VRank: A context-aware approach to vulnerability scoring and ranking in SOA

Jianchun Jiang, Liping Ding, Ennan Zhai, Ting Yu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)

Abstract

With the rapid adoption of the concepts of Service Oriented Architecture (SOA), sophisticated business processes and tasks are increasingly realized through composing distributed software components offered by different providers. Though such practices offer advantages in terms of cost-effectiveness and flexibility, those components are not immune to vulnerabilities. It is therefore important for the administrator of some composed service to evaluate the threats of such vulnerabilities accordingly within limited available information. Since almost all the existing efforts (e.g., CVSS) fail to consider specific context-aware information which is the specific character of SOA, they could not be adopted into SOA for scoring vulnerabilities. In this paper, we present VRank, a novel framework for the scoring and ranking of vulnerabilities in SOA. Different from existing efforts, for a given vulnerability, VRank not only considers its intrinsic properties (e.g., exploitability), but also takes into account the contexts of the services having this vulnerability, e.g., what roles they play in the composed service and how critical it is to the security objective of the service. The resulting scoring and ranking of vulnerabilities are thus highly relevant and meaningful to the composed service. We present the detailed design of VRank, and compare it with CVSS. Our experiments indicate VRank is able to provide much more useful ranking lists of vulnerabilities for complex composed services.

Original languageEnglish
Title of host publicationProceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
Pages61-70
Number of pages10
DOIs
Publication statusPublished - 1 Oct 2012
Externally publishedYes
Event2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012 - Gaithersburg, MD, United States
Duration: 20 Jun 201222 Jun 2012

Other

Other2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
CountryUnited States
CityGaithersburg, MD
Period20/6/1222/6/12

Fingerprint

Service oriented architecture (SOA)
Cost effectiveness
Industry
Experiments

Keywords

  • Context
  • Ranking and scoring
  • Service-oriented architecture
  • Vulnerabilities

ASJC Scopus subject areas

  • Software
  • Safety, Risk, Reliability and Quality

Cite this

Jiang, J., Ding, L., Zhai, E., & Yu, T. (2012). VRank: A context-aware approach to vulnerability scoring and ranking in SOA. In Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012 (pp. 61-70). [6258295] https://doi.org/10.1109/SERE.2012.16

VRank : A context-aware approach to vulnerability scoring and ranking in SOA. / Jiang, Jianchun; Ding, Liping; Zhai, Ennan; Yu, Ting.

Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012. 2012. p. 61-70 6258295.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Jiang, J, Ding, L, Zhai, E & Yu, T 2012, VRank: A context-aware approach to vulnerability scoring and ranking in SOA. in Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012., 6258295, pp. 61-70, 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012, Gaithersburg, MD, United States, 20/6/12. https://doi.org/10.1109/SERE.2012.16
Jiang J, Ding L, Zhai E, Yu T. VRank: A context-aware approach to vulnerability scoring and ranking in SOA. In Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012. 2012. p. 61-70. 6258295 https://doi.org/10.1109/SERE.2012.16
Jiang, Jianchun ; Ding, Liping ; Zhai, Ennan ; Yu, Ting. / VRank : A context-aware approach to vulnerability scoring and ranking in SOA. Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012. 2012. pp. 61-70
@inproceedings{2800b83d3d554ffba33b4b88a5729d98,
title = "VRank: A context-aware approach to vulnerability scoring and ranking in SOA",
abstract = "With the rapid adoption of the concepts of Service Oriented Architecture (SOA), sophisticated business processes and tasks are increasingly realized through composing distributed software components offered by different providers. Though such practices offer advantages in terms of cost-effectiveness and flexibility, those components are not immune to vulnerabilities. It is therefore important for the administrator of some composed service to evaluate the threats of such vulnerabilities accordingly within limited available information. Since almost all the existing efforts (e.g., CVSS) fail to consider specific context-aware information which is the specific character of SOA, they could not be adopted into SOA for scoring vulnerabilities. In this paper, we present VRank, a novel framework for the scoring and ranking of vulnerabilities in SOA. Different from existing efforts, for a given vulnerability, VRank not only considers its intrinsic properties (e.g., exploitability), but also takes into account the contexts of the services having this vulnerability, e.g., what roles they play in the composed service and how critical it is to the security objective of the service. The resulting scoring and ranking of vulnerabilities are thus highly relevant and meaningful to the composed service. We present the detailed design of VRank, and compare it with CVSS. Our experiments indicate VRank is able to provide much more useful ranking lists of vulnerabilities for complex composed services.",
keywords = "Context, Ranking and scoring, Service-oriented architecture, Vulnerabilities",
author = "Jianchun Jiang and Liping Ding and Ennan Zhai and Ting Yu",
year = "2012",
month = "10",
day = "1",
doi = "10.1109/SERE.2012.16",
language = "English",
isbn = "9780769547428",
pages = "61--70",
booktitle = "Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012",

