A Proposal for Common Vulnerability Classification Scheme Based on Analysis of Taxonomic Features in Vulnerability Databases
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 6, June 2011
A Proposal for Common Vulnerability Classification Scheme Based on Analysis of Taxonomic Features in Vulnerability Databases

Anshu Tripathi
Department of Information Technology, Mahakal Institute of Technology, Ujjain, India
anshu_tripathi@yahoo.com

Umesh Kumar Singh
Institute of Computer Science, Vikram University, Ujjain, India
umeshsingh@rediffmail.com
Abstract— A proper vulnerability classification scheme aids in improving the system security evaluation process. Many vulnerability classification schemes exist, but a standard classification scheme is lacking. The focus of this work is to devise a common classification scheme by combining, in an effective way, characteristics derived from the classification schemes of prominent vulnerability databases. In order to identify a balanced set of characteristics for the proposed scheme, a comparative analysis of existing classification schemes was done on five major vulnerability databases. A set of taxonomic features and classes was extracted as a result of the analysis. Further, a common vulnerability classification scheme is proposed by harmonizing the extracted set of taxonomic features and classes. A mapping of the proposed scheme to the existing classification schemes is also presented, to eliminate inconsistencies across the selected set of databases.

Keywords- Vulnerability; Classification scheme; Vulnerability databases; Taxonomy; Security evaluation.

I. INTRODUCTION

Proper assessment and mitigation of vulnerabilities is essential in order to ensure system security. Vulnerabilities are "design and implementation errors in information systems that can result in a compromise of the confidentiality, integrity or availability of information stored upon or transmitted over the affected system" [1]. In view of the increasing population of vulnerabilities [2], it is necessary to prioritize them and first remediate those that pose the greatest risk. Vulnerability prioritization requires evaluation of the risk levels posed by the presence of vulnerabilities. Quantitative evaluation of system security in terms of the risk levels due to the presence of vulnerabilities is gaining importance because it produces objective and timely results. One of the ways to evaluate security quickly is to find out the potential weak areas of the system. It is essential to focus mitigation efforts on the areas that have a greater number of vulnerabilities, in order to meet budget and time constraints. These areas can be identified by proper vulnerability classification, which thus leads to identifying the root causes of the weaknesses. Vulnerabilities share common properties and similar characteristics in generic aspects like causes, impacts and locations [3]. Results from previous research [3-6] clearly indicate that quantitative security evaluation of risks on vulnerability datasets partitioned into well-defined classes is a meaningful metric. In [4], the results of categorized vulnerability analysis showed that some vulnerability classes are more severe; this fact can be used to design an optimal security solution by prioritizing the severe classes. A proper classification scheme facilitates the distribution of vulnerabilities and helps in prioritizing mitigation efforts according to severity level. The efficiency of a security evaluation process can be measured by its objectivity and vulnerability coverage. A proper classification scheme plays a major role in this regard by increasing both objectivity and vulnerability coverage.

Taxonomy is a way to classify vulnerabilities in a well-formed structure so that categorization and generalization can be achieved [7]. In our previous work [8], we analyzed prominent published vulnerability taxonomies with respect to standard criteria and highlighted the issues which make them not so usable in today's scenario. This study of past efforts at developing such taxonomies indicates that these efforts prove to be insufficient to address the security issues associated with current software products, due to their theoretical approach or their focus on a limited domain.

There are many different vulnerability databases, set up with different standards and capabilities, that record vulnerabilities and characterize them by several attributes. These databases serve the need for an up-to-date collection of vulnerability data for research. Some of the most popular databases include the National Vulnerability Database (NVD) [9], The Open Source Vulnerability Database (OSVDB) [10], and IBM ISS X-Force [11]. But there are many challenges in extracting common patterns from these vulnerability databases, due to discrepancies in the way the information is kept. Many different classification schemes are used by the databases to classify vulnerabilities, and a common classification scheme is lacking. A detailed study of the issues involved in this regard can be found in [12]. The objective of this work is to analyze the vulnerability classification schemes in some of the most popular databases and devise a common classification scheme. The main aim of
106 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
proposing a common classification scheme is to provide a stepping stone in security risk analysis by strategically mitigating risks.

The paper is organized as follows. Section 2 provides an overview of the vulnerability classification schemes in major vulnerability databases. Section 3 presents a comparison of the classification schemes under taxonomic features in the prominent vulnerability databases introduced in section 2. Section 4 presents a proposal for a common classification scheme based on the comparison in section 3, by extracting appropriate taxonomic features and classes. Further, a mapping of the proposed scheme to the existing ones is also given. Finally, section 5 concludes the work with directions for future work.

II. RELATED WORK

There are a number of vulnerability classification schemes adopted by different vulnerability databases maintained by various organizations. In this part we introduce the classification schemes in five major vulnerability databases: IBM ISS X-Force, NVD, SecurityFocus, OSVDB and Secunia.

The IBM ISS X-Force database [11] is one of the world's most comprehensive threat and vulnerability databases. At the end of 2010, there were 54,604 vulnerabilities in the X-Force Database, covering 24,607 distinct software products from 12,562 vendors. The IBM ISS X-Force database doesn't include any class or category information explicitly; in other words, it doesn't specify any classification scheme. But it inherently supports the taxonomic features impact and severity level. In all, eleven categories are proposed under impact, and it assigns risk levels in three categories: High, Medium and Low. The National Vulnerability Database [9] is managed by the National Institute of Standards and Technology of the United States and is associated with the CVE [13]. It records vulnerabilities since 1999; in total 46176 vulnerabilities are listed under CVE names. NVD uses CWE [14] as its classification mechanism; each individual CWE represents a single vulnerability type. There are in total 23 vulnerability types in the NVD classification scheme, which are based on the taxonomic features vulnerability cause and vulnerability impact. The SecurityFocus vulnerability database [15] is a vendor-neutral vulnerability database managed by Symantec Corporation since 2002. It contains more than 40,000 recorded vulnerabilities (spanning more than two decades) affecting more than 105,000 technologies from more than 14,000 vendors. SecurityFocus supports a classification scheme under the taxonomic feature cause. In total, eleven vulnerability categories are specified, based on the taxonomy of security faults in the Unix operating system by Taimur Aslam [16]. The other taxonomic feature supported by SecurityFocus is exploitation location, with two categories: remote and local. The Open Source Vulnerability Database [10] is an open source database created in 2002 by the Black Hat Conference people; it currently covers 70,789 vulnerabilities, spanning 32,272 products from 4,735 researchers, over 46 years. OSVDB provides a two-tier vulnerability classification scheme. The first tier includes the categories Location, Attack Type, Impact, Solution, Exploit, Disclosure and OSVDB. Location includes nine subcategories, Attack Type includes ten subcategories, Impact includes four subcategories, Solution includes seven subcategories, Disclosure includes eight subcategories and OSVDB includes six subcategories. OSVDB supports a rich search feature under every category for trend analysis. Secunia [17] is a private organization that provides services in security company defense and vulnerability analysis. Secunia categorizes vulnerabilities under the features Impact, Critical Levels, and Exploitation Location. Vulnerabilities under impact are associated with twelve classes. Criticality levels can be five, ranging from extremely critical to not critical, and the attack vector classification includes three classes.

As we can see, the classification schemes supported by these major vulnerability databases are disparate in terms of classification criteria and dimensionality. Moreover, there is no interoperability among them. Therefore it is challenging to compare or combine information across these databases. A common classification scheme can help in this regard. In the next section these databases are compared and analyzed with respect to generic taxonomic features, in order to extract pertinent information for the development of a common classification scheme.

III. EXTRACTION OF TAXONOMIC FEATURES AND CLASSES

One of the objectives of this work is to identify a set of characteristics for a very specific classification scheme, one that can be used effectively in quantitative security evaluation of a system. This goal requires analysis of the existing schemes to deduce possible common features that will aid in security evaluation. A comparative study provides insight into the pros and cons of the different kinds of classification schemes. This section compares the classification schemes in the major vulnerability databases introduced in the previous section under generic taxonomic features. The taxonomic features identified for analysis are: cause, impact, exploitation location and severity level. The comparisons of the features done under various heads are summarized in Tables II to V. These heads have been numbered for greater legibility and their correspondence is shown in Table I.

TABLE I. TABLE SHOWING CORRESPONDENCE OF COMPARISON HEADS

No. of Head   Name of Head
1             Explicit
2             Dimensionality
3             Class Code
4             Class Details
5             Multivariate
6             Approximate Population Percentage

A. Vulnerability cause

Vulnerabilities grouped under the taxonomic feature cause help in understanding the common types of errors and conditions that are the reason for the existence of the majority of vulnerabilities.
Paying attention to common errors and mistakes results in mitigating multiple vulnerabilities and also avoids future vulnerabilities caused by the same reason. SecurityFocus classifies vulnerabilities explicitly under the feature cause, and NVD and OSVDB also incorporate this feature partially in their classification schemes. Table II provides the results of a comparative study of classification under the feature cause in these three databases.

B. Vulnerability Impact

Exploitation of vulnerabilities results in degradation of system performance. Different vulnerabilities have different kinds of impact on system performance, so classification of vulnerabilities under the feature impact can provide useful insights. The taxonomic feature vulnerability impact is used as a classification criterion in the X-Force, Secunia, NVD and OSVDB databases. Table III provides the results of a comparative study of classification under the feature impact in these databases.

C. Exploitation Location

Exploitation location is the main feature affecting the risk level of a system, as it determines the attacker community and in turn the mitigation strategies. The databases SecurityFocus, OSVDB and Secunia explicitly classify vulnerabilities under this feature, with from 2 to 9 classes. Table IV provides the results of a comparative study of classification under the feature exploitation location in these databases.

D. Severity level

Different vulnerabilities have different levels of impact on the CIA of the system, which is measured by severity level. Severity level information is provided by the databases qualitatively or quantitatively. The number of classes for the feature severity level is inconsistent across databases, varying from 3 to 5 in the qualitative case, as shown in column 3 of Table IV. OSVDB provides severity ratings in terms of CVSS scores [18] only, while SecurityFocus doesn't include this information. Table V provides the results of a comparative study of classification under the feature severity level in these databases.

TABLE II. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE VULNERABILITY CAUSE
(Heads as numbered in Table I: 1 Explicit, 2 Dimensionality, 3 Class Code, 4 Class Details, 5 Multivariate, 6 Approximate Population Percentage)

VDB: SecurityFocus   (1) Y   (2) 11   (5) N
  (3) Code    (4) Class Details                            (6) %
  C-SF1       Configuration Error                           1.19
  C-SF2       Boundary Condition Error                     16.70
  C-SF3       Environment Error                             0.31
  C-SF4       Input Validation Error                       45.59
  C-SF5       Design Error                                 18.81
  C-SF6       Race Condition Error                          1.10
  C-SF7       Origin Validation Error                       0.50
  C-SF8       Access Validation Error                       5.60
  C-SF9       Failure to Handle Exceptional Conditions     10.09
  C-SF10      Atomicity Error                               0.03
  C-SF11      Unknown                                       0.08

VDB: NVD             (1) P   (2) 16   (5) N
  (3) Code    (4) Class Details                            (6) %
  C-N1        Authentication Issues                         2.48
  C-N2        Credentials Management                        1.01
  C-N3        Buffer Errors                                11.65
  C-N4        Cryptographic Issues                          1.23
  C-N5        Path Traversal                                5.38
  C-N6        Code Injection                                6.05
  C-N7        Format String Vulnerability                   0.53
  C-N8        Configuration                                 0.89
  C-N9        Input Validation                              6.79
  C-N10       Numeric Errors                                3.01
  C-N11       OS Command Injections                         0.24
  C-N12       Race Conditions                               0.56
  C-N13       Resource Management Errors                    4.94
  C-N14       SQL Injections                               13.17
  C-N15       Link Following                                1.28
  C-N16       Design Error                                  2.45

VDB: OSVDB           (1) P   (2) 04   (5) N
  (3) Code    (4) Class Details                            (6) %
  C-O1        Authentication Management                     2.18
  C-O2        Cryptographic                                 1.62
  C-O3        Misconfiguration                              0.89
  C-O4        Race Condition                                1.39

TABLE III. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE VULNERABILITY IMPACT
(Heads as numbered in Table I)

VDB: X-Force         (1) N   (2) 11   (5) N
  (3) Code    (4) Class Details                            (6) %
  I-X1        Gain Access                                  49.25
  I-X2        Gain Privileges                               4.0
  I-X3        Bypass Security                               5.75
  I-X4        File Manipulation                             1.25
  I-X5        Data Manipulation                            16.42
  I-X6        Obtain Information                            9.0
  I-X7        Denial of Service                            12.0
  I-X8        Configuration                                 0.08
  I-X9        Informational                                 0.05
  I-X10       Other                                         1.5
  I-X11       None                                          0.7

VDB: Secunia         (1) Y   (2) 12   (5) Y
  (3) Code    (4) Class Details                            (6) %
  I-S1        Brute force                                   0.21
  I-S2        Cross site scripting                         17.5
  I-S3        Denial of Service                            13.0
  I-S4        Exposure of sensitive information            14.23
  I-S5        Exposure of system information                2.67
  I-S6        Hijacking                                     0.40
  I-S7        Manipulation of data                         15.87
  I-S8        Privilege escalation                          5.82
  I-S9        Security bypass                               5.88
  I-S10       Spoofing                                      1.56
  I-S11       System Access                                21.46
  I-S12       Unknown                                       1.40

VDB: NVD             (1) P   (2) 04   (5) N
  (3) Code    (4) Class Details                            (6) %
  I-N1        Permissions, Privileges and Access Control    7.49
  I-N2        Cross Site Request Forgery                    1.49
  I-N3        Cross site scripting                         12.60
  I-N4        Information leak/disclosure                   3.22

VDB: OSVDB           (1) P   (2) 04   (5) N
  (3) Code    (4) Class Details                            (6) %
  I-O1        Denial of Service                            11.44
  I-O2        Information disclosure                       18.66
  I-O3        Infrastructure                                0.15
  I-O4        Input manipulation                           60.64
TABLE IV. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE EXPLOITATION LOCATION
(Heads as numbered in Table I)

VDB: SecurityFocus   (1) Y   (2) 02   (5) N
  (3) Code    (4) Class Details                            (6) %
  E-SF1       Remote                                       80
  E-SF2       Local                                        20

VDB: OSVDB           (1) Y   (2) 09   (5) N
  (3) Code    (4) Class Details                            (6) %
  E-O1        Physical access                               0.45
  E-O2        Local access                                  8.50
  E-O3        Remote/network access                        77.42
  E-O4        Local/Remote                                  4.37
  E-O5        Context dependent                             6.36
  E-O6        Dial up access                                0.06
  E-O7        Wireless Vector                               0.27
  E-O8        Mobile Phone/Hand held device                 0.15
  E-O9        Unknown                                       2.39

VDB: Secunia         (1) Y   (2) 03   (5) N
  (3) Code    (4) Class Details                            (6) %
  E-S1        Remote                                       84.0
  E-S2        Local network                                 8.0
  E-S3        Local system                                  8.0

TABLE V. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE SEVERITY LEVEL
(Heads as numbered in Table I)

VDB: X-Force         (1) Y   (2) 03   (5) N
  (3) Code    (4) Class Details                            (6) %
  S-X1        High                                         34
  S-X2        Medium                                       59
  S-X3        Low                                          07

VDB: NVD             (1) Y   (2) 03   (5) N
  (3) Code    (4) Class Details                            (6) %
  S-N1        High                                         44.6
  S-N2        Medium                                       48.0
  S-N3        Low                                           7.40

VDB: Secunia         (1) Y   (2) 05   (5) N
  (3) Code    (4) Class Details                            (6) %
  S-S1        Extremely critical                            4.0
  S-S2        Highly critical                              19.0
  S-S3        Moderately critical                          39.0
  S-S4        Less critical                                35.0
  S-S5        Not critical                                  3.0

IV. PROPOSED CLASSIFICATION SCHEME AND MAPPING

The analysis of the classification schemes in major vulnerability databases in section III suggests that the main taxonomic features in classification at the highest level of the hierarchy should be vulnerability cause, vulnerability impact, exploitation location and severity level. We propose a two-level vulnerability classification scheme based on this observation. Further, a mapping of the classes in the proposed scheme to the classes in the analyzed vulnerability databases is also presented, to resolve the discrepancy. A summary of the complete scheme is presented below.

A. Overview of scheme

The vulnerability cause feature is considered univariate and classified into eleven classes, specified in column IV of Table VI. The classes under the feature vulnerability cause are based on SecurityFocus's classification scheme. The vulnerability impact feature is considered multivariate and classified into nine classes, listed in column IV of Table VI. The classes under the feature vulnerability impact are based on the classification scheme of the Secunia database and the vulnerability consequence information provided by the X-Force database. Exploitation location is considered univariate and classified into three classes: remote, local network and local. The classes under the feature exploitation location are based on the Secunia database's vulnerability information under the head 'where'. The severity level feature is considered univariate and classified into four classes: critical, high, medium and low. The classes under the severity level feature are based on CVSS scores and can be associated with the severity levels defined by other databases on the basis of CVSS scores only.

During the harmonization process, we have merged classes with a minor vulnerability population into the nearest relevant classes, with the objective of producing a classification that helps in focusing on the main causes and impact areas. The class Other is included to keep scope for expansion. Table VI presents a concise view of the proposed classification scheme and the mapping information.

B. Discussion

To proactively secure any system it is crucial to focus on the root causes of vulnerabilities. This signifies the classification under the feature vulnerability cause. But as we can see in Table II, only SecurityFocus classifies vulnerabilities explicitly under this feature. NVD and OSVDB include a few classes associated with cause in their classification schemes. It's obvious from the class details given in column 5 of Table II that the information across these three databases is highly incompatible. Moreover, many taxonomies exist [16, 19-22] that classify vulnerabilities under the feature cause. The classification in these taxonomies is based on the classification given by Landwehr et al. in [19]. SecurityFocus's vulnerability classification scheme is based on the taxonomy of security faults in the Unix operating system by Taimur Aslam [16]. So in the proposed scheme we opted to select the classification given by SecurityFocus as the basis. In all, eleven classes are selected, as specified in column 4 of Table VI. The feature is listed as univariate. The classes of NVD and OSVDB are mapped approximately, due to incompatibility, as specified in column 5 of Table VI. A few of the classes can't be mapped (see column 7 of Table VI).

The taxonomic feature impact is used by most of the databases, but Secunia is the only database that uses it explicitly as a classification criterion (see Table III). The proposed scheme classifies vulnerabilities under the feature vulnerability impact based on Secunia. X-Force's information about consequences is compatible with Secunia's, but the two differ in treating classes as multivariate or univariate. NVD and OSVDB include a few classes under the feature impact. After identifying the impact classes from both databases, they are mapped onto the classification based on Secunia and X-Force. In all, nine main categories are identified, as listed in column 4 of Table VI, that cover the main impact classes included in these four databases. The mapping information given in column 5 of Table VI specifies that the classes File manipulation and Data manipulation in X-Force are merged into a single category and mapped onto the Manipulation of data class of Secunia.
TABLE VI. PROPOSED CLASSIFICATION SCHEME AND MAPPING
(Heads as numbered in Table I: 2 Dimensionality, 5 Multivariate, 4 Class Details; Mapping lists the class codes of Tables II to V)

Taxonomic Feature: Vulnerability Cause   (2) 11   (5) N
  (4) Class Details                           Mapping
  Configuration Error                         C-SF1, C-N8, C-O3
  Boundary Condition Error                    C-SF2, C-N13, C-N10, C-N3
  Environment Error                           C-SF3
  Input Validation Error                      C-SF4, C-N5, C-N9, C-N11, C-N14
  Design Error                                C-SF5, C-N16
  Race Condition Error                        C-SF6, C-N12, C-O4
  Origin Validation Error                     C-SF7, C-N1, C-N2, C-N6, C-N7, C-O1
  Access Validation Error                     C-SF8, C-N15
  Failure to Handle Exceptional Conditions    C-SF9
  Atomicity Error                             C-SF10
  Other                                       C-SF11
  Comments: Cryptographic issues can't be mapped directly because they can be associated with different causes, for example numeric errors, boundary condition etc. So they are required to be mapped as per the reason associated.

Taxonomic Feature: Vulnerability Impact  (2) 09   (5) Y
  (4) Class Details                           Mapping
  Gain system access                          I-X1, I-S6, I-S11
  Gain privileges                             I-X2, I-S8, I-N1
  Bypass security                             I-X3, I-S9
  Data manipulation                           I-X4, I-X5, I-S7, I-O4
  Exposure of information                     I-X6, I-S1, I-S4, I-S5, I-N4, I-O2
  Denial of service                           I-X7, I-S5, I-O1
  Cross site scripting                        I-S2, I-N2, I-N3
  Spoofing                                    I-S10
  Other                                       I-X8, I-X9, I-X10, I-S12, I-O3
  Comments: Classes with minor population are merged into the relevant class. The purpose is to objectively focus on the main impact areas.

Taxonomic Feature: Attack Vector         (2) 03   (5) N
  (4) Class Details                           Mapping
  Remote                                      E-S1, E-O3, E-O6, E-O7, E-O8, E-SF1
  Local Network                               E-S2, E-O4, E-SF1
  Local                                       E-S3, E-O1, E-O2, E-SF2
  Comments: E-SF1 needs to be categorized depending on network type (LAN/WAN). The definition of E-O5 is ambiguous.

Taxonomic Feature: Severity Level        (2) 04   (5) N
  (4) Class Details                           Mapping
  Critical                                    S-X1, S-N1, S-S1, S-S2
  High                                        S-X1, S-N1, S-S3
  Medium                                      S-X2, S-N2, S-S4
  Low                                         S-X3, S-N3, S-S5
  Comments: Mapping based on CVSS scores: Critical (9-10), High (7-8.9), Medium (4-6.9), Low (0-3.9).
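The mapping of Table VI is, in effect, a set of lookup tables, and the following Python script (an added example, not code from the paper or from any of the databases it surveys) makes that concrete: database-specific class codes from Tables II to V are translated into the proposed cause, impact and attack-vector classes, CVSS scores are banded into the four severity levels of the Comments column, and one database's column-6 population percentages are re-totalled under the proposed classes. It goes slightly beyond the table by flagging, instead of silently dropping, codes that Table VI leaves without a row (such as C-N4, I-X11, E-O5, E-O9) and the code E-SF1 that appears under both Remote and Local Network. The record layout, the function names and the sample record are assumptions made here. Table VI prints I-S5 under both Exposure of information and Denial of service; since Table III lists Secunia's Denial of Service as I-S3 and the discussion text merges I-S5 into Exposure, the script uses I-S3 for Denial of service and marks that as an assumption in a comment.

```python
"""Harmonized vulnerability classification built from Table VI (added example, not the paper's code).
Class codes and their rows come from Tables II-VI of the paper; the record layout, the function
names and the sample record below are assumptions made for this example."""
from collections import defaultdict

# Mapping column of Table VI: proposed class -> database class codes
# (C-SF* SecurityFocus, C-N* NVD, C-O* OSVDB, I-X* X-Force, I-S* Secunia, E-* exploitation location).
CAUSE_MAP = {
    "Configuration Error": "C-SF1 C-N8 C-O3",
    "Boundary Condition Error": "C-SF2 C-N13 C-N10 C-N3",
    "Environment Error": "C-SF3",
    "Input Validation Error": "C-SF4 C-N5 C-N9 C-N11 C-N14",
    "Design Error": "C-SF5 C-N16",
    "Race Condition Error": "C-SF6 C-N12 C-O4",
    "Origin Validation Error": "C-SF7 C-N1 C-N2 C-N6 C-N7 C-O1",
    "Access Validation Error": "C-SF8 C-N15",
    "Failure to Handle Exceptional Conditions": "C-SF9",
    "Atomicity Error": "C-SF10",
    "Other": "C-SF11",
}
IMPACT_MAP = {
    "Gain system access": "I-X1 I-S6 I-S11",
    "Gain privileges": "I-X2 I-S8 I-N1",
    "Bypass security": "I-X3 I-S9",
    "Data manipulation": "I-X4 I-X5 I-S7 I-O4",
    "Exposure of information": "I-X6 I-S1 I-S4 I-S5 I-N4 I-O2",
    # Table VI prints I-S5 in this row too; Table III makes Secunia's Denial of Service I-S3 (assumed here).
    "Denial of service": "I-X7 I-S3 I-O1",
    "Cross site scripting": "I-S2 I-N2 I-N3",
    "Spoofing": "I-S10",
    "Other": "I-X8 I-X9 I-X10 I-S12 I-O3",
}
VECTOR_MAP = {  # E-SF1 is listed under Remote and Local Network: Table VI says it needs LAN/WAN review
    "Remote": "E-S1 E-O3 E-O6 E-O7 E-O8 E-SF1",
    "Local Network": "E-S2 E-O4 E-SF1",
    "Local": "E-S3 E-O1 E-O2 E-SF2",
}

def invert(mapping):
    """Index code -> set of proposed classes; a code listed in two rows yields two candidates."""
    index = defaultdict(set)
    for proposed, codes in mapping.items():
        for code in codes.split():
            index[code].add(proposed)
    return index

CAUSE_INDEX, IMPACT_INDEX, VECTOR_INDEX = invert(CAUSE_MAP), invert(IMPACT_MAP), invert(VECTOR_MAP)

def severity_from_cvss(score):
    """Four-level grading from the Comments column of Table VI: Critical 9-10, High 7-8.9, Medium 4-6.9, Low 0-3.9."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def classify(record):
    """Translate one record {"cause", "impact": [codes], "vector", "cvss"} into the proposed scheme.
    Cause and vector are univariate, impact is multivariate (a set). Codes with no row in Table VI
    (e.g. C-N4, I-X11, E-O5) land in "unmapped"; an ambiguous vector code (E-SF1) lands in "review"."""
    out = {"unmapped": [], "review": [], "impact": set()}
    cause = CAUSE_INDEX.get(record.get("cause"), set())
    out["cause"] = next(iter(cause)) if cause else None
    if record.get("cause") and not cause:
        out["unmapped"].append(record["cause"])
    for code in record.get("impact", []):
        if code in IMPACT_INDEX:
            out["impact"] |= IMPACT_INDEX[code]
        else:
            out["unmapped"].append(code)
    vec = VECTOR_INDEX.get(record.get("vector"), set())
    out["vector"] = next(iter(vec)) if len(vec) == 1 else None
    if record.get("vector") and len(vec) != 1:
        (out["review"] if vec else out["unmapped"]).append(record["vector"])
    out["severity"] = severity_from_cvss(record["cvss"]) if record.get("cvss") is not None else None
    return out

def aggregate_population(code_pct, index):
    """Re-total one database's column-6 percentages under the proposed classes."""
    totals = defaultdict(float)
    for code, pct in code_pct.items():
        classes = index.get(code, set())
        if len(classes) == 1:
            totals[next(iter(classes))] += pct
        else:  # no row in Table VI, or listed under two rows
            totals["(unmapped or review)"] += pct
    return {k: round(v, 2) for k, v in totals.items()}

# X-Force impact percentages, column 6 of Table III.
XFORCE_IMPACT_PCT = {"I-X1": 49.25, "I-X2": 4.0, "I-X3": 5.75, "I-X4": 1.25, "I-X5": 16.42, "I-X6": 9.0,
                     "I-X7": 12.0, "I-X8": 0.08, "I-X9": 0.05, "I-X10": 1.5, "I-X11": 0.7}

if __name__ == "__main__":  # constructed sample record: NVD-style cause, two Secunia impacts, CVSS 7.5
    print(classify({"cause": "C-N14", "impact": ["I-S11", "I-S4"], "vector": "E-S1", "cvss": 7.5}))
    print(aggregate_population(XFORCE_IMPACT_PCT, IMPACT_INDEX))
```

Running the script classifies the constructed sample record as Input Validation Error, the impact pair {Gain system access, Exposure of information}, vector Remote and severity High, and re-totals the X-Force impact distribution so that, for instance, File Manipulation and Data Manipulation (1.25 + 16.42) combine into 17.67 under Data manipulation, while X-Force's None class (0.7) is reported as unmapped, which is exactly the information a maintainer of such a scheme needs before adding the next row to Table VI.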
Similarly, Exposure of sensitive information and Exposure of system information of Secunia are merged and mapped onto Obtain information of X-Force. After reviewing the population distribution given in column 7 of Table III, the Configuration and Informational classes of X-Force are mapped onto Other because of their minor population (0.05-0.08), and these classes are also covered in the feature cause. Hijacking in Secunia is basically gaining access, and brute force is obtaining information. Spoofing is kept as a separate category because it bypasses security as well as escalates privileges. A single vulnerability can have impact in multiple ways, so the feature is listed as multivariate, as specified in column 3 of Table VI.

The attack vector not only determines the exploitation location but also informs about the attacker class, which in turn reflects attack techniques. It is an important feature that affects the severity level and also guides the design of security solution plans. Although all databases cover this feature, high disparity is involved (see Table IV). Classes range from 2 to 9, as listed in column 5 of Table IV. The proposed scheme suggests three levels: local, local network and remote (see column 4 of Table VI). These three levels cover all the significant attack dimensions, and accordingly security plans can be developed depending on the exposure of a machine to LAN or WAN or physical access. Various vulnerabilities, although listed under the same cause or impact class, can damage a system at different severity levels. So classification under the feature severity level is necessary in order to understand the impact level of different classes and further of the vulnerabilities in them. Severity level feature information is included in almost all databases, but the number of levels varies from 3 to 5 (see Table V). To remove the inconsistency in a balanced way, after analyzing the population distribution specified in column 7 of Table V, a four-level grading is proposed. Further, the mapping of severity levels to CVSS scores given in column 6 of Table VI will resolve the disparity and give both a qualitative and a quantitative classification. Severity level can be univariate only.

V. CONCLUSION AND FUTURE WORK

The efficiency of a security evaluation process depends on its objectivity and vulnerability coverage. A proper vulnerability classification scheme can be helpful in this regard by increasing both objectivity and vulnerability coverage. Moreover, a proper classification scheme is also helpful in the categorization of newly discovered vulnerabilities and in trend analysis. The effectiveness of a classification scheme mainly depends on the taxonomic features selected as the base for classification. Different classification schemes exist in different vulnerability databases, based on a variety of criteria. A standard classification scheme is lacking. Five major vulnerability databases are selected in this work and the classification schemes adopted by them are analyzed.
ACKNOWLEDGMENT

We would like to thank the anonymous reviewers who provided helpful feedback on our manuscript.

REFERENCES

[1] D. Turner, M. Fossi, E. Johnson, T. Mack, J. Blackbird, S. Entwisle, M. K. Low, D. McKinney, and C. Wueest, "Symantec global internet security threat report: Trends for July to December 2007," Symantec, Tech. Rep., 2008.
[2] Secunia. Secunia yearly report 2010, http://secunia.com/gfx/pdf/Secunia_Yearly_Report_2010.pdf, 2011.
[3] Zhongqiang Chen, Yuan Zhang, Zhongrong Chen, "A Categorization Framework for Common Vulnerabilities and Exposures," The Computer Journal, Advance Access published online on May 7, 2009, http://comjnl.oxfordjournals.org, doi:10.1093/comjnl/bxp040.
[4] Alhazmi, O. H., Woo, S-W., Malaiya, Y. K., "Security Vulnerability Categories in Major Software Systems," Proc. Third IASTED International Conference on Communication, Network, and Information Security, 2006, pp. 138-143.
[5] Lutz Lowis, Rafael Accorsi, "On a Classification Approach for SOA Vulnerabilities," Proc. 33rd Annual IEEE International Computer Software and Applications Conference, vol. 2, 2009, pp. 439-444.
[6] Somak Bhattacharya, S.K. Ghosh, "Security Threat Prediction in a Local Area Network Using Statistical Model," Proc. IEEE International Parallel and Distributed Processing Symposium, 2007, pp. 425-432.
[7] Aslam, T., Krsul, I. and Spafford, E.H., "Use of A Taxonomy of Security Faults," Proc. 19th National Information Systems Security Conf., Baltimore, USA, 1996, pp. 551-560.
[8] Tripathi, A., Singh, U.K., "Towards Standardization of Vulnerability Taxonomy," Proc. 2nd International Conference on Computer Technology and Development, Cairo, Egypt, 2010, pp. 379-384.
[9] NHS and NIST, National Vulnerability Database (NVD), automating vulnerability management, security measurement, and compliance checking, http://nvd.nist.gov/scap.cfm (Accessed on 10-05-2011).
[10] http://osvdb.org/ (Accessed on 10-05-2011).
[11] Internet Security Services Online database X-Force, 2008. [Online] Available: http://www.iss.net/xforce/ (Accessed on 10-05-2011).
[12] Tripathi, A., Singh, U.K., "Taxonomic Analysis of Classification Schemes in Vulnerability Databases" (Communicated).
[13] The MITRE Corporation (2008) Common Vulnerabilities and Exposures. [Online] Available: http://cve.mitre.org/ (Accessed on 10-05-2011).
[14] R.A. Martin, Common Weakness Enumeration (CWE v1.8). 2010, National Cyber Security Division of the U.S. Department of Homeland Security.
[15] SecurityFocus Vulnerability Database. [Online] Available: http://www.securityfocus.com (Accessed on 10-05-2011).
[16] T. Aslam, "A Taxonomy of Security Faults in the Unix Operating System," M.S. thesis, Dept. of Comp. Sci., Purdue Univ., COAST TR 95-09, 1995.
[17] Secunia. [Online] Available: http://secunia.com (Accessed on 10-05-2011).
[18] Forum of Incident Response and Security Teams (FIRST), "Common Vulnerability Scoring System 2.0," 2007. [Online]. Available: http://www.first.org/cvss
[19] C. E. Landwehr et al., "A Taxonomy of Computer Program Security Flaws," ACM Comp. Surveys, vol. 26, no. 3, Sept. 1994, pp. 211-254.
[20] K. Jiwnani and M. Zelkowitz, "Maintaining Software with a Security Perspective," Proc. Int'l Conf. Software Maintenance, 3-6 Oct. 2002, pp. 194-203.
[21] W. Du and A. P. Mathur, "Categorization of Software Errors that Led to Security Breaches," Proc. 21st Nat'l Info. Sys. Sec. Conf., 1998.
[22] S. Kamara et al., "Analysis of Vulnerabilities in Internet Firewalls," Comp. & Sec., vol. 22, no. 3, 2003, pp. 214-232.

AUTHORS PROFILE

Anshu Tripathi holds an M.Tech. degree in Computer Science from Banasthali Vidyapith, Banasthali, INDIA. She is currently pursuing a Ph.D. in Computer Science at the Institute of Computer Science, Vikram University, Ujjain, INDIA. Her research interests include proactive network security, security measurement, and risk analysis.

Umesh Kumar Singh received his Ph.D. in Computer Science from Devi Ahilya University, Indore, INDIA. Presently he is Director of the Institute of Computer Science, Vikram University, Ujjain, INDIA. He served as Professor in Computer Science and Principal of Mahakal Institute of Computer Sciences (MICS-MIT), Ujjain. He served as Engineer (E&T) in the education and training division of CMC Ltd., New Delhi in the initial years of his career. He has authored a book on "Internet and Web technology" and his various research papers are published in national and international journals of repute. He is a reviewer for the International Journal of Network Security (IJNS) and IJCSIS, and a reviewer and member of the conference committee of the European Conference on Knowledge Management (ECKM) since 2007. He is also a reviewer for the 4th IEEE International Conference on Computer Science and Information Technology and the 2011 3rd International Conference on Machine Learning and Computing. His research interests include Computer Networks, Network Security, Internet & Web Technology, Client-Server Computing and IT based education.