Towards Unifying Vulnerability Information for Attack Graph Construction

  • Conference paper
Information Security (ISC 2009)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5735)

Abstract

Attack graphs are used as an effective method to model, analyze, and evaluate the security of complicated computer systems or networks. The attack graph workflow consists of three parts: information gathering, attack graph construction, and visualization. To construct an attack graph, runtime information on the target system or network environment should be monitored, gathered, and later evaluated against existing descriptions of known vulnerabilities. The output is visualized as a graph structure for further measurements. The information gatherer, the vulnerability repository, and the visualization module are three important components of an attack graph constructor. However, high-quality attack graph construction relies on up-to-date vulnerability information. Some databases already exist, maintained by security companies, a community, or governments. Such databases cannot be used directly for generating attack graphs because the information they provide is not unified. This paper addresses the challenge of automatically extracting meaningful information from various existing vulnerability databases. After comparing existing vulnerability databases, a new method is proposed for automatic extraction of vulnerability information from textual descriptions. Finally, a prototype was implemented to prove the applicability of the proposed method for attack graph construction.

© 2009 Springer-Verlag Berlin Heidelberg

Cite this paper

Roschke, S., Cheng, F., Schuppenies, R., Meinel, C. (2009). Towards Unifying Vulnerability Information for Attack Graph Construction. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_18

  • DOI: https://doi.org/10.1007/978-3-642-04474-8_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04473-1

  • Online ISBN: 978-3-642-04474-8

  • eBook Packages: Computer Science, Computer Science (R0)
