INTERSECTION APPROACH TO VULNERABILITY HANDLING

Michał Choraś 1,3, Salvatore d’Antonio 2, Rafał Kozik 3 and Witold Hołubowicz 4

1 ITTI Ltd., Poznań, Poland
2 Consorzio Interuniversitario Nazionale per l’Informatica CINI, Naples, Italy
3 Institute of Telecommunications, University of Technology & Life Sciences, Bydgoszcz, Poland
4 Adam Mickiewicz University, Poznań, Poland
Keywords: Network security, Heterogeneous network, Vulnerability database, Ontology management, INTERSECTION.

Abstract: In this paper we present our approach to vulnerability handling in heterogeneous networks. Vulnerabilities of heterogeneous networks such as satellite, GSM/GPRS, UMTS, wireless sensor networks and the Internet have been identified, classified and described in the framework of the European co-funded project INTERSECTION (INfrastructure for heTErogeneous, Resilient, SEcure, Complex, Tightly InterOperating Networks). Since computer security incidents usually occur across administrative domains and interconnected networks, it would clearly be advantageous for different organizations and network operators to be able to share data on network vulnerabilities. The exchange of vulnerability information and statistics would be crucial for the proactive identification of trends, and thus for incident prevention. Network operators have always been reticent to disclose information about attacks on their systems or through their networks. However, this tendency seems to be giving way to a new awareness that only through cooperation can networking infrastructures be made robust to attacks and failures. Starting from these considerations, we developed two components, the INTERSECTION Vulnerability Database (IVD) and the Project INTERSECTION Vulnerability Ontology Tool (PIVOT), for vulnerability data management and classification. Both tools are presented in this paper.
1 INTRODUCTION

INTERSECTION (INfrastructure for heTErogeneous, Resilient, SEcure, Complex, Tightly Inter-Operating Networks) is a European co-funded project in the area of secure, dependable and trusted infrastructures. The main objective of INTERSECTION is to design and implement an innovative network security framework which comprises different tools and techniques for intrusion detection and tolerance.

The INTERSECTION framework, as well as the developed system called IDTS (Intrusion Detection and Tolerance System), consists of two layers: the in-network layer and the off-network layer. The in-network layer is a distributed system comprising a number of components that detect and tolerate intrusions in a real-time, automated fashion, while the role of the off-network layer is to support network operators in controlling complex heterogeneous and interconnected networks and real-time security processes such as network monitoring, intrusion detection, reaction and remediation.

Knowledge about vulnerabilities is needed to cope more effectively with threats and attacks and to enhance network security. Therefore network vulnerabilities should be identified, described, classified, stored and analyzed. To achieve these goals, a vulnerability database and a vulnerability ontology are required. The framework operator should be able to control in-network processes and trigger or stop their reactions on the basis of the vulnerability knowledge provided by the vulnerability ontology and the vulnerability repository. Therefore, both the vulnerability database and the vulnerability ontology are developed and implemented within the INTERSECTION security-resiliency system.
In this paper we focus on presenting the off-network layer components devoted to handling network vulnerabilities. In Section 2 the INTERSECTION Vulnerability Database is presented. In Section 3 the ontology-based approach to handling the identified vulnerabilities is shown. The practical aspects of both components offered to project end-users are also provided.

Choraś M., d’Antonio S., Kozik R. and Hołubowicz W.
INTERSECTION APPROACH TO VULNERABILITY HANDLING.
DOI: 10.5220/0002790601710174
In Proceedings of the 6th International Conference on Web Information Systems and Technology (WEBIST 2010), page
ISBN: 978-989-674-025-2
Copyright © 2010 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
2 INTERSECTION VULNERABILITY DATABASE

One of the INTERSECTION framework components is the vulnerability database, which stores information about design vulnerabilities of heterogeneous and interconnected networks.

Design vulnerabilities differ from implementation vulnerabilities (i.e. application faults), on which the NVD (National Vulnerability Database) is focused. The INTERSECTION Vulnerability Database (IVD) is based on the CVE (Common Vulnerabilities and Exposures) vulnerability naming standard and uses the following SCAP (Security Content Automation Protocol) standards:
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerability Scoring System (CVSS)
The Common Configuration Enumeration provides common identifiers for system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools; CCE is primarily used to identify security-related configuration issues. The Common Platform Enumeration is a structured naming scheme for information technology systems, software, and packages. Finally, the Common Vulnerability Scoring System is an open standard for assigning a score to a vulnerability that indicates its relative severity compared to other vulnerabilities.

The use of such standards enables automated vulnerability management, measurement, and policy compliance evaluation, and allows the INTERSECTION vulnerability database to interoperate with other databases, such as the NVD (National Vulnerability Database) and the OSVDB (Open Source Vulnerability Database).
The INTERSECTION Vulnerability Database is accessible to end-users, such as telecom providers and network operators, via a web browser. IVD offers most standard database functionalities (browsing, querying); however, some of the functionalities are available to registered users only.

The database is composed of the following main tables:
- Vulnerability,
- CVSS,
- CCE,
- Network Asset,
- Solution.
The Vulnerability table contains information about discovered vulnerabilities. The type of vulnerability, the threats and attacks exploiting the vulnerability, the discovery date and the likelihood of the vulnerability are some of the attributes used to describe a vulnerability. The CVSS table provides an overall CVSS score for each identified vulnerability; base metrics and temporal metrics defined by the CVSS standard are employed in this table to score the impact of each vulnerability. The CCE table provides information about network system misconfigurations which give rise to a vulnerability. The misconfiguration is specified by means of the values of specific configuration parameters, and technical mechanisms to obtain the correct values of such parameters are also described. The Network Asset table is used to provide information about network platforms, systems, and devices affected by vulnerabilities. Finally, the Solution table contains a description of the patches, solutions, and countermeasures which are recommended to fix a vulnerability.

The INTERSECTION Vulnerability Database is available at: http://192.167.9.116:81/ivd/.
3 VULNERABILITY HANDLING - ONTOLOGY-BASED APPROACH

In both computer science and information science, an ontology is a way of representing the data model of a specific domain, and it can be used, for example, to reason about the objects in that domain and the relations between them. Since we can nowadays observe increasing complexity and heterogeneity of communication networks and systems, there is a need for a high-level meta-description of the relations in such heterogeneous networks. This need is particularly apparent in the context of Future Internet and Next Generation Networks development. From the operators' point of view, two important issues concerning communication networks are security and Quality of Service.
In the past, critical infrastructures were physically and logically separate systems with little interdependence. Digital information has since gained more and more importance for the operation of such infrastructures, especially in the communication part. The communication part of a critical infrastructure is one of its most important parts: it constitutes the information infrastructure on which the critical infrastructure relies and depends.
The communication part is typically managed by a telecom operator or by a separate department inside the company that runs the network. The last decade has seen major changes in the telecommunication market in most European countries. There are two main factors behind those changes:
- market deregulation, which enables new telecom providers to enter the market;
- new technologies and solutions, which lower costs, bring new services and increase telecom traffic.
This leads to the creation of many different networks that use different technologies and equipment and that have to cooperate with each other. Unfortunately, the increasing complexity and heterogeneity of communication networks and systems increase their level of vulnerability.
Furthermore, the progressive disuse of dedicated communication infrastructures and proprietary networked components, together with the growing adoption of IP-based solutions, exposes critical information infrastructures to cyber attacks coming from the Internet and other IP-based networks. From the telecom provider's point of view, the security and dependability of their network and IT systems depend on two main factors: the security and dependability of their own solutions, and of their interconnections to others.

To deal with those problems there is a need to create a good information security management system that allows administrators to deal with a great amount of security information and makes the decision process effective and efficient. To support those tasks we propose to develop a security framework consisting of several modules as well as of the applied ontology.
3.1 Intersection Vulnerability Ontology - IVO

One of the goals of the INTERSECTION project is to identify and classify heterogeneous network vulnerabilities (Choraś, 2008). To meet this goal we have proposed a vulnerability ontology. The major aim of our ontology is to describe vulnerabilities beyond single-domain networks and to extend relations and restrictions onto heterogeneous networks.

Network vulnerabilities tend to be mistaken for threats and attacks. Therefore we decided to clearly define a vulnerability as an asset-related network weakness; such weaknesses are then exploited by threats and attacks. This vulnerability definition is based on the ISO/IEC 13335 standard (ISO/IEC 13335-1:2004).

Network assets should also be defined and described. We decided to use the Shared Information/Data (SID) Model, in which network assets and the relations between them are defined. The SID Model provides Physical Resource Business Entity Definitions (TeleManagement Forum, 2002). The SID asset description is specified in UML and visualized using UML diagrams.

In our ontology approach, we found the Resources and Vulnerabilities classes to be the most important components. The Resources class is based on the division proposed in SID (Shared Information/Data Model). It includes the following subclasses:
- Physical Resources,
- Logical Resources,
- Software,
- Service.
The Vulnerabilities class is connected with Resources (vulnerabilities are exposed by resources). That is why the subclasses of the Vulnerability class are:
- Physical Resources Vulnerabilities,
- Logical Resources Vulnerabilities,
- Software Vulnerabilities.

We propose to apply the ontology within the security-resiliency framework. Ontology knowledge and PIVOT (Project INTERSECTION Vulnerability Ontology Tool) are crucial elements of the off-network part of the INTERSECTION framework (the so-called off-network Intrusion Detection Tolerance System).

In our understanding, to successfully apply the created ontology, the following elements have to be taken into account:
- classes and their attributes with restrictions (created in OWL (OWL, 2006));
- rules for these classes and attributes (created in SWRL (SWRL));
- instances stored in a related relational database.
To apply the ontology, restrictions and rules are crucial; without them the ontology would not be functional.
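As an added example, not the project's own code, the following Python models the IVO class hierarchy above in memory and evaluates one SWRL-style rule (the class of the exposing resource determines the vulnerability subclass) and one OWL-style restriction (every vulnerability must be exposed by some resource). The property name `exposes`, the restriction itself and the sample instances are assumptions.

```python
# Class hierarchy (subclass -> superclass) as described in Section 3.1.
SUBCLASS_OF = {
    "PhysicalResource": "Resource", "LogicalResource": "Resource",
    "Software": "Resource", "Service": "Resource",
    "PhysicalResourceVulnerability": "Vulnerability",
    "LogicalResourceVulnerability": "Vulnerability",
    "SoftwareVulnerability": "Vulnerability",
}
# SWRL-style rules, one per Resource subclass that has a Vulnerability subclass:
#   Software(?r) ^ exposes(?r, ?v) -> SoftwareVulnerability(?v)
# Service has no vulnerability subclass in the paper, so it gets no rule.
EXPOSURE_RULES = {
    "PhysicalResource": "PhysicalResourceVulnerability",
    "LogicalResource": "LogicalResourceVulnerability",
    "Software": "SoftwareVulnerability",
}

def ancestors(cls):
    """All superclasses of cls, nearest first (subClassOf is transitive)."""
    out = []
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        out.append(cls)
    return out

def is_a(types, instance, cls):
    """True if the instance's asserted class is cls or a subclass of it."""
    return types[instance] == cls or cls in ancestors(types[instance])

def classify_vulnerabilities(types, exposes):
    """Forward-chain the exposure rules: {vulnerability: inferred subclass}."""
    inferred = {}
    for resource, vuln in exposes:
        for rule_cls, vuln_cls in EXPOSURE_RULES.items():
            if is_a(types, resource, rule_cls):
                inferred[vuln] = vuln_cls
    return inferred

def unexposed_vulnerabilities(types, exposes):
    """Assumed OWL restriction: every Vulnerability is exposed by some Resource."""
    exposed = {v for _, v in exposes}
    return sorted(i for i in types
                  if is_a(types, i, "Vulnerability") and i not in exposed)

# Constructed sample instances (the paper keeps these in a relational database).
SAMPLE_TYPES = {"bts-01": "PhysicalResource", "vlan-10": "LogicalResource",
                "hlr-sw": "Software", "sms-service": "Service",
                "v1": "Vulnerability", "v2": "Vulnerability", "v3": "Vulnerability"}
SAMPLE_EXPOSES = [("bts-01", "v1"), ("hlr-sw", "v2"), ("sms-service", "v3")]
```

Note that `v3`, exposed only by a Service, satisfies the restriction but receives no subclass, because the paper's hierarchy defines no Service vulnerability class.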
3.2 Ontology-based Tool - PIVOT

PIVOT (Project INTERSECTION Vulnerability Ontology Tool) is an ontology-logic based manager tool. Our goal was to apply the ontology in a real-life application.

It is an end-user oriented application which allows users to modify and browse the vulnerability ontology. One of its biggest advantages is its client-server architecture, which allows one ontology to be shared by multiple users (e.g. by network operators). The ontology interface built into PIVOT is user-friendly and intuitive.

PIVOT is designed to serve transactional operations over a single ontology model. To accomplish this goal a transactional SQL database is adopted to store the ontology model, which brings dramatic performance improvements during I/O operations. Transactions also provide better ontology model integrity. The client-server architecture allows one ontology model to be shared with multiple users.
PIVOT basic functionalities:
- searching vulnerabilities matching the given criteria;
- adding and modifying ontology instances;
- removing ontology instances;
- searching instances whose relations match particular criteria.
The current version of PIVOT allows two types of connection to be established: RMI and HTTP. RMI (Java Remote Method Invocation API) is a Java application programming interface for performing remote procedure calls. This type of PIVOT interface was developed to be used with other components in the local network, which gives the opportunity to share the ontology among other processes running on remote machines. The HTTP interface is developed to perform easy OWL model maintenance and management through a web browser.

PIVOT benefits from easy XML document generation. This format allows one to define one's own elements and helps to share structured information over the network, which makes PIVOT more universal. That gives the opportunity to create interaction with other systems running in the network (such as an IDS, Intrusion Detection System) that can take advantage of the information stored in the ontology and reconfigure themselves if necessary.
4 CONCLUSIONS

In this paper we presented the results of the FP7 ICT Project INTERSECTION.

Firstly, the INTERSECTION Vulnerability Database (IVD) has been developed and described. The major contribution of this paper is a new approach to vulnerability description and handling based on ontology logic. The INTERSECTION Vulnerability Ontology has been motivated and presented in detail. We also showed how to apply IVO in the security-resiliency framework. Moreover, PIVOT, an ontology-logic based application, has been developed and presented.

Both IVD and PIVOT can be used by end-users such as network operators and telecoms to share and use knowledge about vulnerabilities as well as related threats and attacks affecting heterogeneous, complex and interconnected networks.

It is worth mentioning that the identified, classified and stored vulnerabilities have been provided by operators involved in the INTERSECTION Project (Polska Telefonia Cyfrowa, Telefonica, Telespazio). Therefore, IVD, IVO and PIVOT are based on real-life and actual information repositories.

ACKNOWLEDGEMENTS

The research leading to these results has received funding from the European Community’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 216585 (INTERSECTION Project).
REFERENCES

Choraś M. (Ed.), Deliverable D.2.2 Identification and Classification of Vulnerabilities of Network Infrastructures, INTERSECTION Project, July 2008.
ISO/IEC 13335-1:2004, Information Technology - Security Techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management.
Shared Information/Data Model (SID), TeleManagement Forum, October 2002.
OWL Web Ontology Language Semantics and Abstract Syntax, June 2006, http://www.w3.org/TR/owl-features/.
SWRL: A Semantic Web Rule Language Combining OWL and RuleML, W3C Member Submission, http://www.w3.org/Submission/SWRL/.
Choraś M., Renk R., Flizikowski A., Hołubowicz W. (2008), "Ontology-based description of networks vulnerabilities", Polish Journal of Environmental Studies, vol. 5c.
Choraś M., Kozik R., Flizikowski A., Renk R., Hołubowicz W. (2009), "Ontology-based Decision Support for Security Management in Heterogeneous Networks", In: Huang, D.-S. et al. (Eds.): Emerging Intelligent Computing Technology and Applications. With Aspects of Artificial Intelligence, LNAI 5755, Springer.