Entry Allodi:2014:CVS from tissec.bib
Last update: Sun Oct 15 02:58:48 MDT 2017
BibTeX entry
@Article{Allodi:2014:CVS,
  author =       "Luca Allodi and Fabio Massacci",
  title =        "Comparing Vulnerability Severity and Exploits Using
                 Case-Control Studies",
  journal =      j-TISSEC,
  volume =       "17",
  number =       "1",
  pages =        "1:1--1:??",
  month =        aug,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/2630069",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Aug 11 19:17:17 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "(U.S.) Rule-based policies for mitigating software
                 risk suggest using the CVSS score to measure the risk
                 of an individual vulnerability and act accordingly. A
                 key issue is whether the `danger' score does actually
                 match the risk of exploitation in the wild, and if and
                 how such a score could be improved. To address this
                 question, we propose using a case-control study
                 methodology similar to the procedure used to link lung
                 cancer and smoking in the 1950s. A case-control study
                 allows the researcher to draw conclusions on the
                 relation between some risk factor (e.g., smoking) and
                 an effect (e.g., cancer) by looking backward at the
                 cases (e.g., patients) and comparing them with controls
                 (e.g., randomly selected patients with similar
                 characteristics). The methodology allows us to quantify
                 the risk reduction achievable by acting on the risk
                 factor. We illustrate the methodology by using publicly
                 available data on vulnerabilities, exploits, and
                 exploits in the wild to (1) evaluate the performances
                 of the current risk factor in the industry, the CVSS
                 base score; (2) determine whether it can be improved by
                 considering additional factors such as the existence of
                 a proof-of-concept exploit, or of an exploit in the
                 black markets. Our analysis reveals that (a) fixing a
                 vulnerability just because it was assigned a high CVSS
                 score is equivalent to randomly picking vulnerabilities
                 to fix; (b) the existence of proof-of-concept exploits
                 is a significantly better risk factor; (c) fixing in
                 response to exploit presence in black markets yields
                 the largest risk reduction.",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}
