A Study on the Improvement and Utilization of Public N-Day Vulnerability Databases

  • JongSeon Jeong (Korea University);
  • Jungheum Park (Korea University)
  • Received : 2024.05.16
  • Accepted : 2024.06.28
  • Published : 2024.08.31

Abstract

If software is not updated after a vulnerability is disclosed, it remains exposed to attack. As attacks exploiting known vulnerabilities increase, detecting N-day vulnerabilities has therefore become more important. However, in public vulnerability databases it is difficult to find specific version information, and searches sometimes return the wrong version or the wrong software. The public vulnerability databases are also poorly linked to one another. To overcome these limitations, this paper proposes a method for building an integrated database that contains comprehensive vulnerability information from sources such as CVE, CPE, and the Exploit Database. Furthermore, a vulnerability search website built on this integrated database is developed, and its usefulness is shown in detecting and utilizing vulnerabilities in specific software versions and in the Windows operating system.

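As an added example (not the paper's code, nor any database's own tooling), the following Python sketch shows the kind of lookup an integrated CVE/CPE/Exploit-DB store enables: it parses CPE 2.3 formatted strings, applies NVD-style version-range bounds so that a query returns neither the wrong version nor a similarly named product, and returns the matching CVE ids with their linked Exploit-DB ids. All rows, vendor/product names and CVE/EDB identifiers are constructed placeholders.

```python
"""Added example, not the paper's code: look up N-day issues for one software
version in a small integrated CVE/CPE/Exploit-DB store (all rows constructed)."""
import re

# Constructed rows shaped like NVD configuration entries: a CPE 2.3 string plus
# optional version-range bounds, and placeholder Exploit-DB ids referencing the CVE.
INTEGRATED_DB = [
    {"cve": "CVE-EXAMPLE-0001", "cpe": "cpe:2.3:a:acme:webapp:*:*:*:*:*:*:*:*",
     "start_incl": "2.0", "end_excl": "2.4.1", "edb": ["EDB-EXAMPLE-1"]},
    {"cve": "CVE-EXAMPLE-0002", "cpe": "cpe:2.3:a:acme:webapp:2.4.1:*:*:*:*:*:*:*",
     "start_incl": None, "end_excl": None, "edb": []},
    {"cve": "CVE-EXAMPLE-0003", "cpe": "cpe:2.3:a:acme:webapp_pro:*:*:*:*:*:*:*:*",
     "start_incl": None, "end_excl": "3.0", "edb": ["EDB-EXAMPLE-2"]},
]

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 fields, honouring escaped colons."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, (f.replace("\\:", ":") for f in fields[2:])))

def version_key(v: str) -> tuple:
    """Numeric tuple so that '2.10' sorts after '2.9' (a string compare would not)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def matches(row: dict, vendor: str, product: str, version: str) -> bool:
    """Exact vendor/product match, then an exact version or an NVD-style range check."""
    cpe = parse_cpe23(row["cpe"])
    if cpe["part"] != "a" or cpe["vendor"] != vendor or cpe["product"] != product:
        return False  # exact product compare keeps 'webapp' from matching 'webapp_pro'
    if cpe["version"] not in ("*", "-"):
        return version_key(cpe["version"]) == version_key(version)
    v, lo, hi = version_key(version), row["start_incl"], row["end_excl"]
    return (lo is None or version_key(lo) <= v) and (hi is None or v < version_key(hi))

def lookup(vendor: str, product: str, version: str) -> list:
    """CVE ids and their linked Exploit-DB ids affecting the queried version."""
    return [{"cve": r["cve"], "edb": r["edb"]}
            for r in INTEGRATED_DB if matches(r, vendor, product, version)]

if __name__ == "__main__":
    print(lookup("acme", "webapp", "2.3.9"))  # only CVE-EXAMPLE-0001 is in range
```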

Acknowledgement

This research was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) in 2024 (RS-2023-00227165, Development of binary-based automatic software vulnerability detection and analysis technology applicable to weapon system platforms).
