the system. The proposed framework uses the CVSS vectors for risk level estimation and measures the security level of specific network environment, which assists system administrator for

Umesh Singh | Chanchala Joshi | Neha Gaud

[1] Carsten Maple,et al. Methodologies to Develop Quantitative Risk Evaluation Metrics , 2012 .

[2] Ramayya Krishnan,et al. An Empirical Analysis of Software Vendors' Patching Behavior: Impact of Vulnerability Disclosure , 2006, ICIS.

[3] A. Tripathi,et al. On prioritization of vulnerability categories based on CVSS scores , 2011, 2011 6th International Conference on Computer Sciences and Convergence Information Technology (ICCIT).

[4] Kapil Tarey,et al. A Review on Taxonomies of Attacks and Vulnerability in Computer and Network System , 2015 .

[5] P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[6] Xinming Ou,et al. Identifying Critical Attack Assets in Dependency Attack Graphs , 2008, ESORICS.

[7] Tripathi Anshu,et al. Analyzing Trends in Vulnerability Classes across CVSS Metrics , 2011 .

[8] Bin Wu,et al. EVMAT: an OVAL and NVD based enterprise vulnerability modeling and assessment tool , 2011, ACM-SE '11.

[9] Umesh Singh,et al. ADMIT- A Five Dimensional Approach towards Standardization of Network and Computer Attack Taxonomies , 2014 .

[10] Ehab Al-Shaer,et al. A Novel Quantitative Approach For Measuring Network Security , 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.

[11] Umesh Kumar Singh,et al. Estimating risk levels for vulnerability categories using CVSS , 2012 .