Abstract
This paper reviews the major contributions in the field of Vulnerability Assessment from 1990 onwards. Even well administered networks are vulnerable to attack .Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. Researchers have proposed a variety of methods like graph-based algorithms to generate attack trees (or graphs), “black-box” and “whitebox” analysis, using Mobile Ambients, using Honepots, different Vulnerability tools and their Scoring System’s, and so on. After surveying lot of research papers in the field, the amount of existing works for each method is identified and classified. Especially, the graph-based algorithms itself is a major area for researchers. The paper concludes with some inferences and results obtained in each method so can be used as a guideline for researchers.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Network and Host-based Vulnerability Assessment - A guide for information systems and network security professionals, ISS, Atlanta
Anderson, R.: Security Engineering: a Guide to Building Dependable Distributed Systems. John Wiley and Sons, Chichester (2001)
IBM Global Technology Services, IBM Internet Security Systems X-Force 2007 Trend Statistics (2008)
Mell, P., Grance, T.: NVD National Vulnerability Database, http://nvd.nist.gov
SANS, http://www.sans.org/
Common Weakness Enumeration, http://cwe.mitre.org/
Common Vulnerability Scoring System, http://www.first.org/cvss/
Jurjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2004)
Liu, L., Yu, E., Mylopoulos, J.: Security and Privacy Requirements Analysis within a Social Setting. In: Proceedings of the 11th IEEE International Conference on Requirements Engineering, pp. 151–161. IEEE Computer Society, Los Alamitos (2003)
Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Requirements Engineering for Trust Management: Model Methodology and Reasoning. International Journal of Information Security 5(4), 257–274 (2006)
Sindre, G., Opdahl, A.: Eliciting security requirements with misuse cases. Requirements Engineering 10(1), 34–44 (2005)
Schneier, B.: Attack trees. Dr. Dobb’s Journal 24(12), 21–29 (1999)
Lamsweerde, A.V.: Elaborating Security Requirements by Construction of Intentional Anti-Models. In: Proceedings of the 26th International Conference on Software Engineering, pp. 148–157. IEEE Computer Society, Los Alamitos (2004)
Asnar, Y., Moretti, R., Sebastianis, M., Zannone, N.: Risk as Dependability Metrics for the Evaluation of Business Solutions: A Model-driven Approach. In: Proceedings of the 2008 Third International Conference on Availability Reliability and Security, pp. 1240–1248. IEEE Computer Society, Los Alamitos (2008)
Matulevicius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N.: Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development. In: Bellahsène, Z., Léonard, M. (eds.) CAiSE 2008. LNCS, vol. 5074, pp. 541–555. Springer, Heidelberg (2008)
Braber, F., Hogganvik, I., Lund, M.S., Stolen, K., Vraalsen, F.: Model-based security analysis in seven steps – a guided tour to the CORAS method. BT Technology Journal 25(1), 101–117 (2007)
Braber, F., Dimitrakos, T., Gran, B.A., Lund, M.S., Stolen, K., Aagedal, J.O.: The CORAS methodology: model-based risk assessment using UML and UP. In: UML and the Unified Process, pp. 332–357. IGI Publishing (2003)
Matulevicius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N.: Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development. In: Bellahsène, Z., Léonard, M. (eds.) CAiSE 2008. LNCS, vol. 5074, pp. 541–555. Springer, Heidelberg (2008)
Elahi, G., Yu, E., Zannone, N.: A Vulnerability-Centric Requirements Engineering Framework: Analyzing Security Attacks Countermeasures and Requirements Based on Vulnerabilities. Requirements Eng. 15, 41–62 (2010)
Beale, J., Deraison, R., Meer, H., Temingh, R., Walt, C.: Nessus Network Auditing. Syngress Pub. (2004)
Klaus, C.: Internet Security System, http://www.iss.net
Chasin, S.: Bugtrag mailing list, http://www.securityfocus.com/archive/
