{"title":"Time-related vulnerability lookahead extension to the CVE","authors":"Thanapon Bhuddtham, Pirawat Watanapongse","doi":"10.1109/JCSSE.2016.7748927","DOIUrl":null,"url":null,"abstract":"Software scanning against the vulnerability database is one of the regular activities required by all information security management standards. However, the nature of the scanning system itself is reactive; a vulnerability has to be found, then the announcement made, with (and sometimes without) fixes. However, there exist classes of knowledge that are significant, reliable, and can be easily obtained, but are not represented in the vulnerability database. One such knowledge is the time-related vulnerabilities that signify the increasing risk of the system through time. We therefore explore the design and implementation in representing and appending this information, and thus propose an extension to the original Common Vulnerabilities and Exposures (CVE) database, called Time-Related Vulnerability Lookahead Extension to the CVE (T-CVE). This extension would complement the classical CVE in providing a publicly early-warning system so that the information security managers will be able to proactively assess their resources' C-I-A risks through trend analysis and will be able to mitigate them in a timely fashion. This work will initially focus on four proactive time-related information categories, namely the obsolete (software) platform, out-of-date (malware) signature, (hardware) degradation due to wear-and-tear, and (software) expiry. Obviously, other categories can later be similarly appended based on this framework.","PeriodicalId":321571,"journal":{"name":"2016 13th International Joint Conference on Computer Science and Software Engineering (JCSSE)","volume":"19 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-07-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 13th International Joint Conference on Computer Science and Software Engineering (JCSSE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/JCSSE.2016.7748927","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 5
Abstract
Software scanning against the vulnerability database is one of the regular activities required by all information security management standards. However, the nature of the scanning system itself is reactive: a vulnerability has to be found, then the announcement made, with (and sometimes without) fixes. Yet there exist classes of knowledge that are significant, reliable, and easily obtained, but are not represented in the vulnerability database. One such class is the time-related vulnerabilities that signify the increasing risk of a system through time. We therefore explore the design and implementation of representing and appending this information, and propose an extension to the original Common Vulnerabilities and Exposures (CVE) database, called the Time-Related Vulnerability Lookahead Extension to the CVE (T-CVE). This extension would complement the classical CVE by providing a public early-warning system, so that information security managers can proactively assess their resources' C-I-A risks through trend analysis and mitigate them in a timely fashion. This work initially focuses on four proactive time-related information categories, namely the obsolete (software) platform, out-of-date (malware) signature, (hardware) degradation due to wear-and-tear, and (software) expiry. Other categories can later be appended in the same way based on this framework.