Title of article :
A Taxonomy for Network Vulnerabilities
Author/Authors :
Hajian, Sara (author), Department of Electrical and Computer Engineering; Hendessi, Faramarz (author), Department of Electrical and Computer Engineering; Berenjkoub, Mehdi (author)
Issue Information :
Quarterly, serial issue number 5, year 2010
Abstract :
The number of reported vulnerabilities rises dramatically every year. In addition, the complex combination of
different kinds of network devices, services and applications increases the complexity of
vulnerabilities. The growing number of vulnerabilities and their complexity show the importance of vulnerability
taxonomies, which could provide a common language for defining vulnerabilities and help analyze and assess them.
Both the advantages of using vulnerability taxonomies and the features of the taxonomies that have been
suggested so far encouraged us to offer a new network vulnerability taxonomy. Our proposed taxonomy is a multidimensional
and hierarchical taxonomy which classifies network vulnerabilities based on their location, cause and
impact. These are the three dimensions of our taxonomy. We use the ITU-T X.805 security architecture to provide a
comprehensive layered classification for the location dimension and use the Common Weakness Enumeration (CWE)
project to provide a complete layered classification for the cause dimension of the proposed taxonomy. Finally, we
evaluate our taxonomy based on taxonomy requirements. In addition, to demonstrate the usefulness of our taxonomy,
a case study applies the taxonomy to a number of network vulnerabilities. We also use this taxonomy to analyze
network vulnerabilities. The result of our analysis is a matrix that demonstrates the distribution of network
vulnerabilities based on their causes, locations and impacts. In addition to offering a taxonomy that is specific to
network vulnerabilities and is beneficial for analyzing network vulnerabilities by covering almost all possible
combinations of causes, locations, and impacts, we also introduce and consider network activities in the classification
of the location dimension for the first time.
Journal title :
International Journal of Information and Communication Technology Research