Nunes Leal Franqueira, V. and van Keulen, M.
Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios.
Technical Report TR-CTIT-08-08,
Centre for Telematics and Information Technology University of Twente, Enschede.
Full text available as:
The composition of vulnerabilities in attack scenarios has
been traditionally performed based on detailed pre- and post-conditions.
Although very precise, this approach is dependent on human analysis, is
time consuming, and not at all scalable. We investigate the NIST National
Vulnerability Database (NVD) with three goals: (i) understand
the associations among vulnerability attributes related to impact, exploitability,
privilege, type of vulnerability and clues derived from plaintext
descriptions, (ii) validate our initial composition model which is
based on required access and resulting effect, and (iii) investigate the
maturity of XML database technology for performing statistical analyses
like this directly on the XML data. In this report, we analyse 27,273
vulnerability entries (CVE ) from the NVD. Using only nominal information,
we are able to e.g. identify clusters in the class of vulnerabilities
with no privilege which represent 52% of the entries.
|Item Type:||Internal Report (Technical Report)|
|Research Group:||EWI-IS: Information Systems, EWI-DB: Databases|
|Research Program:||CTIT-ISTRICE: Integrated Security and Privacy in a Networked World, CTIT-NICE: Natural Interaction in Computer-mediated Environments|
|Research Project:||IPID: Integrated Policy-based Intrusion Detection, MultimediaN/N3: Multimedia databases|
|Deposited On:||04 March 2008|
Export this item as:
To correct this item please ask your editor
Repository Staff Only: edit this item