DOI: 10.1145/2491845.2491871

WIVSS: a new methodology for scoring information systems vulnerabilities

Published: 19 September 2013

Abstract

Vulnerabilities of information systems are an ever-increasing problem that IT security management must solve. As the number of vulnerabilities grows exponentially, ranking and prioritizing them is a crucial task for organizations and researchers involved with the security of computer systems. The open standard for scoring and ranking vulnerabilities is the Common Vulnerability Scoring System (CVSS); the focus of this research is to investigate ways to improve it by achieving a higher diversity of score values and better accuracy. This paper introduces a new vulnerability scoring system, called WIVSS (Weighted Impact Vulnerability Scoring System). The methodology takes a different approach to scoring: each vulnerability characteristic is weighted according to its different impact. WIVSS is applied to the 9455 most recent vulnerabilities, and the results show an improvement over CVSS.

Cited By

  • (2024) A Comprehensive Review and Assessment of Cybersecurity Vulnerability Detection Methodologies. Journal of Cybersecurity and Privacy 4(4):853-908, 7 Oct 2024. doi:10.3390/jcp4040040
  • (2024) Evaluating Cybersecurity Risk: A Comprehensive Comparison of Vulnerability Scoring Methodologies. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-11, 30 Jul 2024. doi:10.1145/3664476.3670915
  • (2024) A Survey on Software Vulnerability Exploitability Assessment. ACM Computing Surveys 56(8):1-41, 26 Apr 2024. doi:10.1145/3648610
  • (2024) Estimating vulnerability metrics with word embedding and multiclass classification methods. International Journal of Information Security 23(1):247-270, 1 Feb 2024. doi:10.1007/s10207-023-00734-7
  • (2023) An Approach to Characterize the Security of Open-Source Functions using LSP. 2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE), pp. 137-147, 9 Oct 2023. doi:10.1109/ISSRE59848.2023.00073
  • (2023) A Study of CVSS v4.0: A CVE Scoring System. 2023 6th International Conference on Contemporary Computing and Informatics (IC3I), pp. 1180-1186, 14 Sep 2023. doi:10.1109/IC3I59117.2023.10397701
  • (2023) A hybrid scoring system for prioritization of software vulnerabilities. Computers and Security 129(C), 1 Jun 2023. doi:10.1016/j.cose.2023.103256
  • (2022) Automated Context-Aware Vulnerability Risk Management for Patch Prioritization. Electronics 11(21):3580, 2 Nov 2022. doi:10.3390/electronics11213580
  • (2022) Network Security Node-Edge Scoring System Using Attack Graph Based on Vulnerability Correlation. Applied Sciences 12(14):6852, 6 Jul 2022. doi:10.3390/app12146852
  • (2022) A Survey on Data-driven Software Vulnerability Assessment and Prioritization. ACM Computing Surveys 55(5):1-39, 3 Dec 2022. doi:10.1145/3529757

    Published In

    cover image ACM Other conferences
    PCI '13: Proceedings of the 17th Panhellenic Conference on Informatics
    September 2013
    359 pages
    ISBN:9781450319690
    DOI:10.1145/2491845
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Sponsors

    • University of Macedonia
    • Aristotle University of Thessaloniki
    • The University of Sheffield
    • Alexander TEI of Thessaloniki

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. IT security
    2. vulnerability
    3. vulnerability scoring

    Qualifiers

    • Research-article

    Conference

    PCI 2013
    Sponsor:
    • The University of Sheffield
    PCI 2013: 17th Panhellenic Conference on Informatics
    September 19 - 21, 2013
    Thessaloniki, Greece

    Acceptance Rates

    Overall Acceptance Rate 190 of 390 submissions, 49%

    Article Metrics

    • Downloads (Last 12 months)38
    • Downloads (Last 6 weeks)4
    Reflects downloads up to 15 Oct 2024

