A taxonomy framework based on the ITU-T X.805 security architecture for quantitative determination of computer network vulnerabilities

Network vulnerability taxonomy has become increasingly important in the area of information and data exchange, not only for identifying vulnerabilities but also for assessing and prioritizing them. Computer networks are a central part of information and communication infrastructure, yet they are constantly exposed to a variety of vulnerability risks. In their attempts to build secure information exchange systems, researchers have concentrated on understanding the nature and typology of these vulnerabilities, and this work has produced a variety of methods and techniques for quantifying vulnerability. The objectives of the present paper are twofold: (1) to develop a taxonomy framework for classifying network vulnerabilities on the basis of the ITU-T X.805 security architecture, and (2) to develop a method, based on the second edition of the Common Vulnerability Scoring System (CVSS v2), for quantifying vulnerabilities within the proposed taxonomy framework. The framework is intended to provide a comprehensive taxonomic structure that can be extended to all aspects of network vulnerability, and to support the identification and effective management of vulnerabilities through their quantification. Copyright © 2012 John Wiley & Sons, Ltd.
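The abstract combines two things a practitioner would want to see concretely: the three axes of ITU-T X.805 (security layers, security planes, security dimensions) that the taxonomy is built on, and the CVSS v2 base equations used to put a number on each vulnerability. The block below is an added example, not code from the paper; the X.805 axis names and the CVSS v2 weights and formulas are taken from those standards, while the `Vulnerability` record, the sample identifiers (`V-001` and so on), and the rule of tagging each vulnerability with one (layer, plane, dimension) cell are assumptions made for illustration, since the paper's own mapping rules are not on this page.

```python
"""Illustrative CVSS v2 base scoring alongside an ITU-T X.805 classification.

Added example; not the paper's code. Weights and equations follow the CVSS v2
specification; the X.805 cell assignment scheme is a hypothetical one.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights (CVSS v2 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# ITU-T X.805 axes: 3 layers x 3 planes x 8 dimensions = 72 cells.
LAYERS = ("infrastructure", "services", "applications")
PLANES = ("management", "control", "end-user")
DIMENSIONS = ("access control", "authentication", "non-repudiation",
              "data confidentiality", "communication security",
              "data integrity", "availability", "privacy")


def parse_vector(vector):
    """Parse a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    fields = dict(part.split(":", 1) for part in vector.split("/"))
    missing = [k for k in ("AV", "AC", "Au", "C", "I", "A") if k not in fields]
    if missing:
        raise ValueError(f"vector missing base metrics: {missing}")
    return fields


def _round1(x):
    # CVSS v2 rounds to one decimal place; use half-up, not float round().
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """Return (base, impact, exploitability) per the CVSS v2 base equations."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    # f(Impact) = 0 when there is no impact, else 1.176.
    if impact == 0:
        base = 0.0
    else:
        base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    return _round1(base), _round1(impact), _round1(exploitability)


@dataclass(frozen=True)
class Vulnerability:
    """A vulnerability placed in one X.805 cell (hypothetical scheme)."""
    ident: str
    vector: str
    layer: str
    plane: str
    dimension: str

    def __post_init__(self):
        if (self.layer not in LAYERS or self.plane not in PLANES
                or self.dimension not in DIMENSIONS):
            raise ValueError(f"{self.ident}: not a valid X.805 cell")


def prioritize(vulns):
    """Order vulnerabilities by CVSS v2 base score, highest first."""
    return sorted(vulns, key=lambda v: (-base_score(v.vector)[0], v.ident))


def score_by_cell(vulns):
    """Worst (highest) base score found in each occupied X.805 cell."""
    cells = {}
    for v in vulns:
        key = (v.layer, v.plane, v.dimension)
        cells[key] = max(cells.get(key, 0.0), base_score(v.vector)[0])
    return cells


# Constructed sample inventory: hypothetical identifiers, not real CVEs.
SAMPLE = [
    Vulnerability("V-001", "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                  "infrastructure", "control", "access control"),
    Vulnerability("V-002", "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                  "applications", "end-user", "data integrity"),
    Vulnerability("V-003", "AV:L/AC:L/Au:N/C:N/I:N/A:N",
                  "services", "management", "availability"),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(v.ident, base_score(v.vector)[0], (v.layer, v.plane, v.dimension))
```

Running the block lists `V-001` (10.0) ahead of `V-002` (6.8) and `V-003` (0.0); the zero comes from the f(Impact) term, which CVSS v2 uses to force a vulnerability with no confidentiality, integrity or availability impact to score 0 regardless of how exploitable it is. The `score_by_cell` view is the kind of aggregate a taxonomy like the paper's makes possible: it shows which X.805 layer, plane and dimension carry the worst exposure rather than only which individual finding does.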
