1. Taxonomies of Attacks and Vulnerabilities in Computer Systems
Igure, V.M.; Williams, R.D.
IEEE Communications Surveys & Tutorials, Volume: 10  Issue: 1 (2008)
R 林昕彥
R 陳政彥

2. Why do we need taxonomy?
Their main goal was to organize information about known vulnerabilities or attacks, so that designers could use that information to build more secure systems or defense systems
If the classification is based on the actual vulnerability exploited by the attack, the dimension of classification can be considered as the cause of flaw
The taxonomy provides useful information to find unknown vulnerabilities as well as to avoid introducing similar vulnerabilities in future designs.
They provide a classification of testing techniques based on the vulnerability the test is meant to discover. Each test class discovers all the vulnerabilities that have similar characteristics

3. Attack sophistication vs. intruder technical knowledge

4. INTRODUCTION

5. Introduction
Security assessment of a system is the process of determining the system’s capability to resist attacks
This process typically involves probing the system to detect the presence of known vulnerabilities
most attacks typically exploit known vulnerabilities
This process is limited because it only searches for known vulnerabilities
Security assessment is an objective process only as long as it is limited to searching for known weaknesses
Probing a system to detect previously unidentified flaws is still a very subjective process

6. Introduction
Prior work has attempted to gain an understanding of the characteristics and nature of known vulnerabilities to support the prediction of vulnerabilities in new systems
The first step in understanding vulnerabilities is to classify them into a taxonomy based on their characteristics
A taxonomy classifies the large number of vulnerabilities into a few well defined and easily understood categories
Such classification can serve as a guiding framework for performing a systematic security assessment of a system
This article provides a state-of-the-art survey of existing security related taxonomies
The survey covers papers published between 1974 and 2006

7. TAXONOMIES AND SECURITY ASSESSMENT

8. Taxonomies and Security Assessment
A taxonomy is formally defined as “the study of the general principles of scientific classification”
This classification is done according to the relationships between the characteristics of the objects
A good taxonomy also provides a common language for the study of the field

9. Taxonomies and Security Assessment
taxonomies of vulnerabilities and attacks might be useful in the security assessment process
can also be useful for system designers
can also provide a way to explore unknown attacks
Many taxonomies of attacks and vulnerabilities have been published over the years, but there is still no standard or universally accepted taxonomy
Our primary interest is in the development and use of attack and vulnerability taxonomies in the security assessment process

10. ATTACK TAXONOMIES

11. Attacks Goals Dimension of taxonomy Comments
Types of Computer Crimes (Perry & Wallich 1984)
Listing main types of crimes
Two-dimensional matrix: crime vs. users committing the crime
Common characteristics: source of attack
Replay Attacks in Crypto-Protocols (Syverson 1994)
“consider which detection, representation, or prevention
mechanisms are appropriate for a replay
attack”
Source of attack is the primary dimension
of classification
Common characteristic: source of attack
Types of Misuse (Brinkley
& Schell 1995)
Listing of types of misuse; Not intended to be a taxonomy
Two-level hierarchy; classes are not
properly defined
Provides overview of types of misuse
IDS Attack Signatures
(Kumar 1995)
Classified attack signatures to develop comprehensive
database for an IDS
Based on manifestation of attacks in
network traffic and logs
Applied in IDS development
Types of Misuse
(Attacks) (Lindquist &
Jonsson 1997)
“Makes systematic study possible” “useful for
reporting incidents to response teams” “included a
grading of the severity”
Extended Neumann and Parker’s taxonomy
Discuss usefulness of selecting a
good dimension of classification

12. Attacks Goals Dimension of taxonomy Comments Attacks Against
Information Systems
(Cohen 1997)
“Putting all of the methods of attack into a classification
scheme and co-locating them with each other so that knowledgeable experts can … consider… possible attacks”
No classification, just a long list of
known attacks
An exhaustive list of attacks is static and needs to be constantly
updated to keep it relevant
Attacks (Lough 2001)
Develop a taxonomy of attacks in wireless networks
Distilled the classes discussed in prior
work on taxonomies into four common categories
The categories are similar to the
basic security properties
Attacks against Mobile
Agents (Man, Wei 2001)
“Used in the analysis of existing protection
schemes … useful for research developments”
Hierarchical taxonomy:
1. Intention
2. Number of attackers
3. Read vs. non-read
Classification is not based on
characteristics of attack
DoS Attacks in WSNs
(Wood, Stankovic 2002)
Highlight the various threats faced by WSNs
Attacks classified under the various network
layers of the communication protocol
Dimension is similar to location
of flaws
Sybil Attacks in WSNs
(Newsome et al. 2004)
“To better understand the implications of the Sybil
attack and how to defend against it”
Multidimensional:
1. Mode of communication
2. Type of identity
3. Simultaneity
Underscores the need for a taxonomy
to study a new field

