An OVAL-based active vulnerability assessment system for enterprise computer networks

Information Systems Frontiers

Abstract

Many security problems are caused by vulnerabilities hidden in enterprise computer networks, so it is very important for system administrators to know about these vulnerabilities. However, current vulnerability assessment methods can suffer from high false positive rates, long computation times, and the need to develop attack code. Moreover, they can only locate individual vulnerabilities on a single host; they do not consider the correlated effect of these vulnerabilities on a host or on a section of the network, where the vulnerabilities may be distributed among different hosts. To address these issues, NetScope, an active vulnerability assessment system with a client/server (C/S) architecture, is developed to evaluate computer network security based on the open vulnerability assessment language (OVAL) instead of simulating attacks. The vulnerabilities and known attacks, together with their prerequisites and consequences, are modeled using predicate logic and are correlated so that potential attack paths are constructed automatically, drawing on the strong processing power of a relational database management system. Results from a series of experiments show that the system has a low false positive rate, short running periods, little impact on the performance of audited systems, and good scalability. Security vulnerabilities that are undetectable when assessed individually in a network are discovered without the need to simulate attacks. The NetScope system is shown to be well suited to vulnerability assessment of large-scale computer networks such as campus networks and enterprise networks. Moreover, it can be easily integrated with other security tools based on relational databases.



Acknowledgements

The authors would like to thank Mr. Michael Serwatka for his careful proofreading of the paper.

Corresponding author

Correspondence to Xiuzhen Chen.

Additional information

The research presented in this paper is supported in part by the NSFC (60243001, 60574087, 60605019, 60633020) and 863 High Tech Development Plan (2007AA01Z475, 2007AA01Z480, 2007AA01Z464).

Cite this article

Chen, X., Zheng, Q. & Guan, X. An OVAL-based active vulnerability assessment system for enterprise computer networks. Inf Syst Front 10, 573–588 (2008). https://doi.org/10.1007/s10796-008-9111-6

  • DOI: https://doi.org/10.1007/s10796-008-9111-6
