Identifying Potentially-Impacted Area by Vulnerabilities in Networked Systems Using CVSS

CVSS (Common Vulnerability Scoring System) is a framework for scoring IT vulnerabilities. It is composed of three metric groups: Base, Temporal, and Environmental. Although the environmental score, which expresses the risk a vulnerability poses in each user's own network environment, is the one that should be used for prioritizing actions, only the base score is currently used. One reason the environmental score goes unused is that it is hard to score uniquely, because the criterion for determining "Target Distribution (TD)," a parameter indicating the proportion of the environment that is impacted, is vague. We propose a method for identifying the potentially-impacted area, which enables TD measurement in networked systems in terms of three security objectives: confidentiality, integrity, and availability. We also apply the method to some model cases of networked systems and assess their TD. The results correspond to the popular wisdom that a trilayer structure is more secure.