13. Attacks Goals Dimension of taxonomy Comments DoS Attacks (Hussain et
“Provide the classification component of a realtime
attack analysis to aid network administrators”
Source of attack: single source vs. multiple
sources
Taxonomy can be used to
develop tools for real-time
defense
Web Attacks (Alvarez,
Petrovic 2003)
“Help designers … build more secure application
… a useful reference framework for security application”
Multidimensional taxonomy based on a
“Web attack life cycle”
Common classification types:
vulnerability; service; target
Attacks: Defense centric
(Killourhy et al. 2004)
“Organizes attacks by virtue of the way they manifest
as anomalies in sensor data”
Anomaly seen in sensor data; four categories
Mostly relevant only in IDS; lowlevel
categories
DDoS Attack and
Defense Mechanisms
(Mirkovic, Reiher 2004)
“Structure the DDoS field and facilitate a global
view of the problem and solution space”
Eight characteristics of an attack; three
characteristics of defenses
Common characteristic: exploited
weakness; impact on victim;
type of victim
Internet Attacks
(Mostow, Bott 2000);
(Delooze — 2004)
Build an attack simulator; Taxonomy was used in
the simulator model
Effects of the attack
Common characteristic: DoS,
Deception, Reconnaissance,
Unauthorized access

14. Attacks Goals Dimension of taxonomy Comments Attacks in VANETS (Golle
et al. — 2004)
Taxonomy was not the main aim
1. Nature
2. Target
3. Scope
4. Impact
Common characteristic nature
of attack; impact on victim;
scope; target;
Shellcode Attacks (Arce
2004)
“Understanding these programs’ technical capabilities
and their connection to those who develop
and use them”
Functional perspective:
1. Attack vector
2. Exploitation technique
3. Payload
Multiple ways to trigger a vulnerability
Attacks (Hansman, Hunt
— 2005)
Develop a “pragmatic taxonomy that is useful to
those dealing with attacks on a regular basis.”
Four taxonomies based on:
2. Attack target
3. Vulnerability
4. Payload
For application-specific
taxonomies, it might be possible
to combine all these into
one taxonomy

15. Types of Computer Crimes [17]
The six classes of users are not distinct
Two-dimensional matrix of computer attacks
First dimension: Users
Operators, programmers, data entry, internal users, outside users, and intruders
Second dimension: Computer crimes
Physical destruction, information destruction, data diddling, theft of services, browsing, and theft of information

16. Types of Computer Misuse [18]
Level One:
Theft of computer resources
Disruption of computer resources
Unauthorized disclosure of information
Unauthorized modification of information
Level Two:
Human error
User abuse of authority
Direct probing
Probing with malicious software
Direct penetration
Subversion of security mechanism

17. Information System Attacks [19]
First attempts at developing a taxonomy to help the security assessment process
put all possible attacks under a single taxonomy
could be used to predict future attacks in existing systems
The biggest drawback of [19] is that it is not a classification
It is merely a long list of all known attacks
The article lists 94 different attacks on information systems

18. Computer Attack [24]
In [24] Neumann identified 26 different kinds of computer attacks and classified them into nine categories:
External
Hardware misuse
Masquerading
Pest programs
Bypasses
Active misuse
Passive misuse
Inactive misuse
Indirect misuse
This can be considered a hierarchical taxonomy because it has two levels of classification

19. Classify Computer Security Intrusions [7]
Lindquist and Jonsson’s taxonomy [7, 26] is a very good example of one that is suitable for a security assessment process
the first to introduce the notion of dimension of classification
they extended three of Neumann and Parker’s categories into multiple subdivisions:
Bypass of intended controls
Active misuse of resources
Passive misuse of resources

20. IDS Related Taxonomies
Two main types of IDSs:
Signature-based system
Anomaly-based system
The primary motivation for this classification was to provide a defense-centric taxonomy to help network defenders

21. Signature-based system
Every attack manifests itself as some kind of event or sequence of events in a network
These unique events are called the signatures of the attack
Every known attack is given a signature based on its characteristics
Attack taxonomy can ensure that all known attacks are represented in the database

22. Signature-based system
In [27] Kumar presents a taxonomy signatures to help build an effective IDS
Attack signatures are classified into five categories:
Existence
Sequence
Partial order
Duration
Interval

