Design and Implementation of a Threat-Specific Security Risk Assessment Tool

Security threats posed to individual cloud computing clients vary depending on their specific security requirements. However, Cloud Providers apply generic security risk assessment approaches that do not consider client-specific security requirements. This results in unrealistic and inaccurate security risk evaluation. In this paper, we describe the detailed design and implementation of a security risk assessment tool. The tool supports a threat-specific method of security risk evaluation. The threat-specific method enables Cloud Providers to evaluate the security risk of their tenants based on tenant-specific threats as dictated by their particular security requirements. Evaluation shows that the tool is highly usable, but lacks in scalability.
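To make the distinction between generic and threat-specific evaluation concrete, the following Python snippet is an added illustration, not the tool or the scoring model described in the paper. It assumes a hypothetical threat catalogue in which each threat is tagged with the security properties it violates, and a tenant is described by the properties it requires; a generic score sums likelihood times impact over the whole catalogue, while the threat-specific score sums only over threats that touch the tenant's requirements. All threat names, likelihoods and impact values are constructed.

```python
"""Added illustration of generic vs. threat-specific cloud risk scoring.

Not the paper's tool: the catalogue, property labels and scoring rule
(likelihood * impact) are constructed assumptions for demonstration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    affects: frozenset     # security properties this threat violates (constructed labels)
    likelihood: float      # probability of occurrence, 0..1 (constructed)
    impact: float          # severity if realised, 0..10 (constructed)


@dataclass(frozen=True)
class Tenant:
    name: str
    requirements: frozenset  # security properties the tenant actually needs


# Constructed threat catalogue; values are hypothetical, not taken from the paper.
CATALOGUE = [
    Threat("vm-escape", frozenset({"confidentiality", "integrity"}), 0.2, 9.0),
    Threat("ddos-on-tenant-vm", frozenset({"availability"}), 0.6, 6.0),
    Threat("side-channel-key-leak", frozenset({"confidentiality"}), 0.3, 8.0),
    Threat("image-tampering", frozenset({"integrity"}), 0.25, 7.0),
]


def generic_risk(catalogue):
    """Provider-wide score: every threat counts for every tenant."""
    return sum(t.likelihood * t.impact for t in catalogue)


def relevant_threats(tenant, catalogue):
    """Keep only threats that violate at least one property the tenant requires."""
    return [t for t in catalogue if t.affects & tenant.requirements]


def threat_specific_risk(tenant, catalogue):
    """Tenant score: sum likelihood * impact over the tenant's relevant threats only."""
    return sum(t.likelihood * t.impact for t in relevant_threats(tenant, catalogue))


def risk_report(tenants, catalogue):
    """Side-by-side comparison per tenant, rounded for display."""
    return {
        t.name: {
            "generic": round(generic_risk(catalogue), 2),
            "threat_specific": round(threat_specific_risk(t, catalogue), 2),
            "threats": [th.name for th in relevant_threats(t, catalogue)],
        }
        for t in tenants
    }


if __name__ == "__main__":
    # Constructed tenants with differing security requirements.
    tenants = [
        Tenant("public-web-frontend", frozenset({"availability"})),
        Tenant("key-management-service", frozenset({"confidentiality"})),
        Tenant("payments-ledger", frozenset({"confidentiality", "integrity", "availability"})),
    ]
    for name, row in risk_report(tenants, CATALOGUE).items():
        print(f"{name:24s} generic={row['generic']:5.2f} "
              f"threat_specific={row['threat_specific']:5.2f} threats={row['threats']}")
```

The availability-only tenant gets a much lower score than the generic figure because confidentiality and integrity threats are excluded, while the tenant that requires all three properties scores the same under both methods; this is the effect the abstract attributes to tenant-specific evaluation.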
