Evaluating the Data Inconsistency of Open-Source Vulnerability Repositories

Proceedings of the 16th International Conference on Availability, Reliability and Security Pub Date : 2021-08-16 DOI:10.1145/3465481.3470093

Yuning Jiang, M. Jeusfeld, Jianguo Ding

{"title":"Evaluating the Data Inconsistency of Open-Source Vulnerability Repositories","authors":"Yuning Jiang, M. Jeusfeld, Jianguo Ding","doi":"10.1145/3465481.3470093","DOIUrl":null,"url":null,"abstract":"Modern security practices promote quantitative methods to provide prioritisation insights and support predictive analysis, which is supported by open-source cybersecurity databases such as the Common Vulnerabilities and Exposures (CVE), the National Vulnerability Database (NVD), CERT, and vendor websites. These public repositories provide a way to standardise and share up-to-date vulnerability information, with the purpose to enhance cybersecurity awareness. However, data quality issues of these vulnerability repositories may lead to incorrect prioritisation and misemployment of resources. In this paper, we aim to empirically analyse the data quality impact of vulnerability repositories for actual information technology (IT) and operating technology (OT) systems, especially on data inconsistency. Our case study shows that data inconsistency may misdirect investment of cybersecurity resources. Instead, correlated vulnerability repositories and trustworthiness data verification bring substantial benefits for vulnerability management.","PeriodicalId":417395,"journal":{"name":"Proceedings of the 16th International Conference on Availability, Reliability and Security","volume":"49 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 16th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3465481.3470093","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

Abstract

Modern security practices promote quantitative methods to provide prioritisation insights and support predictive analysis, which is supported by open-source cybersecurity databases such as the Common Vulnerabilities and Exposures (CVE), the National Vulnerability Database (NVD), CERT, and vendor websites. These public repositories provide a way to standardise and share up-to-date vulnerability information, with the purpose to enhance cybersecurity awareness. However, data quality issues of these vulnerability repositories may lead to incorrect prioritisation and misemployment of resources. In this paper, we aim to empirically analyse the data quality impact of vulnerability repositories for actual information technology (IT) and operating technology (OT) systems, especially on data inconsistency. Our case study shows that data inconsistency may misdirect investment of cybersecurity resources. Instead, correlated vulnerability repositories and trustworthiness data verification bring substantial benefits for vulnerability management.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

开源漏洞库数据不一致性评估

现代安全实践促进了定量方法，以提供优先级见解和支持预测分析，这得到了开源网络安全数据库的支持，如通用漏洞和暴露(CVE)、国家漏洞数据库(NVD)、CERT和供应商网站。这些公共存储库提供了一种标准化和共享最新漏洞信息的方法，目的是提高网络安全意识。然而，这些漏洞存储库的数据质量问题可能导致资源的不正确优先级和误用。本文旨在实证分析漏洞库对实际信息技术(IT)和操作技术(OT)系统数据质量的影响，特别是对数据不一致的影响。我们的案例研究表明，数据不一致可能会误导网络安全资源的投资。相反，相关漏洞库和可信数据验证为漏洞管理带来了实质性的好处。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Proceedings of the 16th International Conference on Availability, Reliability and Security

自引率

0.00%

发文量