Ammann, P., Pamula, J., Street, J., Ritchey, R.: A host-based approach to network attack chaining analysis. In: Proc. of the 21st Annual Computer Security Applications Conference, pp. 72–84 (2005)
Ingols, K., Lippmann, R., Piwowarski, K.: Practical Attack Graph Generation for Network Defense. In: Proc. of Comp. Sec. App. Conf., pp. 121–130 (2006)
Hewett, K.R., Kijsanayothin, P.: Host-Centric Model Checking for Network Vulnerability Analysis. In: IEEE Annual Computer Security Applications Conference (2008)
Brackney, R.C., Anderson, R.H.: Understanding the Insider Threat. In: Proceedings Corporation Conference, RAND National Security Research Division, Santa Monica, California (2004)
Meng, P.C.W.: Network Exploration and Vulnerability Assessment using a Combined Blackbox and Whitebox Analysis Approach. Naval Postgraduate School Monterey California (2010)
Skousen, R.A.: Information Assurance Tools Report - Vulnerability Analysis, 5th edn (2009)
Dornseif, M., Gärtner, F.C., Holz, T.: Vulnerability Assessment using Honepots. K.G. Saur Verlag, München (2004)
RedSeal Systems Inc., http://www.redseal.net/
Skybox Security Inc., http://www.skyboxsecurity.com
Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: Proceedings Computer Security Applications Conference, pp. 121–130 (2006)
Noel, S., Jajodia, S.: Understanding complex network attack graphs through clustered adjacency matrices. In: Proceedings Computer Security Applications Conference (ACSAC), pp. 160–169 (2005)
Ou, X., Govindavajhala, S., Appel, A.W.: Mulval: a logic- based network security analyzer. In: Proceedings of the 14th Usenix Security Symposium 2005, pp. 113–128 (2005)
Jha, S., Sheyner, O., Wing, J.: Two Formal Analyses of Attack Graphs. In: Proceedings of 15th IEEE Computer Security Foundations Workshop (2002)
Zakeri, R., Abolhassani, H., Shahriari, R.H., Jalili, R.: Using Description Logics for Network Vulnerability Analysis. In: Proceedings of the International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies (2006)
Campbell, C.: A stateful framework for multi-stage network attack modeling. University of Tulsa (2003)
Baader, F., Calvanese, D., McGuinness, D., Nardi, D., Patel-Schneider, P.F.: The Description Logic Handbook: Theory, Implementation and Applications. Cambridge University Press, Cambridge (2003)
Qu, G., JayaPrakash, R., Hariri, S., Raghavendra, C.S.: A Framework for Network Vulnerability Analysis. Scientific Commons (2008)
Wang, T., Wei, T., Lin, Z., Zou, W.: IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution. LNCS, vol. 5927, pp. 336–345 (2009)
Ramakrishnan, C.R., Sekar, R.: Model-Based Vulnerability Analysis of Computer Systems. In: Proceedings of the Second International Workshop on Verification, Model Checking and Abstract Interpretation (1998)
The Honeynet Project, Know Your Enemy: Defining Virtual Honeynets, http://www.honeynet.org/papers/virtual/
Stoll, C.: Stalking the wily hacker. CACM 31(5), 484–497 (1988)
Cheswick, W.: An Evening with Berferd in which a cracker is Lured Endured and Studied. In: Proceedings of USENIX (1990)
Guo, F., Yu, Y., Chiueh, T.: Automated and Safe Vulnerability Assessment. In: Proceedings of the 21st Annual Computer Security Applications Conference on ACSAC 2005 (2005)
Shahriari, H.R., Sadoddin, R., Jalili, R., Zakeri, R., Omidian, A.R.: Network vulnerability analysis through vulnerability take-grant model (VTG). In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 256–268. Springer, Heidelberg (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nath, H.V. (2011). Vulnerability Assessment Methods – A Review. In: Wyld, D.C., Wozniak, M., Chaki, N., Meghanathan, N., Nagamalai, D. (eds) Advances in Network Security and Applications. CNSA 2011. Communications in Computer and Information Science, vol 196. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22540-6_1
Download citation
DOI: https://doi.org/10.1007/978-3-642-22540-6_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22539-0
Online ISBN: 978-3-642-22540-6
eBook Packages: Computer ScienceComputer Science (R0)