Hao Zhuang,Florian Pydde

DOI: https://doi.org/10.48550/arXiv.1611.07383

2016-12-07

Abstract:Understanding the severity of vulnerabilities within cloud services is particularly important for today service <a class="link-external link-http" href="http://administrators.Although" rel="external noopener nofollow">this http URL</a> many systems, e.g., CVSS, have been built to evaluate and score the severity of vulnerabilities for administrators, the scoring schemes employed by these systems fail to take into account the contextual information of specific services having these vulnerabilities, such as what roles they play in a particular service. Such a deficiency makes resulting scores unhelpful. This paper presents a practical framework, NCVS, that offers automatic and contextual scoring mechanism to evaluate the severity of vulnerabilities for a particular service. Specifically, for a given service S, NCVS first automatically collects S contextual information including topology, configurations, vulnerabilities and their dependencies. Then, NCVS uses the collected information to build a contextual dependency graph, named CDG, to model S context. Finally, NCVS scores and ranks all the vulnerabilities in S by analyzing S context, such as what roles the vulnerabilities play in S, and how critical they affect the functionality of S. NCVS is novel and useful, because 1) context-based vulnerability scoring results are highly relevant and meaningful for administrators to understand each vulnerability importance specific to the target service; and 2) the workflow of NCVS does not need instrumentation or modifications to any source code. Our experimental results demonstrate that NCVS can obtain more relevant vulnerability scoring results than comparable system, such as CVSS.

Cryptography and Security

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3663529.3663835

2024-01-01

Abstract:Today’s software industry heavily relies on open source software (OSS). However, the rapidly increasing number of OSS software vulnerabilities (SVs) poses huge security risks to the software supply chain. Managing the SVs in the relied OSS components has become a critical concern for software vendors. Due to the limited resources in practice, an essential focus for the vendors is to locate and prioritize the remediation of critical SVs (CSVs), i.e., those tend to cause huge losses. Particularly, in the software industry, vendors are obliged to comply with the security service level agreement (SLA), which mandates the fix of CSVs within a short time frame (e.g., 15 days). However, to the best of our knowledge, there is no empirical study that specifically investigates CSVs. The existing works only target at general SVs, missing a view of the unique characteristics of CSVs. In this paper, we investigate the distributions (from temporal, type, and repository dimension) and the current remediation practice of CSVs in the OSS ecosystem, especially their differences compared with non-critical SVs (NCSVs). We adopt the industry standard to refer SVs with a 9+ Common Vulnerability Scoring System (CVSS) score as CSVs and others as NCSVs. We collect a large-scale dataset containing 14,867 SVs and artifacts associated with their remediation (e.g., issue report, commit) across 4,462 GitHub repositories. Our findings regarding CSV distributions can help practitioners better locate these hot spots. Regarding the remediation practice, we observe that though CSVs receive higher priorities, some practices (e.g., complicated review and testing pro-cess) may unintentionally cause the delay to their fixes. We also point out the risks of SV information leakage during remediation process, which could leave a window-of-opportunity of over 30 days on median for zero-day attacks. Based on our findings, we provide implications to improve the current CSV remediation practice.

Muhammed Fatih Bulut,Abdulhamid Adebayo,Daby Sow,Steve Ocepek

DOI: https://doi.org/10.48550/arXiv.2206.11182

2022-06-22

Cryptography and Security

Abstract:Organizations struggle to handle sheer number of vulnerabilities in their cloud environments. The de facto methodology used for prioritizing vulnerabilities is to use Common Vulnerability Scoring System (CVSS). However, CVSS has inherent limitations that makes it not ideal for prioritization. In this work, we propose a new way of prioritizing vulnerabilities. Our approach is inspired by how offensive security practitioners perform penetration testing. We evaluate our approach with a real world case study for a large client, and the accuracy of machine learning to automate the process end to end.