23. Anomaly-based system
Looking for any network activity that deviates from the norm
Killourhy et al. [28] developed a taxonomy of attacks based on their manifestation as anomalies in IDS sensor data
Every attack manifests itself either as a:
Foreign symbol
Minimal foreign sequence
Dormant sequence
Non-anomalous sequence

24. DoS Attack Related Taxonomies
Attacker can carry out a successful attack without penetrating the target network
In [29] Neumann lists three types of DoS attacks based on the source of the attack
no network penetration and can be carried out remotely over the Internet
attacker exploits some known vulnerability to penetrate the network and then carries out resource exhaustion attacks
distributed DoS (DDoS) attacks, attackers penetrate or compromise many third party computers and use them to launch a DoS attack against the target network

25. DoS Attack Related Taxonomies
Mirkovic and Reiher [8] intended to build a taxonomy that would provide a complete overview of the field of DDoS attacks and defenses
Each attack has multiple characteristics, and Mirkovic and Reiher classify attacks along multiple dimensions
This classification is not mutually exclusive
Eight dimensions:
Degree of automation
Exploited weakness
Source address validity
Attack rate dynamics
Possibility of characterization (based on packet content)
Persistence of agent set
Victim type
Impact on the victim

26. DoS Attack Related Taxonomies
In [35] Campbell uses a novel dance metaphor to characterize DoS attacks
He characterizes a DoS attacker as a third person interrupting two dancing partners
He groups all DoS attacks under four classes that represent the attacker’s strategy for success:
Partner -> spoofing
Flood -> flooding
Trip -> shutting down
Intervene -> interception

27. Web Attack Taxonomies
Alvarez and Petrovic [34] analyzed and classified Web attacks, their goal was to extract useful information for application developers to build more secure systems

28. Specialized Attack Taxonomies
There are many attack taxonomies that cover only certain specific applications
Man and Wei [42] developed a taxonomy of attacks against mobile agents
The goal of the work was to understand all possible attacks against mobile agents and then use this understanding to develop appropriate protection mechanisms
The first level of classification in [42] divides attacks into two categories based on the intentions of the attack
hierarchical, and this characteristic is useful for security assessment

29. Taxonomies for Security Assessment
Lough presents an exhaustive survey of computer attack and vulnerability taxonomies in [15]
Classifies all attacks under four categories:
Incorrect validation
Incorrect exposure
Incorrect randomness
Incorrect deallocation
This classification is made on the cause of attack dimension
Lough’s taxonomy is not application-specific

30. Taxonomies for Security Assessment
In [25] Hansman and Hunt aim to develop a “pragmatic taxonomy that is useful to those dealing with attacks on a regular basis.”
They conclude that it is difficult to develop an effective tree-structure taxonomy of attacks
Four dimension:
Attack vector
Attack target
Vulnerabilities and exploits
Attacks with payloads
If the taxonomy were application-specific instead of trying to incorporate all possible kinds of attacks, it might not be very difficult to develop a single tree-structure taxonomy of attacks

31. VULNERABILITY TAXONOMIES

32. Vulnerability Taxonomy
One of the earliest works on this topic was done by McPhee.
McPhee’s paper was published in 1974, and since then there has been much research done on computer security.
McPhee lists seven class of integrity flaws in operating systems:
System data in user area
Non-unique identification of system resource
System violation of storage protection
User data passed as system data
User-supplied address of protected control blocks
Concurrent use of serial resources
Uncontrolled sensitive system resource

33. Vulnerability Taxonomy
Attanasio described the methodology and results of penetration testing experiments.
The penetration analysts had three goals:
The paper does not provide a taxonomy, as that was not their goal, but it makes the important contribution of listing operations system characteristics that are likely to have flaws.
To obtain information to which they were not entitled
To launch a DoS attack by exhausting resources
To obtain resources bypassing the accountability mechanisms

34. Vulnerability Taxonomy
After the penetration testing experiment, Attanasio et al. Listed 16 OS features that are likely to have flaws:
Implicit or explicit resource sharing mechanisms
Man-machine interfaces administered by the OS
Configuration management problem
Add-on features
Design modifications and design extensions
Parameter checking
Control of security descriptors

35. Vulnerability Taxonomy
Error handling
Side effects
Parallelism
Access to microprogramming
Complex interfaces
Duplication of function
Limits and prohibitions
Access to residual information
Violation of design principles

36. TAXONOMY OF SOFTWARE PROGRAM FLAWS

37. Taxonomy of Software Program Flaws
The Research in Secured Operating Systems (RISOS) project and the Protection Analysis (PA) project were two of the earliest efforts at producing taxonomies of vulnerabilities in computer software.
Both of the projects examined the vulnerabilities in different operating systems.

