Taxonomies of attacks and vulnerabilities in computer systems

IEEE Communications Surveys and Tutorials

Volumn 10, Issue 1, 2008, Pages 6-19

  Igure, Vinay M ^a   Williams, Ronald D ^a  

^a UNIVERSITY OF VIRGINIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

SECURITY ASSESSMENT;

NETWORK SECURITY; SURVEYS;

TAXONOMIES;

EID: 68949173234     PISSN: None     EISSN: 1553877X     Source Type: Journal    
DOI: 10.1109/COMST.2008.4483667     Document Type: Review

References (69)

1. I. Arce, "More Bang for the Bug: An Account of 2003's Attack Trends," IEEE Sec. & Privacy, vol. 2, no. 1, Jan.-Feb. 2004, pp. 66-68.
2. C. E. Landwehr et al., "A Taxonomy of Computer Program Security Flaws," ACM Comp. Surveys, vol. 26, no. 3, Sept. 1994, pp. 211-54.
3. R. Bisbey II and D. Hollingworth, "Protection Analysis: Final Report," ISI/SR-78-13, USC/Info. Sci. Inst., Marina Del Rey, CA, May 1978.
4. K. Jiwnani and M. Zelkowitz, "Susceptibility Matrix: A New Aid to Software Auditing," IEEE Sec. & Privacy, vol. 2, no. 2, Mar-Apr 2004, pp.16-21.
5. Merriam-Webster Online Dictionary, http://www.m-w.com
6. J. D. Howard and T. A. Longstaff, "A Common Language for Computer Security Incidents," Sandia tech. rep. SAND98-8667, Oct. 1998.
7. U. Lindquist and E. Jonsson, "How to Systematically Classify Computer Security Intrusions," Proc. IEEE Symp. Sec. and Privacy, 4-7 May 1997, pp.154-63.
8. J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Comp. Commun. Rev., vol. 34, no. 2, Apr. 2004, pp. 39-53.
9. P. Syverson, "A Taxonomy of Replay Attacks [cryptographic protocols]," Proc. Comp. Sec. Foundations Wksp., 14-16 June 1994, pp. 187-91.
10. V. Raskin et al., "Ontology in Information Security: A Useful Theoretical Foundation and Methodological Tool," Proc. New Sec. Paradigms Wksp., Cloudcroft, NM, 2001, pp. 53-59.
11. A. Gray, "An Historical Perspective of Software Vulnerability Management," Info. Sec. Tech. Rep., vol. 8, no. 4, Apr. 2003, pp. 34-44.
12. CERT Coordination Center Vulnerability Database, http://www.kb.cert.org/ vuls
13. Common Vulnerabilities and Exposures List, http://www.cve.mitre.org/
14. M. Bishop, "Vulnerabilities Analysis," Proc. 2nd Int'l. Symp. Recent Advances in Intrusion Detection, Sept. 1999, pp. 125-36.
15. D. L. Lough, "A Taxonomy of Computer Attacks with Applications to Wireless Networks," Ph.D. dissertation, Virginia Tech, Apr. 2001.
16. C. Attanasio, P. Markenstein, and R. J. Phillips, "Penetrating an Operating System: a Study of VM/370 Integrity," IBM Sys. J., vol. 15, no. 1, 1976, pp. 102-16.
17. T. S. Perry and P. Wallich, "Can Computer Crime Be Stopped?" IEEE Spectrum, vol. 21, no. 5, May 1984, pp. 34-45.
18. D. L. Brinkley and R. R. Schell, "What Is There to Worry About? An Introduction to the Computer Security Problem," Information Security: An Integrated Collection of Essays, pp. 11-39, IEEE Comp. Soc. Press, 1995.
19. F. Cohen, "Information System Attacks: A Preliminary Classification Scheme," Comp. & Sec., vol. 16, no. 1, 1997, pp. 29-46.
20. F. Cohen, "Information System Defenses: A Preliminary Classification Scheme," Comp. & Sec., vol. 16, no. 2, 1997, pp. 94-114.
21. P. G. Neumann et al., "A Provably Secure Operating System," Tech. rep. SRI Project 2581, Contract DAAB03-73-C-1454, Prepared for USAECOM, Stanford Research Inst., 13 June, 1975.
22. P. G. Neumann, "Computer System Security Evaluation," Proc. Nat'l. Comp. Conf., vol. 47, June 1978, pp. 1087-95.