Related entries
- act, 11(1)2, 14(4)31, 16(4)15
- acting, 13(4)38, 13(4)41
- actually, 9(2)181, 10(3)10, 12(3)19, 16(3)10, 18(1)1
- additional, 2(1)3, 9(2)181, 10(4)4, 11(2)3, 11(2)6, 12(3)18, 13(4)33, 15(2)6
- address, 2(1)65, 2(4)390, 10(2)8, 10(3)12, 11(1)4, 11(2)3, 11(3)12, 12(2)11, 13(3)22, 13(3)26, 13(4)31, 13(4)38, 13(4)40, 14(1)3, 15(1)2, 15(2)6, 15(2)8, 16(3)11, 16(4)14, 17(1)2, 17(1)4, 17(2)8, 17(3)11
- allow, 2(4)390, 9(2)181, 10(3)10, 10(4)2, 10(4)3, 11(1)2, 11(2)2, 11(2)4, 12(1)3, 12(1)6, 12(2)8, 12(2)10, 12(3)16, 12(3)18, 12(3)19, 13(3)21, 13(4)34, 13(4)38, 13(4)39, 13(4)41, 14(1)3, 14(1)5, 14(1)10, 14(3)25, 14(3)26, 14(3)27, 14(4)28, 14(4)29, 15(2)6, 15(2)9, 15(2)10, 16(1)3, 16(2)5, 16(3)9, 16(4)13, 16(4)17, 17(2)5, 17(3)10, 17(3)11, 17(4)16, 18(3)10
- analysis, 1(1)66, 2(1)34, 2(2)138, 2(3)230, 2(3)332, 4(1)1, 6(4)443, 7(2)175, 7(4)489, 8(3)312, 9(3)292, 9(4)391, 10(1)2, 10(3)9, 10(3)10, 10(3)11, 10(4)2, 10(4)6, 11(2)3, 11(3)13, 11(3)15, 11(4)17, 11(4)18, 11(4)23, 12(1)4, 12(2)10, 12(3)16, 13(1)10, 13(3)25, 13(3)26, 13(3)27, 13(4)41, 14(1)6, 14(1)8, 14(1)13, 14(2)15, 14(4)28, 15(3)14, 15(4)17, 15(4)18, 16(1)2, 16(1)4, 16(2)8, 16(3)10, 16(3)11, 16(4)14, 16(4)17, 17(1)4, 17(2)7, 17(3)9, 17(4)14, 18(1)1, 18(1)4, 18(2)6
- assigned, 10(1)2, 15(2)6, 15(4)15, 18(1)1
- available, 1(1)3, 2(3)295, 12(1)1, 13(3)22, 13(3)25, 16(3)11, 17(3)9, 17(3)11, 18(1)2, 18(4)12
- b, 9(2)162, 12(2)9, 15(3)14
- backward, 14(1)11
- base, 11(4)18, 15(1)4
- because, 1(1)66, 2(3)269, 10(4)5, 11(4)18, 11(4)21, 12(1)2, 12(2)10, 14(1)3, 14(4)29, 16(2)7, 17(1)4, 17(3)10
- better, 10(4)5, 11(1)4, 11(4)20, 11(4)23, 13(4)40, 17(4)14, 17(4)15, 18(1)1, 18(3)10
- black, 16(4)15, 18(1)1
- c, 9(2)162
- case, 7(2)206, 9(4)391, 10(4)2, 11(3)14, 11(4)19, 11(4)21, 12(1)1, 12(1)5, 12(2)10, 12(4)20, 13(4)32, 13(4)34, 14(1)14, 14(2)18, 14(4)28, 15(1)5, 15(2)7, 15(3)13, 16(1)4, 17(2)7, 18(1)1, 18(1)2, 18(1)4
- characteristic, 2(4)416, 11(4)17, 12(2)13, 13(4)30, 13(4)32, 18(4)12
- comparing, 9(4)461, 12(1)2, 13(3)22, 14(2)19
- concept, proof-of-, 11(1)3, 12(2)11
- conclusions, 11(3)13
- considering, 14(4)28, 15(1)5, 16(1)2
- could, 1(1)26, 7(2)319, 10(3)11, 12(2)9, 14(1)10, 17(4)14, 18(4)14
- current, 2(1)34, 2(1)65, 2(2)177, 2(4)390, 11(4)18, 11(4)20, 11(4)22, 12(2)8, 12(2)10, 13(3)20, 13(4)35, 15(3)12, 16(3)10, 16(4)13, 16(4)16, 17(1)2, 17(2)6, 17(3)9
- danger, 11(2)3, 11(4)20
- determine, 1(1)3, 11(2)3, 11(2)6, 11(3)16, 12(4)20, 13(3)26, 13(4)38, 13(4)40, 14(1)2, 14(4)32, 16(2)5, 17(2)8
- do, 2(3)230, 2(3)269, 9(4)421, 10(4)1, 11(1)4, 11(2)2, 11(4)19, 12(1)3, 12(2)10, 13(2)13, 13(4)33, 13(4)35, 14(3)23, 14(3)27, 14(4)28, 16(1)1, 16(3)12, 16(4)13, 18(3)9
