
ICTON 2019 Th.P.

Container Based Analysis Tool for Vulnerability Prioritization in Cyber Security Systems
M. Walkowski1, M. Biskup, A. Szewczyk, J. Oko1, and S. Sujecki1
1 Department of Telecommunications and Teleinformatics, Faculty of Electronics, Wroclaw University of Science and Technology, Wyb. Wyspianskiego 27, 50-370 Wroclaw, Poland
*Tel: (4871) 3204588, Fax: (4871) 322 3664, e-mail: Slawomir.Sujecki@pwr.edu.pl
ABSTRACT
A container-based analysis tool is developed for application in vulnerability prioritization for cyber security
systems. The specific way in which the software is developed, i.e. containerization, allows easy scaling and thus
helps improve the data processing speed, which in turn reduces the time to vulnerability remediation. The results obtained
confirm that a significant saving in computational time can easily be achieved by increasing the number of
containers. This makes the developed software particularly suitable for deployment within a cloud computing
environment.
Keywords: cloud computing, cyber security, vulnerability scanning.

1. INTRODUCTION
With the growing demand for information technology (IT) industry services and growing software
complexity, the need for improving system security increases rapidly. In 2018 alone around 17 308 vulnerabilities
were disclosed, which means that over 300 gaps in IT systems and applications were detected every week [1].
As a result, some of the revealed gaps affected the operation of enterprises and resulted in significant
financial loss. For instance, the WannaCry malware campaign infected more than 2000 computers and
irretrievably encrypted large amounts of data within a few days. One of the ways of preventing such scenarios is
appropriate vulnerability management.
Vulnerability management (VM) can be described as a process that includes identification, classification,
remediation and mitigation of threats while scanning the network using specialized software tools. Hence, VM is
an integral part of network and organization security policies [2-6]. The most important element of VM is
vulnerability scanning, which uses specialized software, such as Nessus or Qualys, to analyze a particular system
in order to find potential system or application gaps, incorrect configurations or invalid security rules.
Because of its importance, the vulnerability scanning and management process is a subject of intensive research
[2-14]. One of the important problems researched within VM is the handling of the large amount of data produced
by vulnerability scanners. Also, the detected vulnerabilities have to be assessed and classified according to the
severity of the potential attack threat to the system. In order to assess the severity of computer system security
vulnerabilities, the standard Common Vulnerability Scoring System (CVSS), initially version 2.0, was created and
later upgraded to version 3.0 [15-17]. CVSS 3.0 assesses the criticality of a threat by considering the
following metrics: access vector, attack complexity, privilege required, user interaction, scope, confidentiality,
integrity and availability impact, which are used to calculate the base score. The large amount of data produced
by vulnerability scanners has been the subject of several attempts to streamline the vulnerability management
process by means of expert systems [9], neural networks [10] and machine learning [11]. The main problem
addressed here is an efficient implementation of the scoring system on the available computational resources and
the prioritization of CVSS results in the context of a particular system, using containerization.
The main difference between containerization and the virtual machine solution used so far is that
a container does not need to run a full operating system stack for each new service. Additionally, it allows running the same
application without customizing the operating system on each side. This results in lower overhead when
delivering a service and thus simplifies the scaling process. Hence, container-based software is well suited for
deployment within a cloud computing environment.
In particular, this article presents an approach that increases the efficiency of processing the
data generated by a vulnerability scanner and reduces the time needed to inform stakeholders about potential
cybersecurity threats. The specific issue that we address in this contribution is a new solution in the area of
cloud computing, pursued in the context of ever increasing data volume requirements, which
relies on the implementation of containerization. The developed software is scalable and well suited for
deployment within a cloud computing environment. It gathers data from public
vulnerability databases and vulnerability scanners and prioritizes the corporate infrastructure devices that require the
most urgent attention of administrators.

978-1-7281-2779-8/19/$31.00 ©2019 IEEE

2. SOFTWARE ARCHITECTURE AND EXAMPLE RESULTS

The following section describes the details of the developed software for an implementation of the analysis tool
that performs prioritization of vulnerabilities identified by a vulnerability scanner. The implemented software
uses a software architecture that is based on microservices and containerization. Figure 1 shows the schematic
structure of the developed analysis tool. The software has a modular structure. Since the vulnerability assessment
may change overnight, even if no new scan has occurred, a component called “Scheduler” (Fig. 1) has
been implemented. Approximately every 15 minutes, “Scheduler” instructs the “Worker” module to connect to the
National Vulnerability Database (NVD) in order to download the latest vulnerability scoring. The “Worker”
module also downloads data from the Nessus vulnerability scanner. Thanks to the container technology applied, the
“Worker” module is able to scale horizontally depending on the requirements and available resources. This
significantly shortens the waiting time for an update of the results produced by Nessus and NVD. The results retrieved
by the “Worker” module are fed simultaneously to the “Database” and “Elasticsearch” modules, which are optimized to
store and search large amounts of data, respectively. Next, the results provided by the
“Elasticsearch” module are presented by the “Dashboard” module. Furthermore, the “Dashboard” module allows for
customizing the output of the “Elasticsearch” module. The software is managed from the “Configuration Panel”,
which is only available to the system administrator. Finally, the “Task Monitor” module allows for observing
currently performed activities for monitoring purposes. Once the vulnerability prioritization is completed, the
system operator receives from the “Dashboard” module a list of vulnerabilities that require immediate handling.
The “Elasticsearch” module uses criteria that prioritize devices with the highest number of detected vulnerabilities and
with the highest possibility of remote code execution by a publicly available exploit. Finally, we note that the
entire software has been implemented in a cloud computing environment [17-20].

Figure 1. A schematic diagram of developed software tool for vulnerability prioritization.


Table 1 shows a fragment of the results generated by the developed software tool for vulnerability prioritization;
it lists the IP address, CVE identifier and CVSS 2.0 score. The list is arranged according to the following criteria:
• vulnerability with the highest possible assessment
• remote code execution
• publicly available exploit
The vulnerabilities that achieve the highest score in all three categories occupy the highest positions in
Table 1. The system operator can easily track the relevant machine by its IP address and take suitable action.
The scalability of the developed software reduces the time between requesting prioritization and
obtaining the results, thus reducing the time to vulnerability remediation.
Table 1. A sample output of the program.
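The following is an added illustration (not the paper's code) of the three-criterion ordering described above: findings are ranked by CVSS 2.0 score, then remote code execution, then public exploit availability, and devices are ranked by how many findings they carry. The CVE identifiers, IP addresses and flags are constructed placeholders, and a CVE not yet scored by NVD is kept but ranked below scored ones.

```python
"""Prioritize scanner findings by CVSS score, RCE and public exploit availability.

Added example: the data is constructed (placeholder CVE ids and private IPs),
not real Nessus or NVD output; the ranking rule follows the paper's criteria.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    ip: str
    cve: str
    cvss2: Optional[float]  # None when NVD has not published a score yet
    rce: bool               # vulnerability allows remote code execution
    public_exploit: bool    # a working exploit is publicly available

# Constructed sample of what the "Worker" module might merge from Nessus + NVD.
FINDINGS = [
    Finding("10.0.0.5", "CVE-EXAMPLE-0001", 9.3, True, True),
    Finding("10.0.0.5", "CVE-EXAMPLE-0002", 5.0, False, False),
    Finding("10.0.0.7", "CVE-EXAMPLE-0003", 10.0, True, False),
    Finding("10.0.0.9", "CVE-EXAMPLE-0004", 7.2, False, True),
    Finding("10.0.0.9", "CVE-EXAMPLE-0005", None, True, True),
    Finding("10.0.0.9", "CVE-EXAMPLE-0006", 5.0, False, True),
]

def priority_key(f: Finding) -> tuple:
    # Highest score first, then RCE, then public exploit. An unscored CVE gets
    # -1.0 so it is never mistaken for a critical one but is not dropped.
    score = f.cvss2 if f.cvss2 is not None else -1.0
    return (score, f.rce, f.public_exploit)

def prioritize(findings: List[Finding]) -> List[Tuple[str, str, Optional[float]]]:
    """Rows (ip, cve, cvss2) in the order an operator would see them in Table 1."""
    ranked = sorted(findings, key=priority_key, reverse=True)
    return [(f.ip, f.cve, f.cvss2) for f in ranked]

def devices_by_exposure(findings: List[Finding]) -> List[str]:
    """Devices with the most findings first; ties broken by the number of
    findings that are both RCE and publicly exploitable."""
    total = Counter(f.ip for f in findings)
    urgent = Counter(f.ip for f in findings if f.rce and f.public_exploit)
    return sorted(total, key=lambda ip: (total[ip], urgent[ip]), reverse=True)

if __name__ == "__main__":
    for ip, cve, score in prioritize(FINDINGS):
        print(f"{ip:<10} {cve:<18} {score if score is not None else 'n/a'}")
    print("device order:", devices_by_exposure(FINDINGS))
```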

Figure 2 shows the dependence of the calculation time of the developed software (Fig. 1) on the number of
containers for a database taken from NVD. The simulations were carried out within a cloud computing
environment on the OpenShift container application platform developed by Red Hat. The results shown in Fig. 1
demonstrate the scalability potential of the developed software. With four
containers the calculation time is almost 40% lower than with just one container.


Figure 2. Dependence of calculation time on the number of containers. (Axes: TIME [MIN], 0 to 20; CONTAINERS, 1 to 4.)

3. CONCLUSIONS
In summary, the presented article shows that, using containerization, a software tool for vulnerability
prioritization can be efficiently implemented within a cloud computing environment, allowing for effective
scaling. The presented approach helps reduce the time to vulnerability remediation.
Future research will focus on developing an algorithm that eliminates the false positive results
produced by scanning software. Filtering out false positive results will further reduce time-to-vulnerability-remediation
and total-vulnerability-exposure, and will facilitate the network administrators' work by allowing them to
focus on genuine deficiencies present within the infrastructure.

ACKNOWLEDGEMENTS
The authors wish to thank Wroclaw University of Science and Technology (statutory activity) for financial
support.

REFERENCES
[1] N. Avital, “The state of web application vulnerabilities in 2018,” Application Security, Research and
Reports, Jan. 2019.
[2] M. Nyanchama, “Enterprise vulnerability management and its role in information security management,”
Information Systems Security, vol. 14, no. 3, pp. 29-56, 2005.
[3] C. Theisen and L. Williams, “Poster: How bad is it, really? An analysis of severity scores for
vulnerabilities,” in Proc. 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security,
Apr. 2018, no. 20.
[4] J. A. Wang and M. Guo, “OVM: An ontology for vulnerability management,” in Proc. 5th Annual
Workshop on Cyber Security and Information Intelligence Research, Apr. 2009, no. 34.
[5] K. A. Farris, A. Shah, G. Cybenko, R. Ganesan, and S. Jajodia, “VULCON: A system for vulnerability
prioritization, mitigation, and management,” ACM Transactions on Privacy and Security,
vol. 21, 1 Oct. 2018.
[6] W. D. Burns and R. Fry, “Network security system with remediation based on value of attacked assets,”
United States Patent, no. US 9,338,181 B1, May 2016.
[7] C. Fruhwirth and T. Mannisto, “Improving CVSS-based vulnerability prioritization and response with
context information,” in Proc. International Symposium on Empirical Software Engineering and
Measurement, Oct. 2009, pp. 535-544.
[8] M. Bozorgi, L. K. Saul, S. Savage, and G. M. Voelker, “Beyond heuristics: Learning to classify
vulnerabilities and predict exploits,” in Proc. 16th ACM SIGKDD International Conference on Knowledge
Discovery and Data Mining, Jul. 2010, pp. 105-114.
[9] H. Holm and K. K. Afridi, “An expert-based investigation of the common vulnerability scoring system,”
Computers and Security, vol. 53, pp. 18-30, Sep. 2015.
[10] A. Beck and S. Rass, “Using neural networks to aid CVSS risk aggregation – An empirically validated
approach,” Journal of Innovation in Digital Ecosystems, vol. 3, no. 2, pp. 148-154, Dec. 2016.
[11] G. Grieco, G. L. Grinblat, L. Uzal, S. Rawat, J. Feist, and L. Mounier, “Toward large-scale vulnerability
discovery using machine learning,” in Proc. 6th ACM Conference on Data and Application Security and
Privacy, Mar. 2016, pp. 85-96.
[12] Q. Liu and Y. Zhang, “VRSS: A new system for rating and scoring vulnerabilities,” Computer
Communications, vol. 34, no. 3, pp. 264-273, Mar. 2011.
[13] Q. Liu, Y. Zhang, Y. Kong, and Q. Wu, “Improving VRSS-based vulnerability prioritization using analytic
hierarchy process,” Journal of Systems and Software, vol. 85, no. 8, pp. 1699-1708, Apr. 2012.
[14] S. H. Houmb and E. A. Engum, “Quantifying security risk level from CVSS estimates of frequency and
impact,” Journal of Systems and Software, vol. 83, no. 9, pp. 1622-1634, Sep. 2010.
[15] P. Mell, K. Scarfone, and S. Romanosky, “The common vulnerability scoring system (CVSS) and its
applicability to federal agency systems,” NIST Interagency Report 7435, Aug. 2007.
[16] P. Mell, K. Scarfone, and S. Romanosky, “A complete guide to the common vulnerability scoring system
version 2.0,” National Institute of Standards and Technology, Jul. 2007.
[17] R. Abraham, D. Arora, M. Coles, M. Eckert, M. Heitman, A. Manion, S. Moore, S. Romanosky,
K. Scarfone, J. Stuppi, C. Wergin, and A. Yooun, “Common Vulnerability Scoring System v3.0:
Specification Document,” FIRST, Jun. 2015.
[18] B. L. Bullough, A. K. Yanchenko, C. L. Smith, and J. R. Zipkin, “Predicting exploitation of disclosed
software vulnerabilities using open-source data,” in Proc. 3rd ACM International Workshop on Security
and Privacy Analytics, Mar. 2017, pp. 45-53.
[19] M. Walkowski, J. Oko, S. Sujecki, and S. Kozdrowski, “The impact of cyber security on the quality of
service in optical networks,” in Proc. 10th International Conference on Advanced Service Computing,
Feb. 2018, pp. 53-56.
[20] K. Popovic and Z. Hocenski, “Cloud computing security issues and challenges,” in Proc. 33rd
International Convention, Jun. 2010.
[21] L. Kaufman, “Data security in the world of cloud computing,” IEEE Security and Privacy, vol. 7, no. 4,
Jul.-Aug. 2009.