Towards Deep Learning Enabled Cybersecurity Risk Assessment for Microservice Architectures (2403.15169v1)
Abstract: The widespread adoption of microservice architectures has given rise to a new set of software security challenges that stem from features inherent to microservices. These challenges need to be assessed and addressed systematically, and software security risk assessment is a central part of that effort. However, existing approaches fall short in accurately and efficiently evaluating the security risks associated with microservice architectures. To address this gap, we propose CyberWise Predictor, a framework for predicting and assessing the security risks of microservice architectures. The framework applies deep learning-based natural language processing models to vulnerability descriptions in order to predict their vulnerability metrics, which are then used to assess security risk. Our experimental evaluation demonstrates the effectiveness of CyberWise Predictor: it automatically predicts vulnerability metrics for new vulnerabilities with an average accuracy of 92%. The framework and our findings offer software developers guidance for identifying and mitigating security risks in microservice architectures.