• Title/Summary/Keyword: Security vulnerability evaluation

Search Result 103, Processing Time 0.042 seconds

A quantitative assessment method of network information security vulnerability detection risk based on the meta feature system of network security data

  • Lin, Weiwei;Yang, Chaofan;Zhang, Zeqing;Xue, Xingsi;Haga, Reiko
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.15 no.12
    • /
    • pp.4531-4544
    • /
    • 2021
  • Because the traditional network information security vulnerability risk assessment method does not set the weight, it is easy for security personnel to fail to evaluate the value of information security vulnerability risk according to the calculation value of network centrality, resulting in poor evaluation effect. Therefore, based on the network security data element feature system, this study designed a quantitative assessment method of network information security vulnerability detection risk under single transmission state. In the case of single transmission state, the multi-dimensional analysis of network information security vulnerability is carried out by using the analysis model. On this basis, the weight is set, and the intrinsic attribute value of information security vulnerability is quantified by using the qualitative method. In order to comprehensively evaluate information security vulnerability, the efficacy coefficient method is used to transform information security vulnerability associated risk, and the information security vulnerability risk value is obtained, so as to realize the quantitative evaluation of network information security vulnerability detection under single transmission state. The calculated values of network centrality of the traditional method and the proposed method are tested respectively, and the evaluation of the two methods is evaluated according to the calculated results. The experimental results show that the proposed method can be used to calculate the network centrality value in the complex information security vulnerability space network, and the output evaluation result has a high signal-to-noise ratio, and the evaluation effect is obviously better than the traditional method.

Refining software vulnerbility Analysis under ISO/IEC 15408 and 18045 (ISO/IEC 15408, 18045 기반 소프트웨어 취약성 분석 방법론)

  • Im, Jae-Woo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.5
    • /
    • pp.969-974
    • /
    • 2014
  • CC (Common Criteria) requires collecting vulnerability information and analyzing them by using penetration testing for evaluating IT security products. Under the time limited circumstance, developers cannot help but apply vulnerability analysis at random to the products. Without the systematic vulnerability analysis, it is inevitable to get the diverse vulnerability analysis results depending on competence in vulnerability analysis of developers. It causes that the security quality of the products are different despite of the same level of security assurance. It is even worse for the other IT products that are not obliged to get the CC evaluation to be applied the vulnerability analysis. This study describes not only how to apply vulnerability taxonomy to IT security vulnerability but also how to manage security quality of IT security products practically.

Vulnerability Analysis using the Web Vulnerability Scanner (Web Vulnerability Scanner를 이용한 취약성 분석)

  • Jang, Hee-Seon
    • Convergence Security Journal
    • /
    • v.12 no.4
    • /
    • pp.71-76
    • /
    • 2012
  • As the use of Mashups, web3.0, JavaScript and AJAX(Asynchronous JavaScript XML) widely increases, the new security threats for web vulnerability also increases when the web application services are provided. In order to previously diagnose the vulnerability and prepare the threats, in this paper, the classification of security threats and requirements are presented, and the web vulnerability is analyzed for the domestic web sites using WVS(Web Vulnerability Scanner) automatic evaluation tool. From the results of vulnerability such as XSS(Cross Site Scripting) and SQL Injection, the total alerts are distributed from 0 to 31,177, mean of 411, and standard deviation of 2,563. The results also show that the web sites of 22.5% for total web sites has web vulnerability, and the previous defenses for the security threats are required.

PKG-VUL: Security Vulnerability Evaluation and Patch Framework for Package-Based Systems

  • Lee, Jong-Hyouk;Sohn, Seon-Gyoung;Chang, Beom-Hwan;Chung, Tai-Myoung
    • ETRI Journal
    • /
    • v.31 no.5
    • /
    • pp.554-564
    • /
    • 2009
  • In information security and network management, attacks based on vulnerabilities have grown in importance. Malicious attackers break into hosts using a variety of techniques. The most common method is to exploit known vulnerabilities. Although patches have long been available for vulnerabilities, system administrators have generally been reluctant to patch their hosts immediately because they perceive the patches to be annoying and complex. To solve these problems, we propose a security vulnerability evaluation and patch framework called PKG-VUL, which evaluates the software installed on hosts to decide whether the hosts are vulnerable and then applies patches to vulnerable hosts. All these operations are accomplished by the widely used simple network management protocol (SNMP). Therefore, system administrators can easily manage their vulnerable hosts through PKG-VUL included in the SNMP-based network management systems as a module. The evaluation results demonstrate the applicability of PKG-VUL and its performance in terms of devised criteria.

A Study on Security Evaluation for Mobile Web Services Message (모바일 웹서비스 메시지의 보안 평가에 관한 연구)

  • Lee, Seoung-Hyeon;Lee, Jae-Seung
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2007.06a
    • /
    • pp.765-768
    • /
    • 2007
  • In this paper, the security evaluation method about mobile web services message is suggested in the method for improving the safety an reliability about the mobile web services message. In order that the goal of this paper is accomplished, the security threat and the security vulnerability which can be occurred in the mobile web services message are defined. The evaluation method for performing the security evaluation about the mobile web services message is defined. Also, the requirements for the mobile web services message security evaluation are defined. Finally, the evaluation framework for performing the mobile web services message security evaluation is constituted, and the evaluation scenario example is suggested. By using the mobile web services message security evaluation defined in the paper, before the mobile web services is deployed, the security threats and security vulnerability can be verified. Also, the countermeasure for the security threat and security vulnerability discovered in the verification result can be prepared. Therefore, the sorority and reliability about the mobile web services can be improved.

