Confidence score calculation for hardware vulnerability assessment
Confidence Score is displayed for partially matched assessments, vulnerable items (VITs), and ignored assessments.
About Confidence Score Calculation
HVA uses a scoring mechanism called Confidence Score to indicate the accuracy of the CVE data matching the CPE-mapped normalized content of an OT device. Confidence Score is an aggregated calculation of the matching scores created by the matching algorithm in HVA.
- Fully matched assessments: The Confidence Score is 1 because all the parameters in the CVE information match the device discovery model values available for the OT device.
- Partially matched assessments: The Confidence Score is less than 1 because not all the parameters in the CPE information match the device discovery model values available for the OT device.
The following is an example of calculating the Confidence Score from the Common Platform Enumeration (CPE) information available for an OT device.
The following is a sample of a vulnerability assessment record, CVE-2019-13946:
The following is a sample of information available in CPE Firmware mapped to the OT device, OT_device_demo_internal_963:
The following is a sample of the information available in discovery model for the OT device, OT_device_demo_internal_963:
How to calculate the confidence score
- The Model information is only a partial match, so the model score is assigned a value of 20.
- The Version information doesn't match so the version score is assigned a value of 0.
(base score + publisher score + model score + version score) / 100
= (25 + 25 + 20 + 0) / 100
= 70 / 100
= 0.70
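The aggregation described above, as an added Python example that is not part of this page or of HVA itself. Only the base score (25), the full publisher score (25), the partial model score (20) and the non-matching version score (0) come from the page; the remaining weights and the string-comparison heuristic are assumptions, labelled as such in the code, and the device values are constructed because the page shows its records only as figures.

```python
import re
from enum import Enum


class Match(Enum):
    NONE = "none"
    PARTIAL = "partial"
    FULL = "full"


# Points per parameter and match level. "page" = taken from the worked
# example above; "assumed" = not on the page, chosen only so that a fully
# matched assessment totals 100 points (the page states its score is 1).
BASE_SCORE = 25  # page
WEIGHTS = {
    "publisher": {Match.FULL: 25, Match.PARTIAL: 20, Match.NONE: 0},  # FULL page; PARTIAL assumed
    "model":     {Match.FULL: 25, Match.PARTIAL: 20, Match.NONE: 0},  # PARTIAL page; FULL assumed
    "version":   {Match.FULL: 25, Match.PARTIAL: 20, Match.NONE: 0},  # NONE page; others assumed
}


def _tokens(value):
    return {t for t in re.split(r"[^a-z0-9]+", value.lower()) if t}


def classify(cpe_value, discovered_value):
    """Compare one CPE field with the discovery model value.

    Assumption: HVA's real matching rules are not on the page. This heuristic
    treats identical (case-insensitive) values as FULL, values sharing at
    least one token as PARTIAL, and anything else as NONE.
    """
    if cpe_value.lower() == discovered_value.lower():
        return Match.FULL
    if _tokens(cpe_value) & _tokens(discovered_value):
        return Match.PARTIAL
    return Match.NONE


def confidence_score(matches):
    """Aggregate: (base score + publisher + model + version) / 100."""
    points = BASE_SCORE + sum(WEIGHTS[p][m] for p, m in matches.items())
    return points / 100


def assess(cpe, discovered):
    matches = {p: classify(cpe[p], discovered[p]) for p in WEIGHTS}
    return matches, confidence_score(matches)


# Constructed sample records: publisher matches fully, model partially, version not at all.
CPE_FIRMWARE = {"publisher": "ExampleVendor", "model": "ctrl-2000-series", "version": "4.1.3"}
DISCOVERED = {"publisher": "examplevendor", "model": "CTRL-2000", "version": "2.0.7"}

if __name__ == "__main__":
    matches, score = assess(CPE_FIRMWARE, DISCOVERED)
    print({p: m.value for p, m in matches.items()}, score)  # -> 0.7, matching the page's worked case
```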