U.S. Department of Energy
Office of Scientific and Technical Information

Software Vulnerability Taxonomy Consolidation

Thesis/Dissertation · DOI: https://doi.org/10.2172/15020074 · OSTI ID: 15020074
Author affiliation: Carnegie Mellon Univ., Pittsburgh, PA (United States)
In today's environment, computers and networks are increasingly exposed to a number of software vulnerabilities. Information about these vulnerabilities is collected and disseminated via large, publicly available databases such as BugTraq, OSVDB and ICAT. No one of these databases covers all aspects of a vulnerability, and they share no standard format, which makes it difficult for end users to compare vulnerabilities. A central database of vulnerabilities has not been available to date for a number of reasons: the non-uniform methods by which current vulnerability database providers receive information, disagreement over which features of a particular vulnerability are important and how best to present them, and the limited utility of the information presented in many databases.

The goal of this software vulnerability taxonomy consolidation project is to address the need for a universally accepted vulnerability taxonomy that classifies vulnerabilities in an unambiguous manner. A consolidated vulnerability database (CVDB) was implemented that coalesces and organizes vulnerability data from disparate data sources. Based on the work done in this paper, there is strong evidence that a consolidated taxonomy encompassing and organizing all relevant data can be achieved. However, three primary obstacles remain: the lack of a common "primary key" referenced across sources, unstructured and free-form descriptions of necessary vulnerability data, and the lack of data on all aspects of a vulnerability. This work has only considered data that can be unambiguously extracted from the various data sources by straightforward parsers. It is felt that even with the use of more advanced information-mining tools, which can wade through the sea of unstructured vulnerability data, the current integration methodology would still provide repeatable, unambiguous, and exhaustive results.

Though the goal of coalescing all available data, which would be of use to system administrators, software developers and vulnerability researchers, is not yet achieved, this work has resulted in the most exhaustive collection of vulnerability data to date.
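As an added illustration of the consolidation problem the abstract describes, the following Python sketch merges records from three constructed source exports into one keyed store. It is not the thesis's CVDB code (whose schema is not on this page); the field names for each source and the sample rows are assumptions about what a BugTraq-, OSVDB- or ICAT-style feed might carry. The CVE name is treated as the only shared primary key; a row that lacks one can be joined through a cross-reference it carries, and otherwise stays on a source-local key, which is the first of the three obstacles the abstract lists.

```python
"""Consolidating vulnerability records from disparate sources.

Added example, not the thesis's CVDB implementation. The three source
exports below are constructed, and their field names are assumptions
about what a BugTraq-, OSVDB- or ICAT-style feed might carry.
"""
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample records. Each source has its own identifier and
# schema; only some rows carry a CVE name that can serve as a shared key.
BUGTRAQ = [
    {"bid": "10001", "title": "Example FTP daemon buffer overflow",
     "cve": "CVE-2004-0001", "severity": "high"},
    {"bid": "10002", "title": "Example web server directory traversal",
     "cve": "", "severity": "medium"},
]
OSVDB = [
    {"osvdb_id": "5001", "references": ["BID:10001"],
     "desc": "Example FTP daemon overflow in USER command (CVE-2004-0001)"},
    {"osvdb_id": "5002", "references": ["BID:10002"],
     "desc": "Example web server accepts ../ in request path"},
    {"osvdb_id": "5003", "references": [],
     "desc": "Example mail client crashes on long Subject header"},
]
ICAT = [
    {"name": "CVE-2004-0001", "summary": "Buffer overflow in example FTP daemon",
     "cvss_score": 7.5, "vuln_type": "boundary condition error"},
]


@dataclass
class Consolidated:
    key: str                                          # CVE name, or a source-local id
    source_ids: dict = field(default_factory=dict)    # source -> native id
    fields: dict = field(default_factory=dict)        # field -> (value, source)
    unstructured: list = field(default_factory=list)  # free text left unparsed


def cve_in(text):
    """Straightforward parser: pull a CVE name out of free text, if any."""
    m = CVE_RE.search(text or "")
    return m.group(0) if m else None


def consolidate(bugtraq, osvdb, icat):
    by_key = {}
    alias = {}  # "BID:<n>" -> consolidated key, so later sources can join on it

    def rec_for(key):
        return by_key.setdefault(key, Consolidated(key=key))

    # ICAT rows are keyed by CVE name: the nearest thing to a primary key.
    for r in icat:
        rec = rec_for(r["name"])
        rec.source_ids["ICAT"] = r["name"]
        rec.fields["summary"] = (r["summary"], "ICAT")
        rec.fields["cvss_score"] = (r["cvss_score"], "ICAT")
        rec.fields["vuln_type"] = (r["vuln_type"], "ICAT")

    # BugTraq rows join on CVE when present, else stay on their BID.
    for r in bugtraq:
        key = r["cve"] or f"BID:{r['bid']}"
        rec = rec_for(key)
        rec.source_ids["BugTraq"] = r["bid"]
        alias[f"BID:{r['bid']}"] = key
        rec.fields.setdefault("summary", (r["title"], "BugTraq"))
        rec.fields["severity"] = (r["severity"], "BugTraq")

    # OSVDB rows may only mention the CVE inside free text; failing that,
    # a BID cross-reference joins them; failing that, they stay isolated.
    for r in osvdb:
        key = cve_in(r["desc"])
        if key is None:
            key = next((alias[x] for x in r["references"] if x in alias), None)
        if key is None:
            key = f"OSVDB:{r['osvdb_id']}"
        rec = rec_for(key)
        rec.source_ids["OSVDB"] = r["osvdb_id"]
        rec.fields.setdefault("summary", (r["desc"], "OSVDB"))
        rec.unstructured.append(("OSVDB", r["desc"]))
    return by_key


def coverage_report(db):
    """Split keys into those unified under a CVE and those stuck on a local id."""
    unified = sorted(k for k in db if CVE_RE.fullmatch(k))
    local = sorted(k for k in db if not CVE_RE.fullmatch(k))
    return unified, local


if __name__ == "__main__":
    db = consolidate(BUGTRAQ, OSVDB, ICAT)
    for key, rec in sorted(db.items()):
        print(key, rec.source_ids, rec.fields.get("summary"))
    unified, local = coverage_report(db)
    print("unified under CVE:", unified, "| source-local only:", local)
```

Every merged field keeps the source it came from, so a reader of the consolidated record can see which database asserted the severity and which the CVSS score; the `unstructured` list holds the free-form descriptions the merge deliberately did not try to interpret, matching the abstract's restriction to data a straightforward parser can extract unambiguously.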
Research Organization:
Lawrence Livermore National Lab. (LLNL), Livermore, CA (United States)
Sponsoring Organization:
USDOE
DOE Contract Number:
W-7405-ENG-48
OSTI ID:
15020074
Report Number(s):
UCRL-TH--208822
Country of Publication:
United States
Language:
English

Similar Records

Toward unification of taxonomy databases in a distributed computer environment
Technical Report · 1994 · OSTI ID: 377148

Taxonomy of USA east coast fishing communities in terms of social vulnerability and resilience
Journal Article · 2015 · Environmental Impact Assessment Review · OSTI ID: 22479768

Taxonomy for Common-Cause Failure Vulnerability and Mitigation
Technical Report · 2015 · OSTI ID: 1252139