The Effect of Common Vulnerability Scoring System Metrics on Vulnerability Exploit Delay
2018 Sixth International Symposium on Computing and Networking (CANDAR)(2018)
摘要
Modern system administrators need to monitor disclosed software vulnerabilities and address applicable vulnerabilities via patching, reconfiguration and other measures. In 2017, over 14,000 new vulnerabilities were disclosed, so, a key question for administrators is which vulnerabilities to prioritise. The Common Vulnerability Scoring System (CVSS) is often used to decide which vulnerabilities pose the greatest risk and hence inform patching policy. A CVSS score is indicative of a vulnerability severity, but it doesn't predict the time to exploit for a vulnerability. A prediction of exploit delay would greatly assist vendors in prioritising their patch releases and system administrators in prioritising the installation of these patches. In this paper, we study the effect of CVSS metrics on the time until a proof of concept exploit is developed. We use the National Vulnerability Database (NVD) and the Exploit Database, which represent two of the largest listings of vulnerabilities and exploit data, to show how CVSS metrics can provide better insight into exploit delay. We also investigate the time lag associated with populating CVSS metrics and find that the median delay has increased rapidly from a single day prior to 2017 to 19 days in 2018. This is an alarming trend, given the rapid decline in median vulnerability exploit time from 296 days in 2005 to six days in 2018.
更多查看译文
关键词
vulnerability exploits, exploit delay, cvss metrics
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络