ABSTRACT
NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure for risk. One open question is whether such databases and scores are actually representative of attacks found in the wild. To address this question we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market and extracted another database of vulnerabilities from Symantec's Threat Database (SYM). Our final conclusion is that the NVD and EDB databases are not a reliable source of information for exploits in the wild, even after controlling for the CVSS and exploitability subscore. A high or medium CVSS score shows only a significant sensitivity (i.e. prediction of attacks in the wild) for vulnerabilities present in exploit kits (EKITS) in the black market. All datasets exhibit a low specificity.
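The abstract evaluates a CVSS band as a predictor of exploitation in the wild in terms of sensitivity and specificity. The following added example (not code from the paper) shows that evaluation: each record carries a CVSS v2 base score and a ground-truth flag, "score >= threshold" is the prediction, and the constructed sample below mimics the pattern the abstract reports, with high sensitivity but low specificity. The identifiers and scores are constructed, not real CVE data.

```python
from dataclasses import dataclass

# CVSS v2 qualitative bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0
MEDIUM = 4.0
HIGH = 7.0


@dataclass(frozen=True)
class Vuln:
    ident: str      # constructed placeholder, not a real CVE id
    cvss: float     # CVSS v2 base score
    in_wild: bool   # ground truth: observed in exploit kits / attack data


def confusion(vulns, threshold):
    """Treat 'cvss >= threshold' as the prediction 'will be exploited in the wild'.
    Returns (tp, fp, tn, fn) against the in_wild ground truth."""
    tp = fp = tn = fn = 0
    for v in vulns:
        predicted = v.cvss >= threshold
        if predicted and v.in_wild:
            tp += 1
        elif predicted:
            fp += 1
        elif v.in_wild:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def evaluate(vulns, threshold):
    """Sensitivity = share of exploited vulns the band catches;
    specificity = share of never-exploited vulns the band correctly leaves out."""
    tp, fp, tn, fn = confusion(vulns, threshold)
    sens = tp / (tp + fn) if tp + fn else float("nan")
    spec = tn / (tn + fp) if tn + fp else float("nan")
    return {"sensitivity": sens, "specificity": spec}


# Constructed sample: exploited entries mostly score High, but so do many
# entries that were never exploited, which is what drives specificity down.
KIT_SAMPLE = [
    Vuln("VULN-A1", 9.3, True), Vuln("VULN-A2", 10.0, True),
    Vuln("VULN-A3", 7.5, True), Vuln("VULN-A4", 6.8, True),
    Vuln("VULN-A5", 9.3, False), Vuln("VULN-A6", 7.2, False),
    Vuln("VULN-A7", 5.0, False), Vuln("VULN-A8", 2.1, False),
]

if __name__ == "__main__":
    for name, thr in (("HIGH", HIGH), ("MEDIUM", MEDIUM)):
        print(name, evaluate(KIT_SAMPLE, thr))
```

Lowering the band from High to Medium raises sensitivity to 1.0 on this sample but drops specificity to 0.25, which is the trade-off the abstract's "low specificity" finding points at.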