Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios

V. Nunes Leal Franqueira, Maurice van Keulen

Research output: Book/ReportReportProfessional

82 Downloads (Pure)

Abstract

The composition of vulnerabilities in attack scenarios has been traditionally performed based on detailed pre- and post-conditions. Although very precise, this approach is dependent on human analysis, is time consuming, and not at all scalable. We investigate the NIST National Vulnerability Database (NVD) with three goals: (i) understand the associations among vulnerability attributes related to impact, exploitability, privilege, type of vulnerability and clues derived from plaintext descriptions, (ii) validate our initial composition model which is based on required access and resulting effect, and (iii) investigate the maturity of XML database technology for performing statistical analyses like this directly on the XML data. In this report, we analyse 27,273 vulnerability entries (CVE [1]) from the NVD. Using only nominal information, we are able to e.g. identify clusters in the class of vulnerabilities with no privilege which represent 52% of the entries.
Original languageUndefined
Place of PublicationEnschede
PublisherCentre for Telematics and Information Technology (CTIT)
Number of pages27
Publication statusPublished - Feb 2008

Publication series

NameCTIT Technical Report Series
PublisherUniversity of Twente, Centre for Telematics and Information Technology (CTIT)
No.TR-CTIT-08-08
ISSN (Print)1381-3625

Keywords

  • EWI-12061
  • METIS-250896
  • IR-64664

Cite this

Nunes Leal Franqueira, V., & van Keulen, M. (2008). Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios. (CTIT Technical Report Series; No. TR-CTIT-08-08). Enschede: Centre for Telematics and Information Technology (CTIT).
Nunes Leal Franqueira, V. ; van Keulen, Maurice. / Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios. Enschede : Centre for Telematics and Information Technology (CTIT), 2008. 27 p. (CTIT Technical Report Series; TR-CTIT-08-08).
@book{48e933ebc5674f5695d9200db284cc95,
title = "Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios",
abstract = "The composition of vulnerabilities in attack scenarios has been traditionally performed based on detailed pre- and post-conditions. Although very precise, this approach is dependent on human analysis, is time consuming, and not at all scalable. We investigate the NIST National Vulnerability Database (NVD) with three goals: (i) understand the associations among vulnerability attributes related to impact, exploitability, privilege, type of vulnerability and clues derived from plaintext descriptions, (ii) validate our initial composition model which is based on required access and resulting effect, and (iii) investigate the maturity of XML database technology for performing statistical analyses like this directly on the XML data. In this report, we analyse 27,273 vulnerability entries (CVE [1]) from the NVD. Using only nominal information, we are able to e.g. identify clusters in the class of vulnerabilities with no privilege which represent 52{\%} of the entries.",
keywords = "EWI-12061, METIS-250896, IR-64664",
author = "{Nunes Leal Franqueira}, V. and {van Keulen}, Maurice",
note = "http://eprints.ewi.utwente.nl/12061",
year = "2008",
month = "2",
language = "Undefined",
series = "CTIT Technical Report Series",
publisher = "Centre for Telematics and Information Technology (CTIT)",
number = "TR-CTIT-08-08",
address = "Netherlands",

}

Nunes Leal Franqueira, V & van Keulen, M 2008, Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios. CTIT Technical Report Series, no. TR-CTIT-08-08, Centre for Telematics and Information Technology (CTIT), Enschede.

Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios. / Nunes Leal Franqueira, V.; van Keulen, Maurice.

Enschede : Centre for Telematics and Information Technology (CTIT), 2008. 27 p. (CTIT Technical Report Series; No. TR-CTIT-08-08).

Research output: Book/ReportReportProfessional

TY - BOOK

T1 - Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios

AU - Nunes Leal Franqueira, V.

AU - van Keulen, Maurice

N1 - http://eprints.ewi.utwente.nl/12061

PY - 2008/2

Y1 - 2008/2

N2 - The composition of vulnerabilities in attack scenarios has been traditionally performed based on detailed pre- and post-conditions. Although very precise, this approach is dependent on human analysis, is time consuming, and not at all scalable. We investigate the NIST National Vulnerability Database (NVD) with three goals: (i) understand the associations among vulnerability attributes related to impact, exploitability, privilege, type of vulnerability and clues derived from plaintext descriptions, (ii) validate our initial composition model which is based on required access and resulting effect, and (iii) investigate the maturity of XML database technology for performing statistical analyses like this directly on the XML data. In this report, we analyse 27,273 vulnerability entries (CVE [1]) from the NVD. Using only nominal information, we are able to e.g. identify clusters in the class of vulnerabilities with no privilege which represent 52% of the entries.

AB - The composition of vulnerabilities in attack scenarios has been traditionally performed based on detailed pre- and post-conditions. Although very precise, this approach is dependent on human analysis, is time consuming, and not at all scalable. We investigate the NIST National Vulnerability Database (NVD) with three goals: (i) understand the associations among vulnerability attributes related to impact, exploitability, privilege, type of vulnerability and clues derived from plaintext descriptions, (ii) validate our initial composition model which is based on required access and resulting effect, and (iii) investigate the maturity of XML database technology for performing statistical analyses like this directly on the XML data. In this report, we analyse 27,273 vulnerability entries (CVE [1]) from the NVD. Using only nominal information, we are able to e.g. identify clusters in the class of vulnerabilities with no privilege which represent 52% of the entries.

KW - EWI-12061

KW - METIS-250896

KW - IR-64664

M3 - Report

T3 - CTIT Technical Report Series

BT - Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios

PB - Centre for Telematics and Information Technology (CTIT)

CY - Enschede

ER -

Nunes Leal Franqueira V, van Keulen M. Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios. Enschede: Centre for Telematics and Information Technology (CTIT), 2008. 27 p. (CTIT Technical Report Series; TR-CTIT-08-08).