- e.g., 1(1)66, 2(2)177, 2(3)230, 2(4)354, 2(4)390, 10(4)1, 11(4)22, 12(1)1, 12(2)10, 12(2)12, 14(1)2, 15(2)6, 16(2)7, 16(4)14, 17(3)12, 17(4)15, 18(3)9
- effect, 10(4)1, 11(2)3, 12(3)17, 13(1)10, 13(3)20, 14(1)10, 15(3)12
- equivalent, 7(2)319, 11(2)4, 16(1)4
- evaluate, 2(2)138, 2(4)354, 10(4)3, 11(2)3, 11(3)12, 11(3)14, 13(3)26, 13(4)30, 13(4)35, 14(1)3, 15(3)13, 15(4)17, 16(1)2, 16(2)6, 17(2)8, 17(4)14, 18(4)14
- existence, 11(2)4, 11(2)6, 13(3)25
- exploit, 2(4)416, 12(1)1, 12(2)11, 12(4)22, 13(3)28, 15(1)2, 16(4)13, 17(3)11
- exploitation, 17(4)16
- factor, 9(4)461, 10(4)4, 10(4)5, 12(3)18, 13(4)37, 17(2)8
- high, 1(1)3, 11(3)13, 11(3)15, 11(4)18, 11(4)20, 12(2)11, 14(4)31, 15(2)7, 15(3)12, 16(2)6, 16(2)8, 16(3)11, 17(3)11, 17(4)16, 18(2)7, 18(4)12
- how, 2(1)3, 2(2)138, 2(3)269, 7(2)319, 10(2)5, 10(2)8, 10(4)1, 10(4)2, 10(4)5, 11(3)13, 11(4)18, 12(1)2, 12(2)9, 12(2)12, 12(3)18, 12(3)19, 13(1)10, 13(2)13, 13(3)25, 13(4)31, 13(4)36, 14(1)2, 14(3)26, 15(1)5, 15(3)14, 15(4)15, 16(1)3, 16(2)5, 16(2)8, 17(1)2, 17(1)3, 17(4)15, 18(1)1, 18(1)3, 18(2)6, 18(3)9, 18(4)14
- illustrate, 1(1)26, 9(2)162, 11(4)19, 13(3)25, 14(1)8, 15(2)10, 18(1)2
- improved, 9(1)1, 9(4)461, 10(2)6, 11(2)1, 12(1)3, 13(4)29, 15(2)7, 17(1)4
- individual, 2(3)295, 10(1)4, 10(4)6, 11(1)3, 11(4)18, 14(3)26, 17(2)8, 18(2)6
- industry, 12(2)13, 14(4)32
- issue, 1(1)66, 2(1)65, 2(4)354, 8(4)349, 10(1)1, 10(3)12, 11(1)2, 12(1)5, 12(2)7, 12(3)15, 12(4)22, 13(1)1, 13(2)11, 13(3)22, 13(3)26, 13(4)32, 15(1)1, 15(2)7, 16(2)7, 16(3)12, 17(1)2
- just, 7(2)242, 9(2)181, 10(3)9, 17(3)9
- largest, 10(4)1, 11(3)12
- link, 10(4)6, 11(3)13, 17(2)6
- market, 2(1)34, 17(4)14
- measure, 2(3)269, 2(3)295, 9(2)162, 10(4)5, 11(4)17, 12(3)17, 12(4)22, 13(3)22, 13(4)36, 15(1)2, 16(2)6, 18(1)1, 18(2)5
- methodology, 5(4)458, 10(2)7, 15(3)12, 16(1)2, 16(4)17, 17(4)16
- mitigating, 10(4)6
- of-concept, proof-, 12(2)11
- performance, 1(1)3, 1(1)26, 1(1)66, 2(3)269, 4(3)289, 5(4)458, 7(3)457, 9(4)461, 10(1)3, 10(4)4, 11(1)2, 11(1)3, 11(2)1, 11(4)17, 11(4)19, 12(3)14, 12(3)16, 13(3)24, 13(3)25, 13(4)32, 13(4)35, 13(4)38, 14(1)3, 15(1)4, 16(1)1, 16(2)6, 16(2)8, 16(3)9, 16(4)16, 17(2)8, 17(3)9, 17(4)13, 17(4)15
- presence, 11(3)16, 15(1)4, 15(2)9, 15(3)14, 17(3)9
- procedure, 9(4)421, 11(4)18, 16(1)2, 17(2)5, 17(2)6
- proof-of-concept, 11(1)3, 12(2)11
- propose, 1(1)26, 2(1)65, 2(2)138, 2(3)269, 9(2)162, 9(4)391, 9(4)421, 10(1)3, 10(1)4, 10(3)12, 10(4)1, 10(4)3, 10(4)4, 10(4)6, 11(1)3, 11(1)4, 11(3)12, 11(3)15, 11(4)18, 11(4)19, 11(4)23, 12(1)4, 12(2)8, 12(2)11, 12(2)13, 12(3)18, 13(3)28, 13(4)32, 13(4)36, 13(4)40, 13(4)41, 14(1)5, 14(1)10, 14(1)11, 14(3)24, 14(3)26, 14(4)30, 15(2)7, 15(4)17, 16(1)2, 16(4)15, 16(4)16, 17(3)10, 17(3)11, 17(3)12, 17(4)13, 17(4)14, 18(1)2, 18(2)7
