Title:
Expressing impact of vulnerabilities: an expert-filled dataset and vector changer framework for modelling multistage attacks, based on CVE, CVSS and CWE
Authors:
- Tomasz Machalewski
- Marcin Szymanek
- Adam Czubak
- Tomasz Turba
Published in:
(2024). ECMS 2024, 38th Proceedings
Edited by: Daniel Grzonka, Natalia Rylko, Grazyna Suchacka, Vladimir Mityushev, European Council for Modelling and Simulation.
DOI: http://doi.org/10.7148/2024
ISSN: 2522-2422 (ONLINE)
ISSN: 2522-2414 (PRINT)
ISSN: 2522-2430 (CD-ROM)
ISBN: 978-3-937436-84-5
ISBN: 978-3-937436-83-8 (CD)
Communications of the ECMS, Volume 38, Issue 1, June 2024, Cracow, Poland, June 4th – June 7th, 2024
DOI:
https://doi.org/10.7148/2024-0569
Citation format:
Tomasz Machalewski, Marcin Szymanek, Adam Czubak, Tomasz Turba (2024). EXPRESSING IMPACT OF VULNERABILITIES: AN EXPERT-FILLED DATASET AND VECTOR CHANGER FRAMEWORK FOR MODELLING MULTISTAGE ATTACKS, BASED ON CVE, CVSS AND CWE, ECMS 2024, Proceedings Edited by: Daniel Grzonka, Natalia Rylko, Grazyna Suchacka, Vladimir Mityushev, European Council for Modelling and Simulation. doi:10.7148/2024-0569
Abstract:
In this work we focus on measuring and attributing impacts to vulnerabilities. We do it in a two-fold way. First, we introduce the concept of a Vector Changer – a CVSS-based measure of how successful exploitation of a vulnerability could lead to the use of consecutive vulnerabilities, the consecutive nature being crucial for the analysis of multi-stage attacks and the creation of attack graphs. Second, we present an expert-filled dataset containing CVE-attributed Technical Impacts, CVSS and Vector Changer. The dataset contains data for 22 CVEs, each filled in separately by three experts (66 CVE datapoints in total). Each vulnerability has been assessed at four increasing levels of information availability. Finally, we present a lookup table that enables easy attribution of Vector Changers to vulnerabilities. We present initial findings for our dataset and the efficiency of our lookup table with respect to the formulated dataset.