Document Final
Chapter 1
INTRODUCTION
1.1 INTRODUCTION
Despite the rapid growth of applied vulnerability research and secure software
development, vulnerabilities continue to appear, and Vulnerability Management, the cyclical
practice of identifying, classifying, remediating, and mitigating vulnerabilities, remains a vital
function. It has long been a normal part of hardening defenses and identifying weaknesses in
systems, processes, and strategies, both in the military and in the private sector. With the
growing complexity of organizations, it has become necessary to draw out this function as a
distinct practice complete with supporting security tools (e.g., ISS Internet Scanner or Retina
[8, 9]). Recently, BeyondTrust's report examined all of the Microsoft vulnerabilities published in
2009 and all of the Windows 7 vulnerabilities published to date, in order to quantify how effective
removing administrator rights is at mitigating Microsoft vulnerabilities. This work considers
some of the existing vulnerability security tools and mitigates vulnerabilities through a single
graphical user interface, SVIM, which performs various tests against the target system to
confirm that it is safe and secure.
There has been some research relevant to vulnerability management. First of all, the
MITRE Corporation is well known for its creation of the CVE naming mechanism. Common
Vulnerabilities and Exposures (CVE) is a list of standardized names for vulnerabilities and other
information security exposures; it aims to standardize the names of all publicly known
vulnerabilities and security exposures. CVE is valuable for coordination between databases and
tools, but it is less beneficial to people not using those products. CVE also has a long screening
process and a board that makes final decisions, which makes it impossible to keep up with the
flood of vulnerabilities. Martin gave a practical proposal on managing vulnerabilities using CVE.
In November 2002 MITRE released a new standard vulnerability assessment language, OVAL
[14]. The Open Vulnerability Assessment Language is a common language for security experts
to discuss and agree on the technical details of how to check for the presence of vulnerabilities
on a computer system. Vulnerabilities are identified by OVAL queries, similar to SQL, that
perform the checks. OVAL faces the same problem of a long screening process that might delay
the release of vulnerability checks. There is also much other work on vulnerability
classifications and on practical methodologies or principles of conventional vulnerability
management. Unfortunately, we have not seen any research on integrated vulnerability
management, which we think is the way forward.
1.1 MOTIVATION
1.2 OBJECTIVES
In this project, we propose a system architecture and model to assess secure-system
vulnerability management: finding the vulnerabilities of individual local machines in a LAN
environment, finding which local ports are open and which vulnerabilities exist on the current
system, and finding the remedies through a patch management system. We use the CVSS and
CCE [5] systems to measure the vulnerabilities and to determine the presence of
mis-configuration [39] in the system. An IDS keeps the role of monitoring and analyzing the
traffic in a timely manner.
1.3 OUTLINE OF THE THESIS
The organization of this thesis progresses from the theoretical to the implementation aspects of
the Security Vulnerability Integrated Management Tool. The project deals with the development
of an efficient architecture and models for checking host vulnerabilities and for patch
management. This thesis discusses broadly the preliminary concepts required for understanding
vulnerabilities, their causes, and identifying and removing them, and provides a detailed survey
of the literature along with both theoretical and implementation aspects of the proposed
algorithms. The rest of this thesis is organized as outlined below:
Chapter 3 contains the theoretical discussion of the system proposed in this project work.
The problem definition, with the necessary assumptions, is clearly stated, and our proposed
approach is explained in detail. A theoretical treatment is presented for better understanding of
the proposed approach and solutions.
Chapter 4 contains the architecture, design and implementation details of the proposed
system. In the implementation stage, we have developed a tool containing three modules: port
scanning, vulnerability scanning and assessment, and patch management. The vulnerability
scanning generates a list of vulnerabilities, and the integrated tool automates the application of
the corresponding patches.
In Chapter 5 the results of the implementation of the security vulnerability integrated
management tool are discussed. From the results obtained, we determine whether the network
system has vulnerabilities and apply the necessary patches through the patch management
system.
Chapter 6 is the concluding chapter of the thesis, where inferences and the future scope of
study are drafted.
Chapter 2
A SURVEY OF LITERATURE
2.1 INTRODUCTION
Anil Sharma and Jason R. Martin [22] propose that vulnerabilities can be classified, based on
their location, as application vulnerabilities, network vulnerabilities, or host vulnerabilities.
Their paper describes Ferret, a new software tool for checking host vulnerabilities. Ferret helps
system administrators by quickly finding vulnerabilities that are present on a host. Ferret is
extensible, and can easily be kept up to date through the addition of checks for new
vulnerabilities as they are discovered.
Kaarina Karppinen and Mikael Lindvall [24], in “Detecting Security Vulnerabilities with
Software Architecture Analysis Tools”, studied how security architecture analysis tools can
assist in detecting security vulnerabilities that are caused by architecture violations. With the
tool, they were able to capture the dynamic pattern of a user breaking into the system through a
back door. Based on the dynamic information in combination with the static information, they
obtained a good visual image of the back door. Such “visual images” can be used to detect
vulnerabilities and ultimately help to design software architectures that meet their security
requirements.
Xiangqun Qiu and Rob Paterson [25] describe an innovative approach to modeling network
designs in order to quantify their ability to mitigate the impact of security attacks on end-user
services. The methodology has been developed and implemented in a tool that calculates
end-user downtime and failure rate. The application of security vulnerability modeling during
design enables designers to evaluate design options and quantify the outage risks of different
design strategies.
Hao Wang and Jairo Camargo [26], in “Measuring Similarity for Security Vulnerabilities”,
propose a vulnerability similarity measurement to compare different vulnerabilities according to
a set of criteria. The approach is based on the structural hierarchy of vulnerabilities, and the
similarity is defined using established mathematical models. The National Vulnerability
Database and the Ontology of Vulnerability Management provide the information necessary for
the similarity calculation. The similarity measurement can be used in many areas of vulnerability
management, such as vulnerability classification, mitigation, and patching.
validated using the source code and vulnerability data for two major versions of the Apache
HTTP web server and two major versions of the MySQL DBMS.
Wei Pan and Weihua Li [28], in “Reverse Analysis and Vulnerability Detection for Network
System Software”, present a novel approach that uses reverse analysis and vulnerability
detection technologies to deal with security problems in critical network systems. The adaptive
reverse analysis they propose is used to dig out potential vulnerabilities that might be abused by
unauthorized and unlawful communities. A new vulnerability detection model is designed to
provide safety precautions by detecting vulnerabilities and monitoring program behaviors. Their
investigation aims to improve the ability to guard network systems against malicious attacks.
The proposed schemes demonstrate that the approach can effectively perform security detection
and management of network system software.
Moohun Lee and Sunghoon Cho [29], in “A Rule-based Security Auditing Tool for Software
Vulnerability Detection”, propose a rule-based security auditing tool that analyzes the structure
of the target code, defines the findings as rules, and detects malicious code and software
vulnerabilities. The proposed auditing tool can help construct a secure ubiquitous computing
environment, because it can be used as a common software audit tool that detects malicious code
and software vulnerabilities at the same time.
Gary McGraw [30], in “Testing for Security during Development: Why We Should Scrap
Penetrate-and-Patch”, builds on the generally held belief that a large proportion of security
violations result from errors introduced during software development.
Hassan Rasheed and Randy Y.C. Chow [31], in “Automated Risk Assessment for Sources and
Targets of Vulnerability Exploitation”, focus primarily on assessing the risk to and from access
control request sources and targets. This process is critical in building effective dynamic access
control methods that use assessment data for policy enforcement. Information on vulnerability
exploitation attempts is used to derive risk assessments for entities in the system. To validate the
approach, they demonstrate the use of their assessment method in analyzing the sources and
targets in a widely used intrusion detection data set.
S.M. Furnell and A. Al-Ayed [32], in “The Research on a Patch Management System for
Enterprise Vulnerability Update”, design and implement a patch management system for
vulnerability precaution and protection that can efficiently repair vulnerabilities of computer
systems in time. Developing a vulnerability management system needs two steps: constructing a
vulnerability analysis database and implementing the vulnerability management system (VMS)
application software. The vulnerability analysis database is constructed from CVE, Microsoft
and other sources, reports vulnerabilities in standard result forms updated with the newest
information, and is organized to suit a distributed enterprise network. The VMS suggested in the
paper can provide faster and more accurate vulnerability repair, and proper guidelines for the
corresponding vulnerabilities.
Jung-jin Park and Jin-sub Park [33], in “Windows Security Patch Auto-Management System
Based on XML”, observe that in recent years damage to information systems and networks from
worms and viruses exploiting Windows security vulnerabilities has been increasing rapidly. The
way to deal with attacks that use vulnerabilities of Windows programs is to install patches
appropriately and rapidly. Since existing patch management systems need the intervention of
managers, the study suggests a security patch auto-management system, based on XML, that
installs security patch files on clients automatically after downloading the patches from the MS
download center.
Ching-Huang Lin [34], in “A Study and Implementation of Vulnerability Assessment and
Mis-configuration Detection”, proposes a system to resolve vulnerability and mis-configuration
issues, focusing on the aspect of vulnerability assessment. CVSS (Common Vulnerability
Scoring System) is used to measure the severity of a vulnerability to the organization and to help
administrators with patch management. For the configuration portion, a CCE (Common
Configuration Enumeration) configuration scanner scans the system and determines the
presence of mis-configuration. The experiments show that the system can help administrators
understand their own systems and enhance system security.
2.2 ELEMENTARY CONCEPTS
2.2.1 VULNERABILITY:
In computer security, the term vulnerability refers to a weakness which allows an attacker to
reduce a system's information assurance. Vulnerability is the intersection of three elements: a
system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the
flaw. For a system to be vulnerable, an attacker must have at least one applicable tool or
technique that can connect to a system weakness. In this frame, vulnerability is also known as
the attack surface. A security risk may be classified as a vulnerability. A vulnerability with one
or more known instances of working and fully implemented attacks is classified as an
exploitable vulnerability.
2.2.2 CAUSES:
• Software bugs: The programmer leaves an exploitable bug in a software program. The
software bug may allow an attacker to misuse an application.
• Unchecked user input: The program assumes that all user input is safe. Programs that
do not check user input can allow unintended direct execution of commands or SQL
statements (known as Buffer overflows, SQL injection or other non-validated inputs).
Many software tools exist that can aid in the discovery (and sometimes removal) of
vulnerabilities in a computer system. Though these tools can provide an auditor with a good
overview of the possible vulnerabilities present, they cannot replace human judgment. Relying
solely on scanners will yield false positives and a limited-scope view of the problems present in
the system. Vulnerabilities have been found in every major operating system including
Windows, Mac OS, various forms of Unix and Linux, OpenVMS, and others. The only way to
reduce the chance of a vulnerability being used against a system is through constant vigilance,
including careful system maintenance (e.g. applying software patches), best practices in
deployment (e.g. the use of firewalls and access controls) and auditing (both during development
and throughout the deployment lifecycle).
• Format string bugs
• SQL injection
• Code injection
• E-mail injection
• Directory traversal
• Cross-site scripting in web applications
• HTTP header injection
• HTTP response splitting
• Privilege-confusion bugs, such as:
    • Cross-site request forgery in web applications
    • Clickjacking
    • FTP bounce attack
Port Scanner: Nmap has grown in functionality over the years, but it began as an efficient port
scanner, and that remains its core function. The simple command nmap <target> scans more
than 1660 TCP ports on the host <target>. While many port scanners have traditionally lumped
all ports into the open or closed states, Nmap is much more granular. It divides ports into six
states: open, closed, filtered, unfiltered, open|filtered, or closed|filtered.
Network Enumerator: Network enumeration is a computing activity in which user names and
information on the groups, shares and services of networked computers are retrieved. It
retrieves information about which servers are connected to a specific network and what
operating system runs on them. This type of program scans networks for vulnerabilities in the
security of that network. If there is a vulnerability in the security of the network, it sends a
report back to the hacker, who may use this information to exploit that network glitch to gain
entry to the network or for other malicious activities. Ethical hackers often also use the
information to remove the glitches and strengthen their network. Malicious hackers can, on
entering the network, get to security-sensitive information or corrupt the network, making it
useless. If the network belonged to a company which used it on a regular basis, the company
would lose the ability to send information internally to other departments.
Network Vulnerability Scanner: It scans your network and ports to detect, assess and correct
security vulnerabilities with minimal administrative effort. As an administrator, you have to deal
separately with problems related to vulnerability issues, patch management and network
auditing, at times using multiple products.
Web Application Security Scanner: A web application security scanner can facilitate the
automated review of a web application with the express purpose of discovering security
vulnerabilities, and such reviews are required to comply with various regulatory requirements.
Web application scanners can look for a wide variety of vulnerabilities, including:
2.4 OS Detection:
OS detection using TCP/IP stack fingerprinting is one of Nmap's main functions. Nmap
sends a series of TCP and UDP packets to the remote host and examines practically every bit in
the responses. After performing dozens of tests, such as TCP ISN sampling, TCP options support
and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to
its nmap-os-db database of more than a thousand known OS fingerprints and prints out the OS
details if there is a match. Each fingerprint includes a freeform textual description of the OS and
a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS
generation, and device type (general purpose, router, switch, game console, etc.).
If Nmap is unable to guess the OS of a machine, and conditions are good (e.g. at least one
open port and one closed port were found),
strengthen network security, because not only can it detect intrusion from outside, but it can
also detect inside attacks. Obviously, its own safety is vital, as it has become an important part
of every deployment.
Vulnerability evaluation plays a central role for security posture and risk management.
Vulnerability refers to flaws or weakness in a system’s design, implementation, or operation and
management that could be exploited to violate the system’s security policy. Any flaw or
weakness in an information system could be exploited to gain unauthorized access to, damage or
compromise the information system. In order to evaluate vulnerability, we need well-defined
security metrics to measure the severity level of a vulnerability based on scientific, systematic,
and quantitative approaches. Without well-defined security metrics, companies find it difficult
to compare and select between different security options accurately. Cost-benefit analysis and
ROI (return on investment) calculations are becoming standard pre-requisites for any
information security product sale or purchase.
The CVSS (Common Vulnerability Scoring System) provides a tool to quantify the
severity and risk of a vulnerability to an information asset in a computing environment. It was
designed by NIST [5] (National Institute of Standards and Technology) and a team of industry
partners. CVSS metrics for vulnerabilities are divided into three groups. Base metrics measure
the intrinsic and fundamental characteristics of vulnerabilities that do not change over time or in
different environments. Temporal metrics measure those attributes of vulnerabilities that change
over time but do not change among user environments. Environmental metrics measure those
vulnerability characteristics that are relevant and unique to a particular user's environment.
2.7 Security Configuration Settings:
CVSS: CVSS base metrics are vulnerability attributes that are constant over time and across all
implementations and environments. A formula is applied to the values of a vulnerability's base
metrics to calculate its base score. The other CVSS metrics represent vulnerability attributes
that change over time (temporal) and that are organization- and implementation-specific
(environmental). The focus of our research is the base metrics. CVSS v2 has six base metrics,
three of which relate to exploitability. Access Vector measures the exploitation range (e.g., local,
or over a network). Authentication measures whether an attacker must authenticate to a target
before exploiting the vulnerability. Access Complexity measures how hard it is to exploit the
vulnerability once the target has been accessed and any necessary authentication has been
performed.
Together, the exploitability metrics measure how readily an attacker can attempt to
exploit the vulnerability. CVSS v2 also has three metrics related to impact. Confidentiality
Impact measures the potential degree of impact to a target's confidentiality, and Integrity Impact
and Availability Impact make the same measurement for integrity and availability. The impact
metrics measure the impact that an attacker can cause to a target by exploiting the vulnerability.
Chapter 3
SVIM TOOL ARCHITECTURE
3.1 INTRODUCTION
There are some aiding tools for some phases of VM, but they can only be used separately,
in each step, to help the administrators. Current vulnerability management is generally a
manual, time-consuming job. As it is mainly based on the individual knowledge and experience
of administrators, VM is also error-prone and leads to a certain exposure of systems to attackers.
Worse, VM has to be a never-ending circular process to keep the system secure, which means
the above four steps have to be repeated whenever necessary (such as on the issue of new
vulnerabilities, installation of new software, configuration changes of systems, after a suitable
maintenance interval, etc.). The process nature of VM makes it unbearably time consuming.
Moreover, as more people and businesses turn to the web, there will be a continuous increase in
the number of systems that have to be managed (imagine an administrator in charge of 100
hosts), which makes things worse. Administrators often view their systems within the context of
their private networks, but we must begin to view the Internet as a distributed network in which
a problem in one node affects all. Poor VM by some administrators can later affect other
networks. Your network might be secure, but others that aren't can be used to send spam, attempt
a DoS attack, and cause problems that have the potential to affect us all. So every system on the
Internet should have good VM. That is difficult to achieve through current solutions. In fact,
system administrators are in general swamped by the flood of vulnerabilities and related patches
being released. Various research initiatives, including the recent survey by the Department of
Trade and Industry of the UK [3], have revealed that most breaches occur through known
vulnerabilities that are not properly fixed by administrators, which indicates that the current
manual VM solution is seriously time consuming and error-prone and should be improved. To
make things worse, more and more automated attack tools are freely and easily available from
various sources, with which crackers with little computer knowledge can scan and penetrate
hundreds of systems in a night with a cup of coffee in front of the monitor. Furthermore, the
window between the disclosure of a vulnerability and the release of exploit code, and then a
self-replicating worm, continues to shrink. How can system administrators defend themselves
against enemies with automated arms? The only answer is automated arms, too.
We combine various security tools into an efficient GUI for system owners. To analyze
the likelihood of a hacker compromising a safety system and increasing the probability of an
undetected dangerous fault, we look into some of the techniques used to gain access and
investigate them; these serve as a typical safety device. This approach collects existing source
code and preprocesses it, filtering through the dataflow of activities, to assess the existence of
these vulnerabilities in a network environment. Integrating open source applications written in
Java, we developed a Graphical User Interface tool called SVIM (Security Vulnerability
Integrated Management Tool). The proposed approach scans your network and ports to detect,
assess and correct security vulnerabilities with minimal administrative effort. As an
administrator, you otherwise have to deal separately with problems related to vulnerability
issues, patch management and network auditing. Our configuration scanner scans the PCs and
servers against CCE definitions, so administrators can determine the presence of
mis-configurations and correct them. We give you a complete picture of your network set-up
and help you to maintain a secure network state faster and more effectively. We use penetration
techniques to identify flaws and remedy them with patches. We propose an integrated automated
framework for the vulnerability management of computer systems.
3.4 SYSTEM DESIGN
With networks increasingly proliferating into virtually every aspect of our daily life,
security has gained more and more importance. Unfortunately the speed at which information
technology is advancing guarantees that there will always be a sequence of new, exploitable
security vulnerabilities, which means weaknesses in a system allowing unauthorized action.
According to the latest Symantec Internet Threat Report [1], there was an 81.5% increase
in computer vulnerabilities during 2002. Overall, some 450 new viruses and 250 new
vulnerabilities are discovered globally each month, and these require system updates and
patches. It also shows that 85% of active attacks were classified as ‘reconnaissance’ – the cyber
equivalent of a burglar checking doors and windows to see if they are locked. Only 15% of
attacks were actual exploitation attempts – the burglar entering the building. Most attackers are
looking for commonly known vulnerabilities in a network. If they fail to find them, they are
unlikely to pursue their attack; instead they will seek out an easier target. Symantec Internet
Threat Report shows that 76% of attacks over the last six-month period were opportunistic and
24% were targeted.
We can see from the above data that most attackers aim at systems with commonly known
vulnerabilities, and consequently most security incidents in computer systems arise from one or
more security vulnerabilities in target systems that are not properly fixed or patched by
administrators. Therefore vulnerability management is a very important task in the security area
for system administrators, to keep systems as resistant as possible to existing and newly
discovered attacks. However, current vulnerability management is generally a subjective, manual
process, time consuming and error-prone.
In fact, system administrators in general are swamped by the flood of security advisories,
related patches and update notifications being released. The prevalence of automated attack
tools makes the situation even worse. It should also be emphasized that the window between the
disclosure of a vulnerability and the release of exploit code, and then a self-replicating worm,
continues to shrink. So how can we defend ourselves manually against strong enemies with
automated arms? The only answer is to arm administrators with automated tools too.
SVIM performs network scans using vulnerability check databases based on OVAL and the
SANS Top 20, providing over 15,000 vulnerability assessments when your network, including
any virtual environment, is scanned. SVIM allows you to analyze the state of your network
security and take action before it is compromised. It detects machines that are vulnerable to
infection as well as identifying machines that have already been infected.
When a network scan is complete, Patch Management gives you what you need to effectively
deploy and manage patches on all machines across different Microsoft operating systems. It
automatically downloads missing security updates, and you can also automatically deploy the
missing Microsoft patches or service packs throughout your network at the end of scheduled
scans.
SVIM tells you all you need to know about your network by retrieving hardware information on
memory, processors, display adapters, storage devices, motherboard details, printers, and ports in
use. Using baseline comparisons you can check whether any hardware was added or removed
since the last scan. SVIM will identify and report unauthorized software installations and
provide alerts or even automatically uninstall unauthorized applications.
The philosophy of Vulnerability Management (VM) of computer systems is simple: start with
systems that have no known vulnerabilities and, when security vulnerabilities that affect those
systems are announced, quickly apply patches to keep the systems invulnerable. In practice,
however, VM is far more complex and daunting, and includes four main steps as depicted in
Fig. 3.5.1.
Fig. 3.5.1. Vulnerability Management Process
Effective VM starts with knowing what systems are to be managed in the management
domain (MD), which may be a host or a local network. In other words, we should set up and
maintain an accurate inventory of system information (such as the hardware type, OS version,
services running, third-party applications etc). There are two basic approaches now: manual and
automated. The manual approach depends on capable people accessing each system, gathering
the information and entering it into a database or spreadsheet. The automated approach involves
purchasing and installing software agents that gather this information. One well-known vendor
product is Tivoli Inventory [7].
3.5.2. Get Vulnerability Information
Getting the reliable, exhaustive, and up to date vulnerability information related to target
domain is prerequisite for effective VM. There are many free sources of vulnerability
information such as Bugtraq[2],CERT[4], and ICAT Metabase[5] etc. There are also some
sources of purchasable vulnerability information like Security Intelligence Alert from
SecurityFocus[2], Security Tracker[6] etc. There are no automated tools for administrators
acquire customized vulnerability information because the vulnerability advisories from different
sources are mainly ambiguous text-based description with different formats and terminologies.
According to a survey by SecurityFocus[2] system security administrators now spend an average
of 2.1 hours/day hunting for security information relevant in all kinds of security bulletins and
mailing lists.
A security patch auto-management system helps to install security patch files on clients
automatically, by downloading the patches from the MS download center based on XML,
whereas an existing patch management system needs the intervention of managers. The security
patch auto-management system is composed of the SUS service, which synchronizes updated
patch files from the MS download center; the patch management server, which manages the SUS
service, patch clients and patch files; and the patch agents, which install patch information and
patches on the clients.
SUS Service: Public software provided by MS, operated on the same server as the patch
management server. Once installed, it works as a system service, scheduled automatically in the
background. Its main function is the regular downloading of operational information, patch
information and patch files from the MS download center according to an automatic schedule [1].
Patch Management Server: This analyses the patch information and files downloaded by SUS
and creates XML-format patch information files. The XML-type patch information files include
patch information files corresponding to Internet Explorer, the operating system and other
related patch information.
Patch Agent: The patch agent analyses the kind and version of the client's operating system and
its Internet Explorer version, receives from the patch management server the XML patch
information files appropriate for the client environment, analyses which patches need to be
installed, and downloads the patch files from the patch management server to install them on
the client.
Through synchronization with the MS download center, the patch management server provides
the basic data from which the XML-type patch information is created. The Windows security
patch auto-management system based on XML allows quick application of Windows security
patches: the patch management system obtains them from the vendor's patch download center,
from which the operating system is provided, without the intervention of managers or vendors.
As a result, quick application is possible according to the points of patch announcement,
3.5.4. Fixing or Patching
Once a patch is available, some testing needs to be done before patching production systems to ensure the effectiveness and reliability of the patch. When no patch is available, workarounds should be applied to fix the vulnerability. Currently it is the system administrator's responsibility to locate the files or steps needed to update the system from the results of assessment and evaluation. Once finished, the administrator can optionally test the system for possible side effects from the update. If the administrator notices system instability, they can roll back to an earlier system state.
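As an added example, not code from the cited patch auto-management system or from the SVIM tool, the following Python models both sides of the exchange described in the previous section (the patch management server creating XML-type patch information from the synchronized patch files, and the patch agent selecting the entries that match the client's operating system and Internet Explorer version) together with the test-and-roll-back step described above. The XML element names, the sha256 attribute used to verify each download against the server's patch information, and the install/health-check/rollback hooks are assumptions of the example; the patch files and catalog are constructed stand-ins.

```python
"""Server side: create XML patch information from downloaded patch files.
Agent side: select applicable patches, verify each download, install it and
roll back when the post-install check fails.  Element names, the sha256
attribute and the hooks are assumptions of this example, not the page's design."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Constructed stand-ins for patch files the SUS service synchronized from the
# MS download center (real patch files are executables, not text).
PATCH_FILES: Dict[str, bytes] = {
    "os-example-001.exe": b"constructed OS patch payload 001",
    "ie-example-002.exe": b"constructed IE patch payload 002",
    "os-example-003.exe": b"constructed OS patch payload 003",
}

# Constructed metadata the patch management server derives from the download.
# product: "os" (operating system) or "ie" (Internet Explorer); min/max are the
# inclusive product versions the patch applies to.
PATCH_CATALOG = [
    {"id": "KB-EXAMPLE-001", "product": "os", "min": "6.1", "max": "6.1", "file": "os-example-001.exe"},
    {"id": "KB-EXAMPLE-002", "product": "ie", "min": "8.0", "max": "8.0", "file": "ie-example-002.exe"},
    {"id": "KB-EXAMPLE-003", "product": "os", "min": "5.1", "max": "5.2", "file": "os-example-003.exe"},
]


def build_patch_info_xml(catalog: List[dict], files: Dict[str, bytes]) -> str:
    """Patch management server: emit the XML-type patch information file.
    The sha256 attribute lets the agent verify what it later downloads."""
    root = ET.Element("patches")
    for entry in catalog:
        ET.SubElement(root, "patch", attrib={
            "id": entry["id"], "product": entry["product"],
            "minVersion": entry["min"], "maxVersion": entry["max"],
            "file": entry["file"],
            "sha256": hashlib.sha256(files[entry["file"]]).hexdigest(),
        })
    return ET.tostring(root, encoding="unicode")


def _ver(v: str) -> tuple:
    """Dotted version string -> comparable tuple, e.g. "6.1" -> (6, 1)."""
    return tuple(int(part) for part in v.split("."))


def select_patches(xml_text: str, client: dict) -> List[dict]:
    """Patch agent: keep only patches matching the client's OS / IE version
    that are not already installed.  client = {"versions": {...}, "installed": set()}."""
    wanted = []
    for el in ET.fromstring(xml_text).findall("patch"):
        version = client["versions"].get(el.get("product"))
        if version is None or el.get("id") in client["installed"]:
            continue
        if _ver(el.get("minVersion")) <= _ver(version) <= _ver(el.get("maxVersion")):
            wanted.append({"id": el.get("id"), "file": el.get("file"), "sha256": el.get("sha256")})
    return wanted


def apply_patches(xml_text: str, client: dict, fetch: Callable[[str], bytes],
                  install: Callable[[str, bytes], None],
                  health_check: Callable[[], bool],
                  rollback: Callable[[str], None]) -> Dict[str, str]:
    """Download, verify, install and test each selected patch; roll back on a
    failed post-install check (the test / rollback step of section 3.5.4)."""
    outcome: Dict[str, str] = {}
    for patch in select_patches(xml_text, client):
        data = fetch(patch["file"])
        digest = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(digest, patch["sha256"]):
            outcome[patch["id"]] = "rejected: digest mismatch"
            continue
        install(patch["id"], data)
        if health_check():
            client["installed"].add(patch["id"])
            outcome[patch["id"]] = "installed"
        else:
            rollback(patch["id"])
            outcome[patch["id"]] = "rolled back: post-install check failed"
    return outcome


def demo(tamper: bool = False, unstable: bool = False) -> Dict[str, str]:
    """Run the exchange for a constructed Windows 7 (NT 6.1) / IE 8 client."""
    xml_text = build_patch_info_xml(PATCH_CATALOG, PATCH_FILES)
    client = {"versions": {"os": "6.1", "ie": "8.0"}, "installed": set()}
    served = dict(PATCH_FILES)
    if tamper:  # simulate a patch file altered on the server or in transit
        served["ie-example-002.exe"] = b"tampered payload"
    installed_now: List[str] = []
    return apply_patches(
        xml_text, client,
        fetch=lambda name: served[name],
        install=lambda pid, data: installed_now.append(pid),
        # constructed health check: the first OS patch destabilizes the client
        health_check=lambda: not (unstable and installed_now[-1] == "KB-EXAMPLE-001"),
        rollback=lambda pid: installed_now.remove(pid),
    )


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
    print(demo(unstable=True))
```

The three `demo` runs show the normal case, a download that no longer matches the server's patch information (rejected before installation), and a patch whose post-install check fails (rolled back and left out of the client's installed set, so it is selected again on the next run).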
Best practices in security design today are open ended, and they are not correlated with
the end-user experience of security. Another problem is the lack of generally agreed on security
metrics, or ill-defined metrics [1]. There is an opportunity to advance the state of the art by
understanding how security design and operational practices explicitly impact end-user services.
This knowledge can then be applied to develop metrics, requirements, and models to evaluate
and optimize designs prior to implementation. Without metrics, security experts are limited in
their ability to measure compliance and manage improvement. What is not measured cannot be
effectively managed and mitigated.
Metric parameters need to be continually calibrated with test and field data to ensure that
their application throughout the design process yields realistic results and hence leads to the
appropriate design decisions. The open-ended best practices that exist today call for the
following: software patch updates, anti-virus software, firewall implementation,
password/authentication/encryption, and physical security, among others. Without security
metrics, it is very difficult to address questions quantitatively, such as: How effective are the
security strategies? Are the networks and users more secure, and by how much? What are the
implications if some of the security strategies are not implemented? What is the optimum or
most cost effective solution? What are the financial risks of offering a specific SLA that includes
DoS attacks? Security requirements must be established based on various security metrics.
A set of security requirements must be able to address the different levels of criticality of
the various services converged networks support. Security requirements must also be addressed
from the end users’, service providers’, and network operators’ perspectives of security. In this
article the discussion on security requirements and metrics will focus on the end user’s
perspective. As a result, the authors have developed a basic design for security modeling
methodology intended to mitigate the risk of security-related attacks, including DoS-caused
outages. By quantitatively assessing the potential risks caused by end-to-end service security
vulnerability at the early design stage, security design and deployment strategies can be
optimized to mitigate risks at reasonable costs.
The methodology has its greatest leverage when applied at the initial system-level design
stage where system architecture, functional partitioning, technology selection, and critical system
features are defined. At this stage it contributes to ensuring that the design is capable of meeting
security requirements; after that it is simply a quality of implementation problem. For example,
to decide if a particular security design strategy is sufficient and which strategy is optimal, a
quantitative metric-based approach and tool are used to quantify the impact on end-to-end
security-vulnerability-caused downtime for the proposed system-level design. Compliance/non-compliance,
major design-related contributors, and design sensitivity related analysis can
therefore be done. The model becomes the focal point to investigate options and to aid designers
in making informed data-driven decisions.
Penetration Testing [35] (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat attacks. Pen test strategies include the following:
Targeted Testing: Targeted testing is performed by the organization's IT team and the
penetration testing team working together. It's sometimes referred to as a "lights-turned-on"
approach because everyone can see the test being carried out.
External Testing: This type of pen test targets a company's externally visible servers or devices
including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is
to find out if an outside attacker can get in and how far they can get in once they've gained
access.
Internal Testing: This test mimics an inside attack behind the firewall by an authorized user
with standard access privileges. This kind of test is useful for estimating how much damage a
disgruntled employee could cause.
Blind Testing: A blind test strategy simulates the actions and procedures of a real attacker by
severely limiting the information given to the person or team that's performing the test
beforehand. Typically, they may only be given the name of the company. Because this type of
test can require a considerable amount of time for reconnaissance, it can be expensive.
Double Blind Testing: Double blind testing takes the blind test and carries it a step further. In
this type of pen test, only one or two people within the organization might be aware a test is
being conducted. Double-blind tests can be useful for testing an organization's security
monitoring and incident identification as well as its response procedures.
3.6 SECURITY VULNERABILITY MODELING OVERVIEW
The security vulnerability modeling approach proceeds as follows. The first step, network vulnerability analysis, is ideally done at the earliest possible stage of design. It is performed on the target network design using a design walk-through approach to ensure that for every attack type and target there is a security design strategy. To conduct this security vulnerability analysis and assessment, the following must be completed:
1. Determine all possible types of security attacks (e.g., MAC table overflow, broadcast storm, etc.) and review the security design strategies intended to address them.
2. Analyze the attacks one at a time and evaluate the ability of the security design strategies to prevent or mitigate each attack.
3. For each attack determine the failure mode, impact on service, corrective actions taken by the design, and the final recovery state.
4. Prioritize each result based on the level of risk and the criticality of the service impacted.
The results of this analysis are used to build a model which describes the network design failure mode states. The transition rates between the states are the attack, recovery, and repair rates of the design, and associated design parameters such as security feature coverage. The latter measures the ability of a security feature to successfully detect and mitigate an attack as per design intent. The model quantifies the vulnerability analysis in terms of customer downtime metrics based on both design and operational parameters. The model can therefore be used to investigate design options and the sensitivity of customer downtime to high-risk parameters. The results from security vulnerability and field data analysis become the inputs to the security downtime model. Critical to the accuracy of the model is the ongoing collection and analysis of field and test data. The information is stored in a centralized database. The data include the frequency of security attacks, time to restore services, and security design effectiveness parameters.
Some engineering rules and assumptions must also be made. An ongoing validation process should be in place to ensure that the data are kept up to date. The validation process also ensures that the data are reasonable to apply to a particular network and the supporting services. The security vulnerability model and the database make up the integrated security vulnerability quantification tool. The vulnerability model, which is the core part of the tool, is discussed in the following section. Rather than requiring custom modeling for each network design, we envision a generic tool that allows the user to design any network, and the tool will automatically generate the security Markov models.
Our proof-of-concept approach and tool has been applied to a multiservice enterprise network, and the tool allows the user some design flexibility. The model can calculate many security-related dependability metrics, such as service downtime, service disruption frequency, and security-attack maintenance actions. In this article one particular metric, service downtime (minutes per year), is used to illustrate the modeling approach.
rather than model design. The sample model comprises seven fundamental state types and the associated transitions between the states.
1. Normal operating state: The network is functioning as specified without any security vulnerability or failure.
2. Auto-recovering state: The network is automatically recovering in response to an attack. Depending on the duration and function being affected, the impact could be a service-affecting outage, a service-affecting failure, or only a recorded event that has no impact on service.
3. Detected vulnerability state: The network has detected a security vulnerability that puts the system in a vulnerable state. The system is at a reduced level of protection against security threats compared with the normal operating state. However, the incident has been detected, and the system has been alarmed such that the recovery action can be taken to return the system to the normal operating state (state 1).
4. Undetected vulnerability state: This state is similar to state 3 with the exception that this state is undetected, but it is detectable via a routine system check (e.g., routine exercise test).
5. Undetectable vulnerability state: This state is similar to state 4 with the exception that this state is undetectable by the routine system check.
6. Detected outage state (requiring repair action): The network is in an outage state that has been alarmed and requires a repair action to return it to the normal state.
7. Undetected outage state (requiring repair action): The network is in an outage state that has not been alarmed by the network but requires a repair action to return it to the normal state. Detection is via customer complaints that initiate investigative action followed by repair action.
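The seven-state model above, with the transition-rate and coverage parameters described in section 3.6, as an added Python example that is not the article's or the thesis's own tool: it builds the generator matrix of a continuous-time Markov chain over the seven states, solves for the steady-state probabilities, and reports service downtime in minutes per year together with its sensitivity to security feature coverage. All rates are constructed for illustration, and the particular set of transitions (for instance, that an undetected outage becomes a detected outage once a customer complaint triggers investigation) is an assumption drawn from the state descriptions, not the article's actual model.

```python
"""Continuous-time Markov model of the seven network failure-mode states.
Transitions and rates are constructed for illustration; they are not the
article's model or field data."""
from typing import Dict, List, Tuple

# State indices, following the seven state types listed in the text
NORMAL, AUTO_REC, DET_VULN, UNDET_VULN, UNDETECTABLE_VULN, DET_OUTAGE, UNDET_OUTAGE = range(7)
STATE_NAMES = ["normal", "auto-recovering", "detected vulnerability",
               "undetected vulnerability", "undetectable vulnerability",
               "detected outage", "undetected outage"]
MINUTES_PER_YEAR = 365 * 24 * 60


def build_generator(params: Dict[str, float]) -> List[List[float]]:
    """Generator matrix Q (rates per hour) from design and operational parameters."""
    attack = params["attack_rate"]        # attacks reaching the network, per hour
    cov = params["coverage"]              # security feature coverage: share auto-mitigated
    p_alarm = params["p_alarmed"]         # uncovered attack is alarmed -> detected vulnerability
    p_checkable = params["p_checkable"]   # unalarmed vulnerability is findable by a routine check
    exploit = params["exploit_rate"]      # rate at which a vulnerable state degrades to an outage
    q = [[0.0] * 7 for _ in range(7)]

    def add(src: int, dst: int, rate: float) -> None:
        q[src][dst] += rate

    add(NORMAL, AUTO_REC, attack * cov)                      # covered attack: auto-recovery
    uncovered = attack * (1 - cov)
    add(NORMAL, DET_VULN, uncovered * p_alarm)               # alarmed: state 3
    add(NORMAL, UNDET_VULN, uncovered * (1 - p_alarm) * p_checkable)          # state 4
    add(NORMAL, UNDETECTABLE_VULN, uncovered * (1 - p_alarm) * (1 - p_checkable))  # state 5
    add(AUTO_REC, NORMAL, params["auto_recovery_rate"])
    add(DET_VULN, NORMAL, params["recovery_rate"])           # recovery action after alarm
    add(DET_VULN, DET_OUTAGE, exploit)
    add(UNDET_VULN, DET_VULN, params["routine_check_rate"])  # routine check finds it
    add(UNDET_VULN, UNDET_OUTAGE, exploit)
    add(UNDETECTABLE_VULN, UNDET_OUTAGE, exploit)
    add(DET_OUTAGE, NORMAL, params["repair_rate"])           # repair action
    add(UNDET_OUTAGE, DET_OUTAGE, params["complaint_rate"])  # customer complaint -> investigation
    for i in range(7):                                       # rows of a generator sum to zero
        q[i][i] = -sum(q[i][j] for j in range(7) if j != i)
    return q


def steady_state(q: List[List[float]]) -> List[float]:
    """Solve pi Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination (no numpy needed)."""
    n = len(q)
    # Row i is the balance equation of state i: sum_j pi_j * q[j][i] = 0.
    a = [[q[j][i] for j in range(n)] + [0.0] for i in range(n)]
    # The balance equations are linearly dependent; replace one with sum(pi) = 1.
    a[n - 1] = [1.0] * n + [1.0]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]


def downtime_minutes_per_year(params: Dict[str, float]) -> Tuple[float, List[float]]:
    """Service downtime metric: outage states plus the service-affecting share of
    auto-recovery events (state 2 may or may not affect service), in minutes per year."""
    pi = steady_state(build_generator(params))
    unavailable = (pi[DET_OUTAGE] + pi[UNDET_OUTAGE]
                   + params["auto_rec_service_affecting"] * pi[AUTO_REC])
    return unavailable * MINUTES_PER_YEAR, pi


# Constructed example parameters (per hour), not field data
BASELINE: Dict[str, float] = {
    "attack_rate": 0.05, "coverage": 0.9, "p_alarmed": 0.8, "p_checkable": 0.7,
    "exploit_rate": 0.02, "auto_recovery_rate": 60.0, "recovery_rate": 0.5,
    "routine_check_rate": 1 / 168, "repair_rate": 0.25, "complaint_rate": 0.1,
    "auto_rec_service_affecting": 0.3,
}


def coverage_sensitivity(coverages: List[float]) -> Dict[float, float]:
    """Design sensitivity: downtime as a function of security feature coverage."""
    return {c: downtime_minutes_per_year(dict(BASELINE, coverage=c))[0] for c in coverages}


if __name__ == "__main__":
    minutes, pi = downtime_minutes_per_year(BASELINE)
    for name, p in zip(STATE_NAMES, pi):
        print(f"{name:28s} {p:.6f}")
    print(f"service downtime: {minutes:.1f} min/year")
    for c, m in coverage_sensitivity([0.5, 0.7, 0.9, 0.99]).items():
        print(f"coverage {c:.2f}: {m:.1f} min/year")
```

Running the block prints the state probabilities and the downtime for the constructed parameters; the coverage sweep is the kind of design-sensitivity analysis the section describes, and replacing the constructed rates with field data (attack frequency, time to restore service, measured feature coverage) is the calibration step the section calls for.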
Chapter 4
DESIGN & IMPLEMENTATION DETAILS
4.1 INTRODUCTION
The “Software Vulnerability Scanner” is a vulnerability scanner based on the NIST standard that scans end-user systems. The scanner scans the end points in a LAN environment. The project is based on a client/server environment. The administrator has complete control over the systems in the LAN environment and can control the other systems by using his exceptional rights to access them. But when the systems have vulnerabilities, those can be used by attackers to compromise the systems. The attackers may then become administrators: they can steal data or cause malfunctions using the administrator privileges. Vulnerabilities in the systems can be a disaster for the systems and for information security in any organization, for example by crashing systems abruptly; these vulnerabilities are a backdoor for the attacker to compromise the system.
To reduce risk in system software, we need to patch the systems, reduce the vulnerabilities while developing the software, or protect the vulnerabilities from attackers, so that the systems are safe from attackers. System software vulnerabilities are exploited as time progresses, and the number of vulnerabilities in a system also increases over time. Software vendors produce software patches for the vulnerabilities in their products. The vulnerability scanner needs administrator privileges to perform vulnerability scanning using the Windows registry. The client software has to be installed on the client system before scanning, and the server then has access to perform the scanning through the client software.
4.2 Object Oriented Analysis and Design through Unified Modeling Language
4.2.3 Goal of UML:
The primary goals in the design of the UML were:
Provide users with a ready-to-use, expressive visual modeling language so they can
develop and exchange meaningful models.
Provide extensibility and specialization mechanisms to extend the core concepts.
Be independent of particular programming languages and development processes.
Provide a formal basis for understanding the modeling language.
Encourage the growth of the OO tools market.
Support higher-level development concepts such as collaborations, frameworks, patterns
and components.
Integrate best practices.
4.2.3.1. Uses of UML
The UML is intended primarily for software intensive systems. It has been used
effectively for such domain as
1. Enterprise Information System
2. Banking and Financial Services
3. Telecommunications
4. Transportation
5. Defense/Aerospace
6. Retail
7. Medical Electronics
8. Scientific Fields
9. Distributed Web
4.2.3.2. Rules of UML
The UML has semantic rules for
NAMES: What to call things, relationships and diagrams.
SCOPE: The context that gives specific meaning to a name.
VISIBILITY: How those names can be seen and used by others.
INTEGRITY: How things properly and consistently relate to one another.
EXECUTION: What it means to run or simulate a dynamic model.
4.2.3.3. Building blocks of UML
The vocabulary of the UML encompasses 3 kinds of building blocks
1. Things
2. Relationships
3. Diagrams
4.2.3.4 Things:
Things are the data abstractions that are first class citizens in a model. Things are of 4 types
Structural Things
Behavioral Things
Grouping Things
Annotational Things
4.2.3.5 Relationships:
Relationships tie the things together. Relationships in the UML are
Dependency
Association
Generalization
Specialization
4.2.3.6 Diagrams:
Diagrams in the UML are of 2 types
Static Diagrams
Dynamic Diagrams
Static diagrams consist of
Class Diagram
Object Diagram
Component Diagram
Deployment Diagram
Dynamic diagrams consist of
1. Sequence Diagram
2. Use case Diagram
3. State chart Diagram
4. Activity Diagram
4.3. UML Diagrams:
A class diagram is a special kind of diagram and shares the same properties as all other diagrams, but it differs from all other diagrams in its contents.
CONTENTS:
Classes
Interfaces
Collaborations
Dependency, generalization and association relationships.
CLASSES:
A class is a description of a set of objects that share the same attributes, operations, relationships and semantics. A class implements one or more interfaces. Graphically, a class is rendered as a rectangle, usually including its name, attributes and operations.
INTERFACES:
COLLABORATION:
Collaboration defines an interaction and is a society of roles and other elements that work together to provide some cooperative behavior, so collaborations have structural as well as behavioral dimensions. These collaborations represent the implementation of patterns that make up a system. Graphically, a collaboration is rendered as an ellipse with dashed lines, usually including only its name.
DEPENDENCY:
Dependency is a semantic relationship between two things in which a change to one thing may
affect the semantics of the other thing. Graphically, a dependency is rendered as a dashed line,
possibly directed, and occasionally including a label.
GENERALIZATION:
A generalization is a specialization / generalization relationship in which objects of the
specialized element (child) are substitutable for objects of the generalized element (parent). In
this way, the child shares the structure and the behavior of the parent. Graphically, a
generalization relationship is rendered as a solid line with a hollow arrowhead pointing to the
parent.
ASSOCIATION:
An association is a structural relationship that describes a set of links, a link being a connection
among objects. Aggregation is a special kind of association, representing a structural relationship
between a whole and its parts. Graphically, an association is rendered as a solid line, possibly
directed, occasionally including a label.
4.3.1 USE CASE DIAGRAM:
A use case diagram is a behavioral diagram defined by and created from a use-case analysis. Its purpose is to present a graphical overview of the functionality provided by a system in terms of actors, their goals represented as use cases, and dependencies between those use cases. The main purpose of a use case diagram is to show what system functions are performed for which actor. The roles of the actors in the system can be depicted.
Snap 1:
[Use case diagram "Security Manager": actor Administrator (Owner); use case Attach Remedy]
Fig 4.3.1: Use Case Diagram for Software Vulnerability Integrated Management (SVIM)
The flow of activities shows the vulnerability assessment and the remedy solutions for the affected systems. The figure represents the use case for verifying the system patch on the target system where the bug occurred.
4.3.2 CLASS DIAGRAM:
A class diagram is a static structure diagram that describes the structure of a system by showing the system's classes, their attributes, and the relationships between the classes. In the conceptual design of a system, a number of classes are identified and grouped together in a class diagram, which helps to determine the static relations between those objects. The classes of the conceptual design are often split into a number of subclasses.
Snap 2:
[Class diagram "Security Vulnerability Management". Classes shown: Host (<<type>>), ScanSystem (<<typedef>>, from java::lang), Patch Mngt, Remedy, Administrator, and the Vulnerability <<interface>>. Members shown for Host/ScanSystem/Patch Mngt/Remedy: CheckHost : Number <<exception>>, Host Name : Character, FindTrue : Boolean, MAC ID : Character, FindFalse : Boolean, HostId, IpAddress : Integer, NHost() : Constructor, Patch(), getHost() : Constructor, Scan() : Constructor, getId() : Method. Administrator: AdminName : Character, LocalID : Character, Scan() : Method, FindHost() : Method, FindPort() : Method, Find VM() : Method, Remedy() : Constructor. Vulnerability: LoopHole : Array, Host Id : Host, Ip Address : Integer]
Fig 4.3.2: Class Diagram for Software Vulnerability Integrated Management (SVIM)
4.3.3 WORK FLOW DIAGRAM:
Workflow may be seen as any abstraction of real work, segregated into work shares, work splits or other types of ordering. A workflow is a model that represents real work for further assessment, e.g., for describing a reliably repeatable sequence of operations.
Snap 3:
[Sequence diagram "WorkFlow": messages Checking Host, ACK, Scan Vulnerabilities, Vulnerabilities List, Patch Management, <<create>> Remedies]
Fig 4.3.3: Work Flow Diagram for Software Vulnerability Integrated Management (SVIM)
Chapter 5
RESULTS & DISCUSSIONS
5.1 INTRODUCTION
The tool was first assessed with a set of reasonably short programs with vulnerabilities created for this purpose. The tool detected all vulnerabilities in a LAN environment. This assessment showed that the tool can indeed find the vulnerabilities that we are interested in: network information, host availability, etc. The results show a large number of bugs with CVE-2010 and CPE identifiers. The remedies can be applied through the patch management system; penetration testing is used to find the vulnerabilities. They were not only intrusions but also overflows, underflows and signedness problems.
5.2 SVIM Tool Results & Discussions:
SCREEN SHOT 1:
Figure 5.2.1:
As the figure shows, the tool primarily scans the local system details: host name, IP address and network information. It checks which ports in the range 0-65535 are available within the LAN environment.
SCREEN SHOT 2:
Figure 5.2.2:
As the figure shows, when the “Existing Vulnerabilities” button of the SVIM tool is pressed, the list of vulnerabilities that already exist is displayed in a table, obtained from the Microsoft Download Center. We attach the OVAL interpreter and display the system inventory details.
SCREEN SHOT 3:
Figure 5.2.3:
As the figure shows, in the SVIM tool we attach the OVAL interpreter and display the system inventory details.
SCREEN SHOT 4:
Figure 5.2.4:
As the figure shows, the Patch Management System tab of the SVIM tool uploads the XML of the existing system patches; the OVAL interpreter performs the actions and displays the list of patches that are attached to the existing Windows operating system, and the results are shown when the actions are executed.
SCREEN SHOT 5:
Figure 5.2.5:
As the figure shows, in the SVIM tool the client systems are generated with an action, and we find which operating system each client system is running; the result is shown in the workflow tabbed pane.
SCREEN SHOT 6:
Figure 5.2.6:
As the figure shows, in the SVIM tool we can store all the log information in a directory where it can be accessed for future use. Configuration of the system information is also completed; the file menus were created and the actions implemented.
SCREEN SHOT 7:
Figure 5.2.7:
As the figure shows, the Help tab of the SVIM tool displays the list of contents (manual) and information regarding the tool.
The SVIM tool scans the LAN-connected systems and checks for every single vulnerability. This assessment showed that the tool can indeed find the vulnerabilities that we are interested in. It was then run against the code of 5 open source projects. The results are displayed in Fig 5.
The results show a large number of bugs with CVE-2010 and CPE identifiers. They were not only intrusions but also overflows and underflows. The vulnerabilities flagged by the tool were common vulnerabilities. Manual analysis of each of these vulnerabilities has shown that they are not really vulnerabilities: there is indeed input data that is propagated to integer manipulation bugs and then to dangerous calls, but the logic of the program in patch management prevents these bugs from being attackable.
The security vulnerability manager has been implemented in a reference network environment on a Windows 7 platform and provides a proof of concept for the ideas presented in the system infrastructure. The main program includes network visualization, network information, a vulnerability scanner, a network traffic monitoring tool and bandwidth visualization.
After finding the vulnerabilities of the individual hosts in the network, the administrator can attach the patch to the affected client. We mitigate up to 65% of vulnerabilities with this existing system implementation. We summarize the results of applying the tool to more than 5 open source applications with a total of more than 1.2 million lines of code. This paper describes the SVIM architecture and the results obtained through experiments.
SVIM Tool offers an easy-to-use and quality-effective security scanning service for businesses
and organizations of all sizes. It
https://sourceforge.net/apps/trac/sourceforge/attachment/ticket/11919/SVIM%20Tool.rar
Chapter 6
CONCLUSION
6.1 CONCLUSIONS
With the Security Vulnerability Integrated Management Tool, in order to strengthen the security level of the interconnected system or network, security equipment, a security policy and a higher skill level of the security administrator are needed.
BIBLIOGRAPHY
[21] Martin, R.A.; "Integrating your information security vulnerability management capabilities through industry standards (CVE & OVAL)," IEEE International Conference on Systems, Man and Cybernetics, 2003, vol. 2, pp. 1528-1533.
[22] Tian, H.T.; Huang, L.S.; Zhou, Z.; Luo, Y.L.; "Arm up administrators: automated vulnerability management," Proceedings of the 7th International Symposium on Parallel Architectures, Algorithms and Networks, 2004, DOI: 10.1109/ISPAN.2004.1300542.
[23] Anil Sharma; Martin, J.R.; Anand, N.; Cukier, M.; Sanders, W.H.; "Ferret: a host vulnerability checking tool," Proceedings of the 10th IEEE Pacific Rim International Symposium on Dependable Computing, 2004, DOI: 10.1109/PRDC.2004.1276595.
[24] Karppinen, K.; Lindvall, M.; Yonkwa, L.; "Detecting Security Vulnerabilities with Software Architecture Analysis Tools," IEEE International Conference on Software Testing Verification and Validation Workshop (ICSTW'08), 2008, DOI: 10.1109/ICSTW.2008.14.
[25] Xiangqun Qiu; Paterson, R.; "An innovative network security vulnerability modeling method and tool," IEEE Communications Magazine, vol. 48, issue 1.
[26] Ju An Wang; Linfeng Zhou; Minzhe Guo; Hao Wang; Camargo, J.; "Measuring Similarity for Security Vulnerabilities," 43rd Hawaii International Conference on System Sciences (HICSS), 2010, DOI: 10.1109/HICSS.2010.269.
[27] Jinyoo Kim; Malaiya, Y.K.; Ray, I.; "Vulnerability Discovery in Multi-Version Software Systems," 10th IEEE High Assurance Systems Engineering Symposium (HASE '07), 2007, DOI: 10.1109/HASE.2007.55.
[28] Wei Pan; Weihua Li; "Reverse Analysis and Vulnerability Detection for Network System Software," IEEE International Symposium on Parallel and Distributed Processing with Applications, 2009, DOI: 10.1109/ISPA.2009.73.
[29] Moohun Lee; Sunghoon Cho; Changbok Jang; Heeyong Park; Euiin Choi; "A Rule-based Security Auditing Tool for Software Vulnerability Detection," International Conference on Hybrid Information Technology (ICHIT'06), 2006, vol. 2, DOI: 10.1109/ICHIT.2006.253653.
[30] McGraw, G.; "Testing for security during development: why we should scrap penetrate-and-patch," IEEE Aerospace and Electronic Systems Magazine, vol. 13, issue 4, 1998, DOI: 10.1109/62.666831.
[31] Rasheed, H.; Chow, R.Y.C.; "Automated Risk Assessment for Sources and Targets of Vulnerability Exploitation," WRI World Congress on Computer Science and Information Engineering, 2009, vol. 1, DOI: 10.1109/CSIE.2009.947.
[32] Duanyang Zhao; Furnell, S.M.; Al-Ayed, A.; "The Research on a Patch Management System for Enterprise Vulnerability Update," WASE International Conference on Information Engineering (ICIE '09), 2009, vol. 2, DOI: 10.1109/ICIE.2009.233.
[33] Jung-jin Park; Jin-sub Park; Jeong-gi Lee; Bong-hoi Kim; Geum-boon Lee; Beom-joon Cho; "Windows Security Patch Auto-Management System Based on XML," 9th International Conference on Advanced Communication Technology, 2007, vol. 1, DOI: 10.1109/ICACT.2007.358382.
[34] Ching-Huang Lin; Chih-Hao Chen; Chi-Sung Laih; "A Study and Implementation of Vulnerability Assessment and Misconfiguration Detection," IEEE Asia-Pacific Services Computing Conference (APSCC '08), 2008, DOI: 10.1109/APSCC.2008.212.