A Non-Intrusive and Context-Based Vulnerability Scoring Framework for Cloud Services

TL;DR

This paper introduces NCVS, a practical framework that automatically assesses vulnerability severity in cloud services by considering contextual information, providing more relevant scores than traditional methods like CVSS.

Contribution

The paper presents a novel, non-intrusive, context-aware vulnerability scoring framework for cloud services that improves relevance and accuracy of severity assessments.

Findings

NCVS produces more relevant vulnerability scores than CVSS.

It automatically collects contextual information without source code modifications.

NCVS effectively models service context using a dependency graph.

Abstract

Understanding the severity of vulnerabilities within cloud services is particularly important for today service administrators.Although many systems, e.g., CVSS, have been built to evaluate and score the severity of vulnerabilities for administrators, the scoring schemes employed by these systems fail to take into account the contextual information of specific services having these vulnerabilities, such as what roles they play in a particular service. Such a deficiency makes resulting scores unhelpful. This paper presents a practical framework, NCVS, that offers automatic and contextual scoring mechanism to evaluate the severity of vulnerabilities for a particular service. Specifically, for a given service S, NCVS first automatically collects S contextual information including topology, configurations, vulnerabilities and their dependencies. Then, NCVS uses the collected information to build a contextual dependency graph, named CDG, to model S context. Finally, NCVS scores and ranks all the vulnerabilities in S by analyzing S context, such as what roles the vulnerabilities play in S, and how critical they affect the functionality of S. NCVS is novel and useful, because 1) context-based vulnerability scoring results are highly relevant and meaningful for administrators to understand each vulnerability importance specific to the target service; and 2) the workflow of NCVS does not need instrumentation or modifications to any source code. Our experimental results demonstrate that NCVS can obtain more relevant vulnerability scoring results than comparable system, such as CVSS.