Refining CVSS-Based Network Security Metrics by Examining the Base Scores

  • Pengsu Cheng
  • Lingyu WangEmail author
  • Sushil Jajodia
  • Anoop Singhal


A network security metric enables the direct measurement of the effectiveness of network security solutions. Combining CVSS scores of individual vulnerabilities provides a measurement of the overall security of networks with respect to potential attacks. However, most existing approaches to combining such scores, either based on attack graphs or Bayesian networks, share two limitations. First, a dependency relationship between vulnerabilities will either be ignored, or modeled in an arbitrary way. Second, only one aspect of the scores, the probability of successful attacks, has been considered. In this chapter, we address those issues as follows. First, instead of taking each base score as an input, our approach works at the underlying base metric level where dependency relationships have well-defined semantics. Second, our approach interprets and combines scores in three different aspects, namely, probability, effort, and skill, which may broaden the scope of applications for CVSS and allow users to weigh different aspects of the score for their specific needs. Finally, we evaluate our approach through simulation.



Authors with Concordia University were partially supported by the Natural Sciences and Engineering Research Council of Canada under Discovery Grant N01035. Sushil Jajodia was partially supported by the by Army Research Office grants W911NF-13-1-0421 and W911NF-15-1-0576, by the Office of Naval Research grant N00014-15-1-2007, National Institutes of Standard and Technology grant 60NANB16D287, and by the National Science Foundation grant IIP-1266147.


  1. 1.
    P. Ammann, D. Wijesekera, S. Kaushik, Scalable, graph-based network vulnerability analysis, in Proceedings of CCS’02 (2002)Google Scholar
  2. 2.
    Boston university representative internet topology generator. Available at
  3. 3.
    M. Frigault, L. Wang, A. Singhal, S. Jajodia, Measuring network security using dynamic Bayesian network, in Proceedings of ACM workshop on Quality of protection (2008)Google Scholar
  4. 4.
    L. Gallon, Vulnerability discrimination using CVSS framework, in 2011 4th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Feb (2011), pp. 1–6Google Scholar
  5. 5.
    Georgia tech internetwork topology models topology generator. Available at
  6. 6.
    S. Jajodia, S. Noel, B. O’Berry, Topological analysis of network attack vulnerability, in Managing Cyber Threats: Issues, Approaches and Challenges, ed. by V. Kumar, J. Srivastava, A. Lazarevic (Kluwer Academic Publisher, 2003)Google Scholar
  7. 7.
    P. Mell, K. Scarfone, S. Romanosky, Common vulnerability scoring system. IEEE Secur. Privacy Mag. 4(6), 85–89 (2006)CrossRefGoogle Scholar
  8. 8.
    National vulnerability database. Available at:,May9,2008Google Scholar
  9. 9.
    L. Wang, T. Islam, T. Long, A. Singhal, S. Jajodia, An attack graph-based probabilistic security metric, in Proceedings of The 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec’08) (2008)Google Scholar
  10. 10.
    L. Wang, S. Jajodia, A. Singhal, S. Noel, k-zero day safety: measuring the security risk of networks against unknown attacks, in Proceedings of the 15th European Symposium on Research in Computer Security (ESORICS’10) (2010)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Pengsu Cheng
    • 1
  • Lingyu Wang
    • 1
    Email author
  • Sushil Jajodia
    • 2
  • Anoop Singhal
    • 3
  1. 1.Concordia Institute for Information Systems EngineeringConcordia UniversityMontrealCanada
  2. 2.Center for Secure Information SystemsGeorge Mason UniversityFairfaxUSA
  3. 3.Computer Security DivisionNISTGaithersburgUSA

Personalised recommendations