23. P. G. Neumann and D. B. Parker, "A Summary of Computer Misuse Techniques," Proc. 12th Nat'l Comp. Sec. Conf., 1989, pp. 396-407.
24. P. G. Neumann, Computer Related Risks, ACM Press, 1995.
25. S. Hansman and R. Hunt, "A Taxonomy of Network and Computer Attacks," Comp. & Sec., vol. 24, no. 1, Feb. 2005, pp. 31-43.
26. U. Lindquist and E. Jonsson, "A Map of Security Risks Associated with Using COTS," IEEE Computer, vol. 31 no. 6, June 1998, pp. 60-66.
27. S. Kumar, "Classification and Detection of Computer Intrusions," Ph.D. thesis, Purdue Univ., May 1995.
28. K. S. Killourhy, R. A. Maxion, and K. M. C. Tan, "A Defense-Centric Taxonomy Based on Attack Manifestations," Proc. Int'l. Conf. Dependable Sys. and Networks, 28 June-1 July 2004, pp. 91-100.
29. Lee Gerber, "Denial of Service Attacks Rip the Internet," IEEE Computer, vol. 33, no. 4, Apr. 2000, pp. 12-17.
30. P. G. Neumann, "Denial-of-Service Attacks," ACM Commun., vol 43. no. 4, Apr. 2000, pp. 136.
31. S. Kumar, "PING Attack - How Bad Is It?" Comp. & Sec. J., vol. 25, issue 5, July 2006, pp. 332-37.
32. S. Kumar, "On Impact of Distributed Denial of Service (DDoS) Attack due to ARP Storm," Lecture Notes in Comp. Sci., vol. LNCS-3421, Springer-Verlag, Apr. 2005.
33. A. Hussain, J. Heidemann, and C. Papadopoulos, "Denial-of-Service: A Framework for Classifying Denial of Service Attacks," Proc. Conf. Apps., Tech., Architectures, and Protocols for Comp. Commun., Aug. 2003, pp. 99-110.
34. G. Alvarez and S. Petrovic, "A Taxonomy of Web Attacks Suitable for Efficient Encoding," Comp. & Sec., vol. 22, no. 5, 2003, pp. 435-49.
35. P. L. Campbell, "The Denial-of-Service Dance," IEEE Sec. & Privacy, vol. 3, no. 6, Nov.-Dec. 2005, pp. 34-40.
36. G. Conti and M. Ahamad, "A Framework for Countering Denial-of-Information Attacks," IEEE Sec. & Privacy, vol. 3, no. 6, Nov.-Dec. 2005, pp. 50-56.
37. M. Abadi and R. Needham, "Prudent Engineering Practice for Cryptographic Protocols," IEEE Trans. Software Eng., vol. 22, no. 1, Jan 1996, pp. 6-15.
38. A. Wood and J. A. Stankovic, "Denial of Service in Sensor Networks," IEEE Computer, vol. 35, no. 10, Oct. 2002, pp. 54-62.
39. J. Newsome et al., "The Sybil Attack in Sensor Networks: Analysis & Defenses," Proc. 3rd Int'l Symp. Info. Processing in Sensor Networks, Berkeley, CA, 2004, pp. 259-68.
40. I. Arce, "The Shellcode Generation," IEEE Sec. & Privacy, vol. 2, no. 5, Sept.-Oct. 2004, pp.72-76.
41. P. Golle, D. Greene, and J. Staddon, "Security in VANET: Detecting and Correcting Malicious Data in VANETs," Proc. 1st ACM Wksp. Vehic. Ad Hoc Networks, Oct. 2004, pp. 29-37.
42. M. C. Man and V. K. Wei, "A Taxonomy for Attacks on Mobile Agent," EUROCON 2001, vol. 2, 4-7 July 2001, pp. 385-88.
43. J. R. Mostow, J. D. Roberts, and J. Bott, "Integration of an Internet Attack Simulator in an HLA Environment," Proc. IEEE Wksp. Info. Assurance and Sec., West Point, NY, June 6-7, 2000.
44. W. Du and A. P. Mathur, "Categorization of Software Errors that Led to Security Breaches," Proc. 21st Nat'l Info. Sys. Sec. Conf., 1998.
45. L. L. DeLooze, "Classification of Computer Attacks Using a Self-Organizing Map," Proc. 5th Annual IEEE Sys. Man and Cybernetics Info. Assurance Wksp., 2004, pp. 365-69.
46. W. S. McPhee, "Operating System Integrity in OS/VS2," IBM Sys. J., vol. 13, no. 3, 1974, pp. 230-52.
