The composition of vulnerabilities in attack scenarios has
been traditionally performed based on detailed pre- and post-conditions.
Although very precise, this approach is dependent on human analysis, is
time consuming, and not at all scalable. We investigate the NIST National
Vulnerability Database (NVD) with three goals: (i) understand
the associations among vulnerability attributes related to impact, exploitability,
privilege, type of vulnerability and clues derived from plaintext
descriptions, (ii) validate our initial composition model which is
based on required access and resulting effect, and (iii) investigate the
maturity of XML database technology for performing statistical analyses
like this directly on the XML data. In this report, we analyse 27,273
vulnerability entries (CVE ) from the NVD. Using only nominal information,
we are able to e.g. identify clusters in the class of vulnerabilities
with no privilege which represent 52% of the entries.
|Name||CTIT Technical Report Series|
|Publisher||University of Twente, Centre for Telematics and Information Technology (CTIT)|