
International Journal of Computer Networking, Wireless and Mobile Communications (IJCNWMC) ISSN 2250-1568 Vol. 3, Issue 4, Oct 2013, 7-16 © TJPRC Pvt. Ltd.

STUDY AND AMALGAMATION OF VARIOUS VULNERABILITY DATABASE

B. S. PANCHABHAI (1) & A. N. PATIL (2)

(1) Department of Computer Science, R. C. Patel Arts, Commerce and Science College, Shirpur, Maharashtra, India
(2) Vasantrao Naik Arts and Science College, Shahada, Maharashtra, India

ABSTRACT

In modern days, with the rapid growth of information technology and the increase of internet access, information security issues have increased extensively. With a vulnerability database as reference, information security investigators and managers can produce effective information for repairing security holes in software and hardware; they can accelerate defensive measures and assist the analysis of attacks. This information provides an important reference direction for event forensics and follow-up tracing, and moreover reduces the rate of information security issues. This paper focuses on the integration of various vulnerability databases through an automatic retrieval system that retrieves and compares data from different vulnerability databases. Among the vulnerability information, the system tries to separate the differences, compile similar vulnerability information, and carry out repeated updates. This study aims to provide more complete information, combined with the Google translation service, which translates a portion of the vulnerability information into a language that users can easily understand. The system provides users with internet subscriptions, keyword notification by email and a search function, which makes reference to and use of the vulnerability information more useful and suitable.

KEYWORDS: Vulnerability Database, Information Security, Vulnerability Information

INTRODUCTION

In network security, vulnerabilities play an individual role. A vulnerability is a bug, a flaw, a weakness, or an exposure of an application, system, device, or service which could lead to a failure of confidentiality, integrity, or availability. Attackers can exploit a vulnerability to endanger a computer system's security [4]. In order to reduce the losses due to vulnerabilities, IT management must identify and assess vulnerabilities across many different hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored using different scales, how can IT managers convert this mountain of vulnerability data into actionable information? Historically, vendors have used their own methods for scoring software vulnerabilities, usually without detailing their criteria or processes [9]. Over the past several years, a number of large computer security vendors and not-for-profit organizations have developed, promoted, and implemented procedures to rank information system vulnerabilities. Because of the importance of information security, government, non-governmental units, and information security companies have held information security training courses aggressively. All of them set up vulnerability databases separately, and some even hire experts or invest research resources to focus on the collection, analysis, compilation, and publishing of vulnerability information. The well-known vulnerability databases are Security Focus, CERT, IBM ISS X-Force, Vupen Security and the National Vulnerability Database (NVD). These resources hold a very rich and plentiful amount of data about vulnerabilities, but it is difficult to find complete data on one vulnerability in one place.

CVE is a vulnerability database that many of the above-mentioned organizations refer to; it sets up a standard system of nomenclature for known vulnerabilities. Not all vulnerability databases use CVE-ID numbers alone to identify vulnerabilities, and some vulnerabilities are assigned too many CVE-ID numbers. Publishing formats among these organizations are not the same. NVD uses CVE's nomenclature system and integrates many research features of vulnerability. They hope to achieve a complete vulnerability information database system in order to make it easier to refer to and use in the research field of information security. We create a vulnerability database with reference to NVD. This system uses automatic retrieval to retrieve content from different vulnerability databases, separate the differences, and compile the similar information together; it aims at a complete understanding that strengthens the readability of vulnerability information, makes the use and referencing of vulnerability information more practical and convenient, and combines with the Google translation service to translate a portion of the information into the local language.

RELATED WORKS

Most vulnerability information is posted on web sites on the internet. It provides security information and defensive measures for users to refer to, but some more detailed information is for members only. The original post format of the vulnerability information is quite varied. The well-known vulnerability research organizations have provided flexible formats of vulnerability database for further use: RSS, Atom, text files, database export files, XML, or other data exchange protocols like SOAP, SIDEx [8], etc. These common formats are often used to achieve resource sharing, information data exchange and even combined protective purposes.

Vulnerability Database

In network security, vulnerabilities play an individual role. A vulnerability is a bug, a flaw, a weakness, or an exposure of an application, system, device, or service which could lead to a failure of confidentiality, integrity, or availability. Attackers can exploit a vulnerability to endanger a computer system's security [3]. In order to reduce the losses due to vulnerabilities, IT management must identify and assess vulnerabilities across many different hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored using different scales, how can IT managers convert this mountain of vulnerability data into actionable information? Historically, vendors have used their own methods for scoring software vulnerabilities, usually without detailing their criteria or processes. Over the past several years, a number of large computer security vendors and not-for-profit organizations have developed, promoted, and implemented procedures to rank information system vulnerabilities, such as the National Vulnerability Database [11], US-CERT, SANS, Secunia, ISS X-Force, Vupen Security, Symantec, Microsoft, Sun, Red Hat, and so on. Unfortunately, there has been no cohesion or interoperability among these systems. Also, existing systems tend to be limited in scope as to what they cover. In recent years, due to improvements in computer hardware design and the consideration of decreasing production cost, most products use an open and modular design architecture [10]. Many devices such as factory control facilities and communication equipment have been found to have similar vulnerabilities. The problem occurs not only in software design but also in hardware. Compiling software- and hardware-related vulnerabilities into a knowledge base, which can be named a vulnerability database, provides a reference source for related persons and units.

Such vulnerability databases need experts to compile wide amounts of vulnerability information, and depend on experts' and groups' continual research and in-depth analysis. Each vulnerability database has its own nomenclature system for vulnerability information and different categories, and uses different analytical techniques, which strengthens such distinctions. So differences and incompatibilities exist between them. By purpose, vulnerability databases can be divided into four categories [3]:

1. Collection of security detection for network scanning and auditing. Example: Snort
2. Management of intrusion events and vulnerability information. Example: Nessus
3. Signature patterns for intrusion detection. Example: Security Focus, CERT, IBM ISS X-Force, Vupen Security and National Vulnerability Database (NVD)
4. Information used on attack strategies. Example: Milworm

CVE

CVE (Common Vulnerabilities and Exposures) is now sponsored by US Homeland Security's National Cyber Security Division and is operated by the MITRE Corporation. CVE is internationally and publicly recognized as the standard vulnerability nomenclature system. CVE assigns each known vulnerability a unique identification number (example: CVE-2008-4878). CVE used two classifying rules: CVE (formal serial number) and CAN (candidate serial number). When a new vulnerability was reported, a CAN serial number was first assigned to it. After the analysis process, MITRE gave the CAN serial number to the CVE Editorial Board, and if accepted, the candidate serial number became a formal serial number. After October 19, 2005, CVE changed this nomenclature process: now all CVE numbers start with "CVE", and once the vulnerability has been verified this is indicated in the status field. In figure 1, the first four digits represent the year, and the last four digits are the vulnerability's distinguishing serial number. Until now, the version 20061101 announced by CVE can be looked up by formal CVE-ID serial number only up to CVE-2004-0356; the approval is clearly very slow. Figure 1 shows that CVE vulnerability information content is comparatively simple, and another problem is that approval is very slow. CVE provides vulnerability information searches and vulnerability database downloads. The downloadable databases are in CSV, TEXT, HTML and XML format. CERIAS/Purdue University provides a downloadable repository of CVE serial number change logs; the downloadable types include daily and monthly changes [2].

Figure 1: CVE Record Description



NVD

The NIST National Vulnerability Database (NVD) is a comprehensive cyber security vulnerability database that integrates all publicly available federal government vulnerability resources and provides references to industry resources. The NVD website is http://nvd.nist.gov/. The NVD is based on and synchronized with the Common Vulnerabilities and Exposures (CVE) vulnerability dictionary of software flaws, and provides vulnerability summaries for all CVE vulnerabilities. The NVD includes a fine-grained search engine that allows users to search for vulnerabilities by various characteristics, and provides specific CVSS scores for publicly known vulnerabilities. With this link, the NVD provides valuable information to information system managers, users, system administrators, and other security professionals to help them learn about vulnerabilities and take steps to correct them. NVD is publicly available, so any organization or individual may freely use its CVSS base scores with environment-specific information. The present version of NVD is 2.2. It provides vulnerability information search, RSS feeds and vulnerability database downloads in XML format. This vulnerability database has been around since 2002. NVD provides vulnerability information classification and analysis techniques and research to improve vulnerability identification and defense; for example, CVSS [5], CWE [7], CPE [6], XCCDF [16], and OVAL [12] work in compatibility with NVD. NVD vulnerability information classification uses CVSS version 2.0, which has been announced by FIRST.

OSVDB

OSVDB (The Open Source Vulnerability Database) is a non-profit foundation operating under the OSF (Open Security Foundation). It is an independent and open source database created by and for the security community. The goal is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. This project focuses on promoting corporate and individual cooperation. OSVDB is designed to reduce the complicated and large workload, and the costs usually spent on vulnerability database development and maintenance. OSVDB is not only interested in collecting data on flaws in open source software; instead, this project collects information on vulnerabilities in all types of products, including commercial software as well. The present version of OSVDB is version 2.0. It provides vulnerability information search and vulnerability database downloads. The download formats are CSV, SQLite, MySQL, and XML. OSVDB classifies vulnerability information into 7 categories.

Related Technology and Automatic Retrieval Technique

XML

XML (eXtensible Markup Language) is an extensible markup language. At the end of 1996 it was taken up as a W3C standard, and in 1998 W3C formally recommended XML version 1.0. It is a simplified derivative of SGML and also a type of meta-language; thus it can be used to define any markup language. XML was set up to address HTML's inability to self-label and the fact that HTML can only be used to display information. XML is thus better suited for complex documents and online information exchange. XML removes the complicated and infrequently used rules of SGML, and allows users to define markup according to the style of document they are using. XML is a semi-structured data type with self-description ability, and its typesetting can be combined with style sheet effects. Most vulnerability databases use this format as the first choice for information exchange [1].



XML Shredding

XML "shredding" [15] is the process of transforming an XML document into a relational database. As in figure 2, the elements and attributes of an XML document must be completely transformed to prevent the risk of data loss. The three common types of mapping an XML document to a relational model are: the first saves the XML document as text in a database table; the second decomposes the XML document and maps it to relational database tables; and the third uses a relational database with native XML support, so the data is saved according to the structure defined by the original schema.

Figure 2: XML Shredding

Socket

Socket is a PHP library extension. It provides inter-process communication through the BSD socket as the low-level socket interface. The socket server provides the capability to connect to clients, online socket service, joint communication capability, and sets up socket online application systems or threads of execution. Socket works on top of the TCP/IP stack provided by the operating system and the application program or thread of execution interface.

Simple XML

Simple XML [13] is a PHP library extension. It can be set up through the XML parser. It did not come around until after PHP 5.0. It allows programmers to access XML files in a simple manner. Through Simple XML, XML files can be converted into object-oriented data types, and the programmer can maintain the XML data with object methods.

Simple Pie

RSS (Really Simple Syndication) is a type of web feed format. Users select the RSS feeds they want to subscribe to, and through RSS readers like iGoogle and other tools, users can read the newest updated information without needing to search the related websites again. You can even compile your frequently read RSS feeds onto a single interface. Many RSS feeds even offer automatic publishing functions. Simple Pie [14] is a library written in PHP. The goal is to allow software developers to easily maintain RSS and Atom feeds.

Literature Review

The more developed a country's internet transportation is, the higher its level of information technology. Government and corporate units provide uninterrupted service through the internet, which is even more convenient. Many personal computers and information systems connect to the internet more frequently than before. Due to neglect by management and individuals, perhaps through lack of knowledge, hackers have maliciously attacked servers and personal information equipment, and these are also affected by viruses and worms. They frequently cause danger and damage now [18].



Through the internet, they can cross physical boundaries and barriers. An attack can occur at any time or in any geography [9]. When they encounter zero-day attacks [19], the related security defense measures may become inefficient. The war for information security is endless. Intruders will attempt to find a way to attack for whatever reason. Impermeable defense measures are difficult to achieve. Through continual learning and improvement we can reduce the chance that intruders succeed in exploiting a system. The collection of vulnerability data through vulnerability databases can be seen as a type of information base. In the already wide field of information security research, many researchers point out different research directions for further study.

SYSTEM DESIGN AND IMPLEMENTATION

NVD XML Schema Analysis

Through the NVD/CVE XML schema file nvdcve.xsd, you can analyse the structure definition of the downloadable XML file. This is an example for version 1.2; see figure 3. The nvd root node is divided into attributes and the first child node, entry: cve:entry nodes can contain from 0 to many vulnerability entry records. Every cve:entry node includes attributes and 8 child nodes. Every vulnerability entry contains a group of 8 child nodes that record information about the vulnerability, but only the desc and refs child nodes are necessary items; the other 6 child nodes are optional and are only recorded when there is related information. Every child node may contain attributes and other child nodes. Refer to nvdcve.xsd for more detail.

Figure 3: NVD Root Element Analysis

Database Table

The MySQL database system uses the default character set utf-8. We set up 15 tables in the database, in accordance with the analysis of NVD XML schema version 1.2. Through XML shredding, the XML child elements and attributes are mapped to the relational database, which contains 10 tables from the schema. Besides those, the logs, pending, prefs, user, and resource tables are added in this research. In other tables such as desc, this research adds a localize field and other fields as necessary. The descriptions of the tables are given in table 1.



Table 1: Database Table Description

Name       Description
desc       description of the vulnerability
entry      entry record, including CVSS
impacts    impact for the user
logs       event logs
loss       effect (loss type)
types      protection type
pending    pending vulnerability entries awaiting processing
prefs      pending refs for vulnerability entries
range      vulnerability effect range
refs       external reference link
resource   resource type
sols       solution method
user       user and rights
vers       affected software version
vulnsoft   affected software name
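The XML shredding described above and the NVD schema and table layout of this section, worked through as an added example. This is not code from the paper's system (which is written in PHP); it is a Python sketch using SQLite that decomposes a constructed NVD-1.2-style feed into entry, desc, refs, vulnsoft and vers tables. The element and attribute names, column names, CVE ids, text and URLs are assumptions made for the example. Two points a practitioner would check are visible here: feed content reaches the database only through bound parameters (the paper's requirement that fetched data be inspected to avoid SQL injection), and the XML parser is treated as handling untrusted input.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample feed, loosely modelled on the NVD/CVE 1.2 structure the
# paper describes (an nvd root, entry elements, desc and refs children, plus
# the optional vuln_soft child). Element and attribute names are assumptions,
# and the CVE ids, text and URLs are made up for this example.
SAMPLE_FEED = """<nvd>
  <entry name="CVE-2008-0001" published="2008-01-10" modified="2008-02-01" CVSS_score="7.5">
    <desc><descript source="cve">Buffer overflow in example daemon.</descript></desc>
    <refs>
      <ref source="VENDOR" url="https://vendor.example/advisory/1">Vendor advisory</ref>
      <ref source="CERT" url="https://cert.example/note/1">CERT note</ref>
    </refs>
    <vuln_soft>
      <prod name="exampled" vendor="Example Corp"><vers num="1.0"/><vers num="1.1"/></prod>
    </vuln_soft>
  </entry>
  <entry name="CVE-2008-0002" published="2008-01-12" modified="2008-01-12">
    <desc><descript source="cve">Cross-site scripting in example web UI.</descript></desc>
    <refs><ref source="OSVDB" url="https://osvdb.example/1">OSVDB entry</ref></refs>
  </entry>
</nvd>
"""

# Subset of the paper's tables (entry, desc, refs, vulnsoft, vers). Column names
# are assumptions; "localize" stands for the translated-text field the paper adds.
SCHEMA = """
CREATE TABLE entry    (name TEXT PRIMARY KEY, published TEXT, modified TEXT, cvss_score REAL);
CREATE TABLE "desc"   (entry_name TEXT, source TEXT, text TEXT, localize TEXT);
CREATE TABLE refs     (entry_name TEXT, source TEXT, url TEXT, label TEXT);
CREATE TABLE vulnsoft (id INTEGER PRIMARY KEY, entry_name TEXT, vendor TEXT, name TEXT);
CREATE TABLE vers     (vulnsoft_id INTEGER, num TEXT);
"""


def shred(xml_text, conn):
    """Map each <entry> and its children onto the relational tables.
    Returns the number of entries written."""
    # Feeds are untrusted input. Python's expat does not fetch external
    # entities, but entity-expansion bombs still apply; in production parse
    # with a hardened parser (e.g. defusedxml) or cap the document size first.
    root = ET.fromstring(xml_text)
    cur = conn.cursor()
    count = 0
    for entry in root.findall("entry"):
        name = entry.get("name")
        score = entry.get("CVSS_score")
        # Bound parameters: feed content never becomes part of the SQL text.
        cur.execute("INSERT INTO entry VALUES (?, ?, ?, ?)",
                    (name, entry.get("published"), entry.get("modified"),
                     float(score) if score else None))
        for d in entry.findall("desc/descript"):
            cur.execute('INSERT INTO "desc" VALUES (?, ?, ?, NULL)',
                        (name, d.get("source"), (d.text or "").strip()))
        for r in entry.findall("refs/ref"):
            cur.execute("INSERT INTO refs VALUES (?, ?, ?, ?)",
                        (name, r.get("source"), r.get("url"), (r.text or "").strip()))
        for p in entry.findall("vuln_soft/prod"):
            cur.execute("INSERT INTO vulnsoft (entry_name, vendor, name) VALUES (?, ?, ?)",
                        (name, p.get("vendor"), p.get("name")))
            soft_id = cur.lastrowid  # parent row id keeps the vers child rows linked
            for v in p.findall("vers"):
                cur.execute("INSERT INTO vers VALUES (?, ?)", (soft_id, v.get("num")))
        count += 1
    conn.commit()
    return count


def build_db(xml_text=SAMPLE_FEED):
    """Create the schema in an in-memory database and shred the feed into it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    shred(xml_text, conn)
    return conn


def entry_count(conn):
    return conn.execute("SELECT COUNT(*) FROM entry").fetchone()[0]


def cvss_score(conn, cve_name):
    return conn.execute("SELECT cvss_score FROM entry WHERE name = ?", (cve_name,)).fetchone()[0]


def refs_for(conn, cve_name):
    return [row[0] for row in conn.execute(
        "SELECT url FROM refs WHERE entry_name = ? ORDER BY url", (cve_name,))]


def affected_versions(conn, cve_name):
    return [row[0] for row in conn.execute(
        "SELECT v.num FROM vers v JOIN vulnsoft s ON v.vulnsoft_id = s.id "
        "WHERE s.entry_name = ? ORDER BY v.num", (cve_name,))]


if __name__ == "__main__":
    db = build_db()
    print(entry_count(db), refs_for(db, "CVE-2008-0001"), affected_versions(db, "CVE-2008-0001"))
```

The join on vulnsoft.id is what the second mapping style in the XML shredding section implies: one parent row per product, child rows per version, rather than one text blob per entry.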

System Architecture

The system is implemented on the FreeBSD operating system, with the lighttpd web server installed and the fast-cgi module enabled to use the PHP scripting language. The database uses the MySQL database server. For the entire system architecture, see figure 4. The system process is divided into two parts, described below.

Figure 4: System Architecture

Foreground Part

This portion uses the lighttpd web server, the PHP scripting language and a backend MySQL database server. It provides the user with a browser-based method to search for related vulnerability information and a keyword subscription service. The information input by users has to be inspected to avoid XSS or SQL injection. System managers can also use the browser to maintain user data, correct vulnerability information, and review system event logs.

Background Part

This portion uses UNIX's cron scheduling mechanism, the PHP scripting language and the backend MySQL database. The goal is to maintain the vulnerability database information and perform continual systematic updates. This is achieved by coordination of the data fetch module, data analysis module and data write module. The information is retrieved from external resources, and this data must also be inspected to avoid XSS or SQL injection. The system adds event logs at the appropriate period and allows the manager to review them for system operation. In order to avoid malicious intrusion or network scanning, we use FreeBSD's built-in firewall, PF, to allow the sshd service and filter unauthorized access.
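The foreground requirement that user input be inspected to avoid SQL injection and XSS, as an added example (not the paper's PHP code; a Python/SQLite illustration with constructed rows). It places a keyword search that splices user text into the query next to the hardened form, which validates the keyword against a whitelist, escapes LIKE wildcards and binds the value as a parameter, and it escapes stored text before it is rendered into HTML. The table columns, the whitelist and the sample rows are assumptions.

```python
import html
import re
import sqlite3

# Constructed rows standing in for the entry table; ids and text are made up.
ROWS = [
    ("CVE-2008-0001", "Buffer overflow in example daemon."),
    ("CVE-2008-0002", "Cross-site scripting in example web UI."),
]

# Whitelist for search keywords: letters, digits, space and a few punctuation
# characters, bounded in length. Quotes, '=' and ';' are rejected outright.
KEYWORD_RE = re.compile(r"[A-Za-z0-9 ._:-]{1,64}")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entry (name TEXT, summary TEXT)")
    conn.executemany("INSERT INTO entry VALUES (?, ?)", ROWS)
    return conn


def validate_keyword(raw):
    """Reject anything outside the allowed character set instead of trying to clean it."""
    if not KEYWORD_RE.fullmatch(raw):
        raise ValueError("keyword contains characters outside the allowed set")
    return raw


def search_unsafe(conn, keyword):
    """The defect: user text is spliced into the SQL string, so the keyword can
    change the query's meaning. Kept only to contrast with search_safe."""
    sql = "SELECT name FROM entry WHERE summary LIKE '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, keyword):
    """Validate, escape LIKE wildcards, then bind the value as a parameter so it
    can only ever be compared as data."""
    keyword = validate_keyword(keyword)
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return [row[0] for row in conn.execute(
        "SELECT name FROM entry WHERE summary LIKE ? ESCAPE '\\'", ("%" + escaped + "%",))]


def render_row(name, summary):
    """Escape before emitting into HTML so stored or fetched text cannot become script."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(name), html.escape(summary))


if __name__ == "__main__":
    db = open_db()
    print(search_safe(db, "overflow"))
    print(render_row("CVE-2008-0002", "<script>alert(1)</script>"))
```

The same two measures apply to the background part: text pulled from external feeds goes into the database through bound parameters and is escaped on the way out, regardless of which source it came from.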

System Procedure Modules

When developing the system, we used the open source PHP scripting language. Because it uses the SimpleXML module, PHP version 5.0 or above has to be used. The system is divided into four primary modules, described below.

Data Fetch Module

Most of the modules use the UNIX cron scheduling mechanism. Because the origin of vulnerability-related information is diverse and complex, it is difficult to fully understand a single vulnerability from one source. The program's automated step retrieves the latest information from announcement resources, like RSS or other web sites. We use regular expressions and string comparison to find the latest news about vulnerability information; the first step filters and compiles the information and places the data in the pending table. The information probably contains duplicates of the same vulnerability, because the same vulnerability has been announced from many different resources, or on different discovery dates.

Data Analysis Module

Besides comparing vulnerability information in the pending and prefs tables, this module also deletes and integrates vulnerability information. After a period of time, the vulnerability is assigned a tag. The point of waiting is to allow the origin of the vulnerability information to be updated completely, for the benefit of writing the vulnerability information. The full comparison flow is divided into two parts: the first is the NVD update strategy, the second is the update strategy for the other sources.

Data Write Module

This is divided into two parts. In the first, the system compares against the newest nvdcve-modified.xml permanently available on the NVD website. The system downloads the updated file if necessary. When done, it automatically updates the vulnerability database: it deletes the old versions when new data exists, copies necessary updated information to the pending and prefs tables, and waits for the new analysis. In the second, the data is written into the database system after the data analysis module has completed its analysis; it can also write the entire database into an XML file.

User Search and Subscribe Module

The website interface allows the user to search for relevant vulnerability information in the browser. The user can log in and submit keywords, or send an email to submit vulnerability-related keywords.
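The fetch, analysis and write steps above, carried through as one added example (not the paper's PHP modules; a Python sketch). Two constructed RSS feeds announce the same vulnerability on different dates; the fetch step extracts CVE identifiers with a regular expression and merges duplicate announcements into a pending record, the analysis step tags entries only after a waiting period so the sources can finish updating, and the write step emits one merged record per tagged id. The feed contents, source names, CVE ids, URLs, the three-day waiting period and the clock value are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Spot CVE identifiers in feed text (the paper's fetch module uses regular
# expressions and string comparison for the same purpose).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed RSS feeds standing in for two announcement sources. Source names,
# CVE ids, titles and URLs are made up for this example.
FEEDS = {
    "vendor-rss": """<rss version="2.0"><channel><title>Vendor advisories</title>
<item><title>Advisory: CVE-2008-0001 buffer overflow in exampled</title>
<link>https://vendor.example/adv/1</link>
<pubDate>Mon, 07 Jan 2008 10:00:00 +0000</pubDate></item>
<item><title>Advisory: CVE-2008-0002 XSS in example web UI</title>
<link>https://vendor.example/adv/2</link>
<pubDate>Thu, 10 Jan 2008 09:30:00 +0000</pubDate></item>
</channel></rss>""",
    "cert-rss": """<rss version="2.0"><channel><title>CERT notes</title>
<item><title>Note 1: exampled overflow (CVE-2008-0001)</title>
<link>https://cert.example/note/1</link>
<pubDate>Tue, 08 Jan 2008 12:00:00 +0000</pubDate></item>
<item><title>General hardening guidance</title>
<link>https://cert.example/guidance</link>
<pubDate>Wed, 09 Jan 2008 08:00:00 +0000</pubDate></item>
</channel></rss>""",
}

# Waiting period before an entry is tagged ready (the paper waits so that the
# originating sources can finish updating; the length here is an assumption),
# and a fixed clock so the example is reproducible.
WAIT = timedelta(days=3)
NOW = datetime(2008, 1, 12, tzinfo=timezone.utc)


def parse_rss(xml_text):
    """Yield (title, link, published) for each <item> in an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    for item in root.findall("channel/item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        published = datetime.strptime(item.findtext("pubDate").strip(),
                                      "%a, %d %b %Y %H:%M:%S %z")
        yield title, link, published


def fetch_all(feeds):
    """Data fetch step: collect CVE mentions from every feed into the pending
    table (a dict here), merging duplicate announcements of the same id."""
    pending = {}
    for source, xml_text in feeds.items():
        for title, link, published in parse_rss(xml_text):
            for cve_id in set(CVE_RE.findall(title)):
                rec = pending.setdefault(cve_id, {"first_seen": published,
                                                  "sources": {}, "titles": []})
                rec["first_seen"] = min(rec["first_seen"], published)
                rec["sources"][source] = link
                rec["titles"].append(title)
    return pending


def analyse(pending, now=NOW, wait=WAIT):
    """Data analysis step: tag ids whose first sighting is older than the waiting period."""
    return sorted(cve for cve, rec in pending.items() if now - rec["first_seen"] >= wait)


def write_records(pending, ready):
    """Data write step: one merged record per tagged id, with every reference link."""
    return [{"cve": cve,
             "first_seen": pending[cve]["first_seen"].isoformat(),
             "refs": sorted(pending[cve]["sources"].values())}
            for cve in ready]


if __name__ == "__main__":
    table = fetch_all(FEEDS)
    print(write_records(table, analyse(table)))
```

Keeping the earliest publication date across sources, rather than the date of whichever feed happened to be fetched first, is what makes the waiting period independent of fetch order.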

RESULTS

After completely analyzing and compiling vulnerability data from numerous vulnerability database resources, we found that vulnerability database information is updated and altered with high frequency, and that vulnerability data cannot be completely collected in a short period. Many research units use different analysis strategies and test methods, and assign different nomenclature rules to the same vulnerability information. It is an important reference point that vulnerability databases can provide complete and accurate vulnerability information. The NVD vulnerability database uses the nomenclature rules of CVE, and it is the U.S. government repository of standards-based vulnerability management data. Its vulnerability information is accurate, highly dependable and has been tested. OSVDB provides vulnerability information which, besides reference URLs, also includes seven classification categories of vulnerability and scanning tools for vulnerability information collection. The amalgamation of this information is the important part of this research. The vulnerability information can be translated into the local language through the Google translation service, which makes the vulnerability information easier to understand.

CONCLUSIONS

Vulnerability databases provide a lot of important data for information security research units and persons. They also provide reference material about many existing vulnerabilities and prevention measures. Following the ever-changing technology, people will become aware of such vulnerability information, abuse it, and use it to develop new attack methods. The construction of vulnerability databases has therefore become comparatively important. By providing knowledge of vulnerabilities, those in information security related fields can use it to their advantage, increase the rate of identification of vulnerabilities, and reduce the rate of information security incidents. We have tried to use automatic retrieval technology to carry out continual updates, retrieve and compare different vulnerability database resources, compile related vulnerability information, and translate a portion of the vulnerability information into the local language. We hope this information can be complete and useful to others. However, changes in the publishing format of a vulnerability database may cause the automatic process to become inefficient, and the accuracy of the translation of the vulnerability information into the local language cannot be guaranteed.

REFERENCES

1. A. Blyth, "An XML-based Architecture to Perform Data Integration and Data Unification in Vulnerability Assessments," Information Security Technical Report 2003, Vol. 8, No. 4.
2. CERIAS/Purdue University CVE Change Logs, https://cassandra.cerias.purdue.edu/CVE_changes/
3. C. Y. Lee, B. R. Lee and T. Y. Lee, "Research and Implementation of Vulnerability Automatic Integration," ECommerce and Digital Live 2006, pp. 15.
4. Common Vulnerabilities and Exposures, http://cve.mitre.org/
5. Common Vulnerability Scoring System, http://www.first.org/cvss/
6. Common Platform Enumeration, http://cpe.mitre.org/
7. Common Weakness Enumeration, http://nvd.nist.gov/cwe.cfm
8. Information and Communication Security Technology Center, http://www.icst.org.tw/
9. K. J. FAM, C. H. Yang and C. Y. Hsu, "Base on Information Sharing and Analysis Center: Preview of Vulnerability Database," 2007.
10. National Institute of Standards and Technology, NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, 2nd Ed. Public Draft. NIST, 2007.
11. National Vulnerability Database, http://nvd.nist.gov/
12. Open Vulnerability and Assessment Language, http://oval.mitre.org/
13. PHP: Hypertext Preprocessor, http://www.php.net/
14. Simple Pie, http://simplepie.org/
15. S. Lanka and P. Parikh, "XML Shredding," http://cs1.cs.nyu.edu/ms_students/pp386/XMLShredding20001022.htm
16. The Extensible Configuration Checklist Description Format, http://nvd.nist.gov/xccdf.cfm/
17. The Open Source Vulnerability Database, http://osvdb.org/
18. Y. P. Lai and P. L. Hsia, "Using the Vulnerability Information of Computer Systems to Improve the Network Security," Computer Communications 2007, Vol. 30, pp. 2032-2047.
19. Zero Day Attack, http://en.wikipedia.org/wiki/Zero_day_attack

