Zhou Li (李舟) (1987-), male, from Jingzhou, Hubei; PhD student at Peking University. Main research interests: information security and identity-based public key encryption.
Cong Tang (唐聪) (1984-), male, from Yongzhou, Hunan; PhD student at Peking University. Main research interests: information security, cloud computing and social networks.
Jianbin Hu (胡建斌) (1971-), male, from Honghu, Hubei; associate professor at Peking University. Main research interests: cloud computing, the Internet of Things and computer network security.
Zhong Chen (陈钟) (1963-), male, from Xuzhou, Jiangsu; professor and doctoral supervisor at Peking University. Main research interests: cryptography, computer networks and information security.
Online publication date: 2016-08
Print publication date: 2016-08-25
Zhou LI, Cong TANG, Jian-bin HU, et al. Vulnerabilities scoring approach for cloud SaaS (面向SaaS云平台的安全漏洞评分方法研究) [J]. Journal on Communications (通信学报), 2016, 37(8): 157-166. DOI: 10.11959/j.issn.1000-436x.2016166.
Scoring the vulnerabilities of cloud services developed by different third-party providers is a challenging task. Although several systems exist for scoring vulnerabilities in conventional software (e.g. CVSS), most of them cannot be applied directly to cloud services, because they fail to consider important factors specific to the cloud, such as business context (i.e. the dependency relationships between services). VScorer, a novel security framework for scoring vulnerabilities in various cloud services according to given requirements, is presented. By feeding a concrete business context and a security requirement into VScorer, a cloud provider obtains a ranking of the vulnerabilities in that business with respect to the given security requirement; following the ranking, the provider can patch the most critical vulnerabilities first. A prototype of VScorer was developed and shown to perform better than CVSS, the current representative vulnerability scoring system.