Scoring vulnerabilities in cloud services developed by different third-party providers poses many challenges. Although a few systems exist for scoring vulnerabilities in conventional software (e.g. CVSS), most of them cannot be applied to vulnerabilities in cloud services, because they ignore factors specific to the cloud such as business context (i.e. the dependency relationships between services). VScorer, a novel security framework that scores vulnerabilities in various cloud services against given security requirements, is presented. By feeding a concrete business context and a security requirement into VScorer, a cloud provider obtains a list of the vulnerabilities in its business ranked with respect to that requirement, and can then patch the most critical vulnerabilities first. A prototype was developed, and VScorer is shown to work better than CVSS, the representative vulnerability scoring system in current use.
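The abstract leaves the actual scoring method to the paper, so the following added example (not VScorer's own code or algorithm) illustrates the idea with one simple scheme: the business context is a service dependency graph, the security requirement is the set of services the provider must keep secure, and each CVSS base score is scaled by how much of that protected set a compromise of the affected service can reach. Service names, dependencies, vulnerability identifiers and scores are all constructed for the example; the identifiers are placeholders, not CVE numbers.

```python
"""Dependency-aware vulnerability ranking: an illustration of the idea in the
abstract, not VScorer's own algorithm (the abstract does not give it).

Inputs, as the abstract describes them:
  * business context     - which service depends on which (constructed graph)
  * security requirement - the set of services the provider must keep secure
Output: vulnerabilities ranked by CVSS base score weighted with how much of
the protected set a compromise of the affected service can reach.
All service names, vulnerability ids and scores are constructed for this example.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed business context: service -> services it depends on.
# A compromise of a dependency can affect every service that (transitively)
# depends on it.
DEPENDS_ON: Dict[str, List[str]] = {
    "web-frontend": ["api-gateway"],
    "api-gateway": ["auth", "orders"],
    "orders": ["db", "queue"],
    "auth": ["db"],
    "reporting": ["db"],
    "queue": [],
    "db": [],
}

# Constructed security requirement: the order-taking path must stay secure.
PROTECTED: Set[str] = {"web-frontend", "api-gateway", "orders"}

# Constructed vulnerability inventory: (vulnerability id, affected service,
# CVSS base score). The ids are placeholders, not real CVE numbers.
VULNS: List[Tuple[str, str, float]] = [
    ("V-1", "reporting", 9.8),
    ("V-2", "db", 6.5),
    ("V-3", "queue", 7.5),
    ("V-4", "web-frontend", 8.1),
]


def dependents_of(graph: Dict[str, List[str]], service: str) -> Set[str]:
    """Services that transitively depend on `service` (BFS over the reversed graph)."""
    reverse: Dict[str, Set[str]] = {}
    for svc, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(svc)
    seen: Set[str] = set()
    queue = deque(reverse.get(service, ()))
    while queue:
        svc = queue.popleft()
        if svc in seen:
            continue
        seen.add(svc)
        queue.extend(reverse.get(svc, ()))
    return seen


def criticality(graph: Dict[str, List[str]], service: str, protected: Set[str]) -> float:
    """Fraction of the protected services a compromise of `service` can reach.

    The compromised service itself counts as reachable, so a vulnerability on
    a protected service is never weighted zero."""
    reachable = dependents_of(graph, service) | {service}
    return len(reachable & protected) / len(protected) if protected else 0.0


def rank(graph, vulns, protected, floor: float = 0.1):
    """Rank vulnerabilities by CVSS base score scaled with business criticality.

    `floor` keeps a residual weight for services outside the protected set, so
    a severe vulnerability there drops in priority but does not vanish.
    Returns (id, service, cvss, contextual score), highest first; ties fall
    back to the raw CVSS score."""
    scored = []
    for vid, svc, cvss in vulns:
        weight = floor + (1.0 - floor) * criticality(graph, svc, protected)
        scored.append((vid, svc, cvss, round(cvss * weight, 2)))
    scored.sort(key=lambda row: (-row[3], -row[2]))
    return scored


def rank_by_cvss(vulns):
    """The baseline the abstract compares against: CVSS base score alone."""
    return sorted(vulns, key=lambda v: -v[2])


if __name__ == "__main__":
    print("CVSS only   :", [v[0] for v in rank_by_cvss(VULNS)])
    print("with context:", [(r[0], r[3]) for r in rank(DEPENDS_ON, VULNS, PROTECTED)])
```

With the constructed inputs, the critical 9.8 on the isolated reporting service falls to the bottom while the medium 6.5 in the database that every protected service depends on moves to second place; that kind of re-ordering is what the abstract attributes to business context. Two caveats a practitioner should keep in mind: the ranking is only as good as the dependency inventory behind it (the automated discovery work by Chen et al. and Ensel in the reference list exists because that inventory is hard to keep accurate), and the linear weighting here is one arbitrary choice, not a validated metric.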
Keywords
References
RISTENPART T, TROMER E, SHACHAM H, et al. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds[C]//ACM Conference on Computer and Communications Security. 2009: 199-212.
BELLOVIN S. On the brittleness of software and the infeasibility of security metrics[J]. IEEE Security and Privacy, 2006, 4(4): 96.
BOZORGI M, SAUL L, SAVAGE S, et al. Beyond heuristics: learning to classify vulnerabilities and predict exploits[C]//ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. 2010: 105-114.
IBM. IBM Internet Security Systems X-Force 2008 trend and risk report[R]. White paper, 2009.
A complete guide to the common vulnerability scoring system[S].
OWASP Top Ten[EB/OL]. http://www.owasp.org/, 2013.
CHEN X, ZHANG M, MAO Z, et al. Automating network application dependency discovery: experiences, limitations, and new solutions[C]//USENIX Symposium on Operating Systems Design & Implementation. 2008: 117-130.
ENSEL C. A scalable approach to automated service dependency modeling in heterogeneous environments[C]//IEEE International Enterprise Distributed Object Computing Conference. 2001: 128-139.
DOUGHERTY C. Vulnerability metric[EB/OL]. https://www.securecoding.cert.org/confluence/display/seccode/Vulnerability+Metric, 2008-07-24.
SAWILLA R, OU X. Identifying critical attack assets in dependency attack graphs[C]//European Symposium on Research in Computer Security (ESORICS). 2008: 18-34.
OSVDB. The open source vulnerability database[S].
CVE Editorial Board. Common vulnerabilities and exposures: the standard for information security vulnerability names[S].
GYONGYI Z, GARCIA-MOLINA H, PEDERSEN J. Combating web spam with TrustRank[C]//Thirtieth International Conference on Very Large Data Bases. 2004: 576-587.
CHRISTOS T. Software for Cloud[S].
SCARFONE K, MELL P. An analysis of CVSS version 2 vulnerability scoring[C]//International Symposium on Empirical Software Engineering & Measurement (ESEM). 2009: 516-525.
FRUHWIRTH C, MANNISTO T. Improving CVSS-based vulnerability prioritization and response with context information[C]//International Symposium on Empirical Software Engineering & Measurement (ESEM). 2009: 535-544.
MOORE D, SHANNON C, CLAFFY K. A case study on the spread and victims of an Internet worm[C]//Internet Measurement Workshop. 2002: 273-284.