

Measuring and ranking attacks based on vulnerability analysis
Authors: Ju An Wang, Minzhe Guo, Hao Wang, Linfeng Zhou
Affiliation: 1. School of Computing and Software Engineering, Southern Polytechnic State University, Marietta, GA, USA
Abstract: As the number of software vulnerabilities increases, research on software vulnerabilities has become a focal point in information security. A vulnerability could be exploited to attack the information asset that has the weakness related to the vulnerability. However, multiple attacks may target one software product at the same time, and it is necessary to rank and prioritize those attacks in order to establish a better defense. This paper proposes a similarity measurement to compare and categorize vulnerabilities, and a set of security metrics to rank attacks based on vulnerability analysis. The vulnerability information is retrieved from a vulnerability management ontology integrating commonly used standards like CVE (http://www.cve.mitre.org/), CWE (http://www.cwe.mitre.org/), CVSS (http://www.first.org/cvss/), and CAPEC (http://www.capec.mitre.org/). This approach can be used in many areas of vulnerability management to secure information systems and e-business, such as vulnerability classification, mitigation and patching, threat detection and attack prevention.
Keywords:
This article is indexed in SpringerLink and other databases.