
Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 30)


Abstract

Each year, thousands of new software vulnerabilities are reported, and affected organizations must analyze them and decide how to respond. Many organizations employ ad hoc systems of decision making, which often result in inconsistent decisions that do not properly reflect the concerns of the organization at large. VRDA (Vulnerability Response Decision Assistance) allows organizations to leverage the analysis effort at other organizations and to structure decision-making. VRDA enables organizations to spend less time analyzing vulnerabilities in which they are not interested, to make decisions more consistently, and to structure their decision making to better align with the goals of the organization. VRDA consists of a data exchange format, a decision making model, a decision model creation technique, and a tool embodying these concepts. One response team is employing a basic form of VRDA to cut the number of vulnerabilities analyzed by a factor of two. Another response team is developing and testing a VRDA implementation within their organization.
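The abstract describes a decision model that is derived from an organization's own past responses and then used to filter new reports consistently. The following is an added example, not code from the paper or from either response team's VRDA implementation: an ID3-style decision-tree learner trained on a constructed history of earlier responses, then applied to a batch of constructed incoming reports. The attribute names (product_in_use, remote, exploit_public, cvss_high), the "analyze"/"skip" labels, the training records and the RPT-n identifiers are all assumptions made for illustration; VRDA's real exchange format and decision model are not reproduced here.

```python
# Added example (not code from the VRDA paper or from CERT/CC): a toy
# decision model of the kind the abstract describes, learned from an
# organization's own past responses and then applied to new reports.
# Attribute names, training records, report IDs and the "analyze"/"skip"
# labels are all constructed here; VRDA's real format is not reproduced.
import math
from collections import Counter

ATTRIBUTES = ["product_in_use", "remote", "exploit_public", "cvss_high"]


def facts(p, r, e, c):
    """Build one report's fact set from four booleans (constructed schema)."""
    return dict(zip(ATTRIBUTES, (p, r, e, c)))


# Constructed history: facts recorded for earlier reports, paired with the
# response the organization actually chose at the time.
TRAINING = [
    (facts(True,  True,  True,  True),  "analyze"),
    (facts(True,  True,  False, False), "analyze"),
    (facts(True,  False, True,  True),  "analyze"),
    (facts(True,  False, False, True),  "skip"),
    (facts(True,  False, False, False), "skip"),
    (facts(False, True,  True,  True),  "skip"),
    (facts(False, True,  False, False), "skip"),
    (facts(False, False, True,  True),  "skip"),
    (facts(False, False, False, False), "skip"),
    (facts(True,  True,  False, True),  "analyze"),
]


def entropy(labels):
    """Shannon entropy (bits) of a list of decision labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def majority(labels):
    return Counter(labels).most_common(1)[0][0]


def best_attribute(records, attrs):
    """Pick the boolean attribute with the highest information gain."""
    base = entropy([d for _, d in records])
    best, best_gain = None, -1.0
    for a in attrs:
        gain = base
        for v in (True, False):
            subset = [d for f, d in records if f[a] == v]
            if subset:
                gain -= len(subset) / len(records) * entropy(subset)
        if gain > best_gain:
            best, best_gain = a, gain
    return best


def build_tree(records, attrs):
    """ID3-style learner. A leaf is a decision string; an internal node is
    a dict {"attr": name, True: subtree, False: subtree}."""
    labels = [d for _, d in records]
    if len(set(labels)) == 1:
        return labels[0]
    if not attrs:
        return majority(labels)
    a = best_attribute(records, attrs)
    rest = [x for x in attrs if x != a]
    node = {"attr": a}
    for v in (True, False):
        subset = [(f, d) for f, d in records if f[a] == v]
        # An empty branch inherits the parent's majority decision.
        node[v] = build_tree(subset, rest) if subset else majority(labels)
    return node


def decide(tree, report_facts):
    """Walk the tree with one report's facts. Returns the decision and the
    attribute checks that led to it, so the rationale is reproducible."""
    path = []
    while isinstance(tree, dict):
        a = tree["attr"]
        path.append((a, report_facts[a]))
        tree = tree[report_facts[a]]
    return tree, path


def triage(tree, reports):
    """Apply the model to a batch: [(report_id, decision), ...]."""
    return [(r["id"], decide(tree, r["facts"])[0]) for r in reports]


MODEL = build_tree(TRAINING, ATTRIBUTES)

# Constructed incoming reports (IDs are placeholders, not real advisories).
NEW_REPORTS = [
    {"id": "RPT-1", "facts": facts(False, True,  True,  True)},
    {"id": "RPT-2", "facts": facts(True,  False, False, True)},
    {"id": "RPT-3", "facts": facts(True,  True,  False, False)},
    {"id": "RPT-4", "facts": facts(True,  False, True,  False)},
]

if __name__ == "__main__":
    for rid, decision in triage(MODEL, NEW_REPORTS):
        print(rid, decision)
```

On the constructed history the learner puts product_in_use at the root, so a high-severity report against software the organization does not run (RPT-1) is skipped without further analysis, while a remotely exploitable issue in a deployed product (RPT-3) is queued for analysis regardless of its severity score. The path returned by decide() is the audit trail: two analysts given the same facts get the same decision and the same stated reason.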



Author information

Corresponding author

Correspondence to Hal Burch.


Copyright information

© 2009 Springer Science+Business Media, LLC

About this paper

Cite this paper

Burch, H., Manion, A., Ito, Y. (2009). Vulnerability Response Decision Assistance. In: Siris, V., Anagnostakis, K., Ioannidis, S., Trimintzios, P. (eds) Proceedings of the 3rd European Conference on Computer Network Defense. Lecture Notes in Electrical Engineering, vol 30. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-85555-4_6


  • DOI: https://doi.org/10.1007/978-0-387-85555-4_6

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-85554-7

  • Online ISBN: 978-0-387-85555-4

  • eBook Packages: Engineering
