Can the Common Vulnerability Scoring System be Trusted?: A Bayesian Analysis
KTH, School of Electrical Engineering (EES), Electric Power and Energy Systems (Software Systems Architecture & Security). ORCID iD: 0000-0002-3293-1681
KTH, School of Electrical Engineering and Computer Science (EECS), Network and Systems Engineering (Software Systems Architecture & Security). ORCID iD: 0000-0003-3089-3885
KTH, School of Electrical Engineering (EES), Electric Power and Energy Systems (Software Systems Architecture & Security). ORCID iD: 0000-0003-3922-9606
SICS.
2018 (English). In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 15, no. 6, p. 1002-1015, article id 7797152. Article in journal (Refereed). Published.
Abstract [en]

The Common Vulnerability Scoring System (CVSS) is the state-of-the-art system for assessing software vulnerabilities. However, it has been criticized for lack of validity and practitioner relevance. In this paper, the credibility of the CVSS scoring data found in five leading databases – NVD, X-Force, OSVDB, CERT-VN, and Cisco – is assessed. A Bayesian method is used to infer the most probable true values underlying the imperfect assessments of the databases, thus circumventing the problem that ground truth is not known. It is concluded that, with the exception of a few dimensions, the CVSS is quite trustworthy. The databases are relatively consistent, but some are better than others. The expected accuracy of each database for a given dimension can be found by marginalizing confusion matrices. By this measure, NVD is the best and OSVDB is the worst of the assessed databases.

Place, publisher, year, edition, pages
IEEE Press, 2018. Vol. 15, no. 6, p. 1002-1015, article id 7797152
Keywords [en]
cyber security, software vulnerability, CVSS, information security
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:kth:diva-200695
DOI: 10.1109/TDSC.2016.2644614
ISI: 000449980000008
Scopus ID: 2-s2.0-85056520813
OAI: oai:DiVA.org:kth-200695
DiVA, id: diva2:1070329
Funder
EU, FP7, Seventh Framework Programme, 607109
Swedish Civil Contingencies Agency, 2015-6986
Note

QC 20170202

Available from: 2017-02-01. Created: 2017-02-01. Last updated: 2018-11-28. Bibliographically approved.

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text
Scopus

Authority records

Johnson, Pontus; Lagerström, Robert; Ekstedt, Mathias
