Abstract

Software vulnerabilities have significant costs associated with them. To aid in prioritizing vulnerabilities, analysts often use the Common Vulnerability Scoring System (CVSS) Base severity scores. However, the Base scores provided by the National Vulnerability Database are subjective and may incorrectly convey the severity of a vulnerability in an organization's network. This thesis proposes a method to statically analyze context-aware network graphs to increase the accuracy of CVSS severity scores. Experimentation with the proposed methodology determines that context-aware network graphs can capture the metrics required to generate modified severity scores. The proposed approach achieves some accuracy, but leaves room for additional network context to further refine Environmental severity scores.

Publication Date

12-15-2021

Document Type

Thesis

Student Type

Graduate

Degree Name

Software Engineering (MS)

Department, Program, or Center

Software Engineering (GCCIS)

Advisor

J Scott Hawker

Advisor/Committee Member

Mehdi Mirakhorli

Advisor/Committee Member

Mohamed Wiem Mkaouer

Campus

RIT – Main Campus
