Conference: International conference on information security practice and experience

Increasing Automated Vulnerability Assessment Accuracy on Cloud and Grid Middleware

Abstract

The fast adaptation of Cloud computing has led to an increase in novel information technology threats. The targets of these new threats range from large-scale distributed systems, such as the Large Hadron Collider at CERN, to industrial (water, power, electricity, oil, gas, etc.) distributed systems, i.e. SCADA systems. The use of automated tools for vulnerability assessment is quite attractive, but while these tools can find common problems in a program's source code, they miss a significant number of critical and complex vulnerabilities. In addition, middleware systems frequently base their security on mechanisms such as authentication, authorization, and delegation. While these mechanisms have been studied in depth and can control key resources, they are not enough to assure that all of an application's resources are safe. Therefore, the security of distributed systems has been placed under the watchful eye of security practitioners in government, academia, and industry. To tackle the problem of assessing the security of critical middleware systems, we propose a new automated vulnerability assessment approach, called Attack Vector Analyzer (AvA), which is able to automatically hint at which middleware components should be assessed and why. AvA is based on automating part of the First Principles Vulnerability Assessment, an analyst-centric (manual) methodology that has been used successfully to evaluate many production middleware systems. AvA's results are language-independent, provide a comprehensive assessment of attack vectors in the middleware, and are based on the Common Weakness Enumeration (CWE) system, a widely used labeling of security weaknesses. Our results are contrasted against a previous manual vulnerability assessment of the CrossBroker grid resource manager, and corroborate which middleware components should be assessed and why.