Ruyi Wang,Ling Gao,Qian Sun,Deheng Sun

DOI: https://doi.org/10.1109/mines.2011.27

2011-01-01

Abstract:Through scoring vulnerabilities according to their risks, mastering statuses of vulnerabilities, security managers could adjust the configuration for computer security in time and give repair methods to different vulnerabilities flexibly. Since scoring vulnerabilities is significant for evaluating and repairing vulnerabilities, this paper presents a vulnerability scoring mechanism based on CVSS by analyzing advantages and disadvantages of CVSS and comparing with some improved CVSS-based methods. Our improved scoring mechanism makes the vulnerability evaluating more exactly and effectively, simplifying the process of vulnerability evaluating.

Miguel Santana,Vinicius V. Cogo,Alan Oliveira de Sá

2024-05-14

Abstract:Background: Timely prioritising and remediating vulnerabilities are paramount in the dynamic cybersecurity field, and one of the most widely used vulnerability scoring systems (CVSS) does not address the increasing likelihood of emerging an exploit code. Aims: We present SecScore, an innovative vulnerability severity score that enhances CVSS Threat metric group with statistical models from empirical evidences of real-world exploit codes. Method: SecScore adjusts the traditional CVSS score using an explainable and empirical method that more accurately and promptly captures the dynamics of exploit code development. Results: Our approach can integrate seamlessly into the assessment/prioritisation stage of several vulnerability management processes, improving the effectiveness of prioritisation and ensuring timely remediation. We provide real-world statistical analysis and models for a wide range of vulnerability types and platforms, demonstrating that SecScore is flexible according to the vulnerability's profile. Comprehensive experiments validate the value and timeliness of SecScore in vulnerability prioritisation. Conclusions: SecScore advances the vulnerability metrics theory and enhances organisational cybersecurity with practical insights.

Cryptography and Security

SiFan Liu,Jie Wu,ZhiHui Lu,Hui Xiong

DOI: https://doi.org/10.1109/scc.2013.12

2013-01-01

Abstract:Security issues of cloud computing are always being concerned by customers. Research on a virtual machine's quantitative or qualitative value of risk will be a good start to know the security status of a cloud data center. Risk assessment is a solution for really understanding security procedures of the network and information system, analyzing where security threats come from and how much loss the risk can cause. By means of the combination of risk assessment with cloud computing, we can assess the risk value of virtual machines, and the security of data center can be ensured by administrator who has ability to quickly locate the risk points and easily control and reduce the risks. In this paper, we present VMRaS (a novel virtual machine risk assessment scheme in the cloud environment), a scheme that can assess the risk of a virtual machine. First, we introduce the process, criteria and algorithms of risk assessment. And then we present the design and implementation of VMRaS. We evaluate a prototype of VMRaS which is deployed on an Open Stack-based cloud computing resource management platform. The result shows that VMRaS works well in the Open Stack-based cloud environment.

Julia Wunder,Andreas Kurtz,Christian Eichenmüller,Freya Gassmann,Zinaida Benenson

DOI: https://doi.org/10.48550/arXiv.2308.15259

2024-05-08

Abstract:The Common Vulnerability Scoring System (CVSS) is a popular method for evaluating the severity of vulnerabilities in vulnerability management. In the evaluation process, a numeric score between 0 and 10 is calculated, 10 being the most severe (critical) value. The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users. We show that specific CVSS metrics are inconsistently evaluated for widespread vulnerability types, including Top 3 vulnerabilities from the "2022 CWE Top 25 Most Dangerous Software Weaknesses" list. In a follow-up survey with 59 participants, we found that for the same vulnerabilities from the main study, 68% of these users gave different severity ratings. Our study reveals that most evaluators are aware of the problematic aspects of CVSS, but they still see CVSS as a useful tool for vulnerability assessment. Finally, we discuss possible reasons for inconsistent evaluations and provide recommendations on improving the consistency of scoring.

Cryptography and Security

Luis Alberto Benthin Sanguino,Rafael Uetz

DOI: https://doi.org/10.48550/arXiv.1705.05347

2017-05-16

Abstract:In this paper, we analyze the Common Platform Enumeration (CPE) dictionary and the Common Vulnerabilities and Exposures (CVE) feeds. These repositories are widely used in Vulnerability Management Systems (VMSs) to check for known vulnerabilities in software products. The analysis shows, among other issues, a lack of synchronization between both datasets that can lead to incorrect results output by VMSs relying on those datasets. To deal with these problems, we developed a method that recommends to a user a prioritized list of CPE identifiers for a given software product. The user can then assign (and, if necessary, adapt) the most suitable CPE identifier to the software so that regular (e.g., daily) checks can find known vulnerabilities for this software in the CVE feeds. Our evaluation of this method shows that this interaction is indeed necessary because a fully automated CPE assignment is prone to errors due to the CPE and CVE shortcomings. We implemented an open-source VMS that employs the proposed method and published it on GitHub.

