Marjan Keramati

One of the key factors that endangers network security is software vulnerabilities. So, increasing growth of vulnerability emergence is a critical challenge in security management. Also, organizations constantly encounter the limited budget problem. Therefore, to do network hardening in a cost-benefit manner, quantitative vulnerability assessment for finding the most critical vulnerabilities is a vital issue. The most prominent vulnerability scoring systems is CVSS (Common Vulnerability Scoring System) that ranks vulnerabilities based on their intrinsic characteristics. But in CVSS, Temporal features or the effect of existing patches and exploit tools in risk estimation of vulnerabilities are ignored. So, CVSS scores are not accurate. Another deficiency with CVSS that limits its application in real networks is that, in CVSS, only a small set of scores is used for discriminating between numerous numbers of vulnerabilities.  To improve the difficulties with existing scoring systems, here some security metrics are defined that rank vulnerabilities by considering their temporal features beside their intrinsic ones. Also, by the aim of improving scores diversity in CVSS, a new method is proposed for Impact estimation of vulnerability exploitation on security parameters of the network. Performing risk assessment by considering the type of the attacker which endangers the network security most is another novelty of this paper.

CVSS, Risk, Vulnerability, Impact, Network Hardening, Security Metric, exploit, patch