Vulnerability scoring metric of CVSS needs to be adjusted per each product: our analysis on Linux and Apache
Notice bibliographique
Résumé
To safeguard software products against security risks, it is imperative for organizations to prioritize and rank vulnerabilities in a systematic manner. The Common Vulnerability Scoring System stands as a widely embraced open standard for assessing and classifying vulnerabilities in computer systems. The precision of the CVSS methodology is of paramount importance, enabling security experts to appropriately prioritize vulnerabilities and make well-informed decisions in response to security threats. Despite the utilization of a standardized approach in the computation of the CVSS formula, it is noteworthy that certain shortcomings persist, which have not yet been adequately addressed in previous research. This paper presents a fresh perspective on these aforementioned limitations and presents innovative remedies aimed at enhancing the precision of vulnerability severity scores. The absence of these enhancements precludes the attainment of desirable outcomes. Our empirical investigation, which involves an in-depth analysis of CVSS outcomes for both Linux and Apache products, emphasizes the need to tailor the CVSS formula individually for each product to ensure the accurate determination of vulnerability severity scores. In our study, we reveal two distinctive insights that have the potential to increase the effectiveness of the CVSS methodology. The first insight revolves around the consideration of module frequency within a product, coupled with vigilant monitoring of vulnerability occurrences within those specific modules. This approach allows the calculation of severity scores to deviate for modules characterized by elevated vulnerability levels, as opposed to other modules governed by identical CVSS parameters. The second insight pertains to the nuanced weighting of parameter values within the foundational metrics of the CVSS methodology. Our evaluation findings emphasize that the majority of attacks on the Linux product do not require any elevated privileges, whereas for the Apache product, a minimum threshold of permission is a prerequisite. Thus, the formulation of this weighting mechanism should take inspiration from the historical behavior of past vulnerabilities within the product. In conclusion, the accurate assessment and prioritization of vulnerabilities are critical in fortifying software products against potential security breaches. The Common Vulnerability Scoring System serves as an established framework in this endeavor, yet its imperfections persist. Our study aims to address these shortcomings and introduce novel perspectives that can amplify the precision of vulnerability severity scores. By tailoring the CVSS formula on a product-specific basis and incorporating insights derived from module frequency and historical vulnerability behaviors, the proposed enhancements aim to empower security experts to make more informed and effective decisions in mitigating software vulnerabilities.
Récupéré en direct depuis OpenAlex et désinversé. Les résumés ne sont pas conservés dans cette base de données : les index inversés représentent 8,6 Go des 9,3 Go de texte de la base, et le serveur dispose de 13 Go libres.
Comment cette classification a été obtenuedéplier
Prédiction distillée sur la base complète
Imitation des enseignantsNi prévalence calibrée, ni vérité terrain. Validation humaine à venir. Apprise à partir de 10 348 étiquettes directes de Codex et de 10 348 étiquettes directes de Gemma. Le mode candidate est l'union des têtes enseignantes seuillées; le consensus est leur intersection. Ces sorties portent le statut machine_predicted_unvalidated et ne sont ni des étiquettes humaines ni des étiquettes directes de modèles de pointe.
Scores Codex et Gemma par catégorie
| Catégorie | Codex | Gemma |
|---|---|---|
| Métarecherche | 0,001 | 0,001 |
| Méta-épidémiologie (sens strict) | 0,000 | 0,000 |
| Méta-épidémiologie (sens large) | 0,000 | 0,000 |
| Bibliométrie | 0,002 | 0,007 |
| Études des sciences et des technologies | 0,000 | 0,000 |
| Communication savante | 0,000 | 0,002 |
| Science ouverte | 0,000 | 0,000 |
| Intégrité de la recherche | 0,000 | 0,000 |
| Charge utile insuffisante (le modèle a refusé de juger) | 0,000 | 0,000 |
Scores machine (provisoires)
Les deux têtes enseignantes du modèle étudiant, lues sur ce travail. Un score ordonne la base pour la relecture; il n'affirme jamais une catégorie, et le statut de validation accompagne chaque rangée tel quel.
Scores de référence d'un modèle non mature (critères de maturité non atteints, 7 itérations). Un score ordonne; il n'affirme jamais une catégorie.
score_only:v0-immature-baseline · tel quel depuis la passe de notation : score_only signifie que le nombre peut ordonner les travaux, et qu'aucune étiquette de catégorie n'en découleClassification
machine, non validéePrédiction automatique; un appel candidat d’une seule tête enseignante, pas un consensus.
Le détail, modèle par modèle et score par score, se trouve en fin de page sous « Comment cette classification a été obtenue ».