Artificial intelligence
Building a secure computer system
Building a secure computer system
Practical UNIX security
Computer security basics
An integrated framework for security and dependability
Proceedings of the 1998 workshop on New security paradigms
Security metrics for source code structures
Proceedings of the fourth international workshop on Software engineering for secure systems
Quantified security is a weak hypothesis: a critical survey of results and assumptions
NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
TELE-INFO'06 Proceedings of the 5th WSEAS international conference on Telecommunications and informatics
Hi-index | 0.00 |
The lack of a standard gauge for quantifying computer system vulnerability is a hindrance to communicating information about vulnerabilities, and is thus a hindrance to reducing those vulnerabilities. The inability to address this issue through uniform semantics often leads to uncoordinated efforts at combating exposure to common avenues of exploitation. The de-facto standard for evaluating computer security is the government's Trusted Computer Evaluation Criteria, also known as the Orange Book. However, it is a generally accepted fact that the majority of non-government multi-user computer systems are classified into one of its two lower classes. The link between the higher classes and government classified data, makes the measure unsuitable for commercial use.This project presents a feasible approach for resolving this problem by introducing a standardized assessment. It introduces a method, termed the System Vulnerability Index (SVI), that analyzes a number of factors that affect security. These factors are evaluated and combined, through the use of special rules, to provide a measure of vulnerability. The strength of this method is in its abstraction of the problem, which makes it applicable to various operating systems and hardware implementations. User and superuser actions, as well as clues to a potentially breached state of security, serve as the basis for the security relevant factors. Facts for assessment are presented in a form suitable for implementation in a rule-based expert system.