Measuring and ranking attacks based on vulnerability analysis

  • Original Article
  • Published in: Information Systems and e-Business Management

Abstract

As the number of software vulnerabilities increases, research on software vulnerabilities has become a focal point in information security. A vulnerability can be exploited to attack the information asset that carries the corresponding weakness. However, multiple attacks may target one software product at the same time, and it is necessary to rank and prioritize those attacks in order to establish a better defense. This paper proposes a similarity measurement to compare and categorize vulnerabilities, and a set of security metrics to rank attacks based on vulnerability analysis. The vulnerability information is retrieved from a vulnerability management ontology that integrates commonly used standards such as CVE (http://www.cve.mitre.org/), CWE (http://www.cwe.mitre.org/), CVSS (http://www.first.org/cvss/), and CAPEC (http://www.capec.mitre.org/). This approach can be used in many areas of vulnerability management to secure information systems and e-business, such as vulnerability classification, mitigation and patching, threat detection, and attack prevention.

Acknowledgments

The authors would like to express their gratitude to the anonymous reviewers of this paper for their thoughtful comments and suggestions. This paper is based upon work supported by the National Science Foundation under Grant Nos. 0722157 and 0941900. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.

Corresponding author

Correspondence to Ju An Wang.

Cite this article

Wang, J.A., Guo, M., Wang, H. et al. Measuring and ranking attacks based on vulnerability analysis. Inf Syst E-Bus Manage 10, 455–490 (2012). https://doi.org/10.1007/s10257-011-0173-5
