A preliminary analysis of vulnerability scores for attacks in wild: The EKITS and SYM datasets

L. Allodi, F. Massacci

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

28 Citations (Scopus)

Abstract

NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure for risk. On open question is whether such databases and scores are actually representative of attacks found in the wild. To address this question we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market and extracted another database of vulnerabilities from Symantec's Threat Database (SYM). Our final conclusion is that the NVD and EDB databases are not a reliable source of information for exploits in the wild, even after controlling for the CVSS and exploitability subscore. An high or medium CVSS score shows only a significant sensitivity (i.e. prediction of attacks in the wild) for vulnerabilities present in exploit kits (EKITS) in the black market. All datasets exhibit a low specificity.

Original languageEnglish
Title of host publicationBADGERS'12 - Proceedings of the Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
Pages17-24
Number of pages8
DOIs
Publication statusPublished - 2012
Externally publishedYes
Event2012 ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, BADGERS 2012 - Raleigh, NC, United States
Duration: 15 Oct 201215 Oct 2012

Conference

Conference2012 ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, BADGERS 2012
CountryUnited States
CityRaleigh, NC
Period15/10/1215/10/12

Keywords

  • CVSS
  • Security metrics
  • Vulnerability datasets

Cite this

Allodi, L., & Massacci, F. (2012). A preliminary analysis of vulnerability scores for attacks in wild: The EKITS and SYM datasets. In BADGERS'12 - Proceedings of the Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (pp. 17-24) https://doi.org/10.1145/2382416.2382427