面向SaaS云平台的安全漏洞评分方法研究

doi:10.11959/j.issn.1000-436x.2016166

Abstract

Abstract:

There are full of challenges to score vulnerabilities of cloud services developed by different third-party pro-viders.Although there have been a few systems for scoring vulnerabilities (e.g.,CVSS) of many existing software,most of them are unable to be leveraged to score vulnerabilities in cloud services,because they fail to consider some important factors located in the clouds such as business context (i.e.,dependency relationships between services).VScorer,a novel security frame work to score vulnerabilities in various cloud services were presented based on different given require-ments.By inputting concrete business context and security requirement into VScorer,cloud provider can get a ranking list of vulnerabilities in the business based on the given security requirement.Following the ranking list,cloud provider was able to patch the most critical vulnerabilities first.A prototype was developed and VScorer can be demonstrazed to work better than current representative vulnerability scoring system CVSS.

Key words: SaaS, cloud service, vulnerability scoring system, CVSS

Zhou LI,Cong TANG,Jian-bin HU,Zhong CHEN. Vulnerabilities scoring approach for cloud SaaS[J]. Journal on Communications, 2016, 37(8): 157-166.

Figures/Tables 14

References 18

[1]	RISTENPART T , TROMER E , SHACHAM H , et al. Hey,you,get off of my cloud:exploring information leakage in third-party compute clouds[C]// ACM Conference on Computer and Communications Se-curity. c2009:199-212.
[2]	BELLOVIN S . On the brittleness of software and the infeasibility of security metrics[J]. IEEE Security and Privacy, 2006,4(4): 96-.
[3]	BOZORGI M , SAUL L , SAVAGE , et al. Beyond heuristics:learning to classify vulnerabilities and predict exploits[C]// ACM Sigkdd Inter-national Conference on Knowledge Discovery ＆ Data Mining. ACM, c2010:105-114.
[4]	IBM. IBM Internet Security Systems X-Force 2008 Trend and Risk Report[R]. White paper, 2009.
[5]	A complete guide to the common vulnerability scoring system[S].
[6]	OWASP Top Ten[EB/OL]. , 2003.
[7]	SANS Top-20 Security Risks[EB/OL]. , 2009.
[8]	CHEN X , ZHANG M , MAO Z , et al. Automating network application dependency discovery:Experiences,limitations,and new solu-tions[C]// Usenix Symposium on Operating Systems Design ＆ Im-plementation. c2008:117-130.
[9]	ENSEL C . A scalable approach to automated service dependency modeling in heterogeneous environments[C]// IEEE International En-terprise Distributed Object Computing Conference. c2001:128-139.
[10]	DOUGHERTY C . Vulnerability metric[EB/OL]. , c2008,07,24.
[11]	SAWILLA R OU X . Identifying critical attack assets in depend-ency attack graphs[C]// European Symposium on Computer Secu-rity-esorics. c2008:18-34.
[12]	OSVDB . The open source vulnerability database[S].
[13]	CVE Editorial Board. Common vulnerabilities and exposures:the standard for information security vulnerability names[S].
[14]	GYONGYI Z , GARCIA H , PEDERSEN J . GARCIA H,PEDERSEN J.Combating web spam with trustrank[C]// Thirtieth International Conference on Very Large Data Bases. c2010:576-587.
[15]	CHRISTOS T . Software for Cloud[S].
[16]	SCARFONE K MELL P . An analysis of cvss version 2 vulnerabil-ity scoring[C]// FDTC 2013. International Symposium on Empirical Software Engi-neering ＆ Measurement c2009:516-525.
[17]	FRUHWIRTH C MANNISTO T . Improving cvss-based vulnerability prioritization and response with context information[C]// ESEM. International Symposium on Empirical Software Engi-neering ＆ Measurement c2009:535-544.
[18]	MOORE D SHANNON C CLAFFY K . A case study on the spread and victims of an Internet worm[C]// ESEM. Internet Measurement Workshop c2002:273-284.

Metrics

Recommended 0

No Suggested Reading articles found!

