vrank: a context-aware approach to vulnerability scoring and ranking in soa
文献类型:会议论文
| 作者 | Jiang Jianchun ; Ding Liping ; Zhai Ennan ; Yu Ting |
| 出版日期 | 2012 |
| 会议名称 | 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012 |
| 会议日期 | June 20, 2012 - June 22, 2012 |
| 会议地点 | Gaithersburg, MD, United states |
| 关键词 | Information services Service oriented architecture (SOA) Software reliability |
| 页码 | 61-70 |
| 中文摘要 | With the rapid adoption of the concepts of Service Oriented Architecture (SOA), sophisticated business processes and tasks are increasingly realized through composing distributed software components offered by different providers. Though such practices offer advantages in terms of cost-effectiveness and flexibility, those components are not immune to vulnerabilities. It is therefore important for the administrator of some composed service to evaluate the threats of such vulnerabilities accordingly within limited available information. Since almost all the existing efforts (e.g., CVSS) fail to consider specific context-aware information which is the specific character of SOA, they could not be adopted into SOA for scoring vulnerabilities. In this paper, we present VRank, a novel framework for the scoring and ranking of vulnerabilities in SOA. Different from existing efforts, for a given vulnerability, VRank not only considers its intrinsic properties (e.g., exploitability), but also takes into account the contexts of the services having this vulnerability, e.g., what roles they play in the composed service and how critical it is to the security objective of the service. The resulting scoring and ranking of vulnerabilities are thus highly relevant and meaningful to the composed service. We present the detailed design of VRank, and compare it with CVSS. Our experiments indicate VRank is able to provide much more useful ranking lists of vulnerabilities for complex composed services. © 2012 IEEE. |
| 英文摘要 | With the rapid adoption of the concepts of Service Oriented Architecture (SOA), sophisticated business processes and tasks are increasingly realized through composing distributed software components offered by different providers. Though such practices offer advantages in terms of cost-effectiveness and flexibility, those components are not immune to vulnerabilities. It is therefore important for the administrator of some composed service to evaluate the threats of such vulnerabilities accordingly within limited available information. Since almost all the existing efforts (e.g., CVSS) fail to consider specific context-aware information which is the specific character of SOA, they could not be adopted into SOA for scoring vulnerabilities. In this paper, we present VRank, a novel framework for the scoring and ranking of vulnerabilities in SOA. Different from existing efforts, for a given vulnerability, VRank not only considers its intrinsic properties (e.g., exploitability), but also takes into account the contexts of the services having this vulnerability, e.g., what roles they play in the composed service and how critical it is to the security objective of the service. The resulting scoring and ranking of vulnerabilities are thus highly relevant and meaningful to the composed service. We present the detailed design of VRank, and compare it with CVSS. Our experiments indicate VRank is able to provide much more useful ranking lists of vulnerabilities for complex composed services. © 2012 IEEE. |
| 收录类别 | EI |
| 会议主办者 | IEEE Reliability Society |
| 会议录 | Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
 |
| 语种 | 英语 |
| ISBN号 | 9780769547428 |
| 源URL | [http://ir.iscas.ac.cn/handle/311060/15754]  |
| 专题 | 软件研究所_软件所图书馆_会议论文 |
| 推荐引用方式 GB/T 7714 | Jiang Jianchun,Ding Liping,Zhai Ennan,et al. vrank: a context-aware approach to vulnerability scoring and ranking in soa[C]. 见:2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012. Gaithersburg, MD, United states. June 20, 2012 - June 22, 2012. |
入库方式: OAI收割
来源:软件研究所
浏览0
下载0
收藏0
其他版本
除非特别说明,本系统中所有内容都受版权保护,并保留所有权利。