A Structured Approach to Classifying Security Vulnerabilities

Abstract

Understanding vulnerabilities is critical to understanding the threats they represent. Vulnerabilities classification enables collection of frequency data; trend analysis of vulnerabilities; correlation with incidents, exploits, and artifacts; and evaluation of the effectiveness of countermeasures. Existing classification schemes are based on vulnerability reports and not on an engineering analysis of the problem domain. In this report a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities is proposed. Attributes and values are selected based on engineering distinctions that allow vulnerabilities to be exploited by a given technique or determine which countermeasures are effective. Successful classification of vulnerabilities should lead to greater automation in analyzing code vulnerabilities and supporting effective communication between geographically remote vulnerability handling teams and vendors.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2005
Accession Number
ADA430968

Entities

People

  • Allen D. Householder
  • Robert C. Seacord

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber
  • Weapons Technologies

DTIC Thesaurus Topics

  • Application Software
  • Artifacts
  • Automation
  • Classification
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computers
  • Control Systems
  • Cybersecurity
  • Engineering
  • Information Systems
  • Operating Systems
  • Software Development
  • Standards
  • Vulnerability
  • Web Browsers

Fields of Study

  • Computer science

Readers

  • Computer Vision.
  • Nuclear Civil Defense.
  • Strategic Security Studies