漏洞	可利用性	威胁级别
CVE-2007-1747	0.801	2.0
CVE-2008-3648	0.45	2.0
CVE-2006-6077	0.304 5	3.0
CVE-2008-5410	0.702	2.0
CVE-2008-0231	0.34	1.0
CVE-2008-0600	0.54	3.0

式(2)	式(4)	CVSS
CVE-2008-5410	CVE-2008-5410	CVE-2008-0600
CVE-2008-0600	CVE-2008-0600	CVE-2006-6077
CVE-2007-1747	CVE-2007-1747	CVE-2007-1747
CVE-2008-3648	CVE-2006-6077	CVE-2008-5410
CVE-2006-6077	CVE-2008-3648	CVE-2008-3648
CVE-2008-0231	CVE-2008-0231	CVE-2008-0231

漏洞	可利用性	威胁级别
V-2009-4447	0.7	3.0
V-2009-3508	0.5	2.5
V-2006-6077	0.7	4.0
V-2007-6410	0.6	3.5
V-2008-3631	0.5	2.5

式(2)	式(4)	CVSS
V-2009-3508	V-2006-6077	V-2006-6077
V-2007-6410	V-2009-3508	V-2007-6410
V-2006-6077	V-2007-6410	V-2009-4447
V-2009-4447	V-2009-4447	V-2009-3508
V-2008-3631	V-2008-3631	V-2008-3631

漏洞	可利用性	威胁级别
V-2010-4307	0.71	3.0
V-2009-2208	0.53	2.5
V-2010-9337	0.212	2.0
V-2009-9010	0.103	2.5
V-2009-1031	0.503	2.5
V-2009-2675	0.52	2.5

Vulnerabilities scoring approach for cloud SaaS

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 14

References 18

Related Articles 10

Metrics

Recommended 0

[1]	Liming PU,Shuxin LIU,Ruihao DING,Kai WANG. Heterogeneous executor scheduling algorithm for mimic cloud service [J]. Journal on Communications, 2020, 41(3): 17-24.
[2]	Da ZHANG,Jinong WANG,Hu JI,Hao JI,Yunfeng ZHAO. Research and application of micropower safety monitoring IoT system for mine [J]. Journal on Communications, 2020, 41(2): 44-57.
[3]	Shunfu JIN, Haixing WU, Tiantian HUO, Wenjuan ZHAO. On the performance optimization for the cloud architecture with sleep-mode and registration service [J]. Journal on Communications, 2019, 40(10): 127-136.
[4]	Xian-qing WANG,Chang-qin HUANG,UOXuan LUO,Rui-hua NIE,Yong TANG,Xiao-yong MEI. Determining substitutability of cloud services supported by semantically extended type theory [J]. Journal on Communications, 2016, 37(2): 20-31.
[5]	Hong SHEN,Xiao-ping LI. Algorithm for the cloud service workflow scheduling with setup time and deadline constraints [J]. Journal on Communications, 2015, 36(6): 183-192.
[6]	. Research on the optimization adjustment strategy for the SaaS multi-tenant data placement [J]. Journal on Communications, 2014, 35(Z2): 10-71.
[7]	Xiao-na LI,Qing-zhong LI,Lan-ju KONG,Zhong-min YAN. Research on the optimization adjustment strategy for the SaaS multi-tenant data placement [J]. Journal on Communications, 2014, 35(Z2): 63-71.
[8]	Xiao-na LI,Qing-zhong LI,Lan-ju KONG,Cheng PANG. Research on multi-tenant data partition mechanism for SaaS application based on shared schema [J]. Journal on Communications, 2012, 33(Z1): 110-120.
[9]	Zhen-dong WU,Dian-xi SHI,Bo DING,Huai-min WANG. Research in mobile cloud service framework based on contexts integrated situation [J]. Journal on Communications, 2011, 32(9A): 96-101.
[10]	Xiu-wei ZHANG,Ke-qing HE,Jian WANG,Zheng LI. SaaS service supermarket building model and service recommendation approach [J]. Journal on Communications, 2011, 32(9A): 158-165.