
A Study on Layered Weight Based Vulnerability Impact Assessment Scoring System

Korean title: A Study on a Layered Weight Based Vulnerability Impact Assessment Scoring System

  • 김영종 (School of Software, Soongsil University)
  • Received : 2019.01.24
  • Accepted : 2019.03.13
  • Published : 2019.07.31

Abstract

The Common Vulnerability Scoring System (CVSS) is the representative vulnerability scoring system. However, CVSS does not differentiate the impact of a vulnerability according to the individual asset it affects, and it gives no higher priority to more important assets, so high-risk vulnerabilities in large systems cannot be responded to effectively and quickly. We propose a Layered weight based Vulnerability impact assessment Scoring System (LVSS) that groups assets hierarchically by importance and weights the score by the number of layers and the number of assets, so that the impact of a vulnerability can be managed effectively on a per-asset basis.

Fig. 1. CVE-2017-14012, Data from National Institute of Standards and Technology, U.S. Department of Commerce[3]

Fig. 2. CVSS v3.0 Metric Groups, Data from FIRST.Org, Inc.[4]

Fig. 3. CVSS Metrics and Equations, Data from FIRST.Org, Inc.[4]

Fig. 4. The Components of the CVSS Score for CVE-2017-14012, Data from FIRST.Org, Inc.[5]

Table 1. Detail Information of Layer for Classification

Table 2. Environments for Simulation Experiments

Table 3. Detail Information of Simulation Cases for No. of Affected Assets on Classification of Sitting Postures

Table 4. Comparison of the Scores of CVSS and LVSS in Cases 1, 2, 3, 4

References

  1. Enterprise Risk Management - Integrated Framework - COSO [Internet], https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf.
  2. Common Vulnerabilities and Exposures (CVE) [Internet], https://cve.mitre.org/about/index.html.
  3. CVE-2017-14012 Detail [Internet], https://nvd.nist.gov/vuln/detail/CVE-2017-14012.
  4. Common Vulnerability Scoring System v3.0: Specification Document [Internet], https://www.first.org/cvss/cvss-v30-specification-v1.8.pdf.
  5. Common Vulnerability Scoring System Calculator [Internet], https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2017-14012&vector=AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
  6. National Vulnerability Database [Internet], https://nvd.nist.gov/.