Towards Unifying Vulnerability Information for Attack Graph Construction
Attack graph is used as an effective method to model, analyze, and evaluate the security of complicated computer systems or networks. The attack graph workflow consists of three parts: information gathering, attack graph construction, and visualization. To construct an attack graph, runtime information on the target system or network environment should be monitored, gathered, and later evaluated with existing descriptions of known vulnerabilities. The output will be visualized into a graph structure for further measurements. Information gatherer, vulnerability repository, and the visualization module are three important components of an attack graph constructor. However, high quality attack graph construction relies on up-to-date vulnerability information. There are already some existing databases maintained by security companies, a community, or governments. Such databases can not be directly used for generating attack graph, due to missing unification of the provided information. This paper challenged the automatic extraction of meaningful information from various existing vulnerability databases. After comparing existing vulnerability databases, a new method is proposed for automatic extraction of vulnerability information from textual descriptions. Finally, a prototype was implemented to proof the applicability of the proposed method for attack graph construction.
Unable to display preview. Download preview PDF.
- 1.Schneier, B.: Attack Trees: Modeling Security Threats. Journal Dr. Dobb’s Journal (December 1999), http://www.ddj.com/architect/184411129
- 4.Ou, X., Govindavajhala, S., Appel, A.: MulVAL: A Logic-based Network Security Analyzer. In: Proceedings of 14th USENIX Security Symposium, p. 8. USENIX Association, Baltimore (2005)Google Scholar
- 5.Secunia Advisories, http://secunia.com/advisories/ (accessed March 3, 2009)
- 6.OSV Database, Open source vulnerability database. OSVDB, http://osvdb.org/ (accessed March 2009)
- 7.Mitre Corporation, Common vulnerabilities and exposures. CVE, http://cve.mitre.org/ (accessed March 2009)
- 8.Mitre Corporation, Open Vulnerability and Assessment Language, OVAL, http://oval.mitre.org/ (accessed March 3, 2009)
- 9.SecurityFocus, Security Focus Bugtraq, http://www.securityfocus.com/ (accessed March 2009)
- 10.ISS, X-force, http://xforce.iss.net/ (accessed March 2009)
- 11.NIST, National Vulnerability Database, NVD, http://nvd.nist.gov/ (accessed March 3, 2009)
- 12.US CERT, US-CERT vulnerability notes database, http://www.kb.cert.org/vuls/ (accessed March 2009)
- 13.Mell, P., Scarfone, K., Romanosky, S.: A complete guide to the common vulnerability scoring system version 2.0 (2007), http://www.first.org/cvss/ (accessed March 3, 2009)
- 14.Mitre Corporation, CVE-2008-4250 (accessed March 2009)Google Scholar
- 15.Franqueira, V.N.L., van Keulen, M.: Analysis of the nist database towards the composition of vulnerabilities in attack scenarios. Technical Report TR-CTIT-08-08, University of Twente, Enschede (February 2008)Google Scholar