UVDA：自动化融合异构安全漏洞库框架的设计与实现

doi:10.11959/j.issn.1000-436x.2015218

摘要/Abstract

摘要：

安全漏洞是网络安全的关键，漏洞库旨在收集、评估和发布安全漏洞信息。然而，漏洞库相互之间存在数据的冗余和异构，导致漏洞信息共享困难。针对上述问题，收集和分析了15个主流漏洞库共计84.2万条漏洞数据。基于文本挖掘技术提出了漏洞去除重复的规则（准确率为94.4%），以及漏洞数据库融合（UVDA,uniform vulnerability database alliance）框架。最后在多个漏洞库上，实现了UVDA框架，实现过程完全自动化。生成的UVDA数据库已经应用于国家安全漏洞库，并且可以按照产品型号和时间进行统一的检索，推进了漏洞信息发布机制标准化进程。

关键词: 信息安全, 数据融合, 漏洞数据库, 文本挖掘, UVDA

Abstract:

Security vulnerability was the core of network security.Vulnerability database was designed to collect,assess and publish vulnerability information.However,there was redundant and heterogeneous data in vulnerability database which leads to sharing difficulty of vulnerability information among vulnerability database.15 main vulnerability database with a total of 842 thousands of vulnerability data items were connected and analyzed.Based on text mining technology,a rule of removing duplicate form vulnerabilities whose accuracy rate was 94.4% and vulnerability database fusion framework(UVDA)were proposed.Finally,three representative vulnerability database were used to realize UVDA framework,which made the process fully automatic.The generated UVDA vulnerability database has been used in national security vulnerability database and can be retrieved according to uniform product version and date time,promoting the standardization process of vulnerability information release mechanism.

Key words: information security, data fusion, vulnerability database, text mining, UVDA

温涛,张玉清,刘奇旭,杨刚. UVDA：自动化融合异构安全漏洞库框架的设计与实现[J]. 通信学报, 2015, 36(10): 235-244.

Tao WEN,Yu-qing ZHANG,Qi-xu LIU,Gang YANG. UVDA:design and implementation of automation fusion framework of heterogeneous security vulnerability database[J]. Journal on Communications, 2015, 36(10): 235-244.

图/表 16

图1

表1

表2

表3

图2

图3

图4

图5

表4

表5

表6

表7

各个字段计算量分析"

指标	参考链接	厂商与产品型号	CVSS指标	漏洞类型
可取值	371 762	105 352	729	20
复杂度	100	$\frac{105352 \times 10}{2}$	1	1
数量级	7	11	3	2

表7

图6

表8

各个融合框架计算量比较"

算法	计算复杂度	复杂度数量级
VSMH	105 352×105 352×50 + 729 + 20	11
ABVD	105 352×105 352×50 + 729	11
UFVD	371 762×100 + 729	7
SVAS	371 762×100	7
UVDA	$371762 \times 100 + \frac{15887 \times 10}{2}$	7

