Conferences

• IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2021); papers due April 26, 2021
• New Security Paradigms Workshop (NSPW 2021); papers due May 21, 2021

---

My Links

• My Home Page
• Books
• Classes
• Papers
• Reports and Notes
• Research
• Security in Programming
• Service
• Students
• Talks
• Miscellaneous
• My Family
• About Me (CV and such)

---

Other Links

• Cybersecurity Club
• Computer Security Lab
• Dept. of Computer Science
• College of Engineering
• University of California, Davis
• City of Davis
• County of Yolo
• State of California
• United States of America

---

Me

• This Quarter’s Classes
• Office Hours for This Quarter
• Contacting Me
• My Personal Blog
  (Last Entry September 4, 2020; “Don’t Vote Twice”)

---

Current Time in Davis, CA, USA

A Critical Analysis of Vulnerability Taxonomies

Citation

• M. Bishop and D. Bailey, “A Critical Analysis of Vulnerability Taxonomies”, Technical Report CSE-96-11, Dept. of Computer Science, University of California at Davis, Davis, CA 95616-8562 (Sep. 1996).

Paper

• PDF
• PS

About This Report

From the introduction:

A taxonomy is a system of classification allowing one to uniquely identify something. The best known example, the science of systematics, classifies animals and plants into groups showing the relationship between each. Further, the classification is unique, so two of the same animal will always be classified with the same groups. That is, if one considers the hierarchy to be a tree structure and uniquely numbers each branch, each species of animal or plant is uniquely identified by a 6-tuple (kingdoms, phylums, classes, orders, family, genus).

A taxonomy for security vulnerabilities should provide the same benefits. The specific goals of such a taxonomy are to provide a historical record of the vulnerabilities in a form that system designers and implementers can use to anticipate flaws in their systems; to describe the vulnerabilities in a form useful for detection; to show common characteristics in related flaws for prevention and elimination; and to enable a security monitor to detect exploitation (or attempted exploitation) of the flaws. A taxonomy similar to the biological classification of plants and animals will do these.

Such a taxonomy allows one to classify each vulnerability as a unique ordered tuple. This is essential to detecting new vulnerabilities. Perhaps more importantly, it allows us to determine how many instances of a larger class of flaws are known, which in turn suggests where efforts to reduce or eliminate the flaws should be focused. It also allows us to characterize conditions under which the flaw arises, suggesting ways to detect new instances of the flaw.

The next section contains a precise definition of taxonomy, as well as a review of the PA, RISOS, and Aslam classification schema. The third section shows that two security flaws may be taxonomized in multiple ways under all of these schemes. The paper concludes with some observations on taxonomies and some ideas on how to develop a more precise taxonomy.

Background

This was prepared for a NIST workshop on sharing vulnerability data.

---

Last updated on Thursday, April 15, 2021 11:21:00 PM PDT