Taxonomies of Attacks and Vulnerabilities in Computer Systems
Igure, V.M.; Williams, R.D.
IEEE Communications Surveys & Tutorials, Volume: 10 Issue: 1
Why do we need a taxonomy?
- Their main goal was to organize information about known vulnerabilities or attacks, so that designers could use that information to build more secure systems or defense systems.
- If the classification is based on the actual vulnerability exploited by the attack, the dimension of classification can be considered as the cause of the flaw.
- The taxonomy provides useful information to find unknown vulnerabilities as well as to avoid introducing similar vulnerabilities in future designs.
- They provide a classification of testing techniques based on the vulnerability the test is meant to discover. Each test class discovers all the vulnerabilities that have similar
Figure: Attack sophistication vs. intruder technical knowledge
Introduction
- Security assessment of a system is the process of determining the system's capability to resist attacks.
- This process typically involves probing the system to detect the presence of known vulnerabilities; most attacks typically exploit known vulnerabilities.
- This process is limited because it only searches for known vulnerabilities.
- Security assessment is an objective process only as long as it is limited to searching for known weaknesses.
- Probing a system to detect previously unidentified flaws is still a very subjective process.
Introduction
- Prior work has attempted to gain an understanding of the characteristics and nature of known vulnerabilities to support the prediction of vulnerabilities in new systems.
- The first step in understanding vulnerabilities is to classify them into a taxonomy based on their characteristics.
- A taxonomy classifies the large number of vulnerabilities into a few well-defined and easily understood categories.
- Such a classification can serve as a guiding framework for performing a systematic security assessment of a system.
- This article provides a state-of-the-art survey of existing security-related taxonomies.
- The survey covers papers published between 1974 and 2006.
TAXONOMIES AND SECURITY ASSESSMENT
Taxonomies and Security Assessment
- A taxonomy is formally defined as the study of the general principles of scientific classification.
- This classification is done according to the relationships between the characteristics of the objects.
- A good taxonomy also provides a common language for the study of the
Taxonomies and Security Assessment
- Taxonomies of vulnerabilities and attacks might be useful in the security assessment process.
- They can also be useful for system designers.
- They can also provide a way to explore unknown attacks.
- Many taxonomies of attacks and vulnerabilities have been published over the years, but there is still no standard or universally accepted taxonomy.
- Our primary interest is in the development and use of attack and vulnerability taxonomies in the security assessment process.
Attacks | Goals | Dimension of taxonomy | Comments
--------|-------|-----------------------|---------
Types of Computer Crimes (Perry & Wallich 1984) | Listing main types of crimes | Two-dimensional matrix: crime vs. users committing the crime | Common characteristic: source of attack
Replay Attacks in Crypto-Protocols (Syverson 1994) | Consider which detection, representation, or prevention mechanisms are appropriate for a replay attack | Source of attack is the primary dimension of classification | Common characteristic: source of attack
Types of Misuse (Brinkley & Schell 1995) | Listing of types of misuse; not intended to be a taxonomy | Two-level hierarchy; classes are not properly defined | Provides overview of types of misuse
IDS Attack Signatures (Kumar 1995) | Classified attack signatures to develop a comprehensive database for an IDS | Based on manifestation of attacks in network traffic and logs | Applied in IDS development
Types of Misuse (Attacks) (Lindquist & Jonsson 1997) | Makes systematic study possible; useful for reporting incidents to response teams; included a grading of the severity | Extended Neumann and Parker's taxonomy | Discuss usefulness of selecting a good dimension of
Attacks Against Information Systems (Cohen 1997) | Putting all of the methods of attack into a classification scheme and co-locating them with each other so that knowledgeable experts can consider possible attacks | No classification, just a long list of known attacks | An exhaustive list of attacks is static and needs to be constantly updated to keep it relevant
Attacks (Lough 2001) | Develop a taxonomy of attacks in wireless networks | Distilled the classes discussed in prior work on taxonomies into four common categories | The categories are similar to the basic security properties
Attacks against Mobile Agents (Man, Wei 2001) | Used in the analysis of existing protection schemes; useful for research developments | Hierarchical taxonomy: 1. Intention 2. Number of attackers 3. Read vs. non-read | Classification is not based on characteristics of the attack
DoS Attacks in WSNs (Wood, Stankovic 2002) | Highlight the various threats faced by WSNs | Attacks classified under the various network layers of the communication protocol | Dimension is similar to location of flaws
Sybil Attacks in WSNs (Newsome et al. 2004) | To better understand the implications of the Sybil attack and how to defend against it | Multidimensional: 1. Mode of communication 2. Type of identity 3. Simultaneity | Underscores the need for a taxonomy to study a new field
DoS Attacks (Hussain et al. 2003) | Provide the classification component of a real-time attack analysis to aid network administrators | Source of attack: single source vs. multiple sources | Taxonomy can be used to develop tools for real-time defense
Web Attacks (Alvarez, Petrovic 2003) | Help designers build more secure applications; a useful reference framework for security application | Multidimensional taxonomy based on a Web attack life cycle | Common classification types: vulnerability; service; target
Attacks: Defense centric (Killourhy et al. 2004) | Organizes attacks by virtue of the way they manifest as anomalies in sensor data | Anomaly seen in sensor data; four categories | Mostly relevant only in IDS; low-level categories
DDoS Attack and Defense Mechanisms (Mirkovic, Reiher 2004) | Structure the DDoS field and facilitate a global view of the problem and solution space | Eight characteristics of an attack; three characteristics of defenses | Common characteristic: exploited weakness; impact on victim; type of victim
Internet Attacks (Mostow, Bott 2000); (Delooze 2004) | Build an attack simulator; taxonomy was used in the simulator model | Effects of the attack | Common characteristic: DoS, Deception,
Attacks in VANETs (Golle et al. 2004) | Taxonomy was not the main aim | 1. Nature 2. Target 3. Scope 4. Impact | Common characteristic: nature of attack; impact on victim; scope; target
Shellcode Attacks (Arce 2004) | Understanding these programs' technical capabilities and their connection to those who develop and use them | Functional perspective: 1. Attack vector 2. Exploitation technique 3. Payload | Multiple ways to trigger a vulnerability
Attacks (Hansman, Hunt 2005) | Develop a pragmatic taxonomy that is useful to those dealing with attacks on a regular basis | Four taxonomies based on: 1. Attack vector 2. Attack target 3. Vulnerability 4. Payload | For application-specific taxonomies, it might be possible to combine all these into one taxonomy
Types of Computer Crimes
- Two-dimensional matrix of computer attacks.
- First dimension, users: operators, programmers, data entry, internal users, outside users, and intruders.
- Second dimension, computer crimes: physical destruction, information destruction, data diddling, theft of services, browsing, and theft of information.
- The six classes of users are not distinct.
Types of Computer Misuse
Level one:
- Theft of computer resources
- Disruption of computer resources
- Unauthorized disclosure of information
- Unauthorized modification of information
Level two:
- Human error
- User abuse of authority
- Direct probing
- Probing with malicious software
- Direct penetration
- Subversion of security mechanism
Information System Attacks
- One of the first attempts at developing a taxonomy to help the security assessment process.
- Put all possible attacks under a single taxonomy.
- Could be used to predict future attacks in existing systems.
- The biggest drawback of this work is that it is not a classification. It is merely a long list of all known attacks.
- The article lists 94 different attacks on information
Computer Attack
- Neumann identified 26 different kinds of computer attacks and classified them into nine
- programs
- Bypasses
- Active misuse
- Passive misuse
- Inactive misuse
- Indirect misuse
- This can be considered a hierarchical taxonomy because it has two levels of classification.
Classify Computer Security Intrusions
- Lindquist and Jonsson's taxonomy [7, 26] is a very good example of one that is suitable for a security assessment process.
- They were the first to introduce the notion of a dimension of classification.
- They extended three of Neumann and Parker's categories into multiple subdivisions:
  - Bypass of intended controls
  - Active misuse of resources
  - Passive misuse of resources
IDS Related Taxonomies
- Two main types of IDSs: signature-based systems and anomaly-based systems.
- The primary motivation for this classification was to provide a defense-centric taxonomy to help
Signature-based system
- Every attack manifests itself as some kind of event or sequence of events in a network.
- These unique events are called the signatures of the attack.
- Every known attack is given a signature based on its characteristics.
- An attack taxonomy can ensure that all known attacks are represented in the database.
Signature-based system
- Kumar presents a taxonomy of signatures to help build an effective IDS.
- Attack signatures are classified into five categories:
  - Existence
  - Sequence
  - Partial
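The three signature classes named on this slide can each be written as a small matcher over a stream of host events. The following is an added illustration, not code from the survey or from Kumar's IDS: the event stream, the event names and the three signatures are constructed for the example, and the partial-order rule ("the first a precedes the last b") is one reasonable reading of that class rather than Kumar's exact formalism.

```python
"""Kumar's signature classes (existence, sequence, partial order) as simple
matchers over an event stream. Added illustration with constructed data; the
signature definitions are hypothetical, not Kumar's IDS database."""

# Constructed sample host-event stream: (timestamp, event name, attributes).
EVENTS = [
    (1, "login_fail",   {"user": "admin", "src": "192.0.2.10"}),
    (2, "login_fail",   {"user": "admin", "src": "192.0.2.10"}),
    (3, "login_fail",   {"user": "admin", "src": "192.0.2.10"}),
    (4, "login_ok",     {"user": "admin", "src": "192.0.2.10"}),
    (5, "chmod_setuid", {"user": "admin", "path": "/tmp/helper"}),
    (6, "exec",         {"user": "admin", "path": "/tmp/helper"}),
]


def existence(events, name):
    """Existence signature: a single event type being present is enough."""
    return any(ev == name for _, ev, _ in events)


def sequence(events, names):
    """Sequence signature: the named events occur in this order, though not
    necessarily back to back (other events may be interleaved)."""
    i = 0
    for _, ev, _ in events:
        if i < len(names) and ev == names[i]:
            i += 1
    return i == len(names)


def partial_order(events, constraints):
    """Partial-order signature: (a, b) pairs meaning 'some a happens before
    some b'; events not mentioned are unconstrained. Each constrained event
    must exist, and the first a must precede the last b."""
    first, last = {}, {}
    for ts, ev, _ in events:
        first.setdefault(ev, ts)
        last[ev] = ts
    return all(a in first and b in last and first[a] < last[b]
               for a, b in constraints)


# Hypothetical signatures, one per class, over the constructed event names.
SIGNATURES = {
    "setuid_file_created": lambda ev: existence(ev, "chmod_setuid"),
    "bruteforce_then_run": lambda ev: sequence(
        ev, ["login_fail", "login_fail", "login_fail", "login_ok", "exec"]),
    "planted_binary_executed": lambda ev: partial_order(
        ev, [("login_ok", "exec"), ("chmod_setuid", "exec")]),
}


def match_signatures(events, signatures=SIGNATURES):
    """Return {signature name: matched?} for the whole stream."""
    return {name: bool(sig(events)) for name, sig in signatures.items()}


if __name__ == "__main__":
    for name, hit in match_signatures(EVENTS).items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The point the taxonomy makes for a database designer is visible in the code: an existence rule needs no state, a sequence rule needs a cursor, and a partial-order rule needs first/last timestamps per event type, so the signature class determines what the matching engine must keep.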
Anomaly-based system
- Looking for any network activity that deviates from the norm.
- Killourhy et al. developed a taxonomy of attacks based on their manifestation as anomalies in IDS sensor data.
- Every attack manifests itself either as a:
  - Foreign symbol
  - Minimal foreign sequence
  - Dormant sequence
  - Non-anomalous sequence
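The four manifestation classes can be computed directly from a set of normal traces, which also shows why the taxonomy is defense-centric: the class tells you whether a sliding-window anomaly detector of a given window size can see the attack at all. The following is an added example, not code from the survey or from Killourhy et al.; the "normal" traces and the test traces are constructed system-call sequences, and the class definitions follow the slide's four names as I read them (a symbol never seen; a shortest contiguous subsequence never seen; a proper contiguous subsequence of a normal trace; a complete normal trace).

```python
"""Classify a trace into Killourhy et al.'s four manifestation classes
relative to a training set of normal traces. Added illustration on
constructed data; not the authors' code."""


def _subseqs(trace, n):
    """All contiguous length-n subsequences of a trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def classify(training, attack):
    """Return (manifestation class, length of the minimal foreign sequence
    or None). 'training' is a list of normal traces (lists of symbols)."""
    alphabet = {s for t in training for s in t}
    if any(s not in alphabet for s in attack):
        return ("foreign symbol", 1)
    # Grow n until some length-n subsequence of the attack is unseen. Every
    # shorter subsequence is already known, so that n is the minimal length.
    for n in range(2, len(attack) + 1):
        known = set().union(*(_subseqs(t, n) for t in training))
        if _subseqs(attack, n) - known:
            return ("minimal foreign sequence", n)
    # No subsequence is foreign, so the whole attack trace occurs contiguously
    # inside some normal trace: either it is a normal trace, or it is a proper
    # (truncated) part of one.
    if any(list(t) == list(attack) for t in training):
        return ("non-anomalous sequence", None)
    return ("dormant sequence", None)


def window_detector_flags(training, attack, w):
    """Would a sliding-window detector (window w, alarm on any unseen
    window) raise an alarm for this trace?"""
    kind, n = classify(training, attack)
    if kind == "foreign symbol":
        return True
    if kind == "minimal foreign sequence":
        return n <= w
    return False


# Constructed normal traces used as the detector's training data.
NORMAL = [
    ["open", "read", "close"],
    ["open", "read", "write", "close"],
    ["read", "close", "exit"],
    ["socket", "connect", "send", "recv", "close"],
]

# Constructed test traces, one per manifestation class, plus a second
# "minimal foreign sequence" whose foreign part is longer than a window of 3.
SAMPLES = {
    "foreign symbol":            ["open", "read", "execve"],
    "minimal foreign (len 2)":   ["open", "read", "write", "write", "close"],
    "minimal foreign (len 4)":   ["open", "read", "close", "exit"],
    "dormant":                   ["socket", "connect", "send"],
    "non-anomalous":             ["open", "read", "write", "close"],
}

if __name__ == "__main__":
    for label, trace in SAMPLES.items():
        kind, n = classify(NORMAL, trace)
        seen = window_detector_flags(NORMAL, trace, 3)
        print(f"{label:26} -> {kind} (n={n}); window-3 detector alarms: {seen}")
```

The "len 4" sample is the interesting one for an assessor: every 2-gram and 3-gram in it is normal, so a window-3 detector stays silent, while a window-4 detector would alarm; dormant and non-anomalous traces are invisible to this kind of detector at any window size, which is the coverage gap the taxonomy is meant to make explicit.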
DoS Attack Related Taxonomies
- An attacker can carry out a successful attack without penetrating the target network.
- Neumann lists three types of DoS attacks based on the source of the attack:
  - No network penetration; can be carried out remotely over the Internet.
  - The attacker exploits some known vulnerability to penetrate the network and then carries out resource exhaustion attacks.
  - Distributed DoS (DDoS) attacks: attackers penetrate or compromise many third-party computers and use them to launch a DoS attack against the
DoS Attack Related Taxonomies
- Mirkovic and Reiher intended to build a taxonomy that would provide a complete overview of the field of DDoS attacks and defenses.
- Each attack has multiple characteristics, and Mirkovic and Reiher classify attacks along multiple dimensions.
- This classification is not mutually exclusive.
- Eight dimensions:
  - Degree of automation
  - Exploited weakness
  - Source address validity
  - Attack rate dynamics
  - Possibility of characterization (based on packet content)
  - Persistence of agent set
  - Victim type
  - Impact on the victim
DoS Attack Related Taxonomies
- Campbell uses a novel dance metaphor to characterize DoS attacks.
- He characterizes a DoS attacker as a third person interrupting two dancing partners.
- He groups all DoS attacks under four classes that represent the attacker's strategy for success:
  - Partner -> spoofing
  - Flood -> flooding
  - Trip -> shutting down
  - Intervene -> interception
Web Attack Taxonomies
- Alvarez and Petrovic analyzed and classified Web attacks; their goal was to extract useful information for application developers to build more secure
Specialized Attack Taxonomies
- There are many attack taxonomies that cover only certain specific applications.
- Man and Wei developed a taxonomy of attacks against mobile agents.
- The goal of the work was to understand all possible attacks against mobile agents and then use this understanding to develop appropriate protection mechanisms.
- The first level of classification divides attacks into two categories based on the intentions of the attack
- hierarchical, and this characteristic is useful for security
Taxonomies for Security Assessment
- Lough presents an exhaustive survey of computer attack and vulnerability taxonomies in
- Classifies all attacks under four categories:
  - Incorrect validation
  - Incorrect exposure
  - Incorrect randomness
  - Incorrect deallocation
- This classification is made on the cause-of-attack dimension.
- Lough's taxonomy is not application-specific.
Taxonomies for Security Assessment
- Hansman and Hunt aim to develop a pragmatic taxonomy that is useful to those dealing with attacks on a regular basis.
- They conclude that it is difficult to develop an effective tree-structure taxonomy of attacks.
- Four dimensions:
  - Attack vector
  - Attack target
  - Vulnerabilities and exploits
  - Attacks with payloads
- If the taxonomy were application-specific instead of trying to incorporate all possible kinds of attacks, it might not be very difficult to develop a single tree-structure taxonomy of attacks.
Vulnerability Taxonomy
- One of the earliest works on this topic was done by McPhee.
- McPhee's paper was published in 1974, and since then there has been much research done on computer security.
- McPhee lists seven classes of integrity flaws in operating
  - System data in user area
  - Non-unique identification of system resource
  - System violation of storage protection
  - User data passed as system data
  - User-supplied address of protected control blocks
  - Concurrent use of serial resources
  - Uncontrolled sensitive
Vulnerability Taxonomy
- Attanasio described the methodology and results of penetration testing experiments. The penetration analysts had three goals:
  - To obtain information to which they were not entitled
  - To launch a DoS attack by exhausting resources
  - To obtain resources bypassing the
- The paper does not provide a taxonomy, as that was not their goal, but it makes the important contribution of listing operating system characteristics that are likely to have flaws.
Vulnerability Taxonomy
- After the penetration testing experiment, Attanasio et al. listed 16 OS features that are likely to have
  - Implicit or explicit resource sharing mechanisms
  - Man-machine interfaces administered by the OS
  - Configuration management problem
  - Add-on features
  - Design modifications and design extensions
  - Parameter checking
  - Control of security descriptors
  - Error handling
  - Side effects
  - Parallelism
  - Access to microprogramming
  - Complex interfaces
  - Duplication of function
  - Limits and prohibitions
  - Access to residual information
  - Violation of design
TAXONOMY OF SOFTWARE PROGRAM FLAWS
Taxonomy of Software Program Flaws
- The Research in Secured Operating Systems (RISOS) project and the Protection Analysis (PA) project were two of the earliest efforts at producing taxonomies of vulnerabilities in computer software.
- Both of the projects examined the vulnerabilities in different
Taxonomy of Software Program Flaws
- The seven classes of vulnerabilities in the RISOS project were:
  - Incomplete parameter validation
  - Inconsistent parameter validation
  - Implicit sharing of privileged/confidential data
  - Inadequate identification, authentication, or authorization
  - Asynchronous validation or inadequate serialization
  - Violable prohibition or limiting
  - Exploitable logic
Taxonomy of Software Program Flaws
- The ten classes from the PA
  - Consistency of data over time
  - Validation of operands
  - Validation of residuals
  - Validation of naming
  - Validation of domain
  - Serialization
  - Interrupted atomic operations
  - Exposed misrepresentations
  - Queue management dependencies
  - Critical operator
Taxonomy of Software Program Flaws
- The categories of both the RISOS and PA classifications indicate that the dimension of classification was by operations.
- This means that the categories represent operations of the OS which can be misused to cause attacks.
- The RISOS and PA categories would be greatly beneficial in a
Taxonomy of Software Program Flaws
- Bishop analyzed the RISOS and PA taxonomies, and showed that these classes could be mapped onto
- Bishop classified each vulnerability along six axes:
  - Nature of the flaw
  - Time of introduction
  - Exploitation domain of the vulnerability
  - The effect domain
  - The minimum number of components needed to exploit the vulnerability
  - The source of the identification of the vulnerability
Taxonomy of Software Program Flaws
- After the PA project, the most influential work on taxonomies of flaws was done by Landwehr et al.
- They did not limit their taxonomy to operating systems but provided a more general taxonomy of flaws in computer programs.
- They classified their flaws in three different dimensions:
  - Genesis
  - Time of introduction
  - Location
Taxonomy of Software Program Flaws
- Jiwnani et al. used Landwehr's taxonomy to aid security testing.
- They adapted Landwehr's three dimensions to build a matrix that related the cause of the vulnerability.
- To be effective, the taxonomy must be used in conjunction with all the dimensions of the classification.
- The assessment process can be more systematic if these dimensions are arranged hierarchically.
Taxonomy of Software Program Flaws
- All the work we have seen so far classified attacks or vulnerabilities based on some inherent characteristic of the attack or vulnerability itself.
- Krsul departed from this norm.
- He developed a taxonomy based on the observation that most of the vulnerabilities were introduced into programs because of mistaken assumptions by the programmer.
- He classified flaws according to the assumption that led to their introduction into the software.
Taxonomy of Software Program Flaws
- Aslam focused only on the UNIX
- Aslam's taxonomy is hierarchical, and the first level had three main categories:
  - Configuration flaws
  - Environment flaws
  - Coding
- The dimension of classification for these three classes is the cause of the flaw.
Taxonomy of Software Program Flaws
- Du and Mathur described each flaw with multiple attributes. They classify flaws along three
- Landwehr's original genesis class had two main subclasses: intentional and inadvertent flaws.
- Du and Mathur ignore the intentional flaws. Instead, they focused on the inadvertent flaws in the software.
- Since the taxonomy provides details about the flaws, it could be effective in a security assessment process.
Taxonomy of Software Program Flaws
- Kamara et al. successfully use Du and Mathur's taxonomy for analyzing vulnerabilities in Internet
- They break down a firewall into its constituent components, and its operations and data flow.
- They analyze some of the well-known firewall vulnerabilities, and map them to both Du and Mathur's taxonomy and the specific operations and parts of the firewalls.
- The result is a matrix that identifies which operations and parts of a firewall are likely to produce flaws.
- This is very useful in future security assessments of other firewalls as well as in preventing the same kinds of flaws in new
Taxonomy of Software Program Flaws
- Gray's aim was to develop a taxonomy of vulnerabilities that would be useful to people in various positions in a software development organization.
- Gray combined the work of Landwehr, Bishop, and Wang into an extended and multi-perspective taxonomy.
Taxonomy of Software Program Flaws
- The taxonomy had ten classes of program flaws:
  - Genesis
  - Time of introduction
  - Location
  - Execution environment
  - Quality impact
  - Method of discovery
  - Threat and exploitation scenarios
  - Monitoring and exploitation scenarios
  - Limitation and remediation scenarios
  - Elimination methods
Taxonomy of Software Program Flaws
- Gray's approach of combining all the perspectives within one taxonomy is not very efficient.
- Gray does not offer any subclasses for any of these classes.
- Such a single-level taxonomy does not provide adequate information about the flaws.
- This ineffectiveness shows that taxonomies are most useful when they are developed for a particular application from a specific
Taxonomy of Software Program Flaws
- Tsipenyuk et al. seek to simplify the existing software vulnerability taxonomies.
- They claim that most of the existing taxonomies are too
Taxonomy of Software Program Flaws
- In order to help software developers and security practitioners, they group all software security flaws under eight classes:
  - Input validation and representation
  - API abuse
  - Security features
  - Time and state
  - Errors
  - Code quality
  - Encapsulation
  - Environment
Taxonomy of Software Program Flaws
- Yu et al. provide a framework for analyzing the security of Web software services.
- The unique contribution is that they relate all the attacks with the software vulnerabilities each attack exploits.
Taxonomy of Software Program Flaws
- Yongzheng and Xiochen develop a taxonomy of vulnerabilities to aid the security risk assessment
- They base it on the concept of privilege sets and privilege
- A vulnerability can be viewed as a feature that gives additional privileges to the attacker.
- The paper ranks the privilege sets of nine user classes, ranging from common user to root.
- The paper provides a ranking of the impacts of each privilege level, with the root level causing the greatest damage and the user level causing the least.
Taxonomy of Software Program Flaws
- Wang's work also explored the link between a flaw and the risk posed by that flaw.
- A flaw that could be exploited in multiple ways can be considered more risky than one that can be exploited only in one
Taxonomy of Software Program Flaws
- Alhazmi et al. test the efficacy of vulnerability discovery models to predict the number of vulnerabilities in a software product.
- Having a target number of vulnerabilities could help the security analyst, but traditional taxonomy-based classifications would have to be used to find the actual vulnerabilities.
NETWORK VULNERABILITY TAXONOMIES
Network Vulnerability Taxonomies
- Ristenbatt describes a methodology named Network Communications Vulnerability Assessment (NCVA), which was developed to perform network vulnerability
- The first taxonomy classified the various types of networks according to their design.
Network Vulnerability Taxonomies
- The objective of this taxonomy was to provide the analyst with a high-level overview of the network. The top-level categories were:
  - The transfer strategy
  - The network transfer control method
  - The transfer link structure
  - Link access method or protocol
  - System
Network Vulnerability Taxonomies
- The second taxonomy outlined the typical network susceptibilities.
- He defines susceptibilities as system features that might be targeted by attackers. Susceptibilities are potential
- The network susceptibilities taxonomy has five classes:
  - Topology
  - Physical layer
  - Data link layer
  - Network layer
  - Management and
Network Vulnerability Taxonomies
- Jayaram and Morse provide a taxonomy of security threats to networks. Their taxonomy has five
  - Physical threats
  - System weak spots
  - Malign problems
  - Access
Network Vulnerability Taxonomies
- A more elaborate taxonomy of threats to networks is provided by Welch and Lathrop.
- The taxonomy was developed to build a security architecture for a wireless network.
- The taxonomy is hierarchical and provides a systematic approach for analyzing all the security threats faced by a network.
- They begin by considering threats to each of the basic security properties: confidentiality and integrity.
Network Vulnerability Taxonomies
- The taxonomy lists seven attacks that pose a threat to security properties:
  - Traffic analysis
  - Passive eavesdropping
  - Active
Network Vulnerability Taxonomies
- Pothamsetty and Akyol made an effort at producing a taxonomy of network protocol
- Their main goal was to organize information about known
- They classify the vulnerabilities into seven categories:
  - Clear text communication
  - Non-robust protocol message parsing
  - Insecure protocol state handling
  - Inability to handle abnormal packet rates
  - Replay and reuse
  - Protocol field authentication
  - Entropy
PROPERTIES OF A TAXONOMY FOR SECURITY ASSESSMENT
Properties of a Taxonomy for Security Assessment
- The goal is to identify a set of characteristics for a very specific taxonomy: one that can be used effectively in a security assessment process.
- The taxonomy must be tailored to the viewpoint of an assessment professional. It should also help make the process as objective as
- The basic properties of such a taxonomy would be:
  - Application- or system-specific taxonomy
  - Taxonomy must be layered or hierarchical
  - First level of classification: attack impact
  - Second level of classification: system-specific attack types
  - Third level of classification: system components (attack targets)
  - Fourth level of classification: system features (source of vulnerability)
  - Classes need not be mutually exclusive
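The four-level layering proposed here is easiest to judge when it is made concrete and then used for the one thing the next slide asks of it, checking vulnerability coverage. The following is an added example, not code or data from the survey: it builds a hypothetical taxonomy for an unnamed web-facing service along exactly the four levels listed (impact, attack type, component, feature), lets one feature appear under several attack types because the classes are not mutually exclusive, and reports which source-of-vulnerability features a constructed assessment plan has not exercised.

```python
"""A four-level, application-specific taxonomy arranged as the slide proposes
(impact -> attack type -> system component -> system feature), with a coverage
check that lists which source-of-vulnerability features an assessment plan
has not yet exercised. Added illustration; the taxonomy content and the test
plan are constructed for a hypothetical service, not taken from the paper."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    children: list = field(default_factory=list)


def feature(name):
    """Leaf of the taxonomy: a system feature that may be the source of a flaw."""
    return Node("feature:" + name)


# Constructed taxonomy. 'parameter-validation' deliberately sits under two
# attack types: the slide says classes need not be mutually exclusive.
TAXONOMY = Node("service", [
    Node("impact:disclosure", [
        Node("attack:sql-injection", [
            Node("component:query-builder",
                 [feature("parameter-validation"), feature("quoting")]),
        ]),
        Node("attack:path-traversal", [
            Node("component:file-handler",
                 [feature("parameter-validation"), feature("path-canonicalisation")]),
        ]),
    ]),
    Node("impact:denial-of-service", [
        Node("attack:request-flood", [
            Node("component:listener",
                 [feature("rate-limiting"), feature("connection-timeouts")]),
        ]),
        Node("attack:malformed-message", [
            Node("component:parser", [feature("length-checks")]),
        ]),
    ]),
])


def leaf_paths(node, prefix=()):
    """Every root-to-feature path, as a tuple of node names."""
    path = prefix + (node.name,)
    if not node.children:
        return [path]
    return [p for child in node.children for p in leaf_paths(child, path)]


def coverage_report(taxonomy, tests):
    """tests maps a test-case name to the set of feature names it exercises.
    Returns (covered paths, total paths, list of uncovered paths). A test that
    exercises a shared feature covers every path ending in that feature."""
    exercised = set().union(*tests.values())
    paths = leaf_paths(taxonomy)
    uncovered = [p for p in paths if p[-1] not in exercised]
    return len(paths) - len(uncovered), len(paths), uncovered


# Constructed assessment plan: which features each test case actually probes.
TEST_PLAN = {
    "T1 fuzz request parameters": {"feature:parameter-validation"},
    "T2 flood the listener": {"feature:rate-limiting", "feature:connection-timeouts"},
}

if __name__ == "__main__":
    covered, total, gaps = coverage_report(TAXONOMY, TEST_PLAN)
    print(f"coverage: {covered}/{total} taxonomy paths")
    for p in gaps:
        print("  not yet assessed:", " > ".join(p[1:]))
```

Reading the report top-down gives the assessor the ordering the slide argues for: a gap is first attributed to an impact, then to the attack type and component, and only then to the feature that a new test case must target, which is what keeps the process systematic rather than a matter of the individual analyst's intuition.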
Properties of a Taxonomy for Security Assessment
- The efficacy of a security assessment process should be measured by its objectivity and vulnerability coverage.
- A process with good vulnerability coverage explores all relevant system features that are likely to have vulnerabilities.
- Although there are no metrics for measuring objectivity and vulnerability coverage, we believe that a taxonomy with the above properties greatly aids a security assessment process.
Conclusion
- This article presents a survey of all taxonomies related to computer and network security.
- The survey analyzes existing work on security taxonomies and assesses their usefulness in terms of security assessment.
- The analysis helps identify specific properties of taxonomies that aid security assessment.