表8

图7

图8

参考文献 27

[1]	LIU Q X , ZHANG Y Q . VRSS:a new system for rating and scoring vulnerabilities[J]. Computer Communications, 2011,34(3): 264-273.
[2]	ZHAO D Y , FURNELL S M,AL-AYED A . The research on a patch management system for enterprise vulnerability update[A]. Proc of Information Engineering,WASE International Sonference:2[C]. Taiyuan,China, 2009. 250-253.
[3]	MUNIR R , AWAN I , MUFTI M R . A quantitative measure of the security risk level of enterprise networks[A]. Proc of Broadband and Wireless Computing,Communication and Applications(BWCCA),2013 Eighth International Conference[C].Compiegne:IEEE. 2013. 437-442.
[4]	WU W , YIP F , YIU E ,et al. Integrated vulnerability management system for enterprise networks[A]. Proc of e-Technology,e-Commerce and e-Service,The 2005 IEEE International Conference[C]. IEEE, 2005. 698-703.
[5]	SHAHZAD M , SHAFIQ M Z , LIU A X . A large scale exploratory analysis of software vulnerability life cycles[A]. Software Engineering(ICSE),2012 34th International Conference[C]. IEEE, 2012. 771-781.
[6]	BM internet security systems[EB/OL]. .
[7]	NSFocus[EB/OL]. .
[8]	National vulnerability database[EB/OL]. .
[9]	张玉清, 吴舒平, 刘奇旭 ,等. 国家安全漏洞库的设计与实现[J]. 通信学报, 2011,32(6): 93-100. ZHANG Y Q , WU S P , LIU Q X ,et al. Design and implementation of national security vulnerability database[J]. Journal on Communications, 2011,32(6): 93-100.
[10]	OKAMURA H , TOKUZANE M , DOHI T . Security evaluation for software system with vulnerability life cycle and user profiles[A]. Dependable Transportation Systems/Recent Advances in Software Dependability(WDTS-RASD)[C]. IEEE, 2012. 39-44.
[11]	LIU Q X , ZHANG Y Q , KONG Y ,et al. Improving VRSS-based vulnerability prioritization uusing analytic hierarchy process[J]. Journal of Systems and Software, 2012,85(8): 1699-1708.
[12]	WANG L Y K , SUSHIL J , ANOOP S ,et al. K-zero day safety:a network security metric for measuring the risk of unknown vulnerabilities[J]. IEEE Transactions on Dependable and Secure Computing, 2014,11(1): 30-44.
[13]	GHANI H , LUNA J , KHELIL A . Predictive vulnerability scoring in the context of insufficient information availability[A]. Proc of Risks and Security of Internet and Systems(CRiSIS),2013 International Conference La Rochelle[C]. IEEE, 2013. 1-8.
[14]	ALVI A K , ZULKERNINE M . A natural classification scheme for software security patterns[A]. Dependable,Autonomic and Secure Computing(DASC),2011 IEEE Ninth International Conference[C]. IEEE, 2011. 113-120.
[15]	VENTER H S , ELOFF J H P , LI Y L . Standardising vulnerability categories[J]. Computers and Security, 2008,27(3-4): 71-83.
[16]	CHEN Z Q , ZHANG Y , CHEN Z R . A categorization framework for common computer vulnerabilities and exposures[J]. The Computer Journal, 2010,53(5): 551-580.
[17]	TRIPATHI A , SINGH U K . On prioritization of vulnerability categories based on CVSS scores[A]. Computer Sciences and Convergence Information Technology(ICCIT),2011 6th International Conference[C]. IEEE, 2011. 692-697.
[18]	ZHENG C , ZHANG Y Q , SUN Y F ,et al. IVDA:international vulnerability database alliance[A]. Proc of Cybersecurity Summit(WCS),2011 Second Worldwide[C]. London,UK, 2011. 1-6.
[19]	WANG J A , ZHOU L F , GUO M Z ,et al. Measuring similarity for security vulnerabilities[A]. Proc of System Sciences(HICSS),2010 43rd Hawaii International Conference[C]. Honolulu, 2010. 1-10.
[20]	KOCATEKIN T , ISTANBUL T , UNAY D . Text mining in radiology reports[A]. Proc of Signal Processing and Communications Applications Conference(SIU),2013 21st[C]. Haspolat, 2013. 1-4.
[21]	ABDUL-RAHMAN S , MUTALIB S , KHANAFI N A . Exploring feature selection and support vector machine in text categorization[A]. Proc of Computational Science and Engineering(CSE),2013 IEEE 16th International Conference[C]. Sydney,NSW, 2013. 1101-1104.
[22]	Security content automation protocol[EB/OL]. .
[23]	Common vulnerabilities and exposures[EB/OL]. .
[24]	MELL P , SCARFONE K , ROMANOSKY S . Common vulnerability scoring system[J]. Security and Privacy, 2006,4(16): 85-89.
[25]	ARNOLD A D , HYLA B M , ROWE N C . Automatically building an information-security vulnerability database[A]. Proc of Automatically Building an Information-Security Vulnerability Database[C]. West Point,NY, 2006. 376-377.
[26]	GU Y H , LI PEI . Design and research on vulnerability database[A]. Proc of Information and Computing(ICIC),2010 Third International Conference:2[C]. Wuxi,China, 2010. 209-212.
[27]	王晓甜, 张玉清 . 安全漏洞自动收集系统的设计与实现[J]. 计算机工程, 2006,32(20): 177-179. WANG X T , ZHANG Y Q . Design and implementation of security vulnerability auto-collection system[J]. Computer Engineering, 2006,32(20): 177-179.

漏洞库名称(网址)	数量（万）	参考链接	产品型号	CVSS分级	CWE分类
NVD	6.9	100%	100%	100%	100%
SecurityFocus	7.0	100%	100%	42%	42%
OSVDB	11.4	100%	100%	64%	64%
X_Force	9.6	100%	100%	69%	69%
Secunia	5.3	100%	100%	49%	49%
EDB	3.0	100%	92.0%	59%	59%
CXSecurity	2.2	100%	100%	49%	49%
PacketStorm	3.5	100%	100%	6%	6%
CNVD	6.1	100%	100%	48%	48%
CNNVD	7.3	100%	100%	94%	94%
NIPC	7.0	100%	100%	93%	93%
SCAP中文	7.3	100%	100%	95%	95%
Sebug	2.2	100%	100%	14%	14%
NSFocus	3.0	100%	100%	48%	48%
Wooyun	2.4	100%	100%	0%	0%
均值	5.6	100%	99.5%	55.3%	55.3%
总值	84.2	—	—	—	—

算法	参考链接	受影响厂商与产品型号	CVSS指标	漏洞类型
VSMH	—	采用	采用	采用
ABVD	—	采用	采用	—
UFVD	采用	—	采用	—
SVAS	采用	—	—	—
UVDA	采用	采用	—	—

分析指标	参考链接	受影响厂商与产品型号	CVSS指标	漏洞类型
适用率	好	好	差	差
准确率	中	好	差	差
计算量	中	差	好	好

漏洞数量	NVD关于X_Force	X_Force关于NVD	NVD关于NSFocus	NSFocus关于NVD
相同漏洞数	28 578	28 129	8 435	8 802
相关漏洞数	67 099	68 287	25 370	21 239
最终合并数	56 726	56 085	15 980	16 675
漏洞总数	68 864	96 367	68 864	29 589

算法	参考链接	厂商与产品型号	CVSS指标	漏洞类型	适用率
VSMH	—	100%	69.0%	69.0%	69.0%
ABVD	—	100%	69.0%	—	69.0%
UFVD	100%	—	69.0%	—	69.0%
SVAS	100%	—	—	—	100%
UVDA	100%	100%	—	—	100%