New Vulnerability Scoring System for dynamic security evaluation

Currently, because of the exponential growth of vulnerabilities, one of the most essential requirements for IT managers is to improve network security by eliminating vulnerabilities that are most hazardous. Achieving this goal requires ranking vulnerabilities based on their peril to the network. Today, this target has become possible by introducing open standards such as Common Vulnerability Scoring System (CVSS) for ranking vulnerabilities. But, CVSS suffers from basic and serious problems that limits use of it for efficient vulnerability scoring. One constraint is its limited diversity of scores that a small set of discrete values are used for ranking large amount of vulnerabilities. Another challenge is that, CVSS does not score features of the vulnerability that change over time such as availability of exploit tools. By considering these limitations, in this paper a Vulnerability Scoring System has developed that assess the risk of each known vulnerability based on its intrinsic and temporal features. Also, in this paper a novel method is proposed for the Impact estimation of vulnerability exploiting that improves the diversity of risk scores considerably.