Cryptography and Security

H. T. Tian,L. S. Huang,J. L. Shan,G. L. Chen

DOI: https://doi.org/10.1007/978-3-540-24679-4_182

2004-01-01

Abstract:Vulnerability management plays a key role in the security area, but it is now too time-consuming, and error-prone. Based on a machine-readable vulnerability description language CVML, this paper proposes an automated vulnerability management framework through web services, which alleviates the burden of administrators and improves the security of systems dramatically.

Morgan Reece,Theodore Edward Lander Jr.,Matthew Stoffolano,Andy Sampson,Josiah Dykstra,Sudip Mittal,Nidhi Rastogi

2023-07-08

Abstract:With the increasing use of multi-cloud environments, security professionals face challenges in configuration, management, and integration due to uneven security capabilities and features among providers. As a result, a fragmented approach toward security has been observed, leading to new attack vectors and potential vulnerabilities. Other research has focused on single-cloud platforms or specific applications of multi-cloud environments. Therefore, there is a need for a holistic security and vulnerability assessment and defense strategy that applies to multi-cloud platforms. We perform a risk and vulnerability analysis to identify attack vectors from software, hardware, and the network, as well as interoperability security issues in multi-cloud environments. Applying the STRIDE and DREAD threat modeling methods, we present an analysis of the ecosystem across six attack vectors: cloud architecture, APIs, authentication, automation, management differences, and cybersecurity legislation. We quantitatively determine and rank the threats in multi-cloud environments and suggest mitigation strategies.

Cryptography and Security

Zhicheng Zhu,Kun Lan,Zhihong Rao,Yuguang Zhang

DOI: https://doi.org/10.1088/1742-6596/1732/1/012051

2021-01-01

Journal of Physics: Conference Series

Abstract:Abstract With the development of IoT technology, the number of attacks against IoT software chain vulnerabilities is greater than ever, and a reasonable vulnerability assessment system needs to be established for research. The Common Vulnerability Scoring System (CVSS) is a free, public risk assessment system used by information security vendors to assess the severity of vulnerability threats. However, CVSS is insufficient because of the strong subjectivity in the selection of measurement standards and the allocation of evaluation index weights. Based on this reason, this paper designs and proposes a more objective risk assessment method for IoT software chain vulnerabilities, and verifies the feasibility and effectiveness of the method through experiments.

English Else

Xiang Li,Xin Jin,Qixu Wang,Mingsheng Cao,Xingshu Chen

DOI: https://doi.org/10.1155/2018/3078272

2018-01-01

Wireless Communications and Mobile Computing

Abstract:The Internet of Things (IoT) offers a wide variety of benefits to our daily lives in many ways, ranging from smart wearable devices to industrial systems. However, it also brings well-known security and compliance concerns, especially in the physical layer. In addition, due to numerous IoT architectures which have been developed and deployed based on the cloud, the security and compliance of IoT depend on the cloud thoroughly. In this paper, a secure and compliant continuous assessment framework (SCCAF) is proposed to evaluate the security and compliance levels of cloud services in life-cycle. The SCCAF facilitates cloud service to customers to select an optimal cloud service provider (CSP) which satisfies their desired security requirements. Moreover, it also enables cloud service customers to evaluate the compliance of the selected CSP in the process of using cloud services. To evaluate the performance and availability of SCCAF, we carry out a series of experiments with case study and real-world scenario datasets. Experimental results show that SCCAF can assess the security and compliance of CSPs efficiently and effectively.

