Gotta Catch 'em All: Aggregating CVSS Scores
- URL: http://arxiv.org/abs/2310.02062v1
- Date: Tue, 3 Oct 2023 14:04:40 GMT
- Title: Gotta Catch 'em All: Aggregating CVSS Scores
- Authors: Angel Longueira-Romero, Jose Luis Flores, Rosa Iglesias, Iñaki Garitano
- Abstract summary: We propose a CVSS aggregation algorithm that integrates information about the functionality of the SUT, exploitation difficulty, existence of exploits, and the context where the SUT operates.
The aggregation algorithm was applied to OpenPLC V3, showing that it is capable of filtering out vulnerabilities that cannot be exploited in the real conditions of deployment.
- Score: 1.5839621757142595
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Security metrics are not standardized, but international proposals such as the Common Vulnerability Scoring System (CVSS) for quantifying the severity of known vulnerabilities are widely used. Many CVSS aggregation mechanisms have been proposed in the literature. Nevertheless, factors related to the context of the System Under Test (SUT) are not taken into account in the aggregation process, namely vulnerabilities that in theory affect the SUT but are not exploitable in reality. We propose a CVSS aggregation algorithm that integrates information about the functionality disruption of the SUT, exploitation difficulty, existence of exploits, and the context where the SUT operates. The aggregation algorithm was applied to OpenPLC V3, showing that it is capable of filtering out vulnerabilities that cannot be exploited in the real conditions of deployment of the particular system. Finally, because of the nature of the proposed algorithm, the result can be interpreted in the same way as a normal CVSS.
Related papers
- Data-Driven Distributionally Robust Safety Verification Using Barrier Certificates and Conditional Mean Embeddings [0.24578723416255752]
  We develop scalable formal verification algorithms without shifting the problem to unrealistic assumptions.
  In a pursuit of developing scalable formal verification algorithms without shifting the problem to unrealistic assumptions, we employ the concept of barrier certificates.
  We show how to solve the resulting program efficiently using sum-of-squares optimization and a Gaussian process envelope.
  arXiv Detail & Related papers (2024-03-15T17:32:02Z)
- Coding-Based Hybrid Post-Quantum Cryptosystem for Non-Uniform Information [53.85237314348328]
  We introduce for non-uniform messages a novel hybrid universal network coding cryptosystem (NU-HUNCC).
  We show that NU-HUNCC is information-theoretically individually secured against an eavesdropper with access to any subset of the links.
  arXiv Detail & Related papers (2024-02-13T12:12:39Z)
- Open-Vocabulary Segmentation with Semantic-Assisted Calibration [73.39366775301382]
  We study open-vocabulary segmentation (OVS) through calibrating in-vocabulary and domain-biased embedding space with contextual prior of CLIP.
  We present a Semantic-assisted CAlibration Network (SCAN) to achieve state-of-the-art performance on open-vocabulary segmentation benchmarks.
  arXiv Detail & Related papers (2023-12-07T07:00:09Z)
- SABLE: Secure And Byzantine robust LEarning [9.455980760111498]
  Homomorphic encryption (HE) has emerged as a leading security measure to preserve privacy in distributed learning.
  This paper introduces SABLE, the first homomorphic and Byzantine robust distributed learning algorithm.
  arXiv Detail & Related papers (2023-09-11T11:54:42Z)
- Ensembling Uncertainty Measures to Improve Safety of Black-Box Classifiers [3.130722489512822]
  SPROUT is a Safety wraPper thROugh ensembles of UncertainTy measures.
  It suspects misclassifications by computing uncertainty measures on the inputs and outputs of a black-box classifier.
  The resulting impact on safety is that SPROUT transforms erratic outputs (misclassifications) into data omission failures.
  arXiv Detail & Related papers (2023-08-23T11:24:28Z)
- Capsa: A Unified Framework for Quantifying Risk in Deep Neural Networks [142.67349734180445]
  Existing algorithms that provide risk-awareness to deep neural networks are complex and ad hoc.
  Here we present capsa, a framework for extending models with risk-awareness.
  arXiv Detail & Related papers (2023-08-01T02:07:47Z)
- On Leave-One-Out Conditional Mutual Information For Generalization [122.2734338600665]
  We derive information-theoretic generalization bounds for supervised learning algorithms based on a new measure of leave-one-out conditional mutual information (loo-CMI).
  Contrary to other CMI bounds, our loo-CMI bounds can be computed easily and can be interpreted in connection to other notions such as classical leave-one-out cross-validation.
  We empirically validate the quality of the bound by evaluating its predicted generalization gap in scenarios for deep learning.
  arXiv Detail & Related papers (2022-07-01T17:58:29Z)
- CVSS-BERT: Explainable Natural Language Processing to Determine the Severity of a Computer Security Vulnerability from its Description [0.0]
  Cybersecurity experts provide an analysis of the severity of a vulnerability using the Common Vulnerability Scoring System (CVSS).
  We propose to leverage recent advances in the field of Natural Language Processing (NLP) to determine the CVSS vector and the associated severity score of a vulnerability in an explainable manner.
  arXiv Detail & Related papers (2021-11-16T14:31:09Z)
- Subsystem analysis of continuous-variable resource states [0.0]
  Continuous-variable (CV) cluster states are a universal resource for fault-tolerant quantum computation.
  We generalize the recently introduced subsystem decomposition of a bosonic code to analyze CV cluster-state quantum computing.
  arXiv Detail & Related papers (2021-02-21T03:50:10Z)
- Unsupervised Domain Adaptation for Speech Recognition via Uncertainty Driven Self-Training [55.824641135682725]
  Domain adaptation experiments using WSJ as a source domain and TED-LIUM 3 as well as SWITCHBOARD show that up to 80% of the performance of a system trained on ground-truth data can be recovered.
  arXiv Detail & Related papers (2020-11-26T18:51:26Z)
- Risk-Constrained Thompson Sampling for CVaR Bandits [82.47796318548306]
  We consider a popular risk measure in quantitative finance known as the Conditional Value at Risk (CVaR).
  We explore the performance of a Thompson Sampling-based algorithm, CVaR-TS, under this risk measure.
  arXiv Detail & Related papers (2020-11-16T15:53:22Z)
This list is automatically generated from the titles and abstracts of the papers on this site.