An empirical property-based model for vulnerability analysis and evaluation

This work presents an empirical property-based model to describe Web-based vulnerability. We define a web application using a new descriptive model with pre-condition, behavior, entity and communication property sets. The vulnerable property relationship graph (VPRG) defines a vulnerability as vulnerable properties in application with relations to other properties in cause- and consequence-relationships. The Vulnerable Property Relationship Matrix (VPRM) is used to quantify the existence vulnerability and to measure its impact according to the relations of vulnerable properties to other properties in execution of the web application. A severity score calculation is proposed based on VPRM: the vulnerability severity score is typically the sum of consequence as a result of state changes of every evolving property in the vulnerable property relationship model. The prototype model is applied to a case study involving specified Web vulnerabilities.