Measuring the Risk of Vulnerabilities Exploitation

Author:

Maria de Fátima Brilhante (1,2), Dinis Pestana (2,3,4), Pedro Pestana (5,6), Maria Luísa Rocha (7,8)

Affiliation:

1. Faculdade de Ciências e Tecnologia, Universidade dos Açores, Rua da Mãe de Deus, 9500-321 Ponta Delgada, Portugal

2. Centro de Estatística e Aplicações, Universidade de Lisboa (CEAUL), Campo Grande, 1749-016 Lisboa, Portugal

3. Faculdade de Ciências, Universidade de Lisboa, Campo Grande, 1749-016 Lisboa, Portugal

4. Instituto de Investigação Científica Bento da Rocha Cabral, Calçada Bento da Rocha Cabral 14, 1250-012 Lisboa, Portugal

5. Departamento de Ciências e Tecnologia, Universidade Aberta, Rua Almirante Barroso 38, 1000-013 Lisboa, Portugal

6. Centro de Investigação em Ciência e Tecnologia das Artes (CITAR), Rua de Diogo Botelho 1327, 4169-005 Porto, Portugal

7. Faculdade de Economia e Gestão, Universidade dos Açores, Rua da Mãe de Deus, 9500-321 Ponta Delgada, Portugal

8. Centro de Estudos de Economia Aplicada do Atlântico (CEEAplA), Rua da Mãe de Deus, 9500-321 Ponta Delgada, Portugal

Abstract

Modeling the vulnerability lifecycle and exploitation frequency is at the core of network security evaluation. Pareto, Weibull, and log-normal models have been widely used to model exploit and patch availability dates, the time to compromise a system, the time between compromises, and exploitation volumes. Random samples (systematic and simple random sampling) of the time from publication to update of cybervulnerabilities disclosed in 2021 and in 2022 are analyzed to evaluate the goodness-of-fit of the traditional Pareto and log-normal laws. As censoring and thinning almost surely occur, other heavy-tailed distributions in the domain of attraction of extreme value or geo-extreme value laws are investigated as suitable alternatives. Goodness-of-fit tests, the Akaike information criterion (AIC), and the Vuong test support the statistical choice of the log-logistic distribution, a geo-max stable law in the domain of attraction of the Fréchet model of maxima, with hyperexponential and generalized extreme value fittings as runners-up. Evidence that the data come from a mixture of differently stretched populations affects vulnerability scoring systems, specifically the Common Vulnerability Scoring System (CVSS).

Funder

Fundação para a Ciência e Tecnologia

Publisher

MDPI AG
