Published by: ijcsis on Jul 07, 2011
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 6, June 2011

A Proposal for Common Vulnerability Classification Scheme Based on Analysis of Taxonomic Features in Vulnerability Databases

Anshu Tripathi
Department of Information Technology, Mahakal Institute of Technology, Ujjain, India
anshu_tripathi@yahoo.com

Umesh Kumar Singh
Institute of Computer Science, Vikram University, Ujjain, India
umeshsingh@rediffmail.com

Abstract — A proper vulnerability classification scheme aids in improving the system security evaluation process. Many vulnerability classification schemes exist, but a standard classification scheme is lacking. The focus of this work is to devise a common classification scheme by effectively combining characteristics derived from the classification schemes of prominent vulnerability databases. In order to identify a balanced set of characteristics for the proposed scheme, a comparative analysis of the existing classification schemes of five major vulnerability databases was carried out. A set of taxonomic features and classes was extracted as a result of the analysis. A common vulnerability classification scheme is then proposed by harmonizing the extracted set of taxonomic features and classes. A mapping of the proposed scheme to the existing classification schemes is also presented to eliminate inconsistencies across the selected set of databases.

Keywords — Vulnerability; Classification scheme; Vulnerability databases; Taxonomy; Security evaluation.
I. INTRODUCTION
Proper assessment and mitigation of vulnerabilities is essential in order to ensure system security. Vulnerabilities are "design and implementation errors in information systems that can result in a compromise of the confidentiality, integrity or availability of information stored upon or transmitted over the affected system" [1]. In view of the increasing population of vulnerabilities [2], it is necessary to prioritize them and first remediate those that pose the greatest risk. Vulnerability prioritization requires evaluation of the risk levels posed by the presence of vulnerabilities. Quantitative evaluation of system security in terms of the risk levels due to the presence of vulnerabilities is gaining importance because it generates objective and timely results. One way to achieve fast security evaluation is to find the potential weak areas of the system. To meet budget and time constraints, it is essential to focus mitigation efforts on the areas that have a greater number of vulnerabilities. These areas can be identified by proper vulnerability classification, which in turn leads to identification of the root causes of the weaknesses. Vulnerabilities share common properties and similar characteristics in generic aspects such as causes, impacts and locations [3]. Results from previous research [3-6] clearly indicate that quantitative security evaluation of risks on vulnerability datasets partitioned into well-defined classes is a meaningful metric. In [4], the results of categorized vulnerability analysis showed that some vulnerability classes are more severe; this fact can be used to design an optimal security solution by prioritizing the severe classes. A proper classification scheme facilitates the distribution of vulnerabilities and helps in prioritizing mitigation efforts according to severity level. The efficiency of a security evaluation process can be measured by its objectivity and vulnerability coverage. A proper classification scheme plays a major role in this regard by increasing both objectivity and vulnerability coverage. A taxonomy is a way to classify vulnerabilities in a well-formed structure so that categorization and generalization can be achieved [7]. In our previous work [8], we analyzed prominent published vulnerability taxonomies with respect to standard criteria and highlighted the issues that make them not so usable in today's scenario. This study of past efforts at developing such taxonomies indicates that these efforts prove to be insufficient to address the security issues associated with current software products, owing to their theoretical approach or their focus on a limited domain.

There are many different vulnerability databases, set up with different standards and capabilities, that record vulnerabilities and characterize them by several attributes. These databases serve the need for an up-to-date collection of vulnerability data for research. Some of the most popular databases include the National Vulnerability Database (NVD) [9], the Open Source Vulnerability Database (OSVDB) [10], and IBM ISS X-Force [11]. But there are many challenges in extracting common patterns from these vulnerability databases, owing to discrepancies in the way the information is kept. Many different classification schemes are used by databases to classify vulnerabilities, and a common classification scheme is lacking. A detailed study of the issues involved in this regard can be found in [12]. The objective of this work is to analyze the vulnerability classification schemes of some of the most popular databases and devise a common classification scheme. The main aim of proposing a common classification scheme is to provide a stepping stone in security risk analysis by strategically mitigating risks.

The paper is organized as follows. Section 2 provides an overview of the vulnerability classification schemes in major vulnerability databases. Section 3 presents a comparison of the classification schemes under taxonomic features in the prominent vulnerability databases introduced in Section 2. Section 4 presents a proposal for a common classification scheme based on the comparison in Section 3, by extracting appropriate taxonomic features and classes. A mapping of the proposed scheme to the existing ones is also given. Finally, Section 5 concludes the work with directions for future work.

106 http://sites.google.com/site/ijcsis/ ISSN 1947-5500

II. RELATED WORK
There are a number of vulnerability classification schemes adopted by the different vulnerability databases maintained by various organizations. In this part we introduce the classification schemes of five major vulnerability databases: IBM ISS X-Force, NVD, SecurityFocus, OSVDB and Secunia.

The IBM ISS X-Force database [11] is one of the world's most comprehensive threat and vulnerability databases. At the end of 2010, there were 54,604 vulnerabilities in the X-Force database, covering 24,607 distinct software products from 12,562 vendors. The IBM ISS X-Force database doesn't include any class or category information explicitly; in other words, it doesn't specify any classification scheme. But it inherently supports the taxonomic features impact and severity level. In all, eleven categories are proposed under impact, and it assigns risk levels in three categories: High, Medium and Low.

The National Vulnerability Database [9] is managed by the National Institute of Standards and Technology of the United States and is associated with CVE [13]. It records vulnerabilities since 1999, with a total of 46,176 vulnerabilities listed under CVE names. NVD uses CWE [14] as a classification mechanism; each individual CWE represents a single vulnerability type. There are a total of 23 vulnerability types in the NVD classification scheme, which are based on the taxonomic features vulnerability cause and vulnerability impact.

The SecurityFocus vulnerability database [15] is a vendor-neutral vulnerability database managed by Symantec Corporation since 2002. It contains more than 40,000 recorded vulnerabilities (spanning more than two decades) affecting more than 105,000 technologies from more than 14,000 vendors. SecurityFocus supports a classification scheme under the taxonomic feature cause. A total of eleven vulnerability categories are specified, based on the taxonomy of security faults in the Unix operating system by Taimur Aslam [16]. The other taxonomic feature supported by SecurityFocus is exploitation location, with two categories, remote and local.

The Open Source Vulnerability Database [10] is an open source database created in 2002 by the Black Hat Conference people; it currently covers 70,789 vulnerabilities, spanning 32,272 products from 4,735 researchers, over 46 years. OSVDB provides a two-tier vulnerability classification scheme. The first tier includes the categories Location, Attack Type, Impact, Solution, Exploit, Disclosure and OSVDB. Location includes nine subcategories, Attack Type includes ten subcategories, Impact includes four subcategories, Solution includes seven subcategories, Disclosure includes eight subcategories and OSVDB includes six subcategories. OSVDB supports a rich search feature under every category for trend analysis.

Secunia [17] is a private organization that provides services in security defense and vulnerability analysis. Secunia categorizes vulnerabilities under the features Impact, Criticality Level and Exploitation Location. Vulnerabilities under impact are associated with twelve classes. There are five criticality levels, ranging from extremely critical to not critical, and the attack vector classification includes three classes.

As we can see, the classification schemes supported by these major vulnerability databases are disparate in terms of classification criteria and dimensionality. Moreover, there is no interoperability among them. Therefore it is challenging to compare or combine information across these databases. A common classification scheme can help in this regard. In the next section these databases are compared and analyzed with respect to generic taxonomic features in order to extract pertinent information for the development of a common classification scheme.

III. EXTRACTION OF TAXONOMIC FEATURES AND CLASSES
One of the objectives of this work is to identify a set of characteristics for a very specific classification scheme, one that can be used effectively in quantitative security evaluation of a system. This goal requires analysis of the existing schemes to deduce possible common features that will aid in security evaluation. A comparative study provides insight into the pros and cons of the different kinds of classification schemes. This section compares the classification schemes in the major vulnerability databases introduced in the previous section under generic taxonomic features. The taxonomic features identified for analysis are: cause, impact, exploitation location and severity level. The comparisons of features under various heads are summarized in Tables II to V. These heads have been numbered for greater legibility, and their correspondence is shown in Table I.

TABLE I. TABLE SHOWING CORRESPONDENCE OF COMPARISON HEADS

No. of Head | Name of Head
1 | Explicit
2 | Dimensionality
3 | Class Code
4 | Class Details
5 | Multivariate
6 | Approximate Population Percentage
A. Vulnerability cause

Vulnerabilities grouped under the taxonomic feature cause help in understanding the common types of errors and conditions that are the reason for the existence of the majority of vulnerabilities.
Paying attention to common errors and mistakes results in mitigating multiple vulnerabilities and also avoids future vulnerabilities caused by the same reason. SecurityFocus classifies vulnerabilities explicitly under the feature cause, and NVD and OSVDB also incorporate this feature partially in their classification schemes. Table II provides the results of a comparative study of classification under the feature cause in these three databases.
B. Vulnerability Impact

Exploitation of vulnerabilities results in degradation of system performance. Different vulnerabilities have different kinds of impact on system performance, so classification of vulnerabilities under the feature impact can provide useful insights. The taxonomic feature vulnerability impact is used as a classification criterion in the X-Force, Secunia, NVD and OSVDB databases. Table III provides the results of a comparative study of classification under the feature impact in these databases.
TABLE II. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE VULNERABILITY CAUSE
(Heads as in Table I: 1 Explicit, 2 Dimensionality, 3 Class Code, 4 Class Details, 5 Multivariate, 6 Approximate Population Percentage)

VDB | 1 | 2 | 3 | 4 | 5 | 6
SecurityFocus | Y | 11 | C-SF1 | Configuration Error | N | 1.19
 | | | C-SF2 | Boundary Condition Error | | 16.70
 | | | C-SF3 | Environment Error | | 0.31
 | | | C-SF4 | Input Validation Error | | 45.59
 | | | C-SF5 | Design Error | | 18.81
 | | | C-SF6 | Race Condition Error | | 1.10
 | | | C-SF7 | Origin Validation Error | | 0.50
 | | | C-SF8 | Access Validation Error | | 5.60
 | | | C-SF9 | Failure to Handle Exceptional Conditions | | 10.09
 | | | C-SF10 | Atomicity Error | | 0.03
 | | | C-SF11 | Unknown | | 0.08
NVD | P | 16 | C-N1 | Authentication Issues | N | 2.48
 | | | C-N2 | Credentials Management | | 1.01
 | | | C-N3 | Buffer Errors | | 11.65
 | | | C-N4 | Cryptographic Issues | | 1.23
 | | | C-N5 | Path Traversal | | 5.38
 | | | C-N6 | Code Injection | | 6.05
 | | | C-N7 | Format String Vulnerability | | 0.53
 | | | C-N8 | Configuration | | 0.89
 | | | C-N9 | Input Validation | | 6.79
 | | | C-N10 | Numeric Errors | | 3.01
 | | | C-N11 | OS Command Injections | | 0.24
 | | | C-N12 | Race Conditions | | 0.56
 | | | C-N13 | Resource Management Errors | | 4.94
 | | | C-N14 | SQL Injections | | 13.17
 | | | C-N15 | Link Following | | 1.28
 | | | C-N16 | Design Error | | 2.45
OSVDB | P | 04 | C-O1 | Authentication Management | N | 2.18
 | | | C-O2 | Cryptographic | | 1.62
 | | | C-O3 | Misconfiguration | | 0.89
 | | | C-O4 | Race Condition | | 1.39
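As an added illustration of the comparison heads of Table I applied to the cause feature of Table II (example code written for this page, not from the paper), the following Python computes dimensionality (head 2), the multivariate property (head 5) and approximate population percentage (head 6) over constructed sample records labelled with Table II's class codes, and then pools the records under a hypothetical crosswalk that folds together classes Table II lists under the same name in more than one database; the sample records, their counts and the crosswalk are assumptions, not the paper's data or its Section 4 scheme.

```python
from collections import Counter

# Constructed sample records (not real database exports). Each record lists
# the class codes one database assigned to a single vulnerability, using the
# codes of Table II; the records and their counts are made up.
SAMPLE = {
    "SecurityFocus": [["C-SF4"], ["C-SF4"], ["C-SF2"], ["C-SF5"], ["C-SF6"]],
    "NVD": [["C-N3"], ["C-N14"], ["C-N9"], ["C-N12"], ["C-N4"]],
    # One OSVDB record carries two classes, which makes that scheme multivariate.
    "OSVDB": [["C-O1"], ["C-O2"], ["C-O4"], ["C-O1", "C-O3"]],
}

# Hypothetical crosswalk (an assumption, not the paper's proposed scheme):
# classes that Table II lists under the same name in more than one database
# are folded into one common label. Codes absent from it stay as they are.
CROSSWALK = {
    "race_condition": {"C-SF6", "C-N12", "C-O4"},
    "configuration": {"C-SF1", "C-N8", "C-O3"},
    "input_validation": {"C-SF4", "C-N9"},
    "design_error": {"C-SF5", "C-N16"},
    "cryptographic": {"C-N4", "C-O2"},
    "authentication": {"C-N1", "C-O1"},
}
CODE_TO_COMMON = {c: name for name, codes in CROSSWALK.items() for c in codes}


def dimensionality(records):
    """Head 2: number of distinct classes actually used by a scheme."""
    return len({code for rec in records for code in rec})


def is_multivariate(records):
    """Head 5: True when some record carries more than one class."""
    return any(len(rec) > 1 for rec in records)


def population_percentage(records):
    """Head 6: share of records in each class, in percent. In a
    multivariate scheme the shares add up to more than 100."""
    n = len(records)
    counts = Counter(code for rec in records for code in rec)
    return {code: round(100.0 * k / n, 2) for code, k in counts.items()}


def harmonize(db_records):
    """Relabel every database's records with the common labels and pool them,
    so head 6 can be recomputed across databases on one set of classes."""
    pooled = []
    for records in db_records.values():
        for rec in records:
            pooled.append(sorted({CODE_TO_COMMON.get(code, code) for code in rec}))
    return pooled


if __name__ == "__main__":
    for db, recs in SAMPLE.items():
        print(db, dimensionality(recs), is_multivariate(recs), population_percentage(recs))
    print(population_percentage(harmonize(SAMPLE)))
```

The OSVDB shares sum to 125 percent because one record is counted under two classes, which is exactly why head 5 has to be read alongside head 6 when comparing databases.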
C. Exploitation Location

Exploitation location is the main feature affecting the risk level of a system, as it determines the attacker community and in turn the mitigation strategies. The databases SecurityFocus, OSVDB and Secunia explicitly classify vulnerabilities under this feature, with from 2 to 9 classes. Table IV provides the results of a comparative study of classification under the feature exploitation location in these databases.
D. Severity level

Different vulnerabilities have different levels of impact on the CIA of the system, which is measured by severity level. Severity level information is provided by databases qualitatively or quantitatively. The number of classes for the feature severity level is inconsistent across databases, varying from 3 to 5 in the qualitative case, as shown in column 3 of Table IV. OSVDB provides severity ratings in terms of CVSS scores [18] only, while SecurityFocus doesn't include this information. Table V provides the results of a comparative study of classification under the feature severity level in these databases.
TABLE III. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE VULNERABILITY IMPACT
(Heads as in Table I: 1 Explicit, 2 Dimensionality, 3 Class Code, 4 Class Details, 5 Multivariate, 6 Approximate Population Percentage)

VDB | 1 | 2 | 3 | 4 | 5 | 6
X-Force | N | 11 | I-X1 | Gain Access | N | 49.25
 | | | I-X2 | Gain Privileges | | 4.0
 | | | I-X3 | Bypass Security | | 5.75
 | | | I-X4 | File Manipulation | | 1.25
 | | | I-X5 | Data Manipulation | | 16.42
 | | | I-X6 | Obtain Information | | 9.0
 | | | I-X7 | Denial of Service | | 12.0
 | | | I-X8 | Configuration | | 0.08
 | | | I-X9 | Informational | | 0.05
 | | | I-X10 | Other | | 1.5
 | | | I-X11 | None | | 0.7
Secunia | Y | 12 | I-S1 | Brute force | Y | 0.21
 | | | I-S2 | Cross site scripting | | 17.5
 | | | I-S3 | Denial of Service | | 13.0
 | | | I-S4 | Exposure of sensitive information | | 14.23
 | | | I-S5 | Exposure of system information | | 2.67
 | | | I-S6 | Hijacking | | 0.40
 | | | I-S7 | Manipulation of data | | 15.87
 | | | I-S8 | Privilege escalation | | 5.82
 | | | I-S9 | Security bypass | | 5.88
 | | | I-S10 | Spoofing | | 1.56
 | | | I-S11 | System Access | | 21.46
 | | | I-S12 | Unknown | | 1.40
NVD | P | 04 | I-N1 | Permissions, Privileges and Access Control | N | 7.49
 | | | I-N2 | Cross Site Request Forgery | | 1.49
 | | | I-N3 | Cross site scripting | | 12.60
 | | | I-N4 | Information leak/disclosure | | 3.22
OSVDB | P | 04 | I-O1 | Denial of Service | N | 11.44
 | | | I-O2 | Information disclosure | | 18.66
 | | | I-O3 | Infrastructure | | 0.15
 | | | I-O4 | Input manipulation | | 60.64