Entry Allodi:2014:CVS from tissec.bib

Last update: Sun Oct 15 02:58:48 MDT 2017


BibTeX entry

@Article{Allodi:2014:CVS,
  author =       "Luca Allodi and Fabio Massacci",
  title =        "Comparing Vulnerability Severity and Exploits Using
                 Case-Control Studies",
  journal =      j-TISSEC,
  volume =       "17",
  number =       "1",
  pages =        "1:1--1:??",
  month =        aug,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2630069",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Aug 11 19:17:17 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "(U.S.) Rule-based policies for mitigating software
                 risk suggest using the CVSS score to measure the risk
                 of an individual vulnerability and act accordingly. A
                 key issue is whether the `danger' score does actually
                 match the risk of exploitation in the wild, and if and
                 how such a score could be improved. To address this
                 question, we propose using a case-control study
                 methodology similar to the procedure used to link lung
                 cancer and smoking in the 1950s. A case-control study
                 allows the researcher to draw conclusions on the
                 relation between some risk factor (e.g., smoking) and
                 an effect (e.g., cancer) by looking backward at the
                 cases (e.g., patients) and comparing them with controls
                 (e.g., randomly selected patients with similar
                 characteristics). The methodology allows us to quantify
                 the risk reduction achievable by acting on the risk
                 factor. We illustrate the methodology by using publicly
                 available data on vulnerabilities, exploits, and
                 exploits in the wild to (1) evaluate the performances
                 of the current risk factor in the industry, the CVSS
                 base score; (2) determine whether it can be improved by
                 considering additional factors such as the existence of a
                 proof-of-concept exploit, or of an exploit in the black
                 markets. Our analysis reveals that (a) fixing a
                 vulnerability just because it was assigned a high CVSS
                 score is equivalent to randomly picking vulnerabilities
                 to fix; (b) the existence of proof-of-concept exploits
                 is a significantly better risk factor; (c) fixing in
                 response to exploit presence in black markets yields
                 the largest risk reduction.",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
