Logo ECMS

Digital Library

of the European Council for Modelling and Simulation

Title:

Expressing impact of vulnerabilities: an expert-filled dataset and vector changer framework for modelling multistage attacks, based on cve, cvss and cwe

Authors:
  • Tomasz Machalewski
  • Marcin Szymanek
  • Adam Czubak
  • Tomasz Turba
Published in:

(2024). ECMS 2024, 38th Proceedings
Edited by: Daniel Grzonka, Natalia Rylko, Grazyna Suchacka, Vladimir Mityushev, European Council for Modelling and Simulation.
DOI: http://doi.org/10.7148/2024
ISSN: 2522-2422 (ONLINE)
ISSN: 2522-2414 (PRINT)
ISSN: 2522-2430 (CD-ROM)
ISBN: 978-3-937436-84-5
ISBN: 978-3-937436-83-8 (CD) Communications of the ECMS Volume 38, Issue 1, June 2024, Cracow, Poland June 4th – June 7th, 2024

DOI:

https://doi.org/10.7148/2024-0569

Citation format:

Tomasz machalewski, Marcin szymanek, Adam czubak, Tomasz turba (2024). EXPRESSING IMPACT OF VULNERABILITIES: AN EXPERT-FILLED DATASET AND VECTOR CHANGER FRAMEWORK FOR MODELLING MULTISTAGE ATTACKS, BASED ON CVE, CVSS and CWE, ECMS 2024, Proceedings Edited by: Daniel Grzonka, Natalia Rylko, Grazyna Suchacka, Vladimir Mityushev, European Council for Modelling and Simulation. doi:10.7148/2024-0569

Abstract:

In this work we focus on measuring and attributing impacts to vulnerabilities. We do it in a two-fold way. First, we introduce a concept of Vector Changer – a CVSS-based measure of how successful exploitation of a vulnerability could lead to usage of consecutive vulnerabilities. The consecutive nature being crucial for analysis of multi-stage attacks and creation of attack graphs. Secondly, we present an expert-filled dataset containing CVE-attributed: Technical Impacts, CVSS and Vector Changer. The dataset contains data for 22 CVEs, each filled separately by three experts (66 CVE datapoints total). Each vulnerability has been assessed on four increasing levels of information availability. Finally, we present a lookup table that enables easy attribution of Vector Changers to vulnerabilities. We present initial findings for our dataset and efficiency of our lookup table in respect to the formulated dataset.

Full text: Download full text download paper in pdf