• Title, Summary, Keyword: vulnerability

A study on automation of AV(Atomic Vulnerability) ID assignment (단위 취약점 식별자 부여 자동화에 대한 연구)

  • Kim, Hyung-Jong
    • Journal of Internet Computing and Services / v.9 no.6 / pp.49-62 / 2008
  • AV (Atomic Vulnerability) is a conceptual definition that represents a vulnerability in a systematic way; AVs are defined with respect to their type, location, and result. It is important information for meaning-based vulnerability analysis methods. An existing vulnerability can therefore be expressed using multiple AVs. CVE (Common Vulnerabilities and Exposures), the most well-known source of vulnerability information, describes the vulnerability exploitation mechanism in natural language. Therefore, for AV-based analysis, it is necessary to search for specific keywords in a CVE's description and classify it using the keywords and a determination method. This paper introduces the software design and implementation result, which can be used for atomic vulnerability analysis. The contribution of this work is the design and implementation of software that converts an informal vulnerability description into a formal AV-based vulnerability definition.

Vulnerability Analysis using the Web Vulnerability Scanner (Web Vulnerability Scanner를 이용한 취약성 분석)

  • Jang, Hee-Seon
    • Convergence Security Journal / v.12 no.4 / pp.71-76 / 2012
  • As the use of mashups, Web 3.0, JavaScript and AJAX (Asynchronous JavaScript and XML) increases, new security threats from web vulnerabilities also increase when web application services are provided. To diagnose vulnerabilities in advance and prepare for these threats, this paper presents a classification of security threats and requirements, and analyzes the web vulnerabilities of domestic web sites using the WVS (Web Vulnerability Scanner) automatic evaluation tool. For vulnerabilities such as XSS (Cross-Site Scripting) and SQL injection, the total alerts range from 0 to 31,177, with a mean of 411 and a standard deviation of 2,563. The results also show that 22.5% of the web sites have web vulnerabilities, and that proactive defenses against the security threats are required.

A Study for Rule Integration in Vulnerability Assessment and Intrusion Detection using Meaning Based Vulnerability Identification Method (의미기반 취약점 식별자 부여 기법을 사용한 취약점 점검 및 공격 탐지 규칙 통합 방법 연구)

  • Kim, Hyung-Jong;Jung, Tae-In
    • Journal of the Korea Institute of Information Security & Cryptology / v.18 no.3 / pp.121-129 / 2008
  • This paper presents a meaning-based vulnerability identification method that makes use of the concept of atomic vulnerability. We also make use of the decomposition and specialization processes used in DEVS/SES to obtain identifiers. This vulnerability representation method is useful for managing and removing vulnerabilities in an organized way. It helps relate vulnerability assessment and intrusion detection rules at a lower level. The relation enables security managers to respond more quickly and conveniently. In particular, this paper shows a mapping between Nessus plugins and Snort rules using the meaning-based vulnerability identification method and lists usages based on three goals that a security officer keeps in mind about vulnerabilities. The contribution of this work is the proposal of a meaning-based vulnerability identification method and the demonstration of its use for the rule integration of vulnerability assessment and intrusion detection.

Extended Linear Vulnerability Discovery Process

  • Joh, HyunChul
    • Journal of Multimedia Information System / v.4 no.2 / pp.57-64 / 2017
  • Numerous software vulnerabilities have been found in popular operating systems. Recently, robust linear behavior in the software vulnerability discovery process has been noticeably observed among many popular systems with multiple released versions. Software users need to estimate how much risk their software systems carry so that they can take action before it is too late. Security vulnerabilities are discovered throughout the life of a software system by both developers and normal end-users. So far, several vulnerability discovery models have been proposed to describe the vulnerability discovery pattern for determining readiness for patch release, optimal resource allocation, or evaluating the risk of vulnerability exploitation. Here, we apply a linear vulnerability discovery model to Windows operating systems to examine the linear discovery trends that are currently often observed. The applicability observations from the paper show that the linear discovery model fits the aggregate version very well, rather than each individual version.

The Vulnerability Analysis for Virtualization Environment Risk Model Management Systematization (가상화 환경 위험도 관리체계화를 위한 취약점 분석)

  • Park, Mi-Young;Seung, Hyen-Woo;Lim, Yang-Mi
    • Journal of Internet Computing and Services / v.14 no.3 / pp.23-33 / 2013
  • Recently in the field of IT, cloud computing technology has been deployed rapidly because of its flexibility, efficiency and cost-saving features. However, cloud computing systems have a major problem with security vulnerabilities. To address the security vulnerabilities of cloud computing systems, this study determined the types of impact that vulnerabilities have on virtual machines and set priorities according to a risk evaluation of virtual machine vulnerabilities. For analyzing the vulnerabilities, risk measurement standards were defined based on CVSS 2.0, which is an open framework, and the risk measurement was systematized by scoring the relevant vulnerabilities. The vulnerability risk standards are intended to capture the fundamental characteristics of a vulnerability and to provide the degree of risk, and consequently to be applicable to technical guides for minimizing vulnerabilities. Additionally, the suggested vulnerability risk standard is meaningful as study content in itself and could be used in technology policy projects to be conducted in the future.

