Abstract
Each year, thousands of new software vulnerabilities are reported, and affected organizations must analyze them and decide how to respond. Many organizations rely on ad hoc decision making, which often produces inconsistent decisions that do not properly reflect the concerns of the organization as a whole. VRDA (Vulnerability Response Decision Assistance) lets organizations reuse the analysis effort of other organizations and structure their own decision making. It enables organizations to spend less time analyzing vulnerabilities in which they are not interested, to make decisions more consistently, and to structure their decision making so that it better aligns with the goals of the organization. VRDA consists of a data exchange format, a decision-making model, a technique for creating decision models, and a tool embodying these concepts. One response team is employing a basic form of VRDA to cut the number of vulnerabilities it analyzes by a factor of two. Another response team is developing and testing a VRDA implementation within its organization.
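The abstract describes a structured decision model that both filters out vulnerabilities an organization has no interest in and makes the remaining decisions consistent. The following is an added illustration of that idea, not VRDA's own model, format or tool: a small decision tree, expressed as data so it can be reviewed and shared, that maps a few yes/no facts about a vulnerability report to a response decision. The product inventory, the questions in the tree, the report attributes and the sample feed are all hypothetical and constructed for this example.

```python
# Added illustration of a structured vulnerability-response decision model.
# This is NOT VRDA's own model or format: the attributes, the tree and the
# sample records below are hypothetical, chosen to show how a fixed decision
# tree turns vulnerability facts into a consistent response decision and
# drops reports about products the organization does not run.
from dataclasses import dataclass

# Constructed inventory of products the (hypothetical) organization deploys.
INVENTORY = {"webfront", "mailgw", "ldapsvc"}

# The decision tree as nested data: each node asks one question and branches
# on its answer; leaves hold the response decision. Because it is data rather
# than code, the tree can be reviewed, versioned and exchanged between teams.
TREE = {
    "ask": "deployed",
    "yes": {
        "ask": "remote",
        "yes": {
            "ask": "exploit_public",
            "yes": "patch_now",
            "no": {"ask": "high_impact", "yes": "patch_now", "no": "schedule"},
        },
        "no": {"ask": "high_impact", "yes": "schedule", "no": "monitor"},
    },
    "no": "ignore",
}


@dataclass
class VulnReport:
    """One incoming vulnerability report (hypothetical field set)."""
    vid: str
    products: set        # product names the report says are affected
    access: str          # "network" or "local"
    exploit_public: bool  # whether exploit code is publicly available
    impact: str          # "low", "medium" or "high"


def facts(report, inventory=INVENTORY):
    """Derive the yes/no answers the tree asks about from a report."""
    return {
        "deployed": bool(report.products & inventory),
        "remote": report.access == "network",
        "exploit_public": report.exploit_public,
        "high_impact": report.impact == "high",
    }


def decide(report, tree=TREE, inventory=INVENTORY):
    """Walk the tree top-down; return (decision, list of questions asked)."""
    answers = facts(report, inventory)
    node, path = tree, []
    while isinstance(node, dict):
        question = node["ask"]
        answer = "yes" if answers[question] else "no"
        path.append(f"{question}={answer}")
        node = node[answer]
    return node, path


def triage(reports, tree=TREE, inventory=INVENTORY):
    """Decide every report; return the decisions and how many need analysis."""
    decisions = {r.vid: decide(r, tree, inventory)[0] for r in reports}
    needs_analysis = sum(1 for d in decisions.values() if d != "ignore")
    return decisions, needs_analysis


# Constructed sample feed: identifiers and facts are made up for this example.
SAMPLE_FEED = [
    VulnReport("V-0001", {"webfront"}, "network", True, "high"),
    VulnReport("V-0002", {"oldcms"}, "network", True, "high"),
    VulnReport("V-0003", {"ldapsvc"}, "local", False, "medium"),
    VulnReport("V-0004", {"mailgw", "oldcms"}, "network", False, "medium"),
]

if __name__ == "__main__":
    decisions, n = triage(SAMPLE_FEED)
    for vid, decision in decisions.items():
        print(vid, decision, decide(next(r for r in SAMPLE_FEED if r.vid == vid))[1])
    print(f"{n} of {len(SAMPLE_FEED)} reports need further analysis")
```

The first question in the tree is the cheap one (is any affected product in our inventory?), so reports that do not concern the organization are dropped before any deeper analysis, which is the filtering effect the abstract describes. The returned path records which questions produced a decision, so two analysts handling similar reports can be audited for consistency.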
© 2009 Springer Science+Business Media, LLC
Burch, H., Manion, A., Ito, Y. (2009). Vulnerability Response Decision Assistance. In: Siris, V., Anagnostakis, K., Ioannidis, S., Trimintzios, P. (eds) Proceedings of the 3rd European Conference on Computer Network Defense. Lecture Notes in Electrical Engineering, vol 30. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-85555-4_6
DOI: https://doi.org/10.1007/978-0-387-85555-4_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-85554-7
Online ISBN: 978-0-387-85555-4