Refining CVSS-Based Network Security Metrics by Examining the Base Scores

A network security metric enables the direct measurement of the effectiveness of network security solutions. Combining the CVSS scores of individual vulnerabilities yields a measurement of the overall security of a network with respect to potential attacks. However, most existing approaches to combining such scores, whether based on attack graphs or on Bayesian networks, share two limitations. First, dependency relationships between vulnerabilities are either ignored or modeled in an arbitrary way. Second, only one aspect of the scores, the probability of successful attacks, is considered. In this chapter, we address those issues as follows. First, instead of taking each base score as an input, our approach works at the underlying base-metric level, where dependency relationships have well-defined semantics. Second, our approach interprets and combines scores in three different aspects, namely probability, effort, and skill, which may broaden the scope of applications for CVSS and allow users to weigh different aspects of the score according to their specific needs. Finally, we evaluate our approach through simulation.