Abstract
Discovering, disclosing, and patching vulnerabilities in computer systems play a key role in security, but today vulnerability information from different sources usually consists of ambiguous, text-based descriptions that cannot be efficiently shared or used in automated processes. After explaining a model of the vulnerability life cycle, this paper presents an XML-based common vulnerability markup language (CVML) that describes vulnerabilities in a more structured way. Besides the regular information contained in most current vulnerability databases, CVML also carries information about classification, evaluation, checking for the existence of a vulnerability, and attack generation, so it supports automated vulnerability assessment and remedy. A prototype of an automated vulnerability management architecture based on CVML has been implemented. With it, more manageable vulnerability databases can be built; promulgating and sharing vulnerability knowledge becomes easier; comparison and fusion of vulnerability information from different sources becomes more efficient; and automated scanning and patching of vulnerabilities will lead to self-managing systems.
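To make the abstract's two central claims concrete, here is an added example (not code from the paper, and not the CVML schema) showing what a structured, machine-readable vulnerability record buys a defender: records from two sources can be parsed, compared and fused by identifier, conflicting ratings can be reconciled with an explicit policy, and the "checking existence" step can be run against a software inventory to produce remediation findings. The element names, identifiers, version ranges and severities below are a hypothetical schema and constructed sample data invented for this illustration.

```python
"""Parse, fuse and assess structured vulnerability records (added example).

The element and attribute names below are a hypothetical schema constructed
for this demonstration; they are not the CVML schema described in the paper.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample feeds from two hypothetical sources. Both describe the
# same advisory (EXAMPLE-2003-0001) but disagree on its severity.
FEED_A = """<vulnerabilities source="source-a">
  <vulnerability id="EXAMPLE-2003-0001">
    <product>examplehttpd</product>
    <classification>input-validation</classification>
    <severity>high</severity>
    <affected min="1.0" max="1.3"/>
    <remedy>upgrade to 1.4</remedy>
  </vulnerability>
</vulnerabilities>"""

FEED_B = """<vulnerabilities source="source-b">
  <vulnerability id="EXAMPLE-2003-0001">
    <product>examplehttpd</product>
    <classification>input-validation</classification>
    <severity>medium</severity>
    <affected min="1.0" max="1.3"/>
    <remedy>upgrade to 1.4</remedy>
  </vulnerability>
  <vulnerability id="EXAMPLE-2003-0002">
    <product>exampledb</product>
    <classification>configuration</classification>
    <severity>low</severity>
    <affected min="2.0" max="2.2"/>
    <remedy>disable remote administration interface</remedy>
  </vulnerability>
</vulnerabilities>"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Vuln:
    vid: str
    product: str
    classification: str
    severity: str
    affected_min: tuple
    affected_max: tuple
    remedy: str
    sources: list = field(default_factory=list)


def parse_version(text):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def parse_feed(xml_text):
    """Parse one feed into Vuln records, rejecting records with missing fields.

    Feeds fetched from untrusted sources should be parsed with a hardened XML
    parser (e.g. defusedxml) rather than the stdlib one used here for brevity.
    """
    root = ET.fromstring(xml_text)
    source = root.get("source", "unknown")
    records = []
    for node in root.findall("vulnerability"):
        fields = {k: node.findtext(k) for k in ("product", "classification", "severity", "remedy")}
        affected = node.find("affected")
        if node.get("id") is None or affected is None or None in fields.values():
            raise ValueError(f"malformed record in {source}: {ET.tostring(node)!r}")
        if fields["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {fields['severity']!r} in {source}")
        records.append(Vuln(
            vid=node.get("id"),
            affected_min=parse_version(affected.get("min")),
            affected_max=parse_version(affected.get("max")),
            sources=[source],
            **fields,
        ))
    return records


def merge(*feeds):
    """Fuse records from several feeds by identifier.

    When sources disagree on severity, keep the more conservative (higher)
    rating and remember every source that reported the record.
    """
    merged = {}
    for feed in feeds:
        for v in feed:
            current = merged.get(v.vid)
            if current is None:
                merged[v.vid] = v
                continue
            current.sources.extend(v.sources)
            if SEVERITY_RANK[v.severity] > SEVERITY_RANK[current.severity]:
                current.severity = v.severity
    return merged


def assess(inventory, merged):
    """Existence check: inventory maps product -> installed version string.

    Returns (id, severity, remedy) for every record whose affected range
    contains the installed version.
    """
    findings = []
    for v in merged.values():
        installed = inventory.get(v.product)
        if installed is None:
            continue
        if v.affected_min <= parse_version(installed) <= v.affected_max:
            findings.append((v.vid, v.severity, v.remedy))
    return findings


if __name__ == "__main__":
    fused = merge(parse_feed(FEED_A), parse_feed(FEED_B))
    for finding in assess({"examplehttpd": "1.2", "exampledb": "2.5"}, fused):
        print(finding)
```

The merge policy (take the higher severity on conflict) is a deliberate choice rather than something the paper prescribes; a structured format is what makes such a policy expressible at all, since free-text advisories give an automated consumer nothing to compare.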
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Tian, H., Huang, L., Zhou, Z., Zhang, H. (2003). Common Vulnerability Markup Language. In: Zhou, J., Yung, M., Han, Y. (eds) Applied Cryptography and Network Security. ACNS 2003. Lecture Notes in Computer Science, vol 2846. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45203-4_18
DOI: https://doi.org/10.1007/978-3-540-45203-4_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20208-0
Online ISBN: 978-3-540-45203-4