Remodeling Vulnerability Information
This paper addresses the challenges of formally specifying vulnerability information and unifying text-based vulnerability descriptions, which may be available in various commercial, governmental, or open source vulnerability databases, into a generic information model. Our motivation is to use the remodeled vulnerability data to automate the construction of attack graphs, which have been recognized as an effective method for visualizing, analyzing, and measuring the security of complex computer systems or networks. A formal data structure is proposed, based on a comprehensive conceptual analysis of typical computer infrastructure and its vulnerabilities. The newly proposed vulnerability representation, which captures most of the meaningful properties extracted from the textual descriptions of actual vulnerability entries, can be fed directly into the reasoning engine of attack graph tools. A lightweight information extraction mechanism is designed to automatically transform textual vulnerability descriptions into the proposed data structure. Several Reader and Writer plugins are implemented to enable communication with known vulnerability repositories.
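The information model, lightweight extraction step and Reader/Writer plugins described in the abstract, shown as an added Python illustration that is not code from the paper or its authors: two constructed Reader plugins (one for a database that only offers a free-text description, one for a database that already exports fields under its own schema) normalize entries into a single generic record, and a Writer emits one logic fact per complete record for an attack-graph reasoning engine. The record fields, keyword dictionaries, regular expression, fact syntax and every sample description are this example's own assumptions; the one real convention used is the CVSS v2 access-vector letters N/A/L. A record whose pre- or postcondition could not be extracted is withheld rather than emitted as a fact, so that extraction gaps never silently become facts the engine reasons over.

```python
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    """Generic vulnerability information model (field names are this example's own)."""
    vuln_id: str
    source: str
    product: Optional[str] = None
    version: Optional[str] = None
    vuln_type: Optional[str] = None
    access_vector: Optional[str] = None  # precondition: how the attacker must reach the host
    impact: Optional[str] = None         # postcondition: what a successful exploit yields

    def is_complete(self) -> bool:
        # A reasoning engine needs at least the product plus pre- and postcondition.
        return all((self.product, self.access_vector, self.impact))


# Constructed keyword dictionaries; a real deployment extends them per database vocabulary.
_TYPE_TERMS = {
    "buffer overflow": "buffer_overflow",
    "sql injection": "sql_injection",
    "cross-site scripting": "xss",
    "improper input validation": "input_validation",
    "path traversal": "path_traversal",
}
_VECTOR_TERMS = {"remote": "remote", "adjacent": "adjacent", "local": "local"}
_IMPACT_TERMS = {
    "execute arbitrary code": "code_execution",
    "gain privileges": "privilege_escalation",
    "denial of service": "dos",
    "obtain sensitive information": "info_disclosure",
}
# "... in Bar Gateway before 3.4.2 ..." -> product "Bar Gateway", version "3.4.2"
_PRODUCT_RE = re.compile(
    r"\b(?:in|of)\s+([A-Z][\w-]*(?:\s+[A-Z][\w-]*)*)\s+(?:before\s+)?(\d+(?:\.\d+)+)"
)


def _first_match(text: str, terms: Dict[str, str]) -> Optional[str]:
    """Return the canonical value of the first dictionary phrase found in text."""
    lowered = text.lower()
    for phrase, value in terms.items():
        if phrase in lowered:
            return value
    return None


class TextReader:
    """Reader plugin for repositories that expose only a free-text description."""
    def read(self, vuln_id: str, text: str, source: str) -> VulnRecord:
        rec = VulnRecord(vuln_id=vuln_id, source=source)
        m = _PRODUCT_RE.search(text)
        if m:
            rec.product, rec.version = m.group(1), m.group(2)
        rec.vuln_type = _first_match(text, _TYPE_TERMS)
        rec.access_vector = _first_match(text, _VECTOR_TERMS)
        rec.impact = _first_match(text, _IMPACT_TERMS)
        return rec


class StructuredReader:
    """Reader plugin for a repository that exports fields under its own (constructed) names."""
    VECTOR_MAP = {"N": "remote", "A": "adjacent", "L": "local"}  # CVSS v2 AV letters

    def read(self, entry: Dict[str, str], source: str) -> VulnRecord:
        rec = VulnRecord(vuln_id=entry["id"], source=source)
        rec.product = entry.get("vendor_product")
        rec.version = entry.get("affected_version")
        rec.vuln_type = _first_match(entry.get("title", ""), _TYPE_TERMS)
        rec.access_vector = self.VECTOR_MAP.get(entry.get("access_vector", ""))
        rec.impact = _first_match(entry.get("impact_text", ""), _IMPACT_TERMS)
        return rec


class FactWriter:
    """Writer plugin: one logic fact per complete record (fact syntax is this example's own)."""
    def write(self, records: List[VulnRecord]) -> List[str]:
        facts = []
        for r in records:
            if not r.is_complete():
                continue  # never turn a failed extraction into a fact
            facts.append(f"vulnProperty('{r.vuln_id}', '{r.product}', '{r.version}', "
                         f"{r.access_vector}, {r.impact}).")
        return facts


# Constructed sample entries; identifiers and products are placeholders, not real items.
SAMPLE_TEXT_DB = {
    "EX-2009-0001": "A stack-based buffer overflow in FooServer 2.1 allows remote attackers "
                    "to execute arbitrary code via a crafted request.",
    "EX-2009-0002": "Improper input validation in Bar Gateway before 3.4.2 allows local users "
                    "to gain privileges via a crafted configuration file.",
    "EX-2009-0003": "Unspecified vulnerability in an unnamed component has unknown impact.",
}
SAMPLE_STRUCTURED_DB = [
    {"id": "EX-2009-0004", "title": "SQL injection in login form", "vendor_product": "BazPortal",
     "affected_version": "5.0", "access_vector": "N",
     "impact_text": "Attackers can obtain sensitive information."},
]


def run_pipeline():
    """Read both constructed repositories into the common model and emit engine facts."""
    text_reader, struct_reader, writer = TextReader(), StructuredReader(), FactWriter()
    records = [text_reader.read(vid, txt, "text-db") for vid, txt in SAMPLE_TEXT_DB.items()]
    records += [struct_reader.read(e, "structured-db") for e in SAMPLE_STRUCTURED_DB]
    return records, writer.write(records)


if __name__ == "__main__":
    recs, facts = run_pipeline()
    for r in recs:
        print(asdict(r), "complete" if r.is_complete() else "INCOMPLETE")
    print("\n".join(facts))
```

Running the block prints four normalized records and three facts; the third description yields no product, vector or impact and is reported as INCOMPLETE instead of being passed to the engine. Keyword matching is deliberately first-hit, so the order of the dictionaries decides ties (a description mentioning both "remote" and "local" is classified as remote); a production extractor would record the ambiguity rather than pick silently.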
Keywords: System Property, Network Address, Attack Graph, Path Canonicalization, Vulnerability Information