DOI: 10.1145/1558607.1558646

OVM: an ontology for vulnerability management

Published: 13 April 2009

Abstract

In order to reach the goals of the Information Security Automation Program (ISAP) [1], we propose an ontological approach to capturing and utilizing the fundamental concepts in information security and their relationships, retrieving vulnerability data, and reasoning about the cause and impact of vulnerabilities. Our ontology for vulnerability management (OVM) has been populated with all vulnerabilities in NVD [2], together with additional inference rules, knowledge representation, and data-mining mechanisms. With the seamless integration of common vulnerabilities and their related concepts such as attacks and countermeasures, OVM provides a promising pathway to making ISAP successful.

References

[1] NIST, Information Security Automation Program (ISAP), Automating Vulnerability Management, Security Measurement, and Compliance, Version 1.0 Beta, revised on May 22, 2007.
[2] NHS and NIST, National Vulnerability Database (NVD), automating vulnerability management, security measurement, and compliance checking, http://nvd.nist.gov/scap.cfm.
[3] The MITRE Corporation, Common Weakness Enumeration (CWE), http://cwe.mitre.org/, February 2009.
[4] Peter Mell, Karen Scarfone, and Sasha Romanosky, A Complete Guide to the Common Vulnerability Scoring System (CVSS), Version 2.0, Forum of Incident Response and Security Teams, http://www.first.org/cvss/cvss-guide.html (July 2007).
[5] The MITRE Corporation, Common Platform Enumeration (CPE), http://cpe.mitre.org/, November 2008.
[6] J. A. Wang, M. Xia, and F. Zhang, "Metrics for Information Security Vulnerabilities," Journal of Applied Global Research, Volume 1, No. 1, 2008, pp. 48–58.
[7] J. A. Wang, Fengwei Zhang, and Min Xia, "Temporal Metrics for Software Vulnerabilities," in Proceedings of CSIIRW'08, May 12–14, 2008, Oak Ridge, TN, USA.
[8] Ekelhart A. et al., "Security Ontologies: Improving Quantitative Risk Analysis," in Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07), 2007.
[9] Goluch G. et al., "Integration of an Ontological Information Security Concept in Risk-Aware Business Process Management," in Proceedings of the 41st Hawaii International Conference on System Sciences, 2008.
[10] Franz Baader et al., Description Logic Handbook: Theory, Implementation and Application. Cambridge University Press, 2003.
[11] N. F. Noy and D. L. McGuinness, Ontology Development 101: A Guide to Creating Your First Ontology. Stanford Knowledge Systems Laboratory Technical Report KSL-01-05.
[12] T. Gruber, Towards Principles for the Design of Ontologies used for Knowledge Sharing. International Journal of Human-Computer Studies, 1995. 43(5/6): 907–928.
[13] Stefan Fenz et al., "Fortification of IT Security by Automatic Security Advisory Processing," in Proceedings of 22nd International Conference on Advanced Information Networking and Applications, March 25–28, 2008, Japan.
[14] The MITRE Corporation, Common Vulnerabilities and Exposures. Available at http://cve.mitre.org/.
[15] The MITRE Corporation, Common Attack Pattern Enumeration and Classification. Available at http://capec.mitre.org/.
[16] Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2003. ISBN 0201440997.

Published In

CSIIRW '09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
April 2009
952 pages
ISBN: 9781605585185
DOI: 10.1145/1558607
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. ontology
  2. security vulnerability
  3. semantic technology
  4. vulnerability analysis
  5. vulnerability analysis and management

Qualifiers

  • Research-article

Conference

CSIIRW '09

Article Metrics

  • Downloads (last 12 months): 69
  • Downloads (last 6 weeks): 8
Reflects downloads up to 19 Feb 2025

Cited By

  • (2024) Improving Vulnerability Management Through Process Mining. Applied Sciences, 14:23 (11392). DOI: 10.3390/app142311392. Online publication date: 6-Dec-2024
  • (2024) Automated Security Findings Management: A Case Study in Industrial DevOps. Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Practice (312-322). DOI: 10.1145/3639477.3639744. Online publication date: 14-Apr-2024
  • (2024) OntoCPS4PMS: Ontology modeling for collaborative cyber‐physical threat defense in power monitoring system. Systems Engineering. DOI: 10.1002/sys.21777. Online publication date: 13-Aug-2024
  • (2023) A Smart Grid Ontology: Vulnerabilities, Attacks, and Security Policies. 2023 IEEE Conference on Communications and Network Security (CNS) (1-6). DOI: 10.1109/CNS59707.2023.10289085. Online publication date: 2-Oct-2023
  • (2023) An automatic vulnerability classification framework based on BiGRU-TextCNN. Procedia Computer Science, 222:C (377-386). DOI: 10.1016/j.procs.2023.08.176. Online publication date: 1-Jan-2023
  • (2023) The anatomy of a vulnerability database: A systematic mapping study. Journal of Systems and Software, 201 (111679). DOI: 10.1016/j.jss.2023.111679. Online publication date: Jul-2023
  • (2023) SAEOn: An Ontological Metamodel for Quantitative Security Assurance Evaluation. Computer Security. ESORICS 2022 International Workshops (605-624). DOI: 10.1007/978-3-031-25460-4_35. Online publication date: 18-Feb-2023
  • (2022) Towards System Security: What a Comparison of National Vulnerability Databases Reveals. 2022 17th Iberian Conference on Information Systems and Technologies (CISTI) (1-6). DOI: 10.23919/CISTI54924.2022.9820232. Online publication date: 22-Jun-2022
  • (2022) Multiontology Construction and Application of Threat Model Based on Adversarial Attack and Defense Under ISO/IEC 27032. IEEE Access, 10 (117955-117972). DOI: 10.1109/ACCESS.2022.3220637. Online publication date: 2022
  • (2022) Digital Healthcare - Cyberattacks in Asian Organizations: An Analysis of Vulnerabilities, Risks, NIST Perspectives, and Recommendations. IEEE Access, 10 (12345-12364). DOI: 10.1109/ACCESS.2022.3145372. Online publication date: 2022