47. R. P. Abbott et al., "Security Analysis and Enhancements of Computer Operating Systems," Tech. rep. NBSIR 76-1041, Lawrence Livermore Lab., Inst. for Comp. Sci. and Tech./Nat'l. Bureau of Standards, RISOS Project, Washington, DC, Apr. 1976.
48. M. Bishop, "A Taxonomy of UNIX System and Network Vulnerabilities," Tech. rep. CSE-9510, Dept. of Comp. Sci., UC Davis, May 1995.
49. K. Jiwnani and M. Zelkowitz, "Maintaining Software with a Security Perspective," Proc. Int'l Conf. Software Maintenance, 3-6 Oct. 2002, pp. 194-203.
50. I. Krsul, "Software Vulnerability Analysis," Ph.D. dissertation, Purdue Univ., Coast TR 98-09, 1998.
51. T. Aslam, "A Taxonomy of Security Faults in the Unix Operating System," M.S. thesis, Dept. of Comp. Sci., Purdue Univ., Coast TR 95-09, 1995.
52. S. Kamara et al., "Analysis of Vulnerabilities in Internet Firewalls," Comp. & Sec., vol. 22, no. 3, 2003, pp. 214-32.
53. H. Wang and C. Wang, "Taxonomy of Security Considerations and Software Quality," Commun. ACM, vol. 46, no. 6, June 2003, pp. 75-78.
54. K. Tsipenyuk, B. Chess, andG. McGraw, "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors," IEEE Sec. & Privacy, vol. 3, no. 6, Nov.-Dec. 2005, pp. 81-84.
55. W. D. Yu, D. Aravind, and P. Supthaweesuk, "Software Vulnerability Analysis for Web Services Software Systems," Proc. 11th IEEE Symp. Comp. and Commun, 26-29 June 2006, pp. 740-48.
56. Z. Yongzheng and Y. Xiaochun, "A New Vulnerability Taxonomy Based on Privilege Escalation," Proc. 6th Int'l Conf. Enterprise Info. Sys., 2004, pp. 596-600.
57. B. Lampson, "Protection," Proc. 5th Princeton Conf. Info. Sci. and Sys., Princeton, NJ, 1971,
58. Reprinted in ACM Op. Sys. Rev. 8, no. 1, Jan. 1974, pp 18-24.
59. O. H. Alhazmi and Y. K. Malaiya, "Prediction Capabilities of Vulnerability Discovery Models," Annual Reliability and Maintainability Symp., 23-26 Jan. 2006, pp. 86-91.
60. S. Chen et al., "Security Vulnerabilities: From Analysis to Detection and Masking Techniques," Proc. IEEE, vol. 94, no. 2, Feb. 2006, pp. 407-18.
61. TCP SYN Flooding and IP Spoofing Attacks, CERT(r) Advisory CA-1996-21, http://www.cert.org/advisories/CA-1996-21.html
62. IP Denial-of-Service Attacks, CERT(r) Advisory CA-1997-28, http://www.cert.org/advisories/CA-1997-28.html
63. M. P. Ristenbatt, "Methodology for Network Communication Vulnerability Analysis," MILCOM 1988, vol. 2, 23-26 Oct., pp. 493-99.
64. N. D. Jayaram and P. L. R. Morse, "Network Security - A Taxonomic View," Proc. Euro. Conf. Sec. and Detection, School of Comp. Sci., Univ. of Westmister, U.K., no. 437, 28-30 Apr. 1997.
65. D. Welch and S. Lathrop, "Wireless Security Threat Taxonomy," Info. Assurance Wksp., IEEE Sys., Man and Cybernetics Soc., 18-20 June 2003, pp. 76-83.
66. S. M. Bellovin, "Security Problems in the TCP/IP Protocol Suite," Comp. Commun. Rev., vol. 2, no. 19, Apr. 1989, pp. 32-48.
67. S. M. Bellovin, "A Look Back at 'Security Problems in the TCP/IP Protocol Suite'," Proc. 20th Annual Comp. Sec. Apps. Conf., 2004, pp. 229-49.
68. V. Pothamsetty and B. Akyol, "A Vulnerability Taxonomy for Network Protocols: Corresponding Engineering Best Practice Countermeasures," Proc. 3rd IASTED Int'l Conf. Commun., Internet, and Info. Tech., 2004, pp. 168-75.
69. F. Cao and S. Malik, "Vulnerability Analysis and Best Practices for Adopting IP Telephony in Critical Infrastructure Sectors," IEEE Commun. Mag., vol. 44, no. 4, Apr. 2006, pp. 138-45.