An OVAL-based active vulnerability assessment system for enterprise computer networks

Published: 01 November 2008

Abstract

Many security problems are caused by vulnerabilities hidden in enterprise computer networks, so it is very important for system administrators to know about these security vulnerabilities. However, current vulnerability assessment methods may suffer from high false positive rates, long computation times, and the need to develop attack code. Moreover, they can only locate individual vulnerabilities on a single host, without considering the correlated effect of vulnerabilities on one host or across a section of the network where the vulnerabilities may be distributed among different hosts. To address these issues, NetScope, an active vulnerability assessment system with a client/server (C/S) architecture, is developed to evaluate computer network security based on the open vulnerability assessment language (OVAL) instead of by simulating attacks. Vulnerabilities and known attacks, together with their prerequisites and consequences, are modeled using predicate logic and correlated so that potential attack paths are constructed automatically using the query power of a relational database management system. Results from a series of experiments show that the system has a low false positive rate, short running times, little impact on the performance of the audited systems, and good scalability. Security vulnerabilities that would go undetected if each host were assessed individually are discovered without simulating attacks. NetScope is shown to be well suited to vulnerability assessment of large-scale computer networks such as campus and enterprise networks, and it can be easily integrated with other security tools that are based on relational databases.
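As an added illustration (not NetScope's own code or schema) of the prerequisite/consequence correlation the abstract describes, the following Python uses SQLite to forward-chain constructed, hypothetical vulnerability facts into an attack path; the hosts h0 to h2, the labels V-A to V-C, the predicate names and the table layout are all assumptions made for this example:

```python
import sqlite3

def build_db():
    """Constructed sample data (no real vulnerability identifiers)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE fact(pred, host, via, prev_pred, prev_host, UNIQUE(pred, host));
        CREATE TABLE link(src, dst);                    -- network reachability
        CREATE TABLE vuln(vid, host, kind, pre, post);  -- per-host instances
    """)
    db.execute("INSERT INTO fact VALUES('shell','h0',NULL,NULL,NULL)")  # foothold
    db.executemany("INSERT INTO link VALUES(?,?)", [("h0", "h1"), ("h1", "h2")])
    db.executemany("INSERT INTO vuln VALUES(?,?,?,?,?)", [
        ("V-A", "h1", "remote", "shell", "shell"),  # service on h1, usable from any shell
        ("V-B", "h1", "local", "shell", "root"),    # local escalation on h1
        ("V-C", "h2", "remote", "root", "shell"),   # h2 trusts root on a neighbour
    ])
    return db

# 'remote': prerequisite must hold on a linked source host; 'local': on the same
# host. Each derived fact stores a back-pointer to the fact it was derived from.
RULES = [
    """INSERT OR IGNORE INTO fact SELECT v.post, v.host, v.vid, f.pred, f.host
       FROM fact f JOIN link l ON l.src = f.host
       JOIN vuln v ON v.host = l.dst AND v.kind = 'remote' AND v.pre = f.pred""",
    """INSERT OR IGNORE INTO fact SELECT v.post, v.host, v.vid, f.pred, f.host
       FROM fact f JOIN vuln v ON v.host = f.host AND v.kind = 'local'
       AND v.pre = f.pred""",
]

def derive(db):
    """Forward-chain both rules to a fixed point (the fact space is finite)."""
    while True:
        before = db.total_changes
        for rule in RULES:
            db.execute(rule)
        if db.total_changes == before:
            return

def attack_path(db, pred, host):
    """Walk back-pointers from (pred, host) to the foothold; None if underivable."""
    path = []
    while host is not None:
        row = db.execute("SELECT via, prev_pred, prev_host FROM fact "
                         "WHERE pred = ? AND host = ?", (pred, host)).fetchone()
        if row is None:
            return None
        path.append((pred, host, row[0]))
        pred, host = row[1], row[2]
    return path[::-1]
```

Assessed on its own, h2 looks safe because the prerequisite of V-C (root on a neighbour) is not met; the correlated query derives it from V-A and V-B on h1, which is the kind of cross-host finding the abstract says single-host assessment misses.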


Cited By

  • (2018) Information Systems Frontiers, 17:1, 217-237. doi:10.1007/s10796-014-9544-z. Online publication date: 24-Dec-2018
  • (2011) A multi-layer tree model for enterprise vulnerability management. Proceedings of the 2011 conference on Information technology education, 257-262. doi:10.1145/2047594.2047661. Online publication date: 20-Oct-2011
  • (2011) EVMAT. Proceedings of the 49th annual ACM Southeast Conference, 115-120. doi:10.1145/2016039.2016074. Online publication date: 24-Mar-2011

Published In

Information Systems Frontiers, Volume 10, Issue 5, Nov 2008, 121 pages

Publisher: Kluwer Academic Publishers, United States

Author Tags

  1. Attack path
  2. Network security
  3. Open vulnerability assessment language
  4. Predicate logic
  5. Relational database management system
  6. Security vulnerability

Qualifiers

  • Article
