Semantic modeling approach for software vulnerabilities data sources

Published:

Abstract: Data sources describing software security vulnerabilities are commonly used by software engineers not only to increase the security of software systems but also to enhance software productivity and reduce maintenance costs. However, with the constantly growing amount of available security vulnerability information, and with this information spread across heterogeneous resources, software developers struggle to take full advantage of these resources. The Semantic Web and its supporting technology stack have been widely promoted to support the modeling, reuse and interoperability of heterogeneous data sources. In our research we present a Semantic Web-enabled knowledge model which provides a formal and semi-automated approach for unifying vulnerability information resources. As part of this knowledge modeling approach, we also take advantage of Formal Concept Analysis (FCA) to identify vulnerability-related knowledge concepts and model them at various abstraction levels. We illustrate the applicability and flexibility of our approach through several usage examples that take advantage of our unified knowledge model and Semantic Web inference services to provide new types of vulnerability analysis.