(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 6, June 2011
proposing a common classification scheme is to provide a stepping stone in security risk analysis by strategically mitigating risks.

The paper is organized as follows. Section 2 provides an overview of vulnerability classification schemes in major vulnerability databases. Section 3 presents a comparison of classification schemes under taxonomic features in the prominent vulnerability databases introduced in section 2. Section 4 presents a proposal for a common classification scheme based on the comparison in section 3, extracting appropriate taxonomic features and classes. A further mapping of the proposed scheme to existing ones is also given. Finally, section 5 concludes the work with directions for future work.

II.
There are a number of vulnerability classification schemes adopted by different vulnerability databases maintained by various organizations. In this part we introduce the classification schemes in five major vulnerability databases: IBM ISS X-Force, NVD, SecurityFocus, OSVDB and Secunia.

The IBM ISS X-Force database is one of the world's most comprehensive threat and vulnerability databases. At the end of 2010, there were 54,604 vulnerabilities in the X-Force Database, covering 24,607 distinct software products from 12,562 vendors. The IBM ISS X-Force database doesn't include any class or category information explicitly; in other words, it doesn't specify any classification scheme. But it inherently supports two taxonomic features: impact and severity level. In all, eleven categories are proposed under impact, and it assigns risk levels in three categories: High, Medium and Low.

The National Vulnerability Database (NVD) is managed by the National Institute of Standards and Technology of the United States and is associated with the CVE. It has recorded vulnerabilities since 1999, with a total of 46176 vulnerabilities listed under CVE names. NVD uses CWE as its classification mechanism; each individual CWE represents a single vulnerability type. There are a total of 23 vulnerability types in the NVD classification scheme, which are based on the taxonomic features vulnerability cause and vulnerability impact.

The SecurityFocus vulnerability database is a vendor-neutral vulnerability database managed by Symantec Corporation since 2002. It contains more than 40,000 recorded vulnerabilities (spanning more than two decades) affecting more than 105,000 technologies from more than 14,000 vendors. SecurityFocus supports a classification scheme under the taxonomic feature cause. A total of eleven vulnerability categories are specified, based on the taxonomy of security faults in the Unix operating system by Taimur Aslam. The other taxonomic feature supported by SecurityFocus is exploitation location, with two categories: remote and local.

The Open Source Vulnerability Data Base (OSVDB) is an open source database created in 2002 by the Black Hat Conference people. It currently covers 70,789 vulnerabilities, spanning 32,272 products from 4,735 researchers, over 46 years. OSVDB provides two-tier vulnerability classification schemes. The first tier includes the categories Location, Attack Type, Impact, Solution, Exploit, Disclosure and OSVDB. Location includes nine subcategories, Attack Type includes ten subcategories, Impact includes four subcategories, Solution includes seven subcategories, Disclosure includes eight subcategories and OSVDB includes six subcategories. OSVDB supports a rich search feature under every category for trend analysis.
Secunia is a private organization that provides services in security company defense and vulnerability analysis. Secunia categorizes vulnerabilities under the features Impact, Critical Levels, and Exploitation Location. Vulnerabilities under impact are associated with twelve classes. Criticality levels can be five, ranging from extremely critical to not critical, and the attack vector classification includes three classes.

As we can see, the classification schemes supported by these major vulnerability databases are disparate in terms of classification criteria and dimensionality. Moreover, there is no interoperability among them. Therefore it is challenging to compare or combine information across these databases. A common classification scheme can help in this regard. In the next section these databases are compared and analyzed with respect to generic taxonomic features in order to extract pertinent information for the development of a common classification scheme.

III. EXTRACTION OF TAXONOMIC FEATURES AND CLASSES
One of the objectives of this work is to identify a set of characteristics for a very specific classification scheme, one that can be used effectively in the quantitative security evaluation of a system. This goal requires analysis of existing schemes to deduce possible common features that will aid in security evaluation. A comparative study provides insight into the pros and cons of the different kinds of classification schemes. This section compares the classification schemes in the major vulnerability databases introduced in the previous section under generic taxonomic features. The taxonomic features identified for analysis are: cause, impact, exploitation location and severity levels. The comparisons of features, done under various heads, are summarized in Tables II to V. These heads have been numbered for greater legibility and their correspondence is shown in Table I.
TABLE I. TABLE SHOWING CORRESPONDENCE OF COMPARISON HEADS

No. of Head    Name of Head
1              Explicit
2              Dimensionality
3              Class Code
4              Class Details
5              Multivariate
6              Approximate Population Percentage
Vulnerabilities grouped under the taxonomic feature cause help in understanding the common types of errors and conditions that are the reason for the existence of the majority of vulnerabilities.