Measuring vulnerabilities and their exploitation cycle

Abstract: In a world ruled by chaotic causality, Heisenberg's uncertainty principle is only a natural limitation. Analysts have only their personal logic, experience and intuition to rely on when judging the safety of a system. Today's analysts, however, are bombarded with large amounts of data from all kinds of security-related products, such as vulnerability scanners, antivirus software and firewalls, causing information overload and data congestion. Thus the question remains: how can analysts make a correct judgment about the vulnerabilities from which a system suffers, when all the ammunition they possess cannot deal with such a complex, ever-changing environment? To this end, we believe that structuring knowledge about a specific domain in an object-oriented hierarchy tree, and providing a formal model with which to reason about and construct possible attack scenarios, will give the analyst the necessary ammunition.
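The abstract proposes two things: an object-oriented hierarchy of vulnerability knowledge, and a formal model that constructs attack scenarios from it. The following is an added illustration, not code from the paper: a tiny class hierarchy (a remote vulnerability needs a foothold on an adjacent host, a local one needs an account on the same host), a precondition/postcondition rule set, and an enumerator that builds every scenario reaching a goal privilege over a constructed sample network. It then answers the defender's question the scenarios exist to support: which single vulnerability, once fixed, leaves no scenario at all. All host names, vulnerability names and link topology are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

Priv = Tuple[str, str]  # (host, privilege level), e.g. ("web", "user")


@dataclass(frozen=True)
class Vulnerability:
    """Root of the knowledge hierarchy: what an exploit needs and what it yields."""
    name: str
    host: str       # host on which the vulnerability lives
    requires: str   # privilege level the attacker must already hold
    grants: str     # privilege level obtained on `host` once exploited

    def preconditions_hold(self, state: Set[Priv], links: Set[Tuple[str, str]]) -> bool:
        raise NotImplementedError

    def effect(self) -> Set[Priv]:
        # root implies user, so both facts enter the attacker's state
        levels = {"user", "root"} if self.grants == "root" else {"user"}
        return {(self.host, lvl) for lvl in levels}


class RemoteVulnerability(Vulnerability):
    """Reachable over the network from any host the attacker already controls."""
    def preconditions_hold(self, state, links):
        return any((src, self.host) in links and (src, self.requires) in state
                   for src, _ in state)


class LocalVulnerability(Vulnerability):
    """Privilege escalation: needs the required level on the same host."""
    def preconditions_hold(self, state, links):
        return (self.host, self.requires) in state


def attack_scenarios(vulns, links, start, goal, path=()) -> List[Tuple[str, ...]]:
    """Enumerate every exploit sequence from `start` that reaches `goal`.

    A step is only taken when it adds a privilege the attacker lacks, which keeps
    the scenarios free of redundant moves and guarantees termination.
    """
    state = set(start)
    if goal in state:
        return [path]
    found = []
    for v in vulns:
        if v.name in path or not v.preconditions_hold(state, links):
            continue
        gained = v.effect()
        if gained <= state:
            continue
        found.extend(attack_scenarios(vulns, links, state | gained, goal, path + (v.name,)))
    return found


def chokepoints(vulns, links, start, goal) -> List[str]:
    """Vulnerabilities whose removal alone leaves no scenario to the goal.

    Fixing one of these is the cheapest way to break every enumerated path.
    """
    return sorted(v.name for v in vulns
                  if not attack_scenarios([w for w in vulns if w is not v], links, start, goal))


# Constructed sample environment (hypothetical): internet -> web -> app -> db
LINKS = {("internet", "web"), ("web", "app"), ("app", "db")}
VULNS = [
    RemoteVulnerability("web-rce", "web", requires="user", grants="user"),
    LocalVulnerability("web-privesc", "web", requires="user", grants="root"),
    RemoteVulnerability("app-rce", "app", requires="root", grants="user"),
    RemoteVulnerability("app-weak-auth", "app", requires="user", grants="user"),
    RemoteVulnerability("db-auth-bypass", "db", requires="user", grants="root"),
]
START = frozenset({("internet", "user")})  # an unprivileged outsider
GOAL = ("db", "root")

if __name__ == "__main__":
    for s in attack_scenarios(VULNS, LINKS, START, GOAL):
        print(" -> ".join(s))
    print("fix first:", chokepoints(VULNS, LINKS, START, GOAL))
```

The enumerator returns four orderings that collapse to three distinct scenarios, the shortest using three exploits; the chokepoint analysis reports that only `web-rce` and `db-auth-bypass` lie on every path, so patching either one blocks all of them, whereas fixing the privilege escalation alone does not.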
