
Part of the book series: Lecture Notes in Computer Science (LNISA, volume 5176)

Abstract

Vulnerability assessment is a vital part of the risk management process. The accuracy and reliability of calculated risk depend on comprehensive and correct assessment of system vulnerabilities. Current vulnerability assessment techniques fail to consider systems in their entirety and consequently are unable to identify complex vulnerabilities (i.e., those vulnerabilities that are due to configuration settings and unique system environments). Complex vulnerabilities can exist, for example, when a unique combination of system components is present in a system and configured in such a way that the components can be collectively misused to compromise the system.

Ontologies have emerged as a useful means for modeling domains of interest. This research shows that taking an ontological approach to vulnerability assessment results in improved identification of complex vulnerabilities. By ontologically modeling the domain of vulnerability assessment, the resulting ontology can be instantiated with a system of interest. The process of instantiating the ontology doubles as a technique for methodically discovering complex vulnerabilities present in the given system. Furthermore, it is suggested that the instantiated ontology can also be queried to discover additional complex vulnerabilities present in the system by reasoning over the implicit knowledge it captures.

Editor information

Sven Hartmann, Xiaofang Zhou, Markus Kirchberg

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Steele, A. (2008). Ontological Vulnerability Assessment. In: Hartmann, S., Zhou, X., Kirchberg, M. (eds) Web Information Systems Engineering – WISE 2008 Workshops. WISE 2008. Lecture Notes in Computer Science, vol 5176. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85200-1_5

  • DOI: https://doi.org/10.1007/978-3-540-85200-1_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85199-8

  • Online ISBN: 978-3-540-85200-1

  • eBook Packages: Computer Science (R0)