}

TY - GEN

T1 - VRank

T2 - A context-aware approach to vulnerability scoring and ranking in SOA

AU - Jiang, Jianchun

AU - Ding, Liping

AU - Zhai, Ennan

AU - Yu, Ting

PY - 2012/10/1

Y1 - 2012/10/1

N2 - With the rapid adoption of the concepts of Service Oriented Architecture (SOA), sophisticated business processes and tasks are increasingly realized through composing distributed software components offered by different providers. Though such practices offer advantages in terms of cost-effectiveness and flexibility, those components are not immune to vulnerabilities. It is therefore important for the administrator of some composed service to evaluate the threats of such vulnerabilities accordingly within limited available information. Since almost all the existing efforts (e.g., CVSS) fail to consider specific context-aware information which is the specific character of SOA, they could not be adopted into SOA for scoring vulnerabilities. In this paper, we present VRank, a novel framework for the scoring and ranking of vulnerabilities in SOA. Different from existing efforts, for a given vulnerability, VRank not only considers its intrinsic properties (e.g., exploitability), but also takes into account the contexts of the services having this vulnerability, e.g., what roles they play in the composed service and how critical it is to the security objective of the service. The resulting scoring and ranking of vulnerabilities are thus highly relevant and meaningful to the composed service. We present the detailed design of VRank, and compare it with CVSS. Our experiments indicate VRank is able to provide much more useful ranking lists of vulnerabilities for complex composed services.

AB - With the rapid adoption of the concepts of Service Oriented Architecture (SOA), sophisticated business processes and tasks are increasingly realized through composing distributed software components offered by different providers. Though such practices offer advantages in terms of cost-effectiveness and flexibility, those components are not immune to vulnerabilities. It is therefore important for the administrator of some composed service to evaluate the threats of such vulnerabilities accordingly within limited available information. Since almost all the existing efforts (e.g., CVSS) fail to consider specific context-aware information which is the specific character of SOA, they could not be adopted into SOA for scoring vulnerabilities. In this paper, we present VRank, a novel framework for the scoring and ranking of vulnerabilities in SOA. Different from existing efforts, for a given vulnerability, VRank not only considers its intrinsic properties (e.g., exploitability), but also takes into account the contexts of the services having this vulnerability, e.g., what roles they play in the composed service and how critical it is to the security objective of the service. The resulting scoring and ranking of vulnerabilities are thus highly relevant and meaningful to the composed service. We present the detailed design of VRank, and compare it with CVSS. Our experiments indicate VRank is able to provide much more useful ranking lists of vulnerabilities for complex composed services.

KW - Context

KW - Ranking and scoring

KW - Service-oriented architecture

KW - Vulnerabilities

UR - http://www.scopus.com/inward/record.url?scp=84866686375&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84866686375&partnerID=8YFLogxK

U2 - 10.1109/SERE.2012.16

DO - 10.1109/SERE.2012.16

M3 - Conference contribution

AN - SCOPUS:84866686375

SN - 9780769547428

SP - 61

EP - 70

BT - Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012

ER -