An Ontology-based Approach to Model Common Vulnerabilities and Exposures in Information Security

Machine understandable security vulnerabilities are in need for security content automation [2]. Common Vulnerabilities and Exposures (CVE) is an industry standard of common names for publicly known information security vulnerabilities, and has been widely adopted by organizations to provide better coverage, easier interoperability, and enhanced security [1]. In this paper, we focus our research on the problem domain of software vulnerability and propose an ontology-based approach to model security vulnerabilities listed in NVD [2], providing machine understandable CVE vulnerability knowledge and reusable security vulnerabilities interoperability. We illustrate the major design ideas of our ontology and give examples to illustrate how the ontology can be populated with the knowledge from standards. In addition, we also give examples to demonstrate the benefit of using ontology to study the nature of vulnerabilities and the relationships between vulnerabilities and its related areas.