As information technology has developed, threats to information security have persisted. Network threats and attacks such as viruses, worms, hacker intrusions, and denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks can exploit software vulnerabilities to attack systems. Because software vulnerabilities have a major impact on system security, various organizations and research institutes have built vulnerability databases from vulnerability data, and existing defence mechanisms such as firewalls, anti-virus software, intrusion detection systems and vulnerability scanners also maintain vulnerability databases of their own. Since each database is built for its own purposes, the same system vulnerability is described differently and assigned a different identifier in each of them, which makes the data inconvenient to use and makes it difficult to integrate vulnerability information across different defence mechanisms.
CVE is the current standard identifier for vulnerability data, and the major vulnerability databases include mappings to CVE identifiers. However, using CVE identifiers to integrate vulnerability data runs into several problems: CVE assignment is slow, CVE entries are updated slowly, CVE descriptions are terse, and other vulnerability databases have incomplete CVE mappings.
This study uses case-based reasoning to integrate vulnerability knowledge from different vulnerability databases. Each individual vulnerability record is treated as a single case; feature keywords are established for each vulnerability description, and similarity analysis over these feature keywords is used to find the most similar records in different vulnerability databases, identify the records that describe the same system vulnerability, and thereby integrate the databases.
Information security threats such as viruses, worms, hacker intrusions, and denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, which attack systems through software vulnerabilities, have existed for a long time, and their number has kept growing alongside the development of information technology. Several organizations and research centres have built their own vulnerability databases by collecting software vulnerability information, and tools such as firewalls, anti-virus software, intrusion detection systems (IDS) and vulnerability scanners each have vulnerability databases of their own. Because these databases serve different purposes and usages, a given vulnerability has a different description and a different identifier in each of them, which makes vulnerability information inconvenient to use and makes it difficult to integrate defence mechanisms across databases. CVE identifiers are now adopted by most vendors, and the major vulnerability databases provide CVE mappings. The problem with using CVE identifiers to integrate vulnerability information is that CVE assigns and updates its identifiers and descriptions much more slowly than the other databases; in addition, CVE descriptions are short, and the CVE mappings in other vulnerability databases are incomplete.
This research applies the Case-Based Reasoning method to integrate vulnerability knowledge across different vulnerability databases. Each individual vulnerability description is treated as a single case, and keywords extracted from the descriptions are used for similarity analysis to find the most similar cases in other databases and to identify records that describe the same vulnerability.
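The following is an added illustration of the case-matching procedure described in both abstracts above; it is not code from the thesis. Two constructed sample databases (fictitious products and identifiers, not real advisories) hold free-text descriptions of overlapping flaws. Each record is one case; feature keywords are extracted from its description; keywords are weighted by how rare they are across all cases so that a shared product name counts for less than a shared flaw-specific term; cases from one database are then paired with the most similar case in the other. The stopword list, the IDF-weighted Jaccard similarity, the 0.3 threshold and the one-to-one greedy assignment are this example's own choices, not the thesis's exact keyword scheme or similarity measure.

```python
import math
import re
from collections import Counter

# Constructed sample records (not real advisories). Each database uses its own
# identifier scheme and wording; two of the flaws appear in both databases.
DB_A = [
    {"id": "A-101", "description": "Heap-based buffer overflow in the TLS heartbeat "
     "extension of ExampleSSL 1.0.1 allows remote attackers to read process memory "
     "via a crafted heartbeat request."},
    {"id": "A-102", "description": "SQL injection in the login form of ExampleCMS 2.4 "
     "allows remote attackers to execute arbitrary SQL commands via the username parameter."},
    {"id": "A-103", "description": "Cross-site scripting (XSS) in the search page of "
     "ExampleCMS 2.4 allows remote attackers to inject arbitrary web script via the q parameter."},
]
DB_B = [
    {"id": "B-7", "description": "ExampleCMS 2.4 login username parameter SQL injection vulnerability."},
    {"id": "B-8", "description": "ExampleSSL 1.0.1 TLS heartbeat extension memory disclosure "
     "(heap over-read) via crafted heartbeat packet."},
    {"id": "B-9", "description": "ExampleFTP 3.1 anonymous login directory traversal allows "
     "reading arbitrary files."},
]

# Boilerplate words found in almost every advisory carry no case-specific
# information, so they are dropped before comparing cases (assumed list).
STOPWORDS = {
    "the", "and", "for", "with", "via", "allows", "allow", "remote", "attackers",
    "attacker", "arbitrary", "crafted", "vulnerability", "based", "that", "this",
    "from", "into",
}


def extract_keywords(description: str) -> set[str]:
    """Feature keywords of one case: lower-cased tokens (product names, version
    strings such as 1.0.1, flaw classes); hyphens act as separators, short tokens
    and stopwords are dropped. No stemming: 'read' and 'reading' stay distinct."""
    keywords = set()
    for token in re.findall(r"[a-z0-9][a-z0-9.]*", description.lower()):
        token = token.strip(".")
        if len(token) >= 3 and token not in STOPWORDS:
            keywords.add(token)
    return keywords


def build_idf(keyword_sets: list[set[str]]) -> dict[str, float]:
    """Smoothed inverse document frequency over all cases from both databases:
    a keyword shared by many cases (e.g. a popular product) weighs less than one
    that pins down a specific flaw."""
    n = len(keyword_sets)
    df = Counter(k for kws in keyword_sets for k in kws)
    return {k: math.log((n + 1) / (c + 1)) + 1.0 for k, c in df.items()}


def similarity(kw_a: set[str], kw_b: set[str], idf: dict[str, float]) -> float:
    """IDF-weighted Jaccard similarity between two cases' keyword sets (0..1)."""
    shared = sum(idf.get(k, 1.0) for k in kw_a & kw_b)
    total = sum(idf.get(k, 1.0) for k in kw_a | kw_b)
    return shared / total if total else 0.0


def match_databases(db_a, db_b, threshold: float = 0.3) -> dict:
    """Pair each case in db_a with its most similar case in db_b, one-to-one.
    Pairs are accepted in descending score order, so a db_b case that is the
    best candidate for two db_a cases goes to the closer one; cases with no
    candidate at or above `threshold` are reported as unmatched."""
    kw_a = {c["id"]: extract_keywords(c["description"]) for c in db_a}
    kw_b = {c["id"]: extract_keywords(c["description"]) for c in db_b}
    idf = build_idf(list(kw_a.values()) + list(kw_b.values()))
    candidates = sorted(
        ((similarity(ka, kb, idf), a_id, b_id)
         for a_id, ka in kw_a.items() for b_id, kb in kw_b.items()),
        reverse=True,
    )
    matches, used_a, used_b = [], set(), set()
    for score, a_id, b_id in candidates:
        if score < threshold:
            break  # sorted descending: nothing further can qualify
        if a_id in used_a or b_id in used_b:
            continue
        matches.append((a_id, b_id, round(score, 3)))
        used_a.add(a_id)
        used_b.add(b_id)
    return {
        "matches": matches,
        "unmatched_a": [c["id"] for c in db_a if c["id"] not in used_a],
        "unmatched_b": [c["id"] for c in db_b if c["id"] not in used_b],
    }


def integrate(db_a, db_b, threshold: float = 0.3) -> list[dict]:
    """Merged view: one record per distinct flaw, carrying every database's
    identifier and description for it."""
    by_id = {c["id"]: c for c in db_a + db_b}
    result = match_databases(db_a, db_b, threshold)
    merged = [{"ids": [a, b], "descriptions": [by_id[a]["description"], by_id[b]["description"]]}
              for a, b, _ in result["matches"]]
    for lone in result["unmatched_a"] + result["unmatched_b"]:
        merged.append({"ids": [lone], "descriptions": [by_id[lone]["description"]]})
    return merged


if __name__ == "__main__":
    for record in integrate(DB_A, DB_B):
        print(record["ids"])
```

On the sample data, A-102 and B-7 (the same SQL injection, worded very differently) score about 0.64, A-101 and B-8 (the same heartbeat memory disclosure) about 0.48, while the cross-site scripting case A-103 reaches only about 0.15 against B-7 because it shares nothing but the product name, version and the word "parameter", and so stays unmatched, as does B-9. Two caveats matter in practice: plain token overlap misses morphological variants and synonyms ("read" versus "reading", "memory disclosure" versus "information leak"), so a stemmer or synonym list improves recall; and the threshold trades false merges against missed matches and should be calibrated on records whose CVE mapping is already known.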