A CVSS-based Vulnerability Assessment Method for Reducing Scoring Error | IEEE Conference Publication | IEEE Xplore


Abstract:

Vulnerability assessment is one of the important topics in cyberspace security; it mainly includes threat assessment, risk level assessment, vulnerability rating scores, etc. CVSS (Common Vulnerability Scoring System) is a vulnerability assessment method commonly used in academia and industry. However, CVSS has the following problems. First, CVSS is not very versatile in practical scoring: the values assigned to the metrics differ between people with different domain knowledge and working experience, which leads to error in the final score. Second, the weights of the CVSS metrics are rather subjective. To reduce scoring error, in this paper we propose a CVSS-based vulnerability assessment method that reduces the dimension of the vulnerability metrics. The method contains a vulnerability evaluation model based on a decision tree, which can reduce the error caused by manual scoring. The experiments show that reducing the vulnerability metrics leads to a reduction in scoring error.
Date of Conference: 27-29 December 2021
Date Added to IEEE Xplore: 01 April 2022
Conference Location: Sanya, China

I. Introduction

Vulnerability assessment has high research value, and its results can be used for network situational awareness, vulnerability patching, and auxiliary decision-making. Currently, the academic community has studied vulnerability assessment from different perspectives. There are vulnerability assessment methods based on expert systems, which commonly invite well-known experts to list the metrics that may affect the vulnerability assessment score and assign corresponding weights [1]. This is the approach taken by CVSS [2]–[6]. However, vulnerability assessment based on expert systems inevitably involves manual participation, and human subjective factors introduce scoring error. At present, the relevant methods based on expert systems cannot completely solve this problem. There are also machine learning-based vulnerability assessment methods, in which machine learning algorithms discover features common to vulnerabilities in a large amount of data and form models from them. These models generally have only a limited number of inputs, avoiding the situation where a large number of feature inputs need to be selected for manual scoring. Models formed with machine learning can be optimized as the data samples change, and their parameters can be adjusted as the task and assessment requirements change, so that the models can be adapted to the task. Such models have advantages in terms of scalability and ease of use. However, the accuracy of vulnerability assessment methods based on machine learning is not as good as that of methods based on expert systems, and it is difficult to obtain relevant vulnerability data sets.