  • PDF

Automated Attack Path Enumeration Method based on System Vulnerabilities Analysis (시스템 취약점 분석을 통한 침투 경로 예측 자동화 기법)

  • Kim, Ji Hong;Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.5
    • /
    • pp.1079-1090
    • /
    • 2012
  • As the number of information asset and their vulnerabilities are increasing, it becomes more difficult for network security administrators to assess security vulnerability of their system and network. There are several researches for vulnerability analysis based on quantitative approach. However, most of them are based on experts' subjective evaluation or they require a lot of manual input for deriving quantitative assessment results. In this paper, we propose HRMS(Hacking and Response Measurement System) for enumerating attack path using automated vulnerability measurement automatically. HRMS can estimate exploitability of systems or applications based on their known vulnerability assessment metric, and enumerate attack path even though system, network and application's information are not fully given for vulnerability assessment. With this proposed method, system administrators can do proactive security vulnerability assessment.

An Study on the Impact of N/A Check Item on the Security Level Result through Empirical Verification (실증검증을 통한 N/A 점검항목이 보안 수준 결과에 미치는 영향에 관한 연구)

  • Lee, Jun Ho;Sung, Kyung Sang;Oh, Hea Seok
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.3 no.8
    • /
    • pp.271-276
    • /
    • 2014
  • This study analyzed that N/A check items affect the results of the security level degree, when performing vulnerability analysis evaluation. For this, we were used vulnerability analysis evaluation range, check items and quantitative calculation method. Furthermore, were applied grade and weight for the importance of the items. In addition, because technology develop rapidly, the institution is always exposed risk. therefore, this study was carried out empirical analysis by applying RAL(Risk Acceptabel Level). According to the analyzed result N/A check items factors affecting the level of security has been proven. In other words, this study found that we shall exclude inspection items irrelevant to the institution characteristics, when perform vulnerability analysis evaluation. In this study suggested that security level evaluation shall performed, after that exclude items irrelevant to the institution characteristics based on empirical verification. And also, it proposed that model research is required for establish check items for which analysis-evaluate vulnerability based on empirical verification.

A Study of Effectiveness of the Improved Security Operation Model Based on Vulnerability Database (취약점 데이터베이스 기반 개선된 보안관제 모델의 효과성 연구)

  • Hyun, Suk-woo;Kwon, Taekyoung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.5
    • /
    • pp.1167-1177
    • /
    • 2019
  • In this paper, the improved security operation model based on the vulnerability database is studied. The proposed model consists of information protection equipment, vulnerability database, and a dashboard that visualizes and provides the results of interworking with detected logs. The evaluation of the model is analyzed by setting up a simulated attack scenario in a virtual infrastructure. In contrast to the traditional method, it is possible to respond quickly to threats of attacks specific to the security vulnerabilities that the asset has, and to find redundancy between detection rules with a secure agent, thereby creating an optimal detection rule.

A Study on the Development and Application of Efficient Evaluation Criteria for Performance Testing of Commercial Open Source Vulnerability Scanning Tools (상용 오픈소스 취약점 스캐닝 도구의 성능 시험을 위한 효율적 평가 기준 개발 및 적용)

  • Shin, Kangsik;Jung, Dong-Jae;Choe, Min-Ji;Cho, Ho-Mook
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.32 no.4
    • /
    • pp.709-722
    • /
    • 2022
  • The recent "Log4j Security Vulnerability Incident" has occurred, and the information system that uses the open source "Log4J" has been exposed to vulnerabilities. The incident brought great vulnerabilities in the information systems of South Korea's major government agencies or companies and global information systems, causing problems with open source vulnerabilities. Despite the advantages of many advantages, the current development paradigm, which is developed using open source, can easily spread software security vulnerabilities, ensuring open source safety and reliability. You need to check the open source. However, open source vulnerability scan tools have various languages and functions. Therefore, the existing software evaluation criteria are ambiguous and it is difficult to evaluate advantages and weaknesses, so this paper has developed a new evaluation criteria for the vulnerability analysis tools of open source

A Study on Information Security Management of Hospital Web Sites (의료기관 종별 웹 사이트 정보보안 관리 실태 연구)

  • Kim, Jong-Min;Ryu, Hwang-Gun
    • The Korean Journal of Health Service Management
    • /
    • v.9 no.2
    • /
    • pp.23-32
    • /
    • 2015
  • In this paper, we evaluated web security vulnerability and privacy information management of hospital web sites which are registered at the Korea Hospital Association. Vulnerability Scanner (WVS) based on the OWASP Top 10 was used to evaluate the web security vulnerability of the web sites. And to evaluate the privacy information management, we used ten rules which were based on guidelines for protecting privacy information on web sites. From the results of the evaluation, we discovered tertiary hospitals had relatively excellent web security compared to other type of hospitals. But all the hospital types had not only high level vulnerabilities but also the other level of vulnerabilities. Additionally, 97% of the hospital web sites had a certain level of vulnerability, so a security inspection is needed to secure the web sites. We discovered a few SQL Injection and XSS vulnerabilities in the web sites of tertiary hospitals. However, these are very critical vulnerabilities, so all hospital types have to be inspected to protect their web sites against attacks from hacker. On the other hand, the inspection results of the tertiary hospitals for privacy information management had a better compliance rate than that of the other hospital types.