Peter M. Mell

An analysis of CVSS version 2 vulnerability scoring

The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. Finalized in 2007, CVSS version 2 was designed to address deficiencies found during analysis and use of the original CVSS version. This paper analyzes how effectively CVSS version 2 addresses these deficiencies and what new deficiencies it may have. This analysis is based primarily on an experiment that applied both version 1 and version 2 scoring to a large set of recent vulnerabilities. Theoretical characteristics of version 1 and version 2 scores were also examined. The results show that the goals for the changes were met, but that some changes had a negligible effect on scoring while complicating the scoring process. The changes also had unintended effects on organizations that prioritize vulnerability remediation based primarily on CVSS scores.

A denial-of-service resistant intrusion detection architecture

Abstract As the capabilities of intrusion detection systems (IDSs) advance, attackers may disable organizations’ IDSs before attempting to penetrate more valuable targets. To counter this threat, we present an IDS architecture that is resistant to denial-of-service (DOS) attacks. The architecture frustrates attackers by making IDS components invisible to attackers’ normal means of “seeing” in a network. Upon a successful attack, the architecture allows IDS components to relocate from attacked hosts to operational hosts thereby mitigating the attack. These capabilities are obtained by using mobile agent technology, utilizing network topology features, and by restricting the communication allowed between different types of IDS components.

Understanding Intrusion Detection Systems

Abstract I ntrusion detection is the process of detecting an unauthorized use of, or attack upon, a computer or a telecommunication network. Intrusion detection systems (IDSs)are designed and installed to aid in deterring or mitigating the damage that can be caused by hacking, or breaking into sensitive IT systems. IDSs are software or hardware mechanisms that detect such misuse. IDSs can detect attempts to compromise the confidentiality, integrity, and availability of a computer or network. The attacks can come from outsider attackers on the Internet, authorized insiders who misuse the privileges that have been given them, and unauthorized insiders who attempt to gain unauthorized privileges. IDSs cannot be used in isolation, but must be part of a larger framework of IT security measures.

What's Special about Cloud Security?

Although cloud security concerns have consistently ranked as one of the top challenges to cloud adoption, its not clear what security issues are particular to cloud computing. To approach this question, the author attempts to derive cloud security issues from various cloud definitions and a reference architecture.

Improving the Common Vulnerability Scoring System

The Common Vulnerability Scoring System is an emerging standard for scoring the impact of vulnerabilities. The results of an analysis of the scoring system and that of an experiment scoring a large set of vulnerabilities using the standard are presented. Although the scoring system was found to be useful, it contains a variety of deficiencies that limit its ability to measure the impact of vulnerabilities. The study demonstrates how these deficiencies could be addressed in subsequent versions of the standard and how these changes are backwards-compatible with the existing scoring efforts. In conclusion a recommendation for a revised scoring system and an analysis of experiments that demonstrate how the revision would address deficiencies discovered in the existing version of the standard are presented.

Intrusion Detection and Prevention Systems

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an IDS and can also attempt to stop possible incidents. IDS and IPS technologies offer many of the same capabilities, and administrators can usually disable prevention features in IPS products, causing them to function as IDSs. Accordingly, for brevity the term intrusion detection and prevention systems (IDPSs) is used throughout the rest of this chapter to refer to both IDS and IPS technologies. Any exceptions are specifically noted.

Optimizing the Scalability of Network Intrusion Detection Systems Using Mobile Agents

Modern Intrusion Detection Systems (IDSs) are distributed real-time systems that detect unauthorized use or attacks upon an organizations network and/or hosts. The components of most distributed IDSs are arranged in a hierarchical tree structure, where the sensor nodes pass information to the analyzer nodes. Optimal placement of the analyzer nodes results in an improved response time for the IDS, and isolation of attacks within the IDS network. Since the network topology and workload are constantly changing, we are able to maintain near-optimal placement of the analyzer nodes by instantiating them as mobile agents. The analyzer nodes may then relocate, reproduce or be deleted as necessary. Such flexibility improves the response times and the stability of an IDS. The movement of the analyzer nodes also offers some protection against denial-of-service attacks, since secure analyzer nodes will be relocated to take over some of the functionality of the host under attack.

Vulnerability scoring for security configuration settings

The best-known vulnerability scoring standard, the Common Vulnerability Scoring System (CVSS), is designed to quantify the severity of security-related software flaw vulnerabilities. This paper describes our efforts to determine if CVSS could be adapted for use with a different type of vulnerability: security configuration settings. We have identified significant differences in scoring configuration settings and software flaws and have proposed methods for accommodating those differences. We also generated scores for 187 configuration settings to evaluate the new specification.

Restricting Insider Access Through Efficient Implementation of Multi-Policy Access Control Systems

The American National Standards Institute (ANSI) has standardized an access control approach, Next Generation Access Control (NGAC), that enables simultaneous instantiation of multiple access control policies. For large complex enterprises this is critical to limiting the authorized access of insiders. However, the specifications describe the required access control capabilities but not the related algorithms. While appropriate, this leave open the important question as to whether or not NGAC is scalable. Existing cubic reference implementations indicate that it does not. For example, the primary NGAC reference implementation took several minutes to simply display the set of files accessible to a user on a moderately sized system. To solve this problem we provide an efficient access control decision algorithm, reducing the overall complexity from cubic to linear. Our other major contribution is to provide a novel mechanism for administrators and users to review allowed access rights. We provide an interface that appears to be a simple file directory hierarchy but in reality is an automatically generated structure abstracted from the underlying access control graph that works with any set of simultaneously instantiated access control policies. Our work thus provides the first efficient implementation of NGAC while enabling user privilege review through a novel visualization approach. These capabilities help limit insider access to information (and thereby limit information leakage) by enabling the efficient simultaneous instantiation of multiple access control policies.

Using Network Tainting to Bound the Scope of Network Ingress Attacks

This research describes a novel security metric, network taint, which is related to software taint analysis. We use it here to bound the possible malicious influence of a known compromised node through monitoring and evaluating network flows. The result is a dynamically changing defense-in-depth map that shows threat level indicators gleaned from monotonically decreasing threat chains. We augment this analysis with concepts from the complex networks research area in forming dynamically changing security perimeters and measuring the cardinality of the set of threatened nodes within them. In providing this, we hope to advance network incident response activities by providing a rapid automated initial triage service that can guide and prioritize investigative activities.