Ping Chen,Dongyan Xu,Bing Mao

DOI: https://doi.org/10.1145/2414456.2414485

2012-01-01

Abstract:In a virtualization-based cloud infrastructure, customers of the cloud deploy virtual machines (VMs) with their own applications and customized runtime environments. The cloud provider supports the execution of these VMs without detailed knowledge of the guest applications and operating systems in the VMs. In addition to elastic resource provisioning for the VMs, a desirable "value-added" service the cloud provider can provide is the emergency response to runtime incidences of software bugs and vulnerabilities. The challenge is to facilitate the automatic runtime detection, location, and patching of the software vulnerability - outside the VMs and without the source code. In this paper, we present CloudER, a cloud "emergency room" architecture that automatically detect, locate, and patch software vulnerabilities in cloud application binaries at runtime. CloudER leverages an existing taint-based system (Demand Emulation) for runtime anomaly detection, employs new algorithms for software vulnerability location and patch generation, and adapts a virtual machine introspection system (XenAccess) for dynamic patching. Our preliminary evaluation experiments with a number of real-world server applications show that CloudER achieves timely response to runtime software faults or attacks from outside the VMs.

Na Wu,Decheng Zuo,Zhan Zhang,Peng Zhou,Yan Zhao

DOI: https://doi.org/10.1587/transinf.2018edp7197

2019-01-01

IEICE Transactions on Information and Systems

Abstract:Cloud computing has attracted a growing number of enterprises to move their business to the cloud because of the associated operational and cost benefits. Improving availability is one of the major concerns of cloud application owners because modern applications generally comprise a large number of components and failures are common at scale. Fault tolerance enables an application to continue operating properly when failure occurs, but fault tolerance strategy is typically employed for the most important components because of financial concerns. Therefore, identifying important components has become a critical research issue. To address this problem, we propose a failure-sensitive structure-based component ranking approach (FSCRank), which integrates component failure impact and application structure information into component importance evaluation. An iterative ranking algorithm is developed according to the structural characteristics of cloud applications. The experimental results show that FSCRank outperforms the other two structure-based ranking algorithms for cloud applications. In addition, factors that affect application availability optimization are analyzed and summarized. The experimental results suggest that the availability of cloud applications can be greatly improved by implementing fault tolerance strategy for the important components identified by FSCRank.

Xiaochen Liu,Chunhe Xia,Jiajin Cao,Jinghua Gao,Zhao Wei

DOI: https://doi.org/10.14257/ijsia.2014.8.6.32

2014-01-01

International Journal of Security and Its Applications

Abstract:Cloud services have become state of the art of resource sharing and interoperability among different service providers. The federated cloud seek to reduce costs and maximize efficiency, provide flexible and reliable services composed of various external cloud service and internal services, but this would introduce a risk of security due to outsourcing. For organization which provide an integrity cloud service must rely on SLA to illustrate the capacity of risk and performance, the various providers involved in the federations or services compositions should effectively distribute the organizational responsibilities and SLA. To solve the fears and deal with the threats associated with outsourcing, new method for selection of outsourcing cloud service providers(CSP) based on assessment of security and performance is urgently needed. This paper presents an approach on how to select the proper CSP to guarantee organizational SLA, which quantify the SLA terms and calculate a security weight, the organization can choose the appropriate CSP based on security weight, meanwhile minimize the business cost. This paper make contribution on modeling the capacity of the CSP, considering the business cost and historical performance. The proposed approach is validated through case study that shows selected CSP through our approach can best meet the organizational security and cost needs.

Qingyang Zeng,Mohammad Kavousi,Yinhong Luo,Ling Jin,Yan Chen

DOI: https://doi.org/10.1016/j.cose.2023.103173

IF: 5.105

2023-01-01

Computers & Security

Abstract:Cloud-native systems have recently emerged as one of the most popular platforms for application development, providing lightweight virtualization, simplified DevOps procedures, scaling, resource efficiency, monitoring, and more. The typical cloud-native system may include containers, container orchestrators, and service meshes. However, a number of attacks exploit vulnerabilities in different components, leading the attacker to gain control over the cloud-native system. In this paper, we collect, classify, exploit, and mitigate vulnerabilities of different components. Firstly, we choose Docker, Kubernetes, and Istio as the most popular cloud technologies and give each an overview. Secondly, we give an in-depth analysis of the vulnerabilities. We collect cloud-native vulnerabilities over the past five years and propose two classifications of those vulnerabilities. One is based on the architecture of the component, and the other is based on the attack enabled. We exploit vulnerabilities that enable us to discover some insightful findings and provide mitigation solutions. Third, we analyze 15 open-source security tools provided for the cloud-native environment. We argue that among all these security tools, none of them covers all features which we will discuss in this paper. We believe that our analysis of cloud security vulnerabilities and open-source security tools can benefit the security of the cloud-native ecosystem.

