论文信息 - A Structured Approach to Classifying Security Vulnerabilities

A Structured Approach to Classifying Security Vulnerabilities

Abstract : Understanding vulnerabilities is critical to understanding the threats they represent. Vulnerabilities classification enables collection of frequency data; trend analysis of vulnerabilities; correlation with incidents, exploits, and artifacts; and evaluation of the effectiveness of countermeasures. Existing classification schemes are based on vulnerability reports and not on an engineering analysis of the problem domain. In this report a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities is proposed. Attributes and values are selected based on engineering distinctions that allow vulnerabilities to be exploited by a given technique or determine which countermeasures are effective. Successful classification of vulnerabilities should lead to greater automation in analyzing code vulnerabilities and supporting effective communication between geographically remote vulnerability handling teams and vendors.

Robert C. Seacord | Allen D. Householder | R. Seacord | A. Householder

[1] William L. Fithen,et al. Formal modeling of vulnerability , 2004, Bell Labs Technical Journal.

[2] R. P. Abbott,et al. Security Analysis and Enhancements of Computer Operating Systems , 1976 .

[3] Grace A. Lewis,et al. Building systems from commercial components , 2002, ICSE '02.

[4] Deborah L. McGuinness,et al. OWL Web ontology language overview , 2004 .

[5] Matt Bishop,et al. A Taxonomy of UNIX System and Network Vulnerabilities , 1997 .

[6] Matt Bishop,et al. A Critical Analysis of Vulnerability Taxonomies , 1996 .

[7] Mary Shaw,et al. Truth vs. knowledge: the difference between what a component does and what we know it does , 1996, Proceedings of the 8th International Workshop on Software Specification and Design.

[8] Carl E. Landwehr,et al. A taxonomy of computer program security flaws , 1993, CSUR.

[9] Jeremy J. Carroll,et al. Resource description framework (rdf) concepts and abstract syntax , 2003 .