Container technology plays an essential role in many Information and Communications Technology(ICT)systems.However,containers face a diversity of threats caused by vulnerable packages within container images.Previous ...Container technology plays an essential role in many Information and Communications Technology(ICT)systems.However,containers face a diversity of threats caused by vulnerable packages within container images.Previous vulnerability scanning solutions for container images are inadequate.These solutions entirely depend on the information extracted from package managers.As a result,packages installed directly from the source code compilation,or packages downloaded from the repository,etc.,are ignored.We introduce DAVS–A Dockerfile analysis-based vulnerability scanning framework for OCI-based container images to deal with the limitations of existing solutions.DAVS performs static analysis using file extraction based on Dockerfile information to obtain the list of Potentially Vulnerable Files(PVFs).The PVFs are then scanned to figure out the vulnerabilities in the target container image.The experimental shows the outperform of DAVS on detecting Common Vulnerabilities and Exposures(CVE)of 10 known vulnerable images compared to Clair–the most popular container image scanning project.Moreover,DAVS found that 68%of real-world container images are vulnerable from different image registries.展开更多
In this paper, we conduct research on the essential network equipment risk assessment method based on vulnerability scanning technology. A growing number of hackers wanton invasion of the computer, through the network...In this paper, we conduct research on the essential network equipment risk assessment method based on vulnerability scanning technology. A growing number of hackers wanton invasion of the computer, through the network to steal important information, or destroy the network, the paralyzed which caused huge losses to the state and society. Find a known vulnerability rather than to find the unknown vulnerabilities much easier, which means that most of the attacker' s use is common vulnerabilities. Therefore, we adopt the advantages of the technique to finalize the methodology for the essential network equipment risk assessment which will be meaningful.展开更多
The integrated linkage control problem based on attack detection is solved with the analyses of the security model including firewall, intrusion detection system (IDS) and vulnerability scan by game theory. The Nash...The integrated linkage control problem based on attack detection is solved with the analyses of the security model including firewall, intrusion detection system (IDS) and vulnerability scan by game theory. The Nash equilibrium for two portfolios of only deploying IDS and vulnerability scan and deploying all the technologies is investigated by backward induction. The results show that when the detection rates of IDS and vulnerability scan are low, the firm will not only inspect every user who raises an alarm, but also a fraction of users that do not raise an alarm; when the detection rates of IDS and vulnerability scan are sufficiently high, the firm will not inspect any user who does not raise an alarm, but only inspect a fraction of users that raise an alarm. Adding firewall into the information system impacts on the benefits of firms and hackers, but does not change the optimal strategies of hackers, and the optimal investigation strategies of IDS are only changed in certain cases. Moreover, the interactions between IDS & vulnerability scan and firewall & IDS are discussed in detail.展开更多
基金supported by the Institute of Information&Communications Technology Planning&Evaluation(IITP)grant funded by the Korea Government(MSIT)(No.2020-0-00952)Development of 5G edge security technology for ensuring 5G+service stability and availability.
文摘Container technology plays an essential role in many Information and Communications Technology(ICT)systems.However,containers face a diversity of threats caused by vulnerable packages within container images.Previous vulnerability scanning solutions for container images are inadequate.These solutions entirely depend on the information extracted from package managers.As a result,packages installed directly from the source code compilation,or packages downloaded from the repository,etc.,are ignored.We introduce DAVS–A Dockerfile analysis-based vulnerability scanning framework for OCI-based container images to deal with the limitations of existing solutions.DAVS performs static analysis using file extraction based on Dockerfile information to obtain the list of Potentially Vulnerable Files(PVFs).The PVFs are then scanned to figure out the vulnerabilities in the target container image.The experimental shows the outperform of DAVS on detecting Common Vulnerabilities and Exposures(CVE)of 10 known vulnerable images compared to Clair–the most popular container image scanning project.Moreover,DAVS found that 68%of real-world container images are vulnerable from different image registries.
文摘In this paper, we conduct research on the essential network equipment risk assessment method based on vulnerability scanning technology. A growing number of hackers wanton invasion of the computer, through the network to steal important information, or destroy the network, the paralyzed which caused huge losses to the state and society. Find a known vulnerability rather than to find the unknown vulnerabilities much easier, which means that most of the attacker' s use is common vulnerabilities. Therefore, we adopt the advantages of the technique to finalize the methodology for the essential network equipment risk assessment which will be meaningful.
基金The National Natural Science Foundation of China(No.71071033)the Innovation Project of Jiangsu Postgraduate Education(No.CX10B_058Z)
文摘The integrated linkage control problem based on attack detection is solved with the analyses of the security model including firewall, intrusion detection system (IDS) and vulnerability scan by game theory. The Nash equilibrium for two portfolios of only deploying IDS and vulnerability scan and deploying all the technologies is investigated by backward induction. The results show that when the detection rates of IDS and vulnerability scan are low, the firm will not only inspect every user who raises an alarm, but also a fraction of users that do not raise an alarm; when the detection rates of IDS and vulnerability scan are sufficiently high, the firm will not inspect any user who does not raise an alarm, but only inspect a fraction of users that raise an alarm. Adding firewall into the information system impacts on the benefits of firms and hackers, but does not change the optimal strategies of hackers, and the optimal investigation strategies of IDS are only changed in certain cases. Moreover, the interactions between IDS & vulnerability scan and firewall & IDS are discussed in detail.