
How can I find risk and probability from CVE (https://cve.mitre.org/)? I read an article and it says (pg 14),

The cost is derived from the attack tree, and risk and probability are based on CVE

The article is about DoS attacks and IoT networks.

Vilius Povilaika

2 Answers


CVE is not going to provide that level of information, as you probably saw. CVSS, on the other hand, does. CVE often links to the NVD, which uses CVSS scoring, so it might be an easy mistake to make.

Many information security people confuse "risk" with "impact". So, if we assume that they meant "impact and probability are based on CVSS", then everything makes sense.

Here's an example: https://nvd.nist.gov/vuln/detail/CVE-2017-14888

Impact
CVSS v3.0 Severity and Metrics:
Base Score: 7.8 HIGH 
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (V3 legend) 
Impact Score: 5.9 
Exploitability Score: 1.8

Attack Vector (AV): Local 
Attack Complexity (AC): Low 
Privileges Required (PR): Low 
User Interaction (UI): None 
Scope (S): Unchanged 
Confidentiality (C): High 
Integrity (I): High 
Availability (A): High

The long string of codes helps to define the problem.

Impact and probability are often determined directly from the "Impact Score" and "Exploitability Score" of the vulnerability. Whether they should do that is another issue entirely. But it is a common practice and a straightforward thing to do for consistency in a research paper.

schroeder

I think they actually meant risk and probability, and not impact and probability, because in the article we have several formulas to calculate impact.

See the formula to calculate impact here...

Risk and impact have different values in this article, so I don't think they made a mistake!

schroeder
  • Then if they do not define what they mean by "risk", you need to contact them about what they mean. – schroeder Jan 29 '19 at 15:03
  • I still think they mean the CVSS impact score, but they calculate "impact" separately in their paper, so they needed a different term. But, I'm guessing, and you need to contact the authors. – schroeder Jan 29 '19 at 15:05
  • I sent an email to the authors. They saw my mail but don't answer me! How long does it take for authors to answer me? Any idea? – hamed sharafi Jan 31 '19 at 07:16