
    Cross-Site Scripting (XSS) Detection Integrating Evidences in Multiple Stages

    As Cross-Site Scripting (XSS) remains one of the top web security risks, people keep exploring ways to detect such attacks efficiently. So far, existing solutions focus only on the payload of a web request or of a response, i.e. on a single stage of a web transaction. This work proposes a new approach that integrates evidence from both a web request and its response in order to better characterize XSS attacks and separate them from normal web transactions. We first collect complete payloads of XSS and normal web transactions from two databases and extract features from them using the Word2vec technique. Next, we train two Gaussian mixture models (GMMs) on these features, one for XSS transactions and one for normal web transactions. Given a new web transaction, the two models produce two probability scores that indicate how similar the transaction is to XSS traffic and to normal traffic respectively. Finally, we combine these two probabilities in the classification step to further improve detection accuracy
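The scoring idea in the abstract, as an added example written for this page rather than the authors' implementation: features are extracted from the request stage and the response stage of one transaction, a class-conditional density is fitted for the XSS class and for the normal class, and the two log-likelihood ratios are summed (equal priors assumed) into a single decision. Two simplifications, both assumptions of this example: hand-made lexical features replace the paper's Word2vec features, and each GMM is reduced to a single diagonal Gaussian (a one-component mixture) fitted in closed form, so the code needs only the standard library. The token list, the variance floor and every training transaction are constructed.

```python
"""Request+response evidence for XSS: per-stage and combined likelihood ratios."""
import math
from urllib.parse import unquote_plus

# Markup fragments that commonly carry XSS payloads (assumed token list).
XSS_TOKENS = ("<script", "<img", "<svg", "onerror", "onload", "javascript:", "alert(")
MARKUP_PUNCT = set('<>"\'()')
VAR_FLOOR = 0.1  # smoothing so a constant feature cannot yield zero variance


def stage_features(text: str) -> list:
    """Two lexical features for one stage (a request or a response)."""
    n = max(len(text), 1)
    low = text.lower()
    return [
        sum(low.count(t) for t in XSS_TOKENS) / n * 100,  # payload tokens per 100 chars
        sum(c in MARKUP_PUNCT for c in text) / n,          # share of markup punctuation
    ]


def transaction_features(request: str, response: str) -> list:
    """Feature vector = request-stage features followed by response-stage features."""
    return stage_features(unquote_plus(request)) + stage_features(response)


class DiagGaussian:
    """Class-conditional density over the feature vector (a one-component GMM)."""

    def __init__(self, rows):
        n, d = len(rows), len(rows[0])
        self.mu = [sum(r[j] for r in rows) / n for j in range(d)]
        self.var = [sum((r[j] - self.mu[j]) ** 2 for r in rows) / n + VAR_FLOOR
                    for j in range(d)]

    def log_pdf(self, x, dims):
        """Log density restricted to the feature indices in `dims`."""
        return sum(-0.5 * (math.log(2 * math.pi * self.var[j])
                           + (x[j] - self.mu[j]) ** 2 / self.var[j]) for j in dims)


# Constructed training transactions: (request query string, HTML response body).
XSS_SAMPLES = [
    ("q=<script>alert(1)</script>", "<p>Results for <script>alert(1)</script></p>"),
    ("name=<img src=x onerror=alert(1)>", "<h1>Hello <img src=x onerror=alert(1)></h1>"),
    ("q=%3Csvg%20onload%3Dalert%281%29%3E", "<div><svg onload=alert(1)></div>"),
    ('comment=<a href="javascript:alert(1)">x</a>', '<li><a href="javascript:alert(1)">x</a></li>'),
]
NORMAL_SAMPLES = [
    ("q=laptop+bag", "<p>Results for laptop bag</p>"),
    ("name=Alice", "<h1>Hello Alice</h1>"),
    ("q=best+price+%3C+100", "<div>best price &lt; 100</div>"),
    ("comment=nice+post", "<li>nice post</li>"),
]

XSS_MODEL = DiagGaussian([transaction_features(*t) for t in XSS_SAMPLES])
NORMAL_MODEL = DiagGaussian([transaction_features(*t) for t in NORMAL_SAMPLES])
REQUEST_DIMS, RESPONSE_DIMS = (0, 1), (2, 3)


def score(request: str, response: str) -> dict:
    """Log-likelihood ratios log p(x|xss) - log p(x|normal), per stage and combined.
    Positive means 'looks like XSS'.  The combination is the sum of the two stage
    ratios, i.e. the product of the two class-conditional likelihoods (equal priors)."""
    x = transaction_features(request, response)
    llr = {name: XSS_MODEL.log_pdf(x, dims) - NORMAL_MODEL.log_pdf(x, dims)
           for name, dims in (("request", REQUEST_DIMS), ("response", RESPONSE_DIMS))}
    llr["combined"] = llr["request"] + llr["response"]
    return llr


def classify(request: str, response: str) -> str:
    return "xss" if score(request, response)["combined"] > 0 else "normal"


if __name__ == "__main__":
    for req, resp in [
        ("q=<script>alert(document.cookie)</script>",
         "<p>No results for <script>alert(document.cookie)</script></p>"),
        ("q=cheap+flights", "<p>Results for cheap flights</p>"),
    ]:
        print(classify(req, resp), {k: round(v, 1) for k, v in score(req, resp).items()})
```

The per-stage ratios are returned separately so that a transaction whose request looks hostile but whose response shows no reflected markup can be inspected rather than decided on the request alone, which is the gap the abstract points at in request-only detectors.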

    MS IPTV audit collection services

    Master's thesis in Information Security, presented at the Universidade de Lisboa through the Faculdade de Ciências, 2011. Microsoft Mediaroom Internet Protocol Television (MS IPTV), a digital television platform, took television to an entirely new dimension. MS IPTV is a system in which a digital television service is delivered to customers using the Internet Protocol (IP) over a broadband connection. With the advent of IPTV, previously unforeseen situations related to television security began to appear, since the infrastructure gained complexity and exposure to a range of new risks. For this reason, security in an MS IPTV infrastructure is not just another feature but a necessity; nowadays it is mandatory to sharpen one's wits to stay a step ahead of attackers, who are always waiting for a breach to compromise the systems. An MS IPTV infrastructure stores, by default, data about user and system behaviour in its logs, but this information only becomes relevant if it can be queried and analysed to provide a high-level understanding of the different patterns occurring on the servers or in user behaviour. This task requires powerful data parsing techniques, since MS IPTV is able to generate close to one terabyte of logs per day. This thesis presents an approach that combines data parsing techniques to analyse the relevant logs of an MS IPTV infrastructure, with the main objective of increasing security by investigating what additional information can be extracted from the server log files of an MS IPTV platform, and in particular whether it is possible to determine, from log analysis alone, what types of attacks are being perpetrated against the infrastructure.

Since the focus of this thesis is diagnosis, we propose an approach for discovering attacks in which the application logs are scanned to identify coherent groups of occurrences, which we call patterns, that are likely to constitute attacks. Our tests showed that the approach achieves good results in discovering potential attacks. The results have the additional advantage that they can be integrated into the monitoring tool used by the systems operations teams of Portugal Telecom, System Center Operations Manager (SCOM), which is an advantage over other monitoring and log management systems

    Proposing to use artificial neural Networks for NoSQL attack detection

    [EN] Relational databases have enjoyed a certain boom in the software world until now. These days, with the rise of modern applications and the production of unstructured data, traditional databases no longer fully meet the needs of all systems. NoSQL databases have been developed to address these issues and are a good alternative, but their security aspects lag behind. Injection attacks are the most serious class of web attacks, and they are not taken seriously in NoSQL. This paper presents a neural network model for detecting NoSQL injection. The method attempts to use the best and most effective features to identify an injection. The features are divided into two categories: the first is based on the content of the request, and the second is derived from the request's meta parameters, independently of its content. To detect attack payloads, we work at the character level to obtain a maliciousness rate for user inputs. The results show that our model detects more attack payloads than models that apply a keyword-level blacklist approach
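An added example, not the paper's code, that puts the two feature families next to the query pattern they are meant to protect: a character-level "maliciousness rate" and a few meta features are computed from a JSON login body, and a vulnerable MongoDB-style lookup is shown beside its type-checked fix. The operator alphabet, the fixed decision rule that stands in for the paper's trained neural network, the tiny matcher that emulates `$ne`/`$gt`, and all request bodies are assumptions constructed for this example.

```python
"""Character-level and meta features for NoSQL injection, plus the query pattern."""
import json

# Characters that carry NoSQL operator objects ($ne, $gt, ...) or server-side
# JavaScript ($where) payloads.  The alphabet is an assumption for this example.
OPERATOR_CHARS = set('${}[]:;()=|&\'"\\')


def malicious_rate(value: str) -> float:
    """Share of characters drawn from OPERATOR_CHARS.  Ordinary names and
    passwords score near 0; injected operator syntax scores high."""
    return sum(c in OPERATOR_CHARS for c in value) / len(value) if value else 0.0


def flatten(value, depth=0):
    """Yield (text, depth) for every key and leaf of a decoded JSON body.
    Keys are included because operators such as "$gt" arrive as keys."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield (str(key), depth + 1)
            yield from flatten(child, depth + 1)
    elif isinstance(value, list):
        for child in value:
            yield from flatten(child, depth + 1)
    else:
        yield (str(value), depth)


def request_features(method: str, content_type: str, raw_body: str) -> dict:
    """Content-derived features (character level) and meta features (request
    shape, independent of what the values say)."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        body = raw_body
    items = list(flatten(body))
    texts = [t for t, _ in items]
    rates = [malicious_rate(t) for t in texts]
    return {
        "max_rate": max(rates, default=0.0),
        "mean_rate": sum(rates) / len(rates) if rates else 0.0,
        "operator_keys": sum(t.startswith("$") for t in texts),
        "is_json": content_type.startswith("application/json"),
        "is_post": method == "POST",
        "body_len": len(raw_body),
        "max_depth": max((d for _, d in items), default=0),
        "n_values": len(texts),
    }


def looks_injected(f: dict, expected_depth: int = 1) -> bool:
    """Fixed rule standing in for the trained classifier (assumption): any
    operator key, an object nested deeper than the endpoint expects, or a
    value whose character mix is mostly operator syntax."""
    return f["operator_keys"] > 0 or f["max_depth"] > expected_depth or f["max_rate"] > 0.3


def mongo_like_match(doc: dict, query: dict) -> bool:
    """Tiny emulation of MongoDB matching: plain values compare for equality,
    dict values are operator objects.  Only $ne and $gt are emulated."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    ok = value != arg
                elif op == "$gt":
                    ok = value is not None and value > arg
                else:
                    raise ValueError("operator not emulated: " + op)
                if not ok:
                    return False
        elif value != cond:
            return False
    return True


def login_vulnerable(users, body):
    """Vulnerable pattern: decoded JSON values go straight into the query, so a
    password of {"$ne": null} matches every stored password."""
    query = {"user": body["user"], "pass": body["pass"]}
    return [u["user"] for u in users if mongo_like_match(u, query)]


def login_hardened(users, body):
    """Fix: validate the value types before they reach the query."""
    user, password = body.get("user"), body.get("pass")
    if not isinstance(user, str) or not isinstance(password, str):
        raise ValueError("credentials must be strings")
    return [u["user"] for u in users if mongo_like_match(u, {"user": user, "pass": password})]


# Constructed user collection and request bodies.
USERS = [{"user": "alice", "pass": "s3cret"}, {"user": "bob", "pass": "hunter2"}]
BENIGN = '{"user": "alice", "pass": "s3cret"}'
OPERATOR = '{"user": "alice", "pass": {"$ne": null}}'
WHERE_STYLE = '{"user": "alice", "pass": "\' || \'1\'==\'1"}'

if __name__ == "__main__":
    for raw in (BENIGN, OPERATOR, WHERE_STYLE):
        f = request_features("POST", "application/json", raw)
        print(looks_injected(f), round(f["max_rate"], 2), f["operator_keys"], f["max_depth"])
    print(login_vulnerable(USERS, json.loads(OPERATOR)))  # matches alice without her password
```

The `$where`-style body carries no operator key and no extra nesting, so only the character-level rate catches it; the operator body carries a plain-looking value and is caught by the key and depth features instead, which is why the abstract keeps both feature families.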

    Experimental Penetration Testing Teaching and Learning for High School Students Using Cloud Computing

    The need for high school students trained in ICT to develop cybersecurity skills implies an understanding of security threats. Since the aim of hacking is to circumvent restrictions, the goal of this experimental course is to train students to understand hacking in order to improve security. Hacking has evolved alarmingly and shaped an undeniable black market for information, in which talented teenagers are not exempt from taking part. Although the formal teaching and learning of hacking inside high schools can be seen as miseducation, this work confronts that misunderstanding by addressing both defensive and offensive security from the perspective of penetration testing. By developing progressive challenges over an adaptive cloud environment, students can be taught hacking from a constructive perspective. A cloud-based attack surface is implemented, consisting of a set of systems prepared step by step by means of scripts. The theoretical and practical lessons are directed by a set of scaffolded, constructivist challenges. Ethics is confronted and remains present throughout the teaching and learning process. Finally, the students' results and empirical findings are analyzed and measured, demonstrating that high school students can acquire skills to protect information for the community and for themselves

    Revisiting RFC2350 20 years later: a hands-on approach to security monitoring and incident response

    Master's project report in Information Security, Universidade de Lisboa, Faculdade de Ciências, 2018. Nowadays, with the amount of information produced and exchanged at any given moment, the use of different kinds of information is fundamentally tied to an organization's main business processes: running different applications, executing custom commands on a remote computer, or installing complex applications. Any disruption of the correct behaviour of these processes can result in substantial and entirely unwanted losses for an organization, which is why organizations are investing more and more in the security of their information. Information security can be defined as the preservation of the confidentiality, integrity and availability of information; beyond protecting that information from anyone with malicious intent, its main objective is to ensure that the security incidents that affected an organization in the past do not happen again in the present or the future, or, if for some reason they do recur, that they have a much smaller impact on the infrastructure than before. With the rise of cyber criminality, new ways of infiltrating or simply disrupting businesses through their Information Technology (IT) systems (for example, by exhausting their resources) are discovered almost daily. These goals are usually achieved by implementing and monitoring a variety of security controls, generally positioned at strategic points of the organization's infrastructure so as to give the security team a global view of what is happening at any moment, and by aggregating several dedicated operational security functions into a single department: a Security Operations Center (SOC). A SOC's main goal is to detect, analyse, respond to, report on and prevent any sort of security incident. When a SOC is mentioned, it is common to imagine a spacious, state-of-the-art room full of top-of-the-range equipment and specialist engineers, although that is naturally not a requirement: a SOC is basically defined by what it does, and it can provide a variety of services to a wide set of clients, from detecting and responding to security incidents, to awareness actions that alert users to some of the risks they may be exposed to every day, to identifying, quantifying and prioritizing vulnerabilities, among others. To do so it must be properly assembled and configured, have a wide array of detection and prevention technologies and a virtual sea of cyber intelligence reporting information, and have immediate access to a set of talented IT professionals ready to mitigate any incoming security incident.

Within this work, the problems and challenges that currently exist in the information security field, and that emerged during the research and investigation phase, were first identified. Next, the main theoretical points that should serve as the basis for building and subsequently maintaining any Security Operations Center are presented and discussed. Starting with the composition of the team responsible for carrying out operations, two possible models for dividing responsibilities are presented. The different maturity phases of a SOC are then enumerated, followed by the concepts of logging (proactive and reactive logging are discussed), events, alerts (the four categories of alerts the security team will have to deal with are explained), and SIEMs and log management (what these two technologies consist of and what they are for, followed by a comparison between them). Security incident response is then addressed, through its definition and its life cycle; every phase of the life cycle is enumerated and explained, with emphasis on the tasks the security analyst must carry out in each of them. Another central point of this work is the review of RFC 2350, the standard for Computer Security Incident Response Teams (CSIRTs). This document specifies the community's best practices, and its main objective is to express the community's general expectations of CSIRTs. Since it is not possible to lay down a set of requirements applicable to every security team, it describes a number of central topics and questions in order to provide some guidance. Every member of a CSIRT's constituency needs, and has the right, to know and fully understand all of its policies and procedures; to make this possible, the CSIRT should provide a formal and detailed form template containing all that information, which can be consulted by its entire community of clients. Finally, still on the theoretical side, two documents from two reference bodies (SANS and MITRE), both related to building and maintaining Security Operations Centers, are presented.

After the theoretical part, the contribution of this work is presented: a detailed and complete guide whose main purpose is to show how to set up a Security Operations Center correctly and efficiently. It first enumerates the technologies considered essential for its correct operation (SIEM, log management, ticketing and the CSIRT) and where these and the CSIRT should be positioned within the organization's infrastructure. The phases of the construction process are then explained in detail (identification of data sources, log normalization, identification of relevant events, and implementation). Once the center is assembled and working, different ways of monitoring the infrastructure carefully and attentively are enumerated and discussed: defining alarms, building dashboards and applying threat intelligence techniques. Security incident response is then addressed by providing and explaining a generic incident response workflow that makes explicit the interactions that should exist between the different members of the CSIRT in each of the phases previously identified when defining the incident life cycle. The incident categories commonly used by the community are enumerated, and a ticketing platform designed specifically for security incident response (Request Tracker for Incident Response, RTIR) is presented and explained, including how it works in general terms, with some screenshots.

The proposed solution was then put into practice by applying the concepts presented here to a case study: building a brand new Security Operations Center for a major Portuguese company, so as to produce practical evidence of the efficiency of the proposed solution. Once assembled, several monitoring tasks were carried out, namely the specification of different alarms and the definition and creation of different dashboards that allow the security team to see what is happening in the company's infrastructure at any moment. Security incident response was then addressed by presenting and following in detail the response to a real security incident (a Cross-Site Scripting (XSS) injection), showing every interaction the security analyst should have with the ticketing platform while moving through the phases of the incident life cycle. In conclusion, the work explains how it solves the problems and challenges identified during the research phase, specifying which part of the solution addresses each point. After some final considerations, an overview of all the work carried out is given, followed by some suggestions for future work on this topic
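The two log-centred pieces above, the MS IPTV thesis (scan application logs for coherent groups of occurrences that are likely to be attacks) and the SOC guide (identify data sources, normalise logs, identify relevant events, define alarms), share one mechanical core, so one added example serves both. It is written for this page, not taken from either thesis: two constructed log formats are normalised into a common event schema, and the event stream is scanned for a pattern (a burst of authentication failures from one source inside a time window, escalated if a success from the same source follows) that is emitted as an alarm record a SIEM or monitoring tool could consume. The log layouts, field names, thresholds and every log line are assumptions.

```python
"""Normalise two log formats into one event schema, then detect a failure-burst pattern."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed formats: an application key=value log and a web access log (no timezone).
KV_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:]+) (?P<host>\S+) (?P<kv>.*)$")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_kv(line):
    m = KV_RE.match(line)
    if not m:
        return None
    kv = dict(part.split("=", 1) for part in m["kv"].split() if "=" in part)
    return {"ts": datetime.fromisoformat(m["ts"]), "source": kv.get("ip"),
            "actor": kv.get("client"), "action": "auth",
            "outcome": "fail" if kv.get("result") == "FAIL" else "ok", "origin": m["host"]}


def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    path = m["req"].split(" ")[1] if " " in m["req"] else m["req"]
    return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"), "source": m["ip"],
            "actor": None, "action": "auth" if path.startswith("/login") else "http",
            "outcome": "fail" if m["status"] in ("401", "403") else "ok", "origin": "web"}


def normalise(lines):
    """Normalisation step: every recognised line becomes one event in the common schema."""
    events = [ev for ev in (parse_kv(l) or parse_access(l) for l in lines) if ev]
    return sorted(events, key=lambda e: e["ts"])


def find_patterns(events, threshold=3, window=timedelta(seconds=60)):
    """Scan the stream for a coherent group of occurrences: at least `threshold`
    authentication failures from one source inside `window`, regardless of which
    log they came from.  A success from that source while the burst is still
    open turns the alarm into the higher-severity 'burst then success' pattern."""
    alarms, recent, open_alarm = [], defaultdict(deque), {}
    for ev in events:
        if ev["action"] != "auth":
            continue
        src, ts = ev["source"], ev["ts"]
        q = recent[src]
        if ev["outcome"] == "fail":
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if src in open_alarm:
                open_alarm[src]["count"] += 1
                open_alarm[src]["last"] = ts
            elif len(q) >= threshold:
                open_alarm[src] = {"pattern": "auth_failure_burst", "severity": "medium",
                                   "source": src, "count": len(q), "first": q[0], "last": ts}
                alarms.append(open_alarm[src])
        else:
            a = open_alarm.pop(src, None)
            if a is not None and ts - a["last"] <= window:
                a.update(pattern="auth_failure_burst_then_success", severity="high",
                         succeeded_as=ev["actor"], last=ts)
            q.clear()
    return alarms


# Constructed log lines from both sources, deliberately interleaved.
LOG_LINES = [
    "2011-03-02T10:15:01 auth-srv client=STB-0042 ip=10.0.0.5 result=FAIL reason=bad_token",
    "2011-03-02T10:15:04 auth-srv client=STB-0042 ip=10.0.0.5 result=FAIL reason=bad_token",
    '10.0.0.5 - - [02/Mar/2011:10:15:07] "POST /login HTTP/1.1" 401 0',
    "2011-03-02T10:15:09 auth-srv client=STB-0042 ip=10.0.0.5 result=FAIL reason=bad_token",
    "2011-03-02T10:15:20 auth-srv client=STB-0042 ip=10.0.0.5 result=OK",
    "2011-03-02T10:16:00 auth-srv client=STB-0101 ip=10.0.0.9 result=OK",
    '10.0.0.9 - - [02/Mar/2011:10:16:05] "GET /guide HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for alarm in find_patterns(normalise(LOG_LINES)):
        print(alarm)
```

The third failure only becomes visible as part of the burst because the web access log was mapped onto the same `source`/`action`/`outcome` fields as the application log; a detector that looked at either log alone would count two failures and stay silent.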

    Security assessment of open source third-parties applications

    Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. In this dissertation we discuss the challenges that large software vendors face when they must integrate and maintain FOSS components in their software supply chain. Each time a vulnerability is disclosed in a FOSS component, a software vendor must decide whether to update the component, patch the application itself, or do nothing because the vulnerability does not apply to the deployed version, which may be old enough not to be vulnerable. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for the applications that include them. First, we design a framework for performing security vulnerability experiments, in particular for testing known exploits for publicly disclosed vulnerabilities against different versions and software configurations. Second, we provide an automatic screening test for quickly identifying the versions of a FOSS component that are likely affected by a newly disclosed vulnerability: a novel method that scans the entire repository of a FOSS component in a matter of minutes. We show that our screening test scales to large open source projects. Finally, to facilitate the global security maintenance of a large portfolio of FOSS components, we discuss various characteristics of FOSS components and their potential impact on the security maintenance effort, and empirically identify the key drivers
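The abstract says only that the screening test scans a component's whole repository quickly; one concrete way such a test can work, added here as an illustration and not the dissertation's own tool, is to treat the lines a security fix removes as evidence of the vulnerable code and the lines it adds as evidence of the fix, then check every released version for each evidence set. Lines that appear on both sides of the diff (re-indentation, moved code) prove nothing and are dropped, and the comparison ignores whitespace so re-formatted releases still match. The unified diff, the version names and the file contents are all constructed; the C snippet in them is a textbook unbounded `strcpy` made up for the example.

```python
"""Version screening from fix-commit evidence (constructed diff and versions)."""


def _norm(line: str) -> str:
    """Whitespace-insensitive form of a source line."""
    return "".join(line.split())


def evidence_from_diff(diff: str):
    """Return (vulnerable_evidence, fixed_evidence): lines only the old side has
    and lines only the new side has, in normalised form."""
    removed, added = [], []
    for line in diff.splitlines():
        if line.startswith("--- ") or line.startswith("+++ ") or line.startswith("@@"):
            continue
        if line.startswith("-"):
            removed.append(_norm(line[1:]))
        elif line.startswith("+"):
            added.append(_norm(line[1:]))
    vulnerable = [l for l in removed if l and l not in added]
    fixed = [l for l in added if l and l not in removed]
    if not vulnerable or not fixed:
        raise ValueError("diff carries no usable evidence")
    return vulnerable, fixed


def screen(versions: dict, diff: str) -> dict:
    """Classify every release by how much of each evidence set its source contains.
    A partial match on either side is reported as inconclusive rather than guessed."""
    vulnerable, fixed = evidence_from_diff(diff)
    verdicts = {}
    for name, source in versions.items():
        present = {_norm(l) for l in source.splitlines()}
        v_hits = sum(l in present for l in vulnerable) / len(vulnerable)
        f_hits = sum(l in present for l in fixed) / len(fixed)
        if f_hits == 1.0:
            verdicts[name] = "fixed"
        elif v_hits == 1.0:
            verdicts[name] = "likely vulnerable"
        elif v_hits == 0.0 and f_hits == 0.0:
            verdicts[name] = "code absent"
        else:
            verdicts[name] = "inconclusive"
    return verdicts


# Constructed fix commit: bound the copy into a fixed-size buffer.
FIX_DIFF = """\
--- a/src/auth.c
+++ b/src/auth.c
@@ -10,6 +10,8 @@ int check_token(const char *tok)
 {
-    char buf[64];
-    strcpy(buf, tok);
-    return verify(buf);
+    char buf[64];
+    if (strlen(tok) >= sizeof buf) return -1;
+    strncpy(buf, tok, sizeof buf - 1);
+    buf[sizeof buf - 1] = '\\0';
+    return verify_checked(buf);
 }
"""

# Constructed contents of src/auth.c in five releases.
VERSIONS = {
    "1.0": "int check_token(const char *tok)\n{\n    return verify_legacy(tok);\n}\n",
    "1.2": "int check_token(const char *tok)\n{\n    char buf[64];\n"
           "    strcpy(buf, tok);\n    return verify(buf);\n}\n",
    "1.3": "int check_token(const char *tok)\n{\n\tchar buf[64];\n"
           "\tstrcpy( buf, tok );\n\treturn verify( buf );\n}\n",   # re-formatted only
    "1.4": "int check_token(const char *tok)\n{\n    char buf[64];\n"
           "    strncpy(buf, tok, sizeof buf - 1);\n    return verify(buf);\n}\n",  # half-applied
    "2.0": "int check_token(const char *tok)\n{\n    char buf[64];\n"
           "    if (strlen(tok) >= sizeof buf) return -1;\n"
           "    strncpy(buf, tok, sizeof buf - 1);\n    buf[sizeof buf - 1] = '\\0';\n"
           "    return verify_checked(buf);\n}\n",
}

if __name__ == "__main__":
    for version, verdict in screen(VERSIONS, FIX_DIFF).items():
        print(version, verdict)
```

Version 1.4 is the case the abstract's "just do nothing" decision hinges on: it neither carries the full vulnerable code nor the full fix, so the screening test hands it to a human instead of silently marking it safe.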

    INTEGRATION OF INTELLIGENCE TECHNIQUES ON THE EXECUTION OF PENETRATION TESTS (iPENTEST)

    Penetration tests (pentests) identify potential vulnerabilities in the security of computer systems through security assessment. They should also benefit from the widely recognized methodologies and recommendations in this field, such as the Penetration Testing Execution Standard (PTES). The objective of this research is to explore PTES, particularly its three initial phases (1. Pre-Engagement Interactions; 2. Intelligence Gathering; 3. Threat Modeling), and ultimately to apply intelligence techniques to the Threat Modeling phase. To achieve this, we use open-source and/or commercial tools to structure a process that makes clear how the results were reached, following an inductive research methodology. The following steps were implemented: i) critical review of the Penetration Testing Execution Standard (PTES); ii) critical review of the intelligence production process; iii) specification and classification of the contexts in which intelligence could be applied; iv) definition of a methodology to apply intelligence techniques to the specified contexts; v) application and evaluation of the proposed methodology on a real case study as a proof of concept. This research aims to develop a model grounded in intelligence techniques to be applied in the PTES Threat Modeling phase

    The importance to manage data protection in the right way: Problems and solutions

    Information and communication technology (ICT) has had a remarkable impact on society, especially on companies and organizations. The use of computers, databases, servers and other technologies has transformed the way data is stored, processed and transferred. However, because companies access and share their data over the Internet or an intranet, there is a critical need to protect that data from destructive forces and from the unwanted actions of unauthorized users. This thesis groups a set of solutions proposed, from a company's point of view, to reach the goal of "managing data protection". The work represents a set of security solutions that focus on the management of data protection, taking both the organizational and the technological side into account; it can be divided into a set of goals drawn from the needs of the research community. The thesis handles the issue of managing data protection systematically by proposing a data protection management approach, inspired by the ISO 27001 requirements, that aims to protect data from both the organizational and the technological side. An Information Security Management System (ISMS) implementing this approach is then presented. An ISMS consists of the policies, procedures, guidelines and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets; it is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives, and its goal is to minimize risk and ensure continuity by proactively limiting the impact of a security breach.

To be well prepared for the potential threats an organization may face, it is important to adopt an ISMS that helps manage the data protection process, saves time and effort, and minimizes the cost of any loss. A comprehensive framework is then designed for the security risk management of Cyber-Physical Systems (CPSs); it represents the strategy used to manage security risk and sits inside the ISMS as a security strategy. Traditional IT risk assessment methods can do the job of security risk management for a CPS; however, because of the characteristics of a CPS, it is more effective to adopt a solution broader than a single method, one that addresses the type, functionality and complexity of a CPS. There is therefore a critical need for a solution that breaks free of the restrictions of a traditional risk assessment method, and so a high-level framework is proposed that encompasses a wider set of procedures and pays great attention to the cybersecurity of these systems, which consequently leads to the safety of the physical world. In addition, another part of the work, also inside the ISMS, suggests guidelines for selecting an applicable Security Information and Event Management (SIEM) solution. It proposes an approach to support companies seeking to adopt SIEM systems in their environments, suggesting suitable answers to the preferred requirements that are believed to be valuable prerequisites for a SIEM system, and criteria for judging SIEM systems through an evaluation process composed of quantitative and qualitative methods. Unlike others, this approach is customer driven: customer needs are taken into account throughout, specifically when defining the requirements and then evaluating the suppliers' solutions.

Finally, a research activity was carried out aiming to classify web attacks at the network level, since any information about the attackers may be helpful and valuable to cyber security analysts. Using network statistical fingerprints and machine learning techniques, a two-layer classification system is designed to detect the type of web attack and the type of software used by the attackers

    Novel Techniques of Using Diversity in Software Security and Information Hiding

    Diversity is an important and valuable concept that has been adopted in many fields to reduce correlated risks and to increase survivability. In information security, diversity also helps to increase both the defense capability and the fault tolerance of information systems and communication networks, where it can be adopted from many different perspectives. This dissertation focuses mainly on two aspects of diversity: application software diversity and diversity in data interpretation. Software diversity has many advantages over a monoculture in improving system security. A number of previous works focused on using existing off-the-shelf diverse software for network protection and intrusion detection, many of which depend on an important assumption: that the diverse software used in the system is vulnerable only to different exploits. In the first work of this dissertation, we perform a systematic analysis of more than 6,000 vulnerabilities published in 2007 to evaluate the extent to which this assumption is valid. Our results show that the majority of the vulnerable application software products either do not share the same vulnerability or cannot be compromised with the same exploit code. Following this work, we propose an intrusion detection scheme that builds on two diverse programs to detect sophisticated attacks on security-critical data. Our model learns the underlying semantic correlation of the argument values in these programs and consequently gains more accurate context information than existing schemes. Through experiments, we show that such context information is effective in detecting attacks that manipulate erratic arguments, with comparable false-positive rates. Software diversity does not exist only on desktop and mainframe computers; it also exists on mobile platforms such as smartphone operating systems.

In the third work of this dissertation, we investigate applications that run on diverse mobile platforms (e.g., Android and iOS) and use them as the baseline for comparing the platforms' security architectures. Assuming that such applications need the same types of privileges to provide the same functionality on different mobile platforms, our analysis of more than 2,000 applications shows that those executing on iOS consistently ask for more permissions than their counterparts running on Android. We additionally analyze the underlying reasons and find that part of the difference in permission usage is caused by the third-party libraries used in these applications. Unlike the software diversity works, the fourth work in this dissertation focuses on diversity in data interpretation, which helps to defend against coercion attacks. We propose the Dummy-Relocatable Steganographic file system (DRSteg) to provide deniability in multi-user environments where the adversary may have multiple snapshots of the disk content. The diverse ways of interpreting the data in storage allow a data owner to surrender only some data and to attribute the unexplained changes across snapshots to dummy data, which are random bits. The level of deniability offered by our file system is configurable by the users, to balance it against the resulting performance overhead. Additionally, our design guarantees the integrity of the protected data, except where users voluntarily overwrite data under duress. This dissertation makes valuable contributions to the use of diversity in software security and information hiding. The systematic evaluation results obtained for diverse mobile and desktop software are important and useful to both the research literature and industrial organizations. The proposed intrusion detection system and steganographic file system have been implemented as prototypes, which are effective in protecting valuable user data against adversaries in various threat scenarios

    Enhancing Trust –A Unified Meta-Model for Software Security Vulnerability Analysis

    Over the last decade, a globalization of the software industry has taken place that has facilitated the sharing and reuse of code across existing project boundaries. At the same time, such global reuse introduces new challenges for the Software Engineering community, since not only the code implementation is shared across systems but also any vulnerabilities it is exposed to. Hence, vulnerabilities found in APIs no longer affect only individual projects but may spread across projects and even across the borders of global software ecosystems. Tracing such vulnerabilities on a global scale becomes an inherently difficult task, as many of the resources required for the analysis are not only growing at unprecedented rates but are also spread across heterogeneous sources. Software developers struggle to identify and locate the data required to take full advantage of these resources. The Semantic Web and its supporting technology stack have been widely promoted as a means to model, integrate and support interoperability among heterogeneous data sources. This dissertation introduces four major contributions to address these challenges: (1) It provides a literature review of the use of software vulnerability databases (SVDBs) in the Software Engineering community. (2) Based on the findings of this literature review, we present SEVONT, a Semantic Web based modeling approach that supports a formal and semi-automated way of unifying vulnerability information resources. SEVONT introduces a multi-layer knowledge model that not only provides a unified knowledge representation but also captures software vulnerability information at different abstraction levels, allowing the modeled knowledge to be seamlessly integrated, analyzed and reused. The modeling approach takes advantage of Formal Concept Analysis (FCA) to guide knowledge engineers in identifying reusable knowledge concepts and modeling them.
(3) A Security Vulnerability Analysis Framework (SV-AF) is introduced, an instantiation of the SEVONT knowledge model that supports evidence-based vulnerability detection. The framework integrates vulnerability ontologies (and data) with existing Software Engineering ontologies, allowing Semantic Web reasoning services to trace and assess the impact of security vulnerabilities across project boundaries. (4) Several case studies are presented to illustrate the applicability and flexibility of our modeling approach, demonstrating that the presented knowledge modeling approach not only unifies heterogeneous vulnerability data sources but also enables new types of vulnerability analysis
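What "reasoning services that trace impact across project boundaries" amounts to mechanically, as an added example that is not SEVONT or SV-AF and uses no RDF/OWL toolchain: a minimal subject-predicate-object store holds facts about one vulnerability, the component version it affects, the API it lives in, and which projects depend on which components or call which APIs; three forward-chaining rules are run to a fixpoint, so exposure propagates transitively through dependencies and is separated from projects that actually call the vulnerable API. The predicate names, the vulnerability label `VULN-1`, the component and project names and all facts are constructed for this example.

```python
"""Toy knowledge-graph reasoning over vulnerability and dependency facts."""


class TripleStore:
    """Minimal (subject, predicate, object) store with forward-chaining rules."""

    def __init__(self, triples=()):
        self.triples = set(triples)

    def subjects(self, predicate, obj):
        return {s for s, p, o in self.triples if p == predicate and o == obj}

    def objects(self, subject, predicate):
        return {o for s, p, o in self.triples if s == subject and p == predicate}

    def infer(self):
        """Apply the rules until no new triple appears.
        R1: affects(v, c) & dependsOn(x, c)          -> exposedTo(x, v)
        R2: exposedTo(x, v) & dependsOn(y, x)        -> exposedTo(y, v)   (transitive)
        R3: exposedTo(x, v) & vulnerableApi(v, api) & calls(x, api) -> reaches(x, v)"""
        while True:
            new = set()
            for vuln, comp in [(s, o) for s, p, o in self.triples if p == "affects"]:
                for proj in self.subjects("dependsOn", comp):
                    new.add((proj, "exposedTo", vuln))                       # R1
            for proj, vuln in [(s, o) for s, p, o in self.triples if p == "exposedTo"]:
                for dependant in self.subjects("dependsOn", proj):
                    new.add((dependant, "exposedTo", vuln))                  # R2
                for api in self.objects(vuln, "vulnerableApi"):
                    if (proj, "calls", api) in self.triples:
                        new.add((proj, "reaches", vuln))                     # R3
            fresh = new - self.triples
            if not fresh:
                return self
            self.triples |= fresh

    def impact(self, vuln):
        """Per-project status for one vulnerability after inference."""
        exposed = self.subjects("exposedTo", vuln)
        reaches = self.subjects("reaches", vuln)
        return {p: ("calls vulnerable API" if p in reaches else "exposed via dependency")
                for p in sorted(exposed)}


# Constructed facts: one vulnerability in one library version, three projects,
# one portal that only depends on a project that depends on a project.
FACTS = [
    ("VULN-1", "affects", "libfoo:1.2"),
    ("VULN-1", "vulnerableApi", "libfoo.parse"),
    ("ProjectA", "dependsOn", "libfoo:1.2"),
    ("ProjectA", "calls", "libfoo.parse"),
    ("ProjectB", "dependsOn", "ProjectA"),
    ("ProjectB", "calls", "libfoo.render"),
    ("ProjectC", "dependsOn", "libfoo:1.3"),
    ("Portal", "dependsOn", "ProjectB"),
]

if __name__ == "__main__":
    for project, status in TripleStore(FACTS).infer().impact("VULN-1").items():
        print(project, status)
```

ProjectC stays out of the result because the fact base ties the vulnerability to `libfoo:1.2` and not to `libfoo:1.3`; that version-level fact is exactly what the screening test of the previous abstract would supply.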