{"created":"2025-01-19T01:34:50.259659+00:00","updated":"2025-01-19T10:06:25.692356+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00233411","sets":["1164:1579:11464:11527"]},"path":["11527"],"owner":"44499","recid":"233411","title":["ソフトウェア脆弱性リスクの時間変化モデルのCVSS4評価基準への対応\\n"],"pubdate":{"attribute_name":"公開日","attribute_value":"2024-03-14"},"_buckets":{"deposit":"b0426aad-d233-4613-8869-99252bbb14dd"},"_deposit":{"id":"233411","pid":{"type":"depid","value":"233411","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"ソフトウェア脆弱性リスクの時間変化モデルのCVSS4評価基準への対応\\n","author_link":["633943","633945","633944","633942","633941","633946"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"ソフトウェア脆弱性リスクの時間変化モデルのCVSS4評価基準への対応\\n"},{"subitem_title":"Software Vulnerability Risk Growth Model for CVSS 4 Metrics","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"高信頼性","subitem_subject_scheme":"Other"}]},"item_type_id":"4","publish_date":"2024-03-14","item_4_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"拓殖大学工学部情報工学科"},{"subitem_text_value":"拓殖大学工学部情報工学科"},{"subitem_text_value":"拓殖大学工学部情報工学科"}]},"item_4_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Department of Computer Science, Takushoku University","subitem_text_language":"en"},{"subitem_text_value":"Department of Computer Science, Takushoku University","subitem_text_language":"en"},{"subitem_text_value":"Department of Computer Science, Takushoku University","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/233411/files/IPSJ-ARC24256026.pdf","label":"IPSJ-ARC24256026.pdf"},"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-ARC24256026.pdf","filesize":[{"value":"2.1 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"0","billingrole":"16"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_login","version_id":"28490e5b-5d4d-4852-9798-d735c414fa7f","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2024 by the Institute of Electronics, Information and Communication Engineers This SIG report is only available to those in membership of the SIG."}]},"item_4_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"岡田, 宇宙"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"蓑原, 隆"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"島川, 昌也"}],"nameIdentifiers":[{}]}]},"item_4_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Sora, Okada","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Takashi, Minohara","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Masaya, Shimakawa","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_4_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AN10096105","subitem_source_identifier_type":"NCID"}]},"item_4_textarea_12":{"attribute_name":"Notice","attribute_value_mlt":[{"subitem_textarea_value":"SIG Technical Reports are nonrefereed and hence may later appear in any journals, conferences, symposia, etc."}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_18gh","resourcetype":"technical report"}]},"item_4_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"2188-8574","subitem_source_identifier_type":"ISSN"}]},"item_4_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"情報システムを管理する者は管理対象のシステムに関するセキュリティ脆弱性情報に注意し適切に対策を施さなければならない．しかしセキュリティ脆弱性の報告件数の増加に伴い対策実施にかかる時間も増大しており，効率的な対策を行うには，リスクを評価し対策実施の優先順位をつける必要がある．このとき，脆弱性発見から攻撃手法の確立そして攻撃実行という時間経過を考えると，リスク評価は時間経過に対する変化を考慮しなければならない．脆弱性リスクの評価基準として共通脆弱性評価システム (CVSS) が使われているが，時間的な変化に十分に対応しているとは言えない．我々は，脆弱性リスクの時間的変化について脆弱性情報の共通 ID である CVE の予約時刻と情報公開時刻の差に注目した脆弱性リスク成長モデルを提案している．このモデルは CVSS 3.1 に基づいているが，今後の脆弱性の評価は，2023 年に決定された CVSS 4.0 に移行していくと考えられる．そこで，本研究では，脆弱性リスク成長モデルを CVSS 4.0 に対応させるための検討を行った．また，CVSS 4.0 の評価例に適用した結果についても報告する．","subitem_description_type":"Other"}]},"item_4_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Information system administrators must pay attention to system vulnerability information and take appropriate measures against security attacks on the systems they manage. However, as the number of security vulnerability reports increases, the time required to implement vulnerability remediation also increases, therefore vulnerability risks must be assessed and prioritized. Especially in the early stages of vulnerability discovery, such as zero-day attacks, the risk assessment must consider changes over time，since it takes time for the attack and countermeasures to spread. The Common Vulnerability Scoring System (CVSS) is used widely for vulnerability risk assessment, but it cannot be said that it can sufficiently cope with temporal changes of risk of attacks. We have proposed a software vulnerability risk growth model that focuses on the difference between the reservation time and the publication time of CVEs. The model is based on CVSS version 3.1, but the official specification of CVSS version 4.0 was published in 2023. CVSS 3.1 will be replaced by version 4.0 in the near future. In this study, we examined how to adapt our vulnerability risk growth model to CVSS 4.0. We also report the results of applying the model to CVSS 4.0 examples.","subitem_description_type":"Other"}]},"item_4_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"6","bibliographic_titles":[{"bibliographic_title":"研究報告システム・アーキテクチャ（ARC）"}],"bibliographicPageStart":"1","bibliographicIssueDates":{"bibliographicIssueDate":"2024-03-14","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"26","bibliographicVolumeNumber":"2024-ARC-256"}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"id":233411,"links":{}}