38. Taxonomy of Software Program Flaws
The seven classes of vulnerabilities in the RISOS project were:
Incomplete parameter validation
Inconsistent parameter validation
Implicit sharing of privileged/confidential data
Inadequate identification
Authentication or authorization
Asynchronous validation or inadequate serialization
Violable prohibition or limiting and exploitable logic error

39. Taxonomy of Software Program Flaws
The ten classes from the PA project were:
Consistency of data over time
Validation of operands
Validation of residuals
Validation of naming
Validation of domain
Serialization
Interrupted atomic operations
Exposed misrepresentations
Queue management dependencies
Critical operator selection error

40. Taxonomy of Software Program Flaws
The categories of both the RISOS and PA classifications indicate that the dimension of classification was by operations.
This means that the categories represent operations of the OS which can be misused to cause attacks.
The RISOS and PA categories would be greatly beneficial in a larger taxonomy.

41. Taxonomy of Software Program Flaws
Bishop analyzed the RISOS and PA taxonomies, and showed that these classes could be mapped onto each other.
Bishop classified each vulnerability along six axes:
Nature of the flaw
Time of introduction
Exploitation domain of the vulnerability
The effect domain
The minimum number of components needed to exploit the vulnerability
The source of the identification of the vulnerability

42. Taxonomy of Software Program Flaws
After the PA project, the most influential work on taxonomies of flaws was done by Landwehr et al.
They did not limit their taxonomy to operating systems but provided a more general taxonomy of flaws in computer programs.
They classified their flaws in three different dimensions:
Genesis
Time of introduction
location

43. Taxonomy of Software Program Flaws
Jiwnani et al. used Landwehr’s taxonomy to aid security testing.
They adapted Landwehr’s three dimensions to build a matrix that related the cause of the vulnerability.
To be effective, the taxonomy must be used in conjunction with all the dimensions of the classification.
The assessment process can be more systematic if these dimensions are arranged hierarchically.

44. Taxonomy of Software Program Flaws
All the work we have seen so far classified attacks or vulnerabilities based on some inherent characteristic of the attack or vulnerability itself.
Krsul departed from this norm.
He developed a taxonomy based on the observation that most of the vulnerabilities were introduced into programs because of mistaken assumptions by the programmer.
He classified flaws according to the assumption that led to their introduction into the software.

45. Taxonomy of Software Program Flaws
Aslam focused only on the UNIX operating system.
Aslam’s taxonomy is hierarchical, and the first level had three main categories:
Configuration flaws
Environment flaws
Coding flaws
The dimension of classification for these three classes is the cause of the flaw.

46. Taxonomy of Software Program Flaws
Du and Mathur described each flaw with multiple attributes. They classify flaws along three axes:
Cause
Impact
Fix
Landwehr’s original genesis class had two main subclasses: intentional and inadvertent flaws.
Du and Mathur ignore the intentional flaws. Instead, they focused on the inadvertent flaws in the software.
Since the taxonomy provides details about the flaws, it could be effective in a security assessment process.

47. Taxonomy of Software Program Flaws
Kamara et al. successfully use Du and Mathur’s taxonomy for analyzing vulnerabilities in Internet firewalls.
They break down a firewall into its constituent components, and its operations and data flow.
They analyze some of the well-known firewall vulnerabilities, and map them to both Du and Mathur’s taxonomy and the specific operations and parts of the firewalls.
The result is a matrix that identifies which operations and parts of a firewall are likely to produce flaws.
This is very useful in future security assessments of other firewalls as well as in preventing the same kinds of flaws in new products.

48. Taxonomy of Software Program Flaws
Gray’s aim was to develop a taxonomy of vulnerabilities that would be useful to people in various positions in a software development organization.
Gray combined the work of Landwehr, Bishop, and Wang into an extended and multi-perspective taxonomy.

49. Taxonomy of Software Program Flaws
The taxonomy had ten classes of program flaws:
Genesis
Time of introduction
Location
Execution environment
Quality impact
Method of discovery
Thread and exploitation scenarios
Monitoring and exploitation scenarios
Limitation and remediation scenarios
Elimination methods

50. Taxonomy of Software Program Flaws
Gray’s approach of combining all the perspectives within one taxonomy is not very efficient.
Gray does not offer any subclasses for any of these classes.
Such a single-level taxonomy does not provide adequate information about the flaws.
This ineffectiveness shows that taxonomies are most useful when they are developed for a particular application from a specific perspective.

51. Taxonomy of Software Program Flaws
Tsipenyuk et al. seek to simplify the existing software vulnerabilities taxonomies.
They claim that most of the existing taxonomies are too complex.

