An Ontology-based Approach to Model Common Vulnerabilities and Exposures in Information Security

Security content automation requires machine-understandable descriptions of security vulnerabilities [2]. Common Vulnerabilities and Exposures (CVE) is an industry standard of common names for publicly known information security vulnerabilities, and has been widely adopted by organizations to provide better coverage, easier interoperability, and enhanced security [1]. In this paper, we focus our research on the problem domain of software vulnerabilities and propose an ontology-based approach to model the security vulnerabilities listed in NVD [2], providing machine-understandable CVE vulnerability knowledge and reusable interoperability across security vulnerability data. We describe the major design ideas of our ontology and give examples that show how the ontology can be populated with knowledge from the standards. In addition, we give examples that demonstrate the benefit of using the ontology to study the nature of vulnerabilities and the relationships between vulnerabilities and their related areas.

[1] Carl E. Landwehr et al. A taxonomy of computer program security flaws. CSUR, 1993.

[2] Edward G. Amoroso et al. Fundamentals of computer security technology. 1994.

[3] Thomas R. Gruber et al. Toward principles for the design of ontologies used for knowledge sharing? Int. J. Hum. Comput. Stud., 1995.

[4] John Mylopoulos et al. Information systems as social structures. FOIS, 2001.

[5] Anupam Joshi et al. Modeling Computer Attacks: An Ontology for Intrusion Detection. RAID, 2003.

[6] Haralambos Mouratidis et al. An Ontology for Modelling Security: The Tropos Approach. KES, 2003.

[7] Timothy W. Finin et al. Security for DAML Web Services: Annotation and Matchmaking. SEMWEB, 2003.

[8] Carl E. Landwehr et al. Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 2004.

[9] Timothy W. Finin et al. Security in the Semantic Web using OWL. Inf. Secur. Tech. Rep., 2005.

[10] Myong H. Kang et al. Security Ontology for Annotating Resources. OTM Conferences, 2005.

[11] Robin A. Gandhi et al. Building problem domain ontology from security requirements in regulatory documents. SESS '06, 2006.

[12] Dimitris Gritzalis et al. Towards an Ontology-based Security Management. 20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA'06), 2006.

[13] Jun Han et al. Security Attack Ontology for Web Services. SKG, 2006.

[14] Carlos Bazílio et al. An Ontology-based Approach to the Formalization of Information Security Policies. 10th IEEE International Enterprise Distributed Object Computing Conference Workshops (EDOCW'06), 2006.

[15] Edgar R. Weippl et al. Security Ontologies: Improving Quantitative Risk Analysis. 40th Annual Hawaii International Conference on System Sciences (HICSS'07), 2007.

[16] Eric Yu et al. Modeling Strategic Relationships for Process Reengineering. Social Modeling for Requirements Engineering, 1995.