TL;DR: The Common Vulnerability Scoring System (CVSS) is a public initiative that addresses the problem of vendors scoring vulnerabilities by their own undisclosed methods, by presenting a framework for assessing and quantifying the impact of software vulnerabilities.
Abstract: Historically, vendors have used their own methods for scoring software vulnerabilities, usually without detailing their criteria or processes. This creates a major problem for users, particularly those who manage disparate IT systems and applications. The Common Vulnerability Scoring System (CVSS) is a public initiative designed to address this issue by presenting a framework for assessing and quantifying the impact of software vulnerabilities. Organizations currently generating CVSS scores include Cisco, the US National Institute of Standards and Technology (through the US National Vulnerability Database, NVD), Qualys, Oracle, and Tenable Network Security. CVSS offers the following benefits: 1) standardized vulnerability scores, 2) contextual scoring and 3) an open framework. The goal is for CVSS to facilitate the generation of consistent scores that accurately represent the impact of vulnerabilities.
TL;DR: The results demonstrate the advantages of CCC vehicles in improving traffic efficiency, but also show that increasing the penetration of CCC vehicles does not necessarily improve the robustness if the connectivity structure or the control gains are not appropriately designed.
Abstract: In this paper, we investigate the effects of heterogeneous connectivity structures and information delays on the dynamics of connected vehicle systems (CVSs), which are composed of vehicles equipped with connected cruise control (CCC) as well as conventional vehicles. First, a general framework is presented for CCC design that incorporates information delays and allows a large variety of connectivity structures. Then, we present delay-dependent criteria for plant stability and head-to-tail string stability of CVSs. The stability conditions are visualized by using stability diagrams, which allow one to evaluate the robustness of vehicle networks against information delays. To achieve modular and scalable design of large networks, we also propose a motif-based approach. Our results demonstrate the advantages of CCC vehicles in improving traffic efficiency, but also show that increasing the penetration of CCC vehicles does not necessarily improve the robustness if the connectivity structure or the control gains are not appropriately designed.
TL;DR: Analysis reveals that fixing a vulnerability just because it was assigned a high CVSS score is equivalent to randomly picking vulnerabilities to fix; the existence of proof-of-concept exploits is a significantly better risk factor; and fixing in response to exploit presence in black markets yields the largest risk reduction.
Abstract: (U.S.) Rule-based policies for mitigating software risk suggest using the CVSS score to measure the risk of an individual vulnerability and act accordingly. A key issue is whether the ‘danger’ score does actually match the risk of exploitation in the wild, and if and how such a score could be improved. To address this question, we propose using a case-control study methodology similar to the procedure used to link lung cancer and smoking in the 1950s. A case-control study allows the researcher to draw conclusions on the relation between some risk factor (e.g., smoking) and an effect (e.g., cancer) by looking backward at the cases (e.g., patients) and comparing them with controls (e.g., randomly selected patients with similar characteristics). The methodology allows us to quantify the risk reduction achievable by acting on the risk factor. We illustrate the methodology by using publicly available data on vulnerabilities, exploits, and exploits in the wild to (1) evaluate the performance of the current risk factor in the industry, the CVSS base score; (2) determine whether it can be improved by considering additional factors such as the existence of a proof-of-concept exploit, or of an exploit in the black markets. Our analysis reveals that (a) fixing a vulnerability just because it was assigned a high CVSS score is equivalent to randomly picking vulnerabilities to fix; (b) the existence of proof-of-concept exploits is a significantly better risk factor; (c) fixing in response to exploit presence in black markets yields the largest risk reduction.
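The case-control statistic behind the abstract above is the odds ratio: how much more common a candidate risk factor (High CVSS score, published proof of concept) is among exploited vulnerabilities (cases) than among unexploited ones (controls). The following is an added example, not the authors' code or data: it builds the 2x2 table for each factor from a small constructed sample (the identifiers are placeholders, not CVEs, and the records are invented) and reports the odds ratio with Woolf's approximate 95% confidence interval. The sample is deliberately arranged so that the two factors separate; the paper's actual risk-reduction figures come from real NVD, exploit-database and black-market data and are not reproduced here.

```python
"""Case-control odds ratio for vulnerability risk factors (added example,
not code from the paper above).

Cases    : vulnerabilities with a known exploit in the wild
Controls : vulnerabilities with no known exploitation
Factor   : a property a remediation policy might key on, e.g. a High CVSS
           base score or a published proof-of-concept exploit.
The records below are constructed for illustration; the ids are not CVEs.
"""
import math
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Vuln:
    vid: str
    cvss_base: float
    has_poc: bool              # public proof-of-concept exploit exists
    exploited_in_wild: bool    # True -> case, False -> control


# Constructed sample (invented values, not real vulnerabilities).
SAMPLE = [
    Vuln("v01", 9.3, True, True),
    Vuln("v02", 5.0, True, True),
    Vuln("v03", 7.5, True, True),
    Vuln("v04", 4.3, False, True),
    Vuln("v05", 10.0, False, False),
    Vuln("v06", 7.2, False, False),
    Vuln("v07", 9.3, True, False),
    Vuln("v08", 4.3, False, False),
    Vuln("v09", 6.8, False, False),
    Vuln("v10", 7.5, False, False),
    Vuln("v11", 5.0, False, False),
    Vuln("v12", 2.1, False, False),
]

FACTORS = {
    "cvss_high": lambda v: v.cvss_base >= 7.0,   # NVD's 'High' band for v2 scores
    "poc_exists": lambda v: v.has_poc,
}


def contingency(vulns: Iterable[Vuln], factor: Callable[[Vuln], bool]):
    """2x2 table: (exposed cases, exposed controls, unexposed cases, unexposed controls)."""
    a = b = c = d = 0
    for v in vulns:
        exposed = factor(v)
        if v.exploited_in_wild:
            if exposed:
                a += 1
            else:
                c += 1
        else:
            if exposed:
                b += 1
            else:
                d += 1
    return a, b, c, d


def odds_ratio(a, b, c, d, z=1.96):
    """Odds ratio with Woolf's approximate 95% CI.

    OR > 1: the factor is more common among exploited vulnerabilities.
    OR ~ 1: fixing on that factor is no better than fixing at random.
    A 0.5 continuity correction is applied to every cell if any cell is empty.
    """
    if 0 in (a, b, c, d):
        a, b, c, d = (x + 0.5 for x in (a, b, c, d))
    odds = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    lo = math.exp(math.log(odds) - z * se)
    hi = math.exp(math.log(odds) + z * se)
    return odds, lo, hi


def evaluate(vulns=SAMPLE, factors=FACTORS):
    """Odds ratio and CI for each candidate risk factor over the sample."""
    out = {}
    for name, f in factors.items():
        a, b, c, d = contingency(vulns, f)
        out[name] = {"table": (a, b, c, d), "or": odds_ratio(a, b, c, d)}
    return out


if __name__ == "__main__":
    for name, r in evaluate().items():
        o, lo, hi = r["or"]
        print(f"{name:11s} table={r['table']}  OR={o:.2f}  95% CI=({lo:.2f}, {hi:.2f})")
```

With twelve records the confidence intervals are very wide, which is the point of running the calculation rather than eyeballing a table: a factor is only useful as a remediation trigger when the lower bound of its interval is comfortably above 1.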
TL;DR: Analysis of CVSS version 2 shows that the goals for the changes were met, but that some changes had a negligible effect on scoring while complicating the scoring process.
Abstract: The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. Finalized in 2007, CVSS version 2 was designed to address deficiencies found during analysis and use of the original CVSS version. This paper analyzes how effectively CVSS version 2 addresses these deficiencies and what new deficiencies it may have. This analysis is based primarily on an experiment that applied both version 1 and version 2 scoring to a large set of recent vulnerabilities. Theoretical characteristics of version 1 and version 2 scores were also examined. The results show that the goals for the changes were met, but that some changes had a negligible effect on scoring while complicating the scoring process. The changes also had unintended effects on organizations that prioritize vulnerability remediation based primarily on CVSS scores.
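The CVSS v2 base equation that the experiment above applies to a large set of vulnerabilities is small enough to implement and check by hand. The following is an added example, not code from either paper: it parses a v2 base vector, computes the Impact and Exploitability sub-scores and the rounded base score using the weights from the v2.0 specification, and maps the result onto NVD's v2 severity bands (Low 0.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 10.0; the banding is NVD's, not part of the v2 equation itself).

```python
"""CVSS v2.0 base-score calculator (added example, not code from the papers above).

Base equation from the CVSS v2.0 specification:
    Impact         = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A))
    Exploitability = 20 * AV * AC * Au
    f(Impact)      = 0 if Impact == 0 else 1.176
    BaseScore      = round_1((0.6 * Impact + 0.4 * Exploitability - 1.5) * f(Impact))
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights as tabulated in the v2.0 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality / Integrity / Availability impact

_REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Split a base vector such as 'AV:N/AC:L/Au:N/C:P/I:N/A:N' into its metrics.

    Temporal and environmental metrics, if present, are ignored: the base
    score depends only on the six base metrics.
    """
    vec = vector.strip()
    if vec.startswith("(") and vec.endswith(")"):   # NVD sometimes parenthesises vectors
        vec = vec[1:-1]
    pairs = {}
    for part in vec.split("/"):
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        k, v = part.split(":", 1)
        pairs[k] = v
    missing = [k for k in _REQUIRED if k not in pairs]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return {k: pairs[k] for k in _REQUIRED}


def _round1(x: float) -> float:
    # The spec rounds to one decimal place, halves upward. Python's round() is
    # round-half-to-even, so go through Decimal to get 9.95 -> 10.0, not 9.9.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> dict:
    """Return rounded impact, exploitability and base scores for a v2 base vector."""
    m = parse_vector(vector)
    try:
        c, i, a = _CIA[m["C"]], _CIA[m["I"]], _CIA[m["A"]]
        av, ac, au = _AV[m["AV"]], _AC[m["AC"]], _AU[m["Au"]]
    except KeyError as err:
        raise ValueError(f"unknown metric value {err} in {vector!r}") from None
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * av * ac * au
    if impact == 0:
        # f(Impact) = 0: with no impact the base score is 0 however exploitable the flaw is.
        score = 0.0
    else:
        score = _round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)
    return {"impact": _round1(impact), "exploitability": _round1(exploitability), "base": score}


def nvd_severity(score: float) -> str:
    """NVD's qualitative banding for v2 scores (the v2 specification defines none)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    for vec in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",   # unauthenticated remote full compromise
                "AV:N/AC:L/Au:N/C:P/I:N/A:N",   # unauthenticated remote partial information leak
                "AV:L/AC:H/Au:M/C:N/I:N/A:N"):  # no impact at all
        r = base_score(vec)
        print(f"{vec}  impact={r['impact']} exploitability={r['exploitability']} "
              f"base={r['base']} ({nvd_severity(r['base'])})")
```

The rounding helper matters more than it looks: the full-compromise vector evaluates to about 9.995 before rounding, and round-half-to-even would report 9.9 where every published scorer reports 10.0. The same care is needed when comparing v1 and v2 scores across a large vulnerability set, since a remediation policy keyed on a threshold such as 7.0 is sensitive to exactly these boundary cases.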
TL;DR: A proactive CAV cyber-risk classification model is proposed which overcomes the lack of historical attack data by incorporating known software vulnerabilities contained within the US National Vulnerability Database into the model building and testing phases, and can be used to predict the effect of risk reduction measures.
Abstract: The proliferation of technologies embedded in connected and autonomous vehicles (CAVs) increases the potential of cyber-attacks. The communication systems between vehicles and infrastructure present remote attack access for malicious hackers to exploit system vulnerabilities. Increased connectivity combined with autonomous driving functions poses a considerable threat to the vast socioeconomic benefits promised by CAVs. However, the absence of historical information on cyber-attacks means that traditional risk assessment methods are rendered ineffective. This paper proposes a proactive CAV cyber-risk classification model which overcomes this issue by incorporating known software vulnerabilities contained within the US National Vulnerability Database into the model building and testing phases. This method uses a Bayesian Network (BN) model, premised on the variables and causal relationships derived from the Common Vulnerability Scoring System (CVSS), to represent the probabilistic structure and parameterisation of CAV cyber-risk. The resulting BN model is validated with an out-of-sample test demonstrating nearly 100% prediction accuracy of the quantitative risk score and qualitative risk level. The model is then applied to the use case of the GPS systems of a CAV with and without cryptographic authentication. In the use case, we demonstrate how the model can be used to predict the effect of risk reduction measures.