Seoungmo An,Taehoon Eom,Jong Sou Park,Jin B. Hong,Armstrong Nhlabatsi,Noora Fetais,Khaled M. Khan,Dong Seong Kim

DOI: https://doi.org/10.48550/arXiv.1903.04271

2019-03-11

Abstract:Cloud computing has been adopted widely, providing on-demand computing resources to improve perfornance and reduce the operational costs. However, these new functionalities also bring new ways to exploit the cloud computing environment. To assess the security of the cloud, graphical security models can be used, such as Attack Graphs and Attack Trees. However, existing models do not consider all types of threats, and also automating the security assessment functions are difficult. In this paper, we propose a new security assessment tool for the cloud named CloudSafe, an automated security assessment for the cloud. The CloudSafe tool collates various tools and frameworks to automate the security assessment process. To demonstrate the applicability of the CloudSafe, we conducted security assessment in Amazon AWS, where our experimental results showed that we can effectively gather security information of the cloud and carry out security assessment to produce security reports. Users and cloud service providers can use the security report generated by the CloudSafe to understand the security posture of the cloud being used/provided.

Cryptography and Security

Alan Raveling,Yanzhen Qu

DOI: https://doi.org/10.24018/ejece.2023.7.4.546

2023-07-12

European Journal of Electrical Engineering and Computer Science

Abstract:This paper has examined the application of the Common Vulnerability Scoring System applied to operational technology or industrial control system-based cybersecurity controls and demonstrated that the unique considerations and aspects of these environments are more accurately captured when compared against a traditional IT based evaluation. Multiple business drivers are compelling consumer goods manufacturers to augment and connect their manufacturing systems bringing with it increases in potential for experiencing a cybersecurity incident [1]. While other business verticals are able to utilize cybersecurity standards and control documents tailored for their industry, manufacturers do not have a set of materials that directly correlate to the operational technology environments in which their systems reside [2]. Cybersecurity practitioners face additional challenges in developing an understanding of the severity of the risks within these environments due to the lack of current quantifiable methods of evaluating the risks. The findings from this research provide cybersecurity practitioners with a repeatable and extensible method to derive the operational risk present to an organization due to the technologies and business strategies employed in the pursuit of business objectives.

Hootan Alavizadeh,Hooman Alavizadeh,Dong Seong Kim,Julian Jang-Jaccard,Masood Niazi Torshiz

DOI: https://doi.org/10.48550/arXiv.1904.01758

2019-04-03

Abstract:Cloud service providers offer their customers with on-demand and cost-effective services, scalable computing, and network infrastructures. Enterprises migrate their services to the cloud to utilize the benefit of cloud computing such as eliminating the capital expense of their computing need. There are security vulnerabilities and threats in the cloud. Many researches have been proposed to analyze the cloud security using Graphical Security Models (GSMs) and security metrics. In addition, it has been widely researched in finding appropriate defensive strategies for the security of the cloud. Moving Target Defense (MTD) techniques can utilize the cloud elasticity features to change the attack surface and confuse attackers. Most of the previous work incorporating MTDs into the GSMs are theoretical and the performance was evaluated based on the simulation. In this paper, we realized the previous framework and designed, implemented and tested a cloud security assessment tool in a real cloud platform named UniteCloud. Our security solution can (1) monitor cloud computing in real-time, (2) automate the security modeling and analysis and visualize the GSMs using a Graphical User Interface via a web application, and (3) deploy three MTD techniques including Diversity, Redundancy, and Shuffle on the real cloud infrastructure. We analyzed the automation process using the APIs and showed the practicality and feasibility of automation of deploying all the three MTD techniques on the UniteCloud.

Cryptography and Security