
The Design And Implementation Of The Standard Vulnerability Database And The Research Of Security Vulnerability Severity Assessment

Posted on: 2017-04-08
Degree: Doctor
Type: Dissertation
Country: China
Candidate: T Wen
Full Text: PDF
GTID: 1108330488957190
Subject: Information security
Abstract/Summary:
Security vulnerabilities are the core of information security technology; most network attacks are initiated by exploiting vulnerabilities. With the sharp increase in the number of vulnerabilities and the speed of their discovery, the collation and utilization of existing vulnerabilities becomes more important:

1. Standardized vulnerability data can integrate vulnerabilities from around the world, provide reference examples for vulnerability mining, save vulnerability seekers from repeating work on already discovered vulnerabilities, and at the same time allow potential unknown vulnerabilities to be inferred from published ones, improving efficiency.
2. Standardized vulnerability data can provide security tools, safety equipment and network equipment with the data source they need, provide vulnerability seekers and IT vendors with a standardized communication bridge, and help IT vendors develop more secure products.
3. With standardized vulnerability data, the current network security situation can be evaluated and network security strategies can be generated; with an influential standardized vulnerability database, more newly discovered vulnerabilities will be submitted by international security workers.

However:

1. since the standard vulnerability protocol is still not mature enough, vulnerabilities cannot easily be described and retrieved in a standard form;
2. the structure of current Vulnerability Databases is seriously heterogeneous, so they are not compatible with each other;
3. vulnerability data processing has to be done manually, which consumes a lot of time and cannot avoid subjectivity.

To address the above problems, we discuss "the standardization of vulnerability and automation of vulnerability data processing" in depth in the following aspects:

(1) Technology of vulnerability data standardization. Quantitative vulnerability assessment systems were studied, and 70 thousand vulnerabilities in NVD were collected and collated. Based on these, the problems of the Common Vulnerability Scoring System (CVSS), a quantitative vulnerability assessment system, were analyzed in several aspects: metric evaluation, severity value distribution, value dispersity and objectivity. We proposed four criteria that metrics need to meet, corrected CVSS based on PCA (Principal Component Analysis), and proposed a new severity assessment system named CVSS_PCA, which meets the criteria for metrics and obtains better severity distribution, dispersion and objectivity.

(2) Technology of vulnerability data standardization. CVSS is one of the most representative quantitative assessment algorithms for security vulnerabilities: the severity value of a vulnerability is calculated from the given metrics and formula. However, the objectivity of CVSS is still insufficient. Expert System is an expert-based assessment system for vulnerabilities, in which the severity of a vulnerability is assessed by experts. The objectivity of Expert System and CVSS is analyzed, and CVSS is revised based on Expert System. In the process, the relationship between the above systems and CWE, and between the above systems and Product, are analyzed respectively. A new way of using Expert System is put forward based on CWE, namely the CWE Cycle Sorting Algorithm, which sorts the average vulnerability severity. Meanwhile, a CWE Sort Factor based on the CWE Cycle Sorting Algorithm is put forward to modify CVSS. The result is closer to Expert System in terms of objectivity.

(3) Related technology for the construction of a standard Vulnerability Database (VDB). The advantages and disadvantages of the current international mainstream VDBs are analyzed in many aspects, with 26 VDBs involved. Criteria for Assessing VDBs are proposed, covering data volume and comprehensiveness, independence of data source, referenced state, field comprehensiveness, SCAP support and POC support. Mainstream VDBs were assessed and compared according to these criteria. Finally, a construction mode for a standard VDB is put forward, covering the design of data sources, fields, overall architecture, module functions and mode of service.

(4) Related technology for vulnerability relevance and automatic duplicate removal. The relevance of 842 thousand vulnerabilities from 15 VDBs was analyzed, together with the heterogeneity of vulnerability text-type fields; the topological structure of vulnerability references was sorted out, and the main relationships were summarized from it; based on a text mining algorithm, rules for vulnerability duplicate removal and UVDA (a vulnerability database integration framework) were proposed. UVDA has been applied to the VDB NIPC, which is attached to the National Computer Network Intrusion Prevention Center.

(5) Automatic vulnerability severity assessment technology based on text classification and new features. 160 thousand vulnerabilities from the main VDBs were analyzed, and a new automated vulnerability severity assessment framework, ASVA, is proposed based on a text mining algorithm. ASVA processes data automatically and can be applied in a wide range of cases, including those with insufficient information. Because it is based on the statistical distribution of large data, ASVA largely avoids human subjectivity. Based on ASVA, three novel feature extraction models were proposed, namely Direct Mode, Original Mode and Combined Mode. Rules for combining metrics are proposed for Combined Mode to optimize the selection strategy and improve the accuracy of ASVA.

(6) Automatic vulnerability classification technology based on text classification and new features. 160 thousand vulnerabilities from the main VDBs were analyzed, and a new automated vulnerability classification framework named ASVC is proposed based on a text mining algorithm. ASVC can classify vulnerabilities automatically and in batch, including vulnerabilities with insufficient information. Compared with a small data set processed manually, ASVC is more objective and reliable. Based on ASVC, an auxiliary VDB is introduced and an algorithm for indirect text classification feature extraction is proposed; empirical parameters were optimized to fit the vulnerability classification standard CWE; four automatic classification frameworks (BNVC, LVCM, OSBC and CVCF) were tested and compared with ASVA in two aspects (accuracy and coverage). The experimental results show that ASVC has higher accuracy and coverage than the other four.
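As an added illustration of the severity-score analysis that item (1) describes (this is not the dissertation's code, and not its CVSS_PCA, whose construction the abstract does not detail), the Python below computes CVSS v2 base scores for a constructed set of metric vectors, reports two of the spread measures the abstract names (number of distinct severity values and standard deviation), and builds an alternative severity axis from the first principal component of the standardized metric matrix. The CVSS v2 weights and equation are the published ones; the sample vectors, the use of a single principal component, and the sign orientation are assumptions made here.

```python
"""Added example: CVSS v2 base scores, their dispersion, and a PCA-derived
severity axis over a constructed set of metric vectors.  Not the
dissertation's CVSS_PCA; the PCA step is a generic first-component projection."""
import math
from statistics import mean, pstdev

# Published CVSS v2 base-metric weights.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

# Constructed sample vectors in the string form used by NVD feeds.
SAMPLE_VECTORS = [
    "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "AV:N/AC:L/Au:N/C:N/I:N/A:P",
    "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "AV:L/AC:L/Au:N/C:N/I:N/A:P",
    "AV:L/AC:L/Au:N/C:C/I:C/A:C",
    "AV:A/AC:M/Au:S/C:P/I:P/A:N",
    "AV:N/AC:L/Au:N/C:P/I:N/A:N",  # scores the same as the fourth vector
]

def parse_vector(vec):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into six numeric metric weights."""
    parts = dict(p.split(":") for p in vec.split("/"))
    return [AV[parts["AV"]], AC[parts["AC"]], AU[parts["Au"]],
            CIA[parts["C"]], CIA[parts["I"]], CIA[parts["A"]]]

def round_half_up(x):
    return math.floor(x * 10 + 0.5) / 10

def cvss2_base_score(vec):
    """CVSS v2 base score equation, rounded to one decimal."""
    av, ac, au, c, i, a = parse_vector(vec)
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * av * ac * au
    f_impact = 0 if impact == 0 else 1.176
    return round_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def dispersion(values):
    """How many distinct severity values a scale produces, and their std deviation."""
    return len(set(values)), pstdev(values)

def standardize(rows):
    cols = list(zip(*rows))
    stats = [(mean(c), pstdev(c)) for c in cols]
    return [[(x - m) / s if s > 0 else 0.0 for x, (m, s) in zip(r, stats)] for r in rows]

def covariance(z):
    n, d = len(z), len(z[0])
    return [[sum(r[i] * r[j] for r in z) / n for j in range(d)] for i in range(d)]

def power_iteration(m, iters=500):
    """Dominant eigenvector of a symmetric PSD matrix: the first PCA loading."""
    w = [1.0] * len(m)
    for _ in range(iters):
        w = [sum(m[i][j] * w[j] for j in range(len(m))) for i in range(len(m))]
        norm = math.sqrt(sum(x * x for x in w))
        if norm == 0:
            return w
        w = [x / norm for x in w]
    return w

def pca_severity(vectors):
    """Project standardized metric rows onto PC1, oriented to rise with CVSS."""
    rows = [parse_vector(v) for v in vectors]
    z = standardize(rows)
    w = power_iteration(covariance(z))
    scores = [sum(a * b for a, b in zip(r, w)) for r in z]
    base = [cvss2_base_score(v) for v in vectors]
    if sum((s - mean(scores)) * (b - mean(base)) for s, b in zip(scores, base)) < 0:
        w, scores = [-x for x in w], [-s for s in scores]
    return {"loadings": w, "scores": scores, "cvss": base}

if __name__ == "__main__":
    r = pca_severity(SAMPLE_VECTORS)
    print("CVSS v2 distinct values / stdev:", dispersion(r["cvss"]))
    print("PC1 distinct values / stdev:   ", dispersion(r["scores"]))
    for v, b, s in zip(SAMPLE_VECTORS, r["cvss"], r["scores"]):
        print(f"{v}  cvss={b:4.1f}  pc1={s:+.3f}")
```

On the constructed sample, two different vectors collapse onto the same CVSS value (5.0), which is the kind of limited dispersion the abstract refers to; the continuous PC1 projection keeps them apart. Whether that separation is meaningful depends on the loadings the data produce, so in practice the loadings should be inspected alongside the scores rather than trusted blindly.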
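As an added illustration of the cross-database duplicate removal that item (4) describes (this is not UVDA or any code from the dissertation), the Python below links records from two constructed VDBs by three rules: a shared CVE identifier, an explicit reference from one record to the other, or near-identical descriptions under Jaccard similarity of word tokens. Linked records are then merged with union-find. The record ids, the CVE ids (year 0000), the texts and the similarity threshold are all constructed placeholders and assumptions.

```python
"""Added example: rule-based duplicate detection across two constructed
vulnerability databases, merged with union-find.  Not UVDA."""
import re
from itertools import combinations

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
TOKEN_RE = re.compile(r"[a-z0-9]+(?:[.\-][a-z0-9]+)*")
TEXT_THRESHOLD = 0.6   # assumed Jaccard cut-off; tune on a labelled sample

# Constructed records from two hypothetical databases "vdb-a" and "vdb-b".
RECORDS = [
    {"id": "A-1001", "source": "vdb-a", "refs": ["CVE-0000-0001"],
     "description": "Buffer overflow in ExampleFTP 1.2 allows remote attackers "
                    "to execute arbitrary code via a long USER command."},
    {"id": "A-1002", "source": "vdb-a", "refs": [],
     "description": "Cross-site scripting (XSS) in ExampleWiki 3.0 allows remote "
                    "attackers to inject arbitrary web script via the page parameter."},
    {"id": "A-1003", "source": "vdb-a", "refs": ["CVE-0000-0002"],
     "description": "ExampleDNS 2.1 allows remote attackers to cause a denial of "
                    "service (crash) via a malformed query packet."},
    {"id": "B-77", "source": "vdb-b", "refs": ["A-1001"],   # cites the vdb-a record
     "description": "ExampleFTP 1.2 remote buffer overflow via long USER command"},
    {"id": "B-78", "source": "vdb-b", "refs": [],
     "description": "Cross-site scripting vulnerability in ExampleWiki 3.0 allows "
                    "remote attackers to inject arbitrary web script via the page parameter."},
    {"id": "B-79", "source": "vdb-b", "refs": [],
     "description": "SQL injection in ExampleWiki 3.0 allows remote attackers to "
                    "execute arbitrary SQL commands via the id parameter."},
    {"id": "B-80", "source": "vdb-b", "refs": ["CVE-0000-0002"],
     "description": "Denial of service in ExampleDNS 2.1 via malformed query"},
]

def tokens(text):
    return set(TOKEN_RE.findall(text.lower()))

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def cve_ids(record):
    """CVE identifiers found in the reference list or the description text."""
    return set(CVE_RE.findall(" ".join(record["refs"]) + " " + record["description"]))

def link_rule(r1, r2):
    """Return the name of the first rule that links two records, or None."""
    if cve_ids(r1) & cve_ids(r2):
        return "shared-cve"
    if r1["id"] in r2["refs"] or r2["id"] in r1["refs"]:
        return "cross-reference"
    if jaccard(tokens(r1["description"]), tokens(r2["description"])) >= TEXT_THRESHOLD:
        return "similar-text"
    return None

def merge_duplicates(records):
    """Union-find over pairwise links; returns (sorted clusters of ids, links)."""
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    links = []
    for r1, r2 in combinations(records, 2):
        rule = link_rule(r1, r2)
        if rule:
            links.append((r1["id"], r2["id"], rule))
            parent[find(r1["id"])] = find(r2["id"])
    clusters = {}
    for r in records:
        clusters.setdefault(find(r["id"]), []).append(r["id"])
    return sorted(sorted(c) for c in clusters.values()), links

if __name__ == "__main__":
    clusters, links = merge_duplicates(RECORDS)
    for a, b, rule in links:
        print(f"{a} <-> {b}  [{rule}]")
    print("merged records:", clusters)
```

Each rule catches a case the others miss: the two FTP records share too few words to pass the text threshold but one cites the other; the two DNS records are worded differently but carry the same CVE id; the two XSS records have no shared references but are almost word-for-word identical. The SQL injection record, which shares product and boilerplate phrasing with the XSS records, stays separate because its Jaccard score is well under the threshold.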
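As an added illustration for items (5) and (6) together (this is not ASVA, ASVC or any code from the dissertation), the Python below trains a multinomial naive Bayes text classifier on constructed labelled descriptions and uses it twice: once to assign a vulnerability category and once to assign a severity level. When a description carries too few known words, the insufficient-information case the abstract mentions, text from an auxiliary record is pooled in before classifying, which is one simple reading of the "auxiliary VDB" idea. The training sentences, labels and the token cut-off are constructed assumptions.

```python
"""Added example: naive Bayes text classification of vulnerability descriptions
into a category and a severity level, with an auxiliary-text fallback for
descriptions that carry too little information.  Not ASVA or ASVC."""
import math
import re
from collections import Counter, defaultdict

TOKEN_RE = re.compile(r"[a-z0-9]+(?:[.\-][a-z0-9]+)*")
MIN_KNOWN_TOKENS = 3   # assumed cut-off below which a description is "insufficient"

# Constructed training set: (description, category label, severity label).
TRAINING = [
    ("Buffer overflow allows remote attackers to execute arbitrary code via a long string", "overflow", "high"),
    ("Stack-based buffer overflow in the parser allows attackers to execute code via a crafted file", "overflow", "high"),
    ("Cross-site scripting allows remote attackers to inject arbitrary web script via the name parameter", "xss", "medium"),
    ("XSS vulnerability allows injection of web script or HTML via the query parameter", "xss", "medium"),
    ("SQL injection allows remote attackers to execute arbitrary SQL commands via the id parameter", "sqli", "high"),
    ("SQL injection in the login form allows attackers to run arbitrary SQL queries", "sqli", "high"),
]

def tokens(text):
    return TOKEN_RE.findall(text.lower())

class NaiveBayesText:
    """Multinomial naive Bayes with add-one smoothing over word tokens."""

    def __init__(self):
        self.doc_count = Counter()                 # label -> number of documents
        self.word_count = defaultdict(Counter)     # label -> token -> count
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            self.doc_count[label] += 1
            for w in tokens(text):
                self.word_count[label][w] += 1
                self.vocab.add(w)
        return self

    def known_tokens(self, text):
        # Tokens never seen in training carry no class information here.
        return [w for w in tokens(text) if w in self.vocab]

    def log_scores(self, words):
        total_docs = sum(self.doc_count.values())
        scores = {}
        for label, n_docs in self.doc_count.items():
            total_words = sum(self.word_count[label].values())
            logp = math.log(n_docs / total_docs)          # class prior
            for w in words:
                logp += math.log((self.word_count[label][w] + 1) / (total_words + len(self.vocab)))
            scores[label] = logp
        return scores

    def predict(self, description, auxiliary_text=""):
        """Label a description; pool in auxiliary text when the description alone
        carries too few known tokens.  Returns None if nothing known remains."""
        words = self.known_tokens(description)
        if len(words) < MIN_KNOWN_TOKENS and auxiliary_text:
            words += self.known_tokens(auxiliary_text)
        if not words:
            return None
        scores = self.log_scores(words)
        return max(sorted(scores), key=scores.get)   # deterministic tie-break

def train_models(training=TRAINING):
    """Two models over the same texts: one for category, one for severity."""
    category = NaiveBayesText().fit([(t, c) for t, c, _ in training])
    severity = NaiveBayesText().fit([(t, s) for t, _, s in training])
    return category, severity

if __name__ == "__main__":
    category, severity = train_models()
    for text in ["Heap-based buffer overflow in the image decoder allows remote attackers to execute arbitrary code",
                 "See vendor advisory"]:
        print(f"{text[:45]:<45} -> {category.predict(text)} / {severity.predict(text)}")
    print("with auxiliary record ->",
          category.predict("See vendor advisory", auxiliary_text="SQL injection in login"))
```

A description such as "See vendor advisory" yields no known tokens, so the model declines rather than guessing; supplying the auxiliary record's text is what makes it classifiable. On real feeds the cut-off, the stop-word handling and the choice of auxiliary fields all need tuning against a labelled sample, which is the kind of parameter optimization the abstract reports for CWE.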
Keywords/Search Tags: Vulnerability Database, Vulnerability Standardization, Vulnerability Relevance, Vulnerability Classification, Vulnerability Severity Assessment