A Proposal for Common Vulnerability Classification Scheme Based on Analysis of Taxonomic Features in Vulnerability Databases

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 6, June 2011

Anshu Tripathi
Department of Information Technology
Mahakal Institute of Technology
Ujjain, India
anshu_tripathi@yahoo.com

Umesh Kumar Singh
Institute of Computer Science
Vikram University
Ujjain, India
umeshsingh@rediffmail.com

Abstract— A proper vulnerability classification scheme aids in improving the system security evaluation process. Many vulnerability classification schemes exist, but a standard classification scheme is lacking. The focus of this work is to devise a common classification scheme by combining, in an effective way, characteristics derived from the classification schemes of prominent vulnerability databases. In order to identify a balanced set of characteristics for the proposed scheme, a comparative analysis of existing classification schemes was done on five major vulnerability databases. A set of taxonomic features and classes was extracted as a result of the analysis. Further, a common vulnerability classification scheme is proposed by harmonizing the extracted set of taxonomic features and classes. A mapping of the proposed scheme to the existing classification schemes is also presented to eliminate inconsistencies across the selected set of databases.

Keywords- Vulnerability; Classification scheme; Vulnerability databases; Taxonomy; Security evaluation.

I. INTRODUCTION

Proper assessment and mitigation of vulnerabilities is essential in order to ensure system security. Vulnerabilities are "design and implementation errors in information systems that can result in a compromise of the confidentiality, integrity or availability of information stored upon or transmitted over the affected system" [1]. In view of the increasing population of vulnerabilities [2], it is necessary to prioritize them and first remediate those that pose the greatest risk. Vulnerability prioritization requires evaluation of the risk levels posed by the presence of vulnerabilities. Quantitative evaluation of system security in terms of the risk levels due to the presence of vulnerabilities is gaining importance because it generates objective and timely results. One of the ways to achieve fast security evaluation is to find out the potential weak areas of the system. It is essential to focus mitigation efforts on the areas that have a greater number of vulnerabilities in order to meet budget and time constraints. These areas can be identified by proper vulnerability classification, which thus leads to identifying the root causes of the weaknesses. Vulnerabilities share common properties and similar characteristics in generic aspects like causes, impacts, locations [3]. Results from previous research [3-6] clearly indicate that quantitative security evaluation of risks on vulnerability datasets partitioned into well defined classes is a meaningful metric. In [4], the results of categorized vulnerability analysis showed that some vulnerability classes are more severe; this fact can be used to design an optimal security solution by prioritizing the severe classes. A proper classification scheme facilitates the distribution of vulnerabilities and helps in prioritizing mitigation efforts according to severity level. The efficiency of a security evaluation process can be measured by its objectivity and vulnerability coverage. A proper classification scheme plays a major role in this regard by increasing both objectivity and vulnerability coverage.

Taxonomy is a way to classify vulnerabilities in a well formed structure so that categorization and generalization can be achieved [7]. In our previous work [8], we analyzed prominent published vulnerability taxonomies with respect to standard criteria and highlighted the issues which make them not so usable in today's scenario. This study of past efforts at developing such a taxonomy indicates that these efforts prove to be insufficient to address the security issues associated with current software products, due to a theoretical approach or a focus on a limited domain.

There are many different vulnerability databases, set up with different standards and capabilities, that record vulnerabilities and characterize them by several attributes. These databases serve the need for an updated collection of vulnerability data for research. Some of the most popular databases include the National Vulnerability Database (NVD) [9], the Open Source Vulnerability Database (OSVDB) [10], and IBM ISS X-Force [11]. But there are many challenges in extracting common patterns from these vulnerability databases due to the discrepancies involved in the way the information is kept. Many different classification schemes are used by databases to classify vulnerabilities, and a common classification scheme is lacking. A detailed study of the issues involved in this regard can be found in [12]. The objective of this work is to analyze the vulnerability classification schemes in some of the most popular databases and devise a common classification scheme. The main aim of proposing a common classification scheme is to provide a stepping stone in security risk analysis by strategically mitigating risks.

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

The paper is organized as follows. Section 2 provides an overview of vulnerability classification schemes in major vulnerability databases. Section 3 presents a comparison of the classification schemes of the prominent vulnerability databases introduced in section 2 under taxonomic features. Section 4 presents a proposal for a common classification scheme based on the comparison in section 3, by extracting appropriate taxonomic features and classes. Further, a mapping of the proposed scheme to the existing ones is also given. Finally, section 5 concludes the work with directions for future work.

II. RELATED WORK

There are a number of vulnerability classification schemes adopted by different vulnerability databases maintained by various organizations. In this part we introduce the classification schemes of five major vulnerability databases: IBM ISS X-Force, NVD, SecurityFocus, OSVDB and Secunia.

The IBM ISS X-Force database [11] is one of the world's most comprehensive threat and vulnerability databases. At the end of 2010, there were 54,604 vulnerabilities in the X-Force Database, covering 24,607 distinct software products from 12,562 vendors. The IBM ISS X-Force database doesn't include any class or category information explicitly; in other words, it doesn't specify any classification scheme. But it inherently supports the taxonomic features impact and severity level. In all, eleven categories are proposed under impact, and it assigns risk levels in three categories: High, Medium and Low. The National Vulnerability Database [9] is managed by the National Institute of Standards and Technology of the United States and is associated with CVE [13]. It has recorded vulnerabilities since 1999, with a total of 46176 vulnerabilities listed under CVE names. NVD uses CWE [14] as its classification mechanism; each individual CWE represents a single vulnerability type. There are a total of 23 vulnerability types in the NVD classification scheme, which are based on the taxonomic features vulnerability cause and vulnerability impact. The SecurityFocus vulnerability database [15] is a vendor neutral vulnerability database managed by Symantec Corporation since 2002. It contains more than 40,000 recorded vulnerabilities (spanning more than two decades) affecting more than 105,000 technologies from more than 14,000 vendors. SecurityFocus supports a classification scheme under the taxonomic feature cause. A total of eleven vulnerability categories are specified, based on the taxonomy of security faults in the Unix operating system by Taimur Aslam [16]. The other taxonomic feature supported by SecurityFocus is exploitation location, with two categories, remote and local. The Open Source Vulnerability Database [10] is an open source database created in 2002 by the Black Hat Conference people; it currently covers 70,789 vulnerabilities, spanning 32,272 products from 4,735 researchers, over 46 years. OSVDB provides a two tier vulnerability classification scheme. The first tier includes the categories Location, Attack Type, Impact, Solution, Exploit, Disclosure and OSVDB. Location includes nine subcategories, Attack Type includes ten subcategories, Impact includes four subcategories, Solution includes seven subcategories, Disclosure includes eight subcategories and OSVDB includes six subcategories. OSVDB supports a rich search feature under every category for trend analysis. Secunia [17] is a private organization that provides services in security company defense and vulnerability analysis. Secunia categorizes vulnerabilities under the features Impact, Critical Levels, and Exploitation Location. Vulnerabilities under impact are associated with twelve classes. There are five criticality levels, ranging from extremely critical to not critical, and the attack vector classification includes three classes.

As we can see, the classification schemes supported by these major vulnerability databases are disparate in terms of classification criteria and dimensionality. Moreover, there is no interoperability among them. Therefore it is challenging to compare or combine information across these databases. A common classification scheme can help in this regard. In the next section these databases are compared and analyzed with respect to generic taxonomic features in order to extract pertinent information for the development of a common classification scheme.

III. EXTRACTION OF TAXONOMIC FEATURES AND CLASSES

One of the objectives of this work is to identify a set of characteristics for a very specific classification scheme, one that can be used effectively in the quantitative security evaluation of a system. This goal requires analysis of the existing schemes to deduce possible common features that will aid in security evaluation. A comparative study provides insight into the pros and cons of the different kinds of classification schemes. This section compares the classification schemes of the major vulnerability databases introduced in the previous section under generic taxonomic features. The taxonomic features identified for analysis are: cause, impact, exploitation location and severity level. The comparisons of the features, done under various heads, are summarized in Tables II to V. These heads have been numbered for greater legibility and their correspondence is shown in Table I.

TABLE I. TABLE SHOWING CORRESPONDENCE OF COMPARISON HEADS

No. of Head   Name of Head
1             Explicit
2             Dimensionality
3             Class Code
4             Class Details
5             Multivariate
6             Approximate Population Percentage

A. Vulnerability cause

Vulnerabilities grouped under the taxonomic feature cause help in understanding the common types of errors and conditions that are the reason for the existence of the majority of vulnerabilities.
Paying attention to common errors and mistakes results in mitigating multiple vulnerabilities and also avoids future vulnerabilities caused by the same reason. SecurityFocus classifies vulnerabilities explicitly under the feature cause, and NVD and OSVDB also partially incorporate this feature in their classification schemes. Table II provides the results of a comparative study of classification under the feature cause in these three databases.

B. Vulnerability Impact

Exploitation of vulnerabilities results in degradation of the performance of a system. Different vulnerabilities have different kinds of impact on system performance. So classification of vulnerabilities under the feature impact can provide useful insights. The taxonomic feature vulnerability impact is used as a classification criterion in the X-Force, Secunia, NVD and OSVDB databases. Table III provides the results of a comparative study of classification under the feature impact in these databases.

C. Exploitation Location

Exploitation location is the main feature affecting the risk level of a system, as it determines the attacker community and in turn the mitigation strategies. The databases SecurityFocus, OSVDB and Secunia explicitly classify vulnerabilities under this feature, with from 2 to 9 classes. Table IV provides the results of a comparative study of classification under the feature exploitation location in these databases.

D. Severity level

Different vulnerabilities have different levels of impact on the CIA of the system, which is measured by severity level. Severity level information is provided by databases qualitatively or quantitatively. The number of classes for the feature severity level is inconsistent across databases, varying from 3 to 5 in the qualitative case, as shown in column 3 of Table IV. OSVDB provides severity ratings in terms of CVSS scores [18] only, while SecurityFocus doesn't include this information. Table V provides the results of a comparative study of classification under the feature severity level in these databases.

TABLE II. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE VULNERABILITY CAUSE

VDB            1   2    3        4                                           5   6
SecurityFocus  Y   11   C-SF1    Configuration Error                         N   1.19
                        C-SF2    Boundary Condition Error                        16.70
                        C-SF3    Environment Error                               0.31
                        C-SF4    Input Validation Error                          45.59
                        C-SF5    Design Error                                    18.81
                        C-SF6    Race Condition Error                            1.10
                        C-SF7    Origin Validation Error                         0.50
                        C-SF8    Access Validation Error                         5.60
                        C-SF9    Failure to Handle Exceptional Conditions        10.09
                        C-SF10   Atomicity Error                                 0.03
                        C-SF11   Unknown                                         0.08
NVD            P   16   C-N1     Authentication Issues                       N   2.48
                        C-N2     Credentials Management                          1.01
                        C-N3     Buffer Errors                                   11.65
                        C-N4     Cryptographic Issues                            1.23
                        C-N5     Path Traversal                                  5.38
                        C-N6     Code Injection                                  6.05
                        C-N7     Format String Vulnerability                     0.53
                        C-N8     Configuration                                   0.89
                        C-N9     Input Validation                                6.79
                        C-N10    Numeric Errors                                  3.01
                        C-N11    OS Command Injections                           0.24
                        C-N12    Race Conditions                                 0.56
                        C-N13    Resource Management Errors                      4.94
                        C-N14    SQL Injections                                  13.17
                        C-N15    Link Following                                  1.28
                        C-N16    Design Error                                    2.45
OSVDB          P   04   C-O1     Authentication Management                   N   2.18
                        C-O2     Cryptographic                                   1.62
                        C-O3     Misconfiguration                                0.89
                        C-O4     Race Condition                                  1.39

TABLE III. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE VULNERABILITY IMPACT

VDB            1   2    3        4                                           5   6
X-Force        N   11   I-X1     Gain Access                                 N   49.25
                        I-X2     Gain Privileges                                 4.0
                        I-X3     Bypass Security                                 5.75
                        I-X4     File Manipulation                               1.25
                        I-X5     Data Manipulation                               16.42
                        I-X6     Obtain Information                              9.0
                        I-X7     Denial of Service                               12.0
                        I-X8     Configuration                                   0.08
                        I-X9     Informational                                   0.05
                        I-X10    Other                                           1.5
                        I-X11    None                                            0.7
Secunia        Y   12   I-S1     Brute force                                 Y   0.21
                        I-S2     Cross site scripting                            17.5
                        I-S3     Denial of Service                               13.0
                        I-S4     Exposure of sensitive information               14.23
                        I-S5     Exposure of system information                  2.67
                        I-S6     Hijacking                                       0.40
                        I-S7     Manipulation of data                            15.87
                        I-S8     Privilege escalation                            5.82
                        I-S9     Security bypass                                 5.88
                        I-S10    Spoofing                                        1.56
                        I-S11    System Access                                   21.46
                        I-S12    Unknown                                         1.40
NVD            P   04   I-N1     Permissions, Privileges and Access Control  N   7.49
                        I-N2     Cross Site Request Forgery                      1.49
                        I-N3     Cross site scripting                            12.60
                        I-N4     Information leak/disclosure                     3.22
OSVDB          P   04   I-O1     Denial of Service                           N   11.44
                        I-O2     Information disclosure                          18.66
                        I-O3     Infrastructure                                  0.15
                        I-O4     Input manipulation                              60.64
TABLE IV. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE EXPLOITATION LOCATION

VDB            1   2    3        4                                  5   6
SecurityFocus  Y   02   E-SF1    Remote                             N   80
                        E-SF2    Local                                  20
OSVDB          Y   09   E-O1     Physical access                    N   0.45
                        E-O2     Local access                           8.50
                        E-O3     Remote/network access                  77.42
                        E-O4     Local/Remote                           4.37
                        E-O5     Context dependent                      6.36
                        E-O6     Dial up access                         0.06
                        E-O7     Wireless Vector                        0.27
                        E-O8     Mobile Phone/Hand held device          0.15
                        E-O9     Unknown                                2.39
Secunia        Y   03   E-S1     Remote                             N   84.0
                        E-S2     Local network                          8.0
                        E-S3     Local system                           8.0

TABLE V. COMPARISON OF CLASSIFICATION SCHEMES UNDER TAXONOMIC FEATURE SEVERITY LEVEL

VDB            1   2    3        4                                  5   6
X-Force        Y   03   S-X1     High                               N   34
                        S-X2     Medium                                 59
                        S-X3     Low                                    07
NVD            Y   03   S-N1     High                               N   44.6
                        S-N2     Medium                                 48.0
                        S-N3     Low                                    7.40
Secunia        Y   05   S-S1     Extremely critical                 N   4.0
                        S-S2     Highly critical                        19.0
                        S-S3     Moderately critical                    39.0
                        S-S4     Less critical                          35.0
                        S-S5     Not critical                           3.0

IV. PROPOSED CLASSIFICATION SCHEME AND MAPPING

The analysis of the classification schemes in major vulnerability databases in section III suggests that the main taxonomic features in classification at the highest level of the hierarchy should be vulnerability cause, vulnerability impact, exploitation location and severity level. We propose a two level vulnerability classification scheme based on this observation. Further, a mapping of the classes in the proposed scheme to the classes in the analyzed vulnerability databases is also presented, to resolve the discrepancy. A summary of the complete scheme is presented below.

A. Overview of scheme

The vulnerability cause feature is considered univariate and classified into eleven classes, specified in column 4 of Table VI. The classes under the feature vulnerability cause are based on SecurityFocus's classification scheme. The vulnerability impact feature is considered multivariate and classified into nine classes, listed in column 4 of Table VI. The classes under the feature vulnerability impact are based on the classification scheme of the Secunia database and the vulnerability consequence information provided by the X-Force database. Exploitation location is considered univariate and classified into three classes: remote, local network and local. The classes under the feature exploitation location are based on the Secunia database's vulnerability information under the head 'where'. The severity level feature is considered univariate and classified into four classes: critical, high, medium and low. The classes under the severity level feature are based on CVSS scores and can be associated with the severity levels defined by other databases on the basis of CVSS scores only.

During the harmonization process, we have merged classes with a minor vulnerability population into the nearest relevant classes, with the objective of producing a classification that helps in focusing on the main causes and impact areas. The class Other is included to keep scope for expansion. Table VI presents a concise view of the proposed classification scheme and the mapping information.

B. Discussion

To proactively secure any system it is crucial to focus on the root causes of vulnerabilities. This signifies the classification under the feature vulnerability cause. But as we can see in Table II, only SecurityFocus classifies vulnerabilities explicitly under this feature. NVD and OSVDB include a few classes associated with cause in their classification schemes. It is obvious from the class details given in column 5 of Table II that the information across these three databases is highly incompatible. Moreover, many taxonomies exist [16, 19-22] that classify vulnerabilities under the feature cause. The classification in these taxonomies is based on the classification given by Landwehr et al. in [19]. SecurityFocus's vulnerability classification scheme is based on the taxonomy of security faults in the Unix operating system by Taimur Aslam [16]. So in the proposed scheme we opted to select the classification given by SecurityFocus as the basis. In all, eleven classes are selected, as specified in column 4 of Table VI. The feature is listed as univariate. The classes of NVD and OSVDB are mapped to the nearest classes, due to incompatibility, as specified in column 5 of Table VI. A few of the classes can't be mapped (see column 7 of Table VI).

The taxonomic feature impact is used by most of the databases, but Secunia is the only database that uses it explicitly as a classification criterion (see Table III). The proposed scheme classifies vulnerabilities under the feature vulnerability impact based on Secunia. X-Force's information about consequences is compatible with Secunia, but in contrast in treating the classes as multivariate/univariate. NVD and OSVDB include a few classes under the feature impact. After identifying the impact classes from both databases, they are mapped onto the classification based on Secunia and X-Force. In all, nine main categories are identified, as listed in column 4 of Table VI, that cover the main impact classes included in these four databases. The mapping information given in column 5 of Table VI specifies that the classes File manipulation and Data manipulation in X-Force are merged into a single category and mapped onto the Manipulation of data class of Secunia.







TABLE VI. PROPOSED CLASSIFICATION SCHEME AND MAPPING

| Taxonomic Feature | No. of classes | Multivariate | Classes | Mapping | Comments |
|---|---|---|---|---|---|
| Vulnerability Cause | 11 | N | Configuration Error | C-SF1, C-N8, C-O3 | Cryptographic issues cannot be mapped directly because they can be associated with different causes, for example numeric errors, boundary condition errors etc. So they are required to be classified as per the associated reason. |
| | | | Boundary Condition Error | C-SF2, C-N13, C-N10, C-N3 | |
| | | | Environment Error | C-SF3 | |
| | | | Input Validation Error | C-SF4, C-N5, C-N9, C-N11, C-N14 | |
| | | | Design Error | C-SF5, C-N16 | |
| | | | Race Condition Error | C-SF6, C-N12, C-O4 | |
| | | | Origin Validation Error | C-SF7, C-N1, C-N2, C-N6, C-N7, C-O1 | |
| | | | Access Validation Error | C-SF8, C-N15 | |
| | | | Failure to Handle Exceptional Conditions | C-SF9 | |
| | | | Atomicity Error | C-SF10 | |
| | | | Other | C-SF11 | |
| Vulnerability Impact | 9 | Y | Gain system access | I-X1, I-S6, I-S11 | Classes with minor population are merged into the relevant class. The purpose is to objectively focus on the main impact areas. |
| | | | Gain privileges | I-X2, I-S8, I-N1 | |
| | | | Bypass security | I-X3, I-S9 | |
| | | | Data manipulation | I-X4, I-X5, I-S7, I-O4 | |
| | | | Exposure of information | I-X6, I-S1, I-S4, I-S5, I-N4, I-O2 | |
| | | | Denial of service | I-X7, I-S5, I-O1 | |
| | | | Cross site scripting | I-S2, I-N2, I-N3 | |
| | | | Spoofing | I-S10 | |
| | | | Other | I-X8, I-X9, I-X10, I-S12, I-O3 | |
| Attack Vector | 3 | N | Remote | E-S1, E-O3, E-O6, E-O7, E-O8, E-SF1 | E-SF1 needs to be categorized depending on network type (LAN/WAN). The definition of E-O5 is ambiguous. |
| | | | Local Network | E-S2, E-O4, E-SF1 | |
| | | | Local | E-S3, E-O1, E-O2, E-SF2 | |
| Severity Level | 4 | N | Critical | S-X1, S-N1, S-S1, S-S2 | Mapping based on CVSS scores: Critical (9-10), High (7-8.9), Medium (4-6.9), Low (0-3.9). |
| | | | High | S-X1, S-N1, S-S3 | |
| | | | Medium | S-X2, S-N2, S-S4 | |
| | | | Low | S-X3, S-N3, S-S5 | |
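The mapping (column 5) and CVSS grading (column 6) of Table VI applied as a small normaliser, written as an added example for this page rather than code from the paper; the two codes the table lists under more than one class (I-S5, E-SF1) are handled explicitly, and any records passed in are constructed input.

```python
# Added example, not from the paper: normalise a record from one of the analysed
# databases into the proposed scheme of Table VI. IMPACT_MAP and VECTOR_MAP
# transcribe column 5 (I-S5 and E-SF1 each sit under two classes there);
# severity_level transcribes column 6. Records passed in are constructed input.
IMPACT_MAP = {  # multivariate: one source code may land in several classes
    "Gain system access": {"I-X1", "I-S6", "I-S11"},
    "Gain privileges": {"I-X2", "I-S8", "I-N1"},
    "Bypass security": {"I-X3", "I-S9"},
    "Data manipulation": {"I-X4", "I-X5", "I-S7", "I-O4"},
    "Exposure of information": {"I-X6", "I-S1", "I-S4", "I-S5", "I-N4", "I-O2"},
    "Denial of service": {"I-X7", "I-S5", "I-O1"},
    "Cross site scripting": {"I-S2", "I-N2", "I-N3"},
    "Spoofing": {"I-S10"},
    "Other": {"I-X8", "I-X9", "I-X10", "I-S12", "I-O3"},
}
VECTOR_MAP = {  # univariate: exactly one class per record
    "Remote": {"E-S1", "E-O3", "E-O6", "E-O7", "E-O8", "E-SF1"},
    "Local Network": {"E-S2", "E-O4", "E-SF1"},
    "Local": {"E-S3", "E-O1", "E-O2", "E-SF2"},
}

def severity_level(cvss):
    """Column 6 grading: Critical 9-10, High 7-8.9, Medium 4-6.9, Low 0-3.9."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS score out of range: %r" % cvss)
    for floor, level in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if cvss >= floor:
            return level
    return "Low"

def map_impact(codes):
    """Every proposed impact class that any of the source codes falls in."""
    unknown = [c for c in codes if not any(c in m for m in IMPACT_MAP.values())]
    if unknown:
        raise KeyError("unmapped impact codes: %s" % unknown)
    return {cls for c in codes for cls, members in IMPACT_MAP.items() if c in members}

def map_vector(code, network_type=None):
    """Single attack-vector class; network_type ('LAN'/'WAN') resolves E-SF1."""
    candidates = [cls for cls, members in VECTOR_MAP.items() if code in members]
    if not candidates:
        raise KeyError("unmapped attack vector code: %s" % code)
    if len(candidates) == 1:
        return candidates[0]
    if network_type not in ("LAN", "WAN"):
        raise ValueError("%s is ambiguous; give network_type 'LAN' or 'WAN'" % code)
    return "Local Network" if network_type == "LAN" else "Remote"

def classify(record):  # record: impact codes, vector code, cvss, optional network_type
    return {
        "impact": sorted(map_impact(record["impact"])),
        "vector": map_vector(record["vector"], record.get("network_type")),
        "severity": severity_level(record["cvss"]),
    }
```

Because CVSS 2.0 scores carry one decimal, the thresholds 9.0, 7.0 and 4.0 reproduce the table's ranges exactly, and a score of 8.9 grades as High while 9.0 grades as Critical.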
Similarly, Exposure of sensitive information and Exposure of system information of Secunia are merged and mapped onto Obtain information of X-Force. After reviewing the population distribution given in column 7 of Table III, the Configuration and Informational classes of X-Force are mapped onto Other because of their minor population (0.05-0.08) and because these classes are also covered in the feature cause. Hijacking in Secunia is basically gaining access, and brute force is obtaining information. Spoofing is kept as a separate category because it bypasses security as well as escalates privileges. A single vulnerability can impact in multiple ways, so the feature is listed as multivariate, as specified in column 3 of Table VI.

The attack vector not only determines the exploitation location but also informs about the attacker class, which in turn reflects attack techniques. It is an important feature that affects the severity level and also guides the design of security solution plans. Although all databases cover this feature, high disparity is involved (see Table IV). Classes range from 2 to 9, as listed in column 5 of Table IV. The proposed scheme suggests three levels: local, local network and remote (see column 4 of Table VI). These three levels cover all the significant attack dimensions, and accordingly security plans can be developed depending on the exposure of the machine to LAN, WAN or physical access.

Various vulnerabilities, although listed under the same cause or impact class, can damage a system at different severity levels. So classification under the feature severity level is necessary in order to understand the impact level of different classes and further of the vulnerabilities in them. Severity level feature information is included in almost all databases, but the number of levels varies from 3 to 5 (see Table V). To remove the inconsistency in a balanced way, after analyzing the population distribution specified in column 7 of Table V, a four-level grading is proposed. Further, the mapping of severity levels to CVSS scores given in column 6 of Table VI will resolve the disparity and give both a qualitative and a quantitative classification. Severity level can be univariate only.

V. CONCLUSION AND FUTURE WORK

The efficiency of a security evaluation process depends on its objectivity and vulnerability coverage. A proper vulnerability classification scheme can be helpful in this regard by increasing both objectivity and vulnerability coverage. Moreover, a proper classification scheme is also helpful in the categorization of newly discovered vulnerabilities and in trend analysis. The effectiveness of a classification scheme mainly depends on the taxonomic features selected as a base for classification. Different classification schemes exist in different vulnerability databases, based on a variety of criteria. There is a lack of a standard classification scheme. Five major vulnerability databases are selected in this work and the classification schemes adopted by them are analyzed.




ACKNOWLEDGMENT

We would like to thank the anonymous reviewers who provided helpful feedback on our manuscript.



AUTHORS PROFILE

Anshu Tripathi holds an M.Tech. degree in Computer Science from Banasthali Vidyapith, Banasthali, India. She is currently pursuing a Ph.D. in Computer Science at the Institute of Computer Science, Vikram University, Ujjain, India. Her research interests include proactive network security, security measurement, and risk analysis.

Umesh Kumar Singh received his Ph.D. in Computer Science from Devi Ahilya University, Indore, India. Presently he is Director of the Institute of Computer Science, Vikram University, Ujjain, India. He served as Professor in Computer Science and Principal of Mahakal Institute of Computer Sciences (MICS-MIT), Ujjain. He served as Engineer (E&T) in the education and training division of CMC Ltd., New Delhi in the initial years of his career. He has authored a book on "Internet and Web Technology" and his various research papers are published in national and international journals of repute. He is a reviewer of the International Journal of Network Security (IJNS) and IJCSIS, and reviewer and member of the conference committee of the European Conference on Knowledge Management (ECKM) since 2007. He is also a reviewer of the 4th IEEE International Conference on Computer Science and Information Technology and the 2011 3rd International Conference on Machine Learning and Computing. His research interests include Computer Networks, Network Security, Internet & Web Technology, Client-Server Computing and IT-based education.



