TY - GEN
T1 - VRank
T2 - 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
AU - Jiang, Jianchun
AU - Ding, Liping
AU - Zhai, Ennan
AU - Yu, Ting
PY - 2012
Y1 - 2012
N2 - With the rapid adoption of the concepts of Service Oriented Architecture (SOA), sophisticated business processes and tasks are increasingly realized through composing distributed software components offered by different providers. Though such practices offer advantages in terms of cost-effectiveness and flexibility, those components are not immune to vulnerabilities. It is therefore important for the administrator of some composed service to evaluate the threats of such vulnerabilities accordingly within limited available information. Since almost all the existing efforts (e.g., CVSS) fail to consider specific context-aware information which is the specific character of SOA, they could not be adopted into SOA for scoring vulnerabilities. In this paper, we present VRank, a novel framework for the scoring and ranking of vulnerabilities in SOA. Different from existing efforts, for a given vulnerability, VRank not only considers its intrinsic properties (e.g., exploitability), but also takes into account the contexts of the services having this vulnerability, e.g., what roles they play in the composed service and how critical it is to the security objective of the service. The resulting scoring and ranking of vulnerabilities are thus highly relevant and meaningful to the composed service. We present the detailed design of VRank, and compare it with CVSS. Our experiments indicate VRank is able to provide much more useful ranking lists of vulnerabilities for complex composed services.
AB - With the rapid adoption of the concepts of Service Oriented Architecture (SOA), sophisticated business processes and tasks are increasingly realized through composing distributed software components offered by different providers. Though such practices offer advantages in terms of cost-effectiveness and flexibility, those components are not immune to vulnerabilities. It is therefore important for the administrator of some composed service to evaluate the threats of such vulnerabilities accordingly within limited available information. Since almost all the existing efforts (e.g., CVSS) fail to consider specific context-aware information which is the specific character of SOA, they could not be adopted into SOA for scoring vulnerabilities. In this paper, we present VRank, a novel framework for the scoring and ranking of vulnerabilities in SOA. Different from existing efforts, for a given vulnerability, VRank not only considers its intrinsic properties (e.g., exploitability), but also takes into account the contexts of the services having this vulnerability, e.g., what roles they play in the composed service and how critical it is to the security objective of the service. The resulting scoring and ranking of vulnerabilities are thus highly relevant and meaningful to the composed service. We present the detailed design of VRank, and compare it with CVSS. Our experiments indicate VRank is able to provide much more useful ranking lists of vulnerabilities for complex composed services.
KW - Context
KW - Ranking and scoring
KW - Service-oriented architecture
KW - Vulnerabilities
UR - http://www.scopus.com/inward/record.url?scp=84866686375&partnerID=8YFLogxK
U2 - 10.1109/SERE.2012.16
DO - 10.1109/SERE.2012.16
M3 - Conference contribution
AN - SCOPUS:84866686375
SN - 9780769547428
T3 - Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
SP - 61
EP - 70
BT - Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
Y2 - 20 June 2012 through 22 June 2012
ER -