- publicly, 12(2)9, 15(2)9, 18(4)12
- quantify, 12(2)12, 15(3)14
- question, 10(4)1, 11(2)3, 11(4)21, 13(4)35, 14(3)26, 15(4)18, 17(3)11, 18(3)9
- randomly, 12(2)10
- reduction, 2(3)295, 9(4)391, 9(4)461, 12(3)18, 13(4)29, 16(1)4
- relation, 1(1)93, 2(4)390, 10(1)4, 10(4)2, 13(3)27, 14(1)4, 14(4)30
- researcher, 2(3)332, 11(1)2, 12(1)2, 12(3)17, 13(4)36, 16(3)10, 16(4)16
- response, 9(4)461, 12(3)17, 17(2)6
- reveal, 12(1)6, 12(2)13, 13(1)10, 13(4)30, 15(4)17
- risk, 2(3)269, 3(1)1, 10(1)3, 18(2)5
- rule-based, 6(3)404
- score, 12(1)6, 15(4)17
- selected, 2(3)295, 17(1)2, 18(1)1
- significantly, 1(1)93, 9(2)181, 9(4)461, 11(2)3, 12(3)17, 13(4)29, 14(1)7, 15(1)4, 15(2)9, 15(2)10, 15(3)11, 16(3)9, 18(1)1
- similar, 9(4)391, 10(4)1, 11(4)18, 13(1)10, 16(1)1, 17(1)2
- software, 1(1)3, 2(1)3, 2(1)34, 2(1)105, 2(2)138, 2(2)177, 2(3)295, 2(4)354, 3(1)51, 11(1)2, 12(2)11, 12(2)12, 12(3)14, 12(3)19, 14(1)8, 14(3)24, 14(4)32, 15(2)8, 17(3)11
- study, 2(3)230, 2(4)416, 7(2)206, 10(2)5, 10(4)5, 11(1)3, 11(2)3, 11(4)23, 12(1)6, 12(3)14, 12(4)20, 13(4)40, 14(1)7, 14(2)18, 14(2)19, 15(1)5, 15(2)7, 15(2)8, 15(2)10, 15(3)13, 17(2)7, 17(3)12, 17(4)14, 18(1)1, 18(1)2, 18(1)4, 18(2)5, 18(2)7, 18(3)9, 18(4)13
- suggest, 2(3)332, 10(4)5, 12(1)5, 16(1)4
- used, 1(1)3, 2(1)65, 2(4)416, 7(2)319, 9(2)181, 10(1)2, 10(2)5, 10(2)7, 10(2)8, 10(4)2, 11(1)2, 11(1)3, 11(2)3, 11(3)14, 11(3)15, 11(3)16, 11(4)21, 11(4)22, 12(2)8, 12(3)15, 13(1)10, 13(3)22, 13(3)25, 13(4)29, 13(4)34, 14(1)3, 14(1)12, 14(1)13, 14(3)27, 15(1)3, 15(1)5, 15(3)12, 15(4)17, 15(4)18, 16(2)7, 16(2)8, 16(3)10, 17(2)7, 17(3)9, 17(4)13, 18(1)3, 18(2)5, 18(2)6, 18(3)9, 18(4)13, 18(4)14
- using, 2(2)138, 2(2)177, 2(3)332, 4(3)289, 6(2)258, 6(3)327, 9(2)113, 9(2)162, 9(2)181, 9(3)292, 9(3)325, 9(4)461, 10(1)4, 10(2)8, 10(3)11, 10(4)3, 10(4)6, 11(1)2, 11(2)1, 11(2)2, 11(2)3, 11(3)14, 11(4)19, 11(4)21, 12(2)10, 12(2)11, 13(1)2, 13(1)8, 13(3)20, 13(3)26, 13(4)31, 13(4)35, 13(4)39, 14(1)3, 14(1)12, 14(1)14, 14(3)27, 15(1)2, 15(3)11, 15(3)12, 15(4)15, 15(4)17, 16(1)1, 16(1)2, 16(1)4, 16(2)5, 16(2)6, 16(3)10, 16(4)17, 17(2)5, 17(3)10, 17(3)11, 17(4)13, 17(4)14, 17(4)16, 18(2)7, 18(2)8, 18(3)10, 18(3)11, 18(4)14
- vulnerability, 2(4)416, 7(2)319, 12(2)11, 13(4)38, 14(1)7, 14(1)13, 17(3)11
- was, 2(1)105, 11(1)2, 12(3)16, 13(1)10, 14(1)8, 16(3)10, 16(3)11, 16(4)16, 18(1)3, 18(4)13
- whether, 1(1)3, 1(1)26, 10(2)5, 10(4)2, 10(4)5, 11(2)3, 11(2)6, 11(3)16, 12(1)1, 12(4)20, 13(3)26, 13(4)40, 14(3)25, 14(4)32, 16(1)3, 16(1)4, 17(1)2
- wild, 16(3)9
- yield, 2(4)416, 11(4)17, 18(1)4