Guidelines for the VESTAP-based Climate Change Vulnerability Assessment (VESTAP 기반 기후변화 취약성 평가 지침)

  • Park, Doo-Sun;Park, Boyoung;Jung, Eunhwa
    • Journal of Climate Change Research / v.8 no.4 / pp.339-346 / 2017
  • The Korea Adaptation Center for Climate Change (KACCC), located in the Korea Environment Institute, has provided a climate change vulnerability assessment support tool (VESTAP) since 2014 in order to help local governments establish their own adaptation plans. Owing to its ease of use, VESTAP has been utilized not only by local governments but also by academia for examining climate change vulnerability in various fields. However, although the KACCC manages the operation and application of VESTAP, it has not suggested a standard usage for how to compose indices for climate exposure, sensitivity, and adaptation capacity, which are the main components of vulnerability. Many users had no choice but to compose indices based on their own interpretation of the components of vulnerability. This technical note suggests the standard usage of VESTAP by reevaluating some previously developed vulnerability assessments. This may help users to correctly compose indices for climate change vulnerability assessment, and may minimize the possibility of inter-user inconsistency in the definition of vulnerability assessments.

Human Responses as Landscape Indicators of the Place Vulnerability (장소 취약도에 대한 경관지표로서의 인간의 대응)

  • HAN, Joo-Yup;LEE, Min-Boo
    • Journal of The Geomorphological Association of Korea / v.19 no.1 / pp.109-121 / 2012
  • Human responses, such as construction of levees, are a spatial representation of the place vulnerability which is induced by a geomorphic hazard like flooding. Human responses include all forms of human activities to reduce the place vulnerability and they seem to be related with reducing vulnerability rather than reducing geomorphic hazards. Diverse human responses to the perceived environment bring about changes in the place vulnerability. People respond spatially to their vulnerability of the place in diverse ways from their experience and perceived risk. Human responses have quantitative possibilities in predicting and modeling the place vulnerability. Building the model of a dynamic place vulnerability to the diverse geomorphic hazards requires basic maps of geomorphic processes and human responses in the region.

Refining software vulnerability Analysis under ISO/IEC 15408 and 18045 (ISO/IEC 15408, 18045 기반 소프트웨어 취약성 분석 방법론)

  • Im, Jae-Woo
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.5 / pp.969-974 / 2014
  • CC (Common Criteria) requires collecting vulnerability information and analyzing it through penetration testing when evaluating IT security products. Under time-limited circumstances, developers cannot help but apply vulnerability analysis to the products at random. Without systematic vulnerability analysis, the results inevitably vary depending on the developers' competence in vulnerability analysis. As a result, the security quality of products differs despite the same level of security assurance. It is even worse for other IT products that are not obliged to undergo CC evaluation and its vulnerability analysis. This study describes not only how to apply a vulnerability taxonomy to IT security vulnerabilities but also how to manage the security quality of IT security products in practice.

Study of a Flood Vulnerability Assessment for Climate Change and Utilizing the Vulnerability-based Disaster Response in Jeju-do (기후변화에 따른 제주도의 홍수 취약성 평가 및 취약성 기반 소방 대응 활용 연구)

  • Lim, Chae-Hyun;Park, Yong-Yi
    • Fire Science and Engineering / v.30 no.6 / pp.64-70 / 2016
  • This study assessed the flood vulnerability of Jeju-do under climate change using VESTAP. The results showed that the flood vulnerability of Jeju-do in the future (2020s, 2030s and 2040s) will increase continuously compared to the present time (2010s). In particular, the flood vulnerability of Jeju-si is expected to be higher than that of Seogwipo-si prior to the 2030s. Conversely, the flood vulnerability of Seogwipo-si is expected to be higher than that of Jeju-si after 2030. These analysis results confirmed the characteristics of flood vulnerability in Seogwipo-si and Jeju-si and the growth of flood vulnerability across the whole of Jeju-do.

Vulnerability Assessment and Analysis of Gangwon Provincial Forest Sector in Response to Climate Change (기후변화 대비 강원 지역 산림부문 현황 분석 및 취약성 평가)

  • Chae, Hee-Mun;Lee, Hyun-Ju;Um, Gi-Jeung
    • Journal of Forest and Environmental Science / v.28 no.2 / pp.106-117 / 2012
  • In an effort to analyze the impact of climate change, the Gangwon provincial forest was divided into three sectors (forest ecology, forest disaster, and forest productivity), and this study carried out an analysis of their current status from 2000 to 2009 and a vulnerability assessment under climate change. For the vulnerability assessment, the forest disaster (forest fires and forest pests) and forest productivity sectors, but not forest ecology, were analyzed for the current status, the year 2020, and 2050. It turned out that the vulnerability to forest fires in the disaster sector would worsen and that forest pests would also have a greater impact, although there is some variation between areas. For the vulnerability of forest productivity, there would not be a big difference in the future compared with the current vulnerability. Systematic research on the sensitivity index used for vulnerability assessment is necessary, since the vulnerability assessment result depends greatly on the use of the climate exposure index and adaptive capacity index.