Vulnerability Assessment Methods – A Review

  • Conference paper
Advances in Network Security and Applications (CNSA 2011)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 196)

Abstract

This paper reviews the major contributions in the field of vulnerability assessment from 1990 onwards. Even well-administered networks are vulnerable to attack. Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. Researchers have proposed a variety of methods, such as graph-based algorithms to generate attack trees (or graphs), “black-box” and “white-box” analysis, the use of Mobile Ambients, the use of honeypots, different vulnerability tools and their scoring systems, and so on. After surveying a large number of research papers in the field, the amount of existing work for each method is identified and classified. Graph-based algorithms in particular are a major area for researchers. The paper concludes with some inferences and results obtained for each method, so that it can be used as a guideline for researchers.



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Nath, H.V. (2011). Vulnerability Assessment Methods – A Review. In: Wyld, D.C., Wozniak, M., Chaki, N., Meghanathan, N., Nagamalai, D. (eds) Advances in Network Security and Applications. CNSA 2011. Communications in Computer and Information Science, vol 196. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22540-6_1

  • DOI: https://doi.org/10.1007/978-3-642-22540-6_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-22539-0

  • Online ISBN: 978-3-642-22540-6

  • eBook Packages: Computer Science, Computer Science (R0)
