Policy-Driven Vulnerability Risk Quantification Framework for Large-Scale Cloud Infrastructure Data Security
Wanru Shao

TL;DR
This paper introduces MVRAF, a comprehensive framework for large-scale vulnerability risk assessment in cloud infrastructure, addressing limitations in severity quantification, risk correlation, and cumulative risk analysis.
Contribution
The paper presents a novel, data-driven framework that integrates severity quantification, risk correlation analysis, and empirical risk distribution for improved vulnerability management.
Findings
46.2% of network vulnerabilities are high-risk
Strong correlation between CIA impacts and severity scores
Effective identification of risk hotspots in real-world CVE data
Abstract
The exponential growth of Common Vulnerabilities and Exposures (CVE) disclosures poses significant challenges for enterprise security management, necessitating automated and quantitative risk assessment methodologies. Existing vulnerability analysis approaches suffer from three critical limitations: (1) lack of systematic severity quantification models that integrate heterogeneous attack attributes, (2) insufficient exploration of latent correlations among risk factors, and (3) absence of cumulative risk distribution analysis for prioritized remediation. To address these challenges, we propose MVRAF (Multi-dimensional Vulnerability Risk Assessment Framework), a comprehensive data-driven framework for large-scale CVE security analysis. Our framework introduces three key innovations: (1) a Vulnerability Severity Quantification Model that transforms CVSS attributes into normalized risk…
