Introduction

HPI-VDB portal (https://hpi-vdb.de/) is the result of research work being conducted by IT-Security Engineering Team at Prof. Christoph Meinel's chair "Internet Technologies and Systems" at HPI. It is a comprehensive and up-to-date repository which contains a large number of known vulnerabilities of Software. The vulnerability information being gathered from Internet is evaluated, normalized, and centralized in the high perforance database. The textual descriptions about each vulnverability entry are grabbed from the public portals of other vulnerability databases, software vendors, as well as many relevant public webpages, etc. A well-structured data model is used to host all pieces of information which is related to the specific vulnerability entry. Thanks to the high quality data serialized in the high performance In-Memory database, many fancy services can be provided, including browsing, searching, self-diagnosis, Attack Graph (AG), etc. Additionally, we offer many types of API for IT developers to leverage our database for their development. 

Deliverable

  • Public Portal: https://hpi-vdb.de/ (more services are available after login)

Features

  • Structured representation of known vulnerabilities
  • API to programs for purpose of security analytics and others
  • Rich searching functionality using CVE-ID, CWE-ID, CPE-ID, Full text, ...
  • Addon services (login needed): exportation, self-diagnosis, Attack Graph, ...
  • Daily update to include the latest published/confirmed vulnerabilities
  • As of on Oct. 10, 2015, there are 71,920 vulnerabilities concerning about 178,480 software
  • Basic statistics, visualization, and analytics, are possible

Publications

  • F. Cheng, A. Azodi, D. Jaeger, Ch. Meinel, Multi-Core Supported High Performance Security Analytics, in the Proceeding of the 13th IEEE International Conference on Scalable Computing and Communication (ScalCom'13), Chengdu, China, December 20-22, 2013 (to appear)
  • A. Azodi, D. Jaeger, F. Cheng, Ch. Meinel, A New Approach to Building a Multi-Tier Direct Access Knowledgebase For IDS/SIEM Systems, in the Proceeding of the 11th IEEE InternationalConference on Dependable, Autonomic and Secure Computing (DASC'13), Chengdu, China, December 20-22, 2013 (to appear)
  • F. Cheng, A. Azodi, D. Jaeger, Ch. Meinel, Security Event Correlation Supported by Multi-Core Architecture, in the Proceeding of the 3rd IEEE  International Conference on IT Convergence and Security (ICITS'13), Macau, China, December16-18, 2013 (to appear)
  • A. Sapegin, D. Jaeger, A. Azodi, M. Gawron, F. Cheng, Ch. Meinel, Hierarchical Object Log Format for Normalisation of Security Events, in the Proceeding of the 9th International Conference on Information Assurance and Security (IAS'13), Tunis, Tunisia, December 04-06, 2013 (to appear) 
  • F. Cheng, S. Roschke, Ch. Meinel, An Integrated Network Scanning Tool for Attack Graph Construction, in Proceedings of the 6th International Conference on Grid and Pervasive Computing (GPC'11), Springer LNCS 6646, Oulu, Finland, May 11-13, 2011.
  • S. Roschke, F. Cheng, Ch. Meinel, Using Vulnerability Information and Attack Graphs for Intrusion Detection , in Proceedings of the 6th International Conference on Information Assurance and Security(IAS'10), IEEE Press, Atlanta, USA, August 23-25, 2010.
  • F. Cheng, S. Roschke, R. Schuppenies, Ch. Meinel, Remodeling Vulnerability Information, in Post-Proceedings (selected revised paper) of the 5th SKLOIS Conference on Information Security and Cryptology (INSCRYPT'09), Springer LNCS 6151. Beijing, China. December 12 - 15, 2009.
  • S. Roschke, F. Cheng, R. Schuppenies, Ch. Meinel, Towards Unifying Vulnerability Information for Attack Graph Construction, in Proceedings of the 12th  Information Security Conference (ISC'09), Springer LNCS 5735, Pisa, Italy, September 7 - 9, 2009.
  • Robert Schuppenies, MSc.: Automatic Extraction of Vulnerability Information for Attack Graphs, HPI Master Thesis, Mar. 2009, 

Team

  • Prof. Dr. Christoph Meinel
  • Dr. Feng Cheng
  • Marian Gawron, MSc.
  • Andrey Sapegin
  • David Jaeger, MSc.

Contact

IT-Security Engineering Team
Hasso-Plattner-Institute
Prof.-Dr.-Helmert-Str. 2-3
D-14482 Potsdam
Tel.: +49 (0) 331 / 5509-222
Fax.: +49 (0) 331 / 5509-325
Email: hpi-vdb(at)hpi.uni-potsdam.de
Web: https://hpi-vdb.de

Acknowledge

The HPI-VDB portal as well as the relevant research work are non-profit. The data and services offered by HPI-VDB.de are all free of charge and can only be used for personal and non-commercial use. We are thankful to:

  • our former team members: Robert Schuppenies and Sebastian Roschke (both now with Google Inc., in Mountain View, USA), for their exploratory work in this project;
  • HPI Master student team: Marian Gawron, Anton Gulenko, Patrick Schulze, Gary Yao, for the development of the first prototype of HPI-VDB;
  • SAP SE and HPI FutureSoC Lab for offering us the required Hardware and Software, especially, the modern HPI HANA database;
  • many other public VDBs and software vendors, e.g., NVD, OSVDB, Secunia, CERT, OVAL, SecurityFocus, Microsoft Security Bulletins, Google Security Notes, SAP Security Notes, etc.