Author
L. Ma, S. Mandujano, G. Song, P. Meunier
Abstract
Software vulnerabilities are potential attack points in computing systems that can lead to
considerable losses and severe security incidents. The way in which the information
describing these vulnerabilities is handled is extremely important. Vulnerability data is
very sensitive and therefore should be disclosed only to the right people in the right
circumstances. However, information sharing is currently mostly unidirectional; the
present paper discusses a new approach for handling software vulnerability information: a
cooperative system supported by a vulnerability classification. The system is composed of
internal protocols that determine state transitions through which new vulnerability
information is submitted, classified, verified, and made available via a web interface.
Based on features such as effects and nature, vulnerabilities in the collection can also be
assigned a type. The proposed type system is a set of sub-classes that contain features of
well-known vulnerability groups. Vulnerabilities can be linked together through these
types and can be referenced as a group when retrieving or storing entries, thereby
speeding up the process. A voting mechanism allows a set of cooperating arbiters to
review the information submitted from different sources. Approved descriptions of
vulnerabilities can then be made available to the members of the cooperative system. The
data model storing the vulnerability information is composed of a comprehensive set of
features whose values are selected through decision trees. The leaves of the trees represent
the most detailed qualities of a vulnerability.
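The lifecycle the abstract describes (submitted, classified, verified by arbiter vote, published) can be modelled as a small state machine. The following is an added illustration, not code from the paper; the type-assignment tree, the quorum of three arbiters and the simple-majority rule are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    SUBMITTED = "submitted"
    CLASSIFIED = "classified"
    VERIFIED = "verified"
    PUBLISHED = "published"
    REJECTED = "rejected"


# Hypothetical decision tree, flattened: a (nature, effect) path leads to a
# leaf naming the vulnerability type. The paper's real tree is not on this page.
TYPE_TREE = {
    ("memory", "write"): "buffer-overflow",
    ("memory", "read"): "information-leak",
    ("input", "interpreter"): "injection",
}


@dataclass
class Entry:
    title: str
    features: Dict[str, str]
    state: State = State.SUBMITTED
    vtype: Optional[str] = None
    votes: Dict[str, bool] = field(default_factory=dict)


def classify(entry: Entry) -> str:
    """Assign a type by walking the (nature, effect) path of the tree."""
    if entry.state is not State.SUBMITTED:
        raise ValueError("only submitted entries can be classified")
    key = (entry.features.get("nature"), entry.features.get("effect"))
    entry.vtype = TYPE_TREE.get(key, "unclassified")
    entry.state = State.CLASSIFIED
    return entry.vtype


def vote(entry: Entry, arbiter: str, approve: bool, quorum: int = 3) -> State:
    """Record one arbiter's vote; decide once the assumed quorum is reached."""
    if entry.state is not State.CLASSIFIED:
        raise ValueError("voting is only open on classified entries")
    entry.votes[arbiter] = approve  # one vote per arbiter; a re-vote overwrites
    if len(entry.votes) < quorum:
        return entry.state
    approvals = sum(entry.votes.values())
    entry.state = State.VERIFIED if 2 * approvals > len(entry.votes) else State.REJECTED
    return entry.state


def publish(entry: Entry) -> State:
    """Only verified entries reach the member-facing interface."""
    if entry.state is not State.VERIFIED:
        raise ValueError("only verified entries can be published")
    entry.state = State.PUBLISHED
    return entry.state
```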