52. Taxonomy of Software Program Flaws
In order to help software developers and security practitioners, they group all software security flaws under eight classes:
Input validation and representation
API abuse security features time and state
Errors
Code quality
Encapsulation
Environment

53. Taxonomy of Software Program Flaws
Yu et al. provide a framework for analyzing the security of Web software service.
The unique contribution is that they relate all the attacks with the software vulnerabilities each attack exploits.

54. Taxonomy of Software Program Flaws
Yongzheng and Xiochen develop a taxonomy of vulnerabilities to aid the security risk assessment process.
They base on the concept of “privilege sets” and “privilege escalation.”
A vulnerability can be viewed as a feature that gives additional privileges to the attacker.
The paper ranks the privilege sets of nine user classes, ranging from common user to root.
The paper provides a ranking of the impacts of each privilege level, with the root level causing the greatest damage and the user level causing the least.

55. Taxonomy of Software Program Flaws
Wang’s work also explored the link between a flaw and the risk posed by that flaw.
A flaw that could be exploited in multiple ways can be considered more risky.
Than one that can be exploited only in one way.

56. Taxonomy of Software Program Flaws
Alhazmi et al. test the efficacy of vulnerability discovery models to predict the number of vulnerabilities in a software product.
Having a target number of vulnerabilities could help the security analyst, but traditional taxonomy–based classifications would have to be used to find the actual vulnerabilities.

57. Network Vulnerability Taxonomies

58. Network Vulnerability Taxonomies
Ristenbatt describes a methodology name Network Communications Vulnerability Assessment (NCVA)
which was developed to perform network vulnerability assessment.
The first taxonomy classified the various types of networks according to their design.

59. Network Vulnerability Taxonomies
The objective of this taxonomy was to provide the analyst with a high-level overview of the network. The top-level categories were:
The transfer strategy
The network transfer control method
The transfer link structure
Link access method or protocol
System topology architecture

60. Network Vulnerability Taxonomies
The second taxonomy outlined the typical network susceptibilities.
He defines susceptibilities as system features that might be targeted by attackers. Susceptibilities are potential vulnerabilities.
The network susceptibilities taxonomy has five classes:
Topology
Physical layer
Data link layer
Network layer
Management and control

61. Network Vulnerability Taxonomies
Jayaram and Morse provide a taxonomy of security threats to networks. Their taxonomy has five categories:
Physical threats
System weak spots
Malign problems
Access rights
Communication-based threats

62. Network Vulnerability Taxonomies
A more elaborate taxonomy of threats to networks is provided by Welch and Lathrop.
The taxonomy was developed to build a security architecture for a wireless network.
The taxonomy is hierarchical and provides a systematic approach for analyzing al the security threats faced by a network.
They begin by considering threats to each of the basic security properties: confidentiality and integrity.

63. Network Vulnerability Taxonomies
The taxonomy lists seven attacks that pose a threat to security properties:
Traffic analysis
Passive eavesdropping
Active eavesdropping
Unauthorized access
Man-in-the-middle
Session highjacking
Replay attacks

64. Network Vulnerability Taxonomies
Pothamsetty and Akyol made an effort at producing a taxonomy of network protocol vulnerabilities.
Their main goal was to organize information about known vulnerabilities.
They classify the vulnerabilities into seven categories:
Clear text communication
Non-robust protocol message parsing
Insecure protocol state handling
Inability to handle abnormal packet rates
Replay and reuse
Protocol field authentication
Entropy problems

65. Properties of a Taxonomy for Security Assessment

66. Properties of a Taxonomy for Security Assessment
The goal is to identify a set of characteristics for a very specific taxonomy: one that can be used effectively in a security assessment process.
The taxonomy must be tailored to the viewpoint of an assessment professional. It should also help make the process as objective as possible.
The basic properties of such a taxonomy would be:
Application- or system-specific taxonomy
Taxonomy must be layered or hierarchical
First level of classification – attack impact
Second level of classification – system-specific attack types
Third level of classification – system components (attack targets)
Fourth level of classification – system features (source of vulnerability)
Classes need not be mutually exclusive

67. Properties of a Taxonomy for Security Assessment
The efficacy of a security assessment process should be measured by its objectivity and vulnerability coverage.
A process with good vulnerability coverage explores all relevant system features that are likely to have vulnerabilities.
Although there are no metrics for measuring objectivity and vulnerability coverage, we believe that a taxonomy with the above properties greatly aids a security assessment process.

68. Conclusion
This article presents a survey of all taxonomies related to computer and network security.
The survey analyzes existing work on security taxonomies and assess their usefulness in terms of security assessment.
The analysis helps identify specific properties of taxonomies that aid security assessment.