TY - GEN
T1 - VCPEC
T2 - 10th International Conference on Communication and Network Security, ICCNS 2020
AU - Wang, Xuefei
AU - Ma, Rui
AU - Tian, Donghai
AU - Wang, Xiajing
N1 - Publisher Copyright: © 2020 ACM.
PY - 2020/11/27
Y1 - 2020/11/27
AB - Vulnerability correlation analysis has become a key technique in the field of vulnerability analysis, which effectively addresses the limitation of only analyzing an isolated vulnerability. Even though the existing techniques have demonstrated their effectiveness in assessing the complex relationships between vulnerabilities, they remain limited in accurately locating critical vulnerabilities. To overcome this issue, we design a vulnerability correlation analysis method, named VCPEC, to discover critical vulnerabilities using extended coritivity theory towards a novel privilege model. The key idea is to construct a vulnerability correlation graph (VCG) according to the system privilege grading strategy and the vulnerability privilege escalation paths, reducing the complexity of the graph. The extended coritivity theory is then used to calculate the core of the VCG, which means the critical vulnerabilities can be further recognized. Thus, repairing the critical vulnerabilities achieves efficient protection of the target system while saving the cost of repairing vulnerabilities. We design and perform experiments to verify the feasibility and efficiency of VCPEC in real-world software systems. The results show that VCPEC can accurately locate critical vulnerabilities.
KW - Coritivity theory
KW - Privilege escalation
KW - Vulnerability correlation analysis
UR - http://www.scopus.com/inward/record.url?scp=85102950506&partnerID=8YFLogxK
U2 - 10.1145/3442520.3442526
DO - 10.1145/3442520.3442526
M3 - Conference contribution
AN - SCOPUS:85102950506
T3 - ACM International Conference Proceeding Series
SP - 99
EP - 108
BT - ICCNS 2020 - 2020 10th International Conference on Communication and Network Security
PB - Association for Computing Machinery
Y2 - 27 November 2020 through 29 November 2020
ER -