Research Article

Methodologies to Develop Quantitative Risk Evaluation Metrics

by Thaier Hamid, Carsten Maple, Paul Sant
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 48 - Number 14
Year of Publication: 2012
Authors: Thaier Hamid, Carsten Maple, Paul Sant
10.5120/7416-0413

Thaier Hamid, Carsten Maple, Paul Sant . Methodologies to Develop Quantitative Risk Evaluation Metrics. International Journal of Computer Applications. 48, 14 ( June 2012), 17-24. DOI=10.5120/7416-0413

@article{ 10.5120/7416-0413,
author = { Thaier Hamid, Carsten Maple, Paul Sant },
title = { Methodologies to Develop Quantitative Risk Evaluation Metrics },
journal = { International Journal of Computer Applications },
issue_date = { June 2012 },
volume = { 48 },
number = { 14 },
month = { June },
year = { 2012 },
issn = { 0975-8887 },
pages = { 17-24 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume48/number14/7416-0413/ },
doi = { 10.5120/7416-0413 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T20:44:03.117633+05:30
%A Thaier Hamid
%A Carsten Maple
%A Paul Sant
%T Methodologies to Develop Quantitative Risk Evaluation Metrics
%J International Journal of Computer Applications
%@ 0975-8887
%V 48
%N 14
%P 17-24
%D 2012
%I Foundation of Computer Science (FCS), NY, USA
Abstract

The goal of this work is to advance a new methodology to measure a severity cost for each host using the Common Vulnerability Scoring System (CVSS), based on its base, temporal and environmental metrics, by combining the related sub-scores into a unique severity cost and modeling the problem's parameters in a mathematical framework. We build our own CVSS calculator using our equations to simplify the calculation of vulnerability scores and to benchmark against other models. We design and develop a new approach to represent the cost assigned to each host by dividing the vulnerability scores into two main privilege levels, user and root, and we classify these levels into operational levels to identify and calculate the severity cost of multi-step vulnerabilities. Finally, we implement our framework on a simple network, using the Nessus scanner as a tool to discover known vulnerabilities and using the results to build and represent our cost-centric attack graph.

Index Terms

Computer Science
Information Sciences

Keywords

Quantifying Security, CVSSv2, Overall CVSS Score, Attack Graph