Automatic Association of Quality Requirements and Quantifiable Metrics for Cloud Security Certification

• URL: http://arxiv.org/abs/2503.09460v1
• Date: Wed, 12 Mar 2025 15:06:45 GMT
• Title: Automatic Association of Quality Requirements and Quantifiable Metrics for Cloud Security Certification
• Authors: John Bianchi, Shuya Dong, Luca Petrillo, Marinella Petrocchi,
• Abstract summary: The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is one of the first cybersecurity schemes in Europe.<n>This paper proposes an approach based on Sentence Transformers to automatically associate requirements and metrics.
• Score: 0.14999444543328289
• License: http://creativecommons.org/licenses/by-nc-nd/4.0/
• Abstract: The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is one of the first cybersecurity schemes in Europe, defined by the European Union Agency for Cybersecurity (ENISA). It aims to encourage cloud providers to strengthen their cybersecurity policies in order to receive an official seal of approval from European authorities. EUCS defines a set of security requirements that the cloud provider must meet, in whole or in part, in order to achieve the security certification. The requirements are written in natural language and cover every aspect of security in the cloud environment, from logging access to protecting the system with anti-malware tools to training staff. Operationally, each requirement is associated with one or more evaluable metrics. For example, a requirement to monitor access attempts to a service will have associated metrics that take into account the number of accesses, the number of access attempts, who is accessing, and what resources are being used. Partners in the European project Medina, which ended in October 2023, defined 163 metrics and manually mapped them to 70 EUCS requirements. Manual mapping is intuitively a long and costly process in terms of human resources. This paper proposes an approach based on Sentence Transformers to automatically associate requirements and metrics. In terms of correctness of associations, the proposed method achieves a Normalized Discounted Cumulative Gain of 0.640, improving a previous experiment by 0.146 points.

Related papers

• Llama-3.1-FoundationAI-SecurityLLM-Base-8B Technical Report [50.268821168513654]
  We present Foundation-Sec-8B, a cybersecurity-focused large language model (LLMs) built on the Llama 3.1 architecture. We evaluate it across both established and new cybersecurity benchmarks, showing that it matches Llama 3.1-70B and GPT-4o-mini in certain cybersecurity-specific tasks. By releasing our model to the public, we aim to accelerate progress and adoption of AI-driven tools in both public and private cybersecurity contexts.
  arXiv  Detail & Related papers  (2025-04-28T08:41:12Z)
• TrustZero - open, verifiable and scalable zero-trust [0.0]
  This thesis introduces TrustZero, a scalable layer of zero-trust security built around a universal "trust token"<n>By integrating ZTA principles with cryptography, TrustZero establishes a secure web-of-trust framework adaptable to legacy systems and inter-organisational communication.
  arXiv  Detail & Related papers  (2025-02-14T16:38:08Z)
• EMERALD: Evidence Management for Continuous Certification as a Service in the Cloud [0.7499722271664147]
  Lack of cloud-specific security certifications hinder transparency and accountability in the provision and usage of European cloud services.<n> EMERALD aims to provide agile and lean re-certification to consumers that adhere to a defined level of security and trust.
  arXiv  Detail & Related papers  (2025-02-11T07:49:10Z)
• Combined Hyper-Extensible Extremely-Secured Zero-Trust CIAM-PAM architecture [0.0]
  This paper introduces the Combined Hyper-Extensible Extremely-Secured Zero-Trust (CHEZ) CIAM-PAM architecture.<n>The framework addresses critical security gaps by integrating password-less authentication, adaptive multi-factor authentication, microservice-based PEP, multi-layer RBAC and multi-level trust systems.<n>It also includes end-to-end data encryption, and seamless integration with state-of-the-art AI-based threat detection systems.
  arXiv  Detail & Related papers  (2025-01-03T09:49:25Z)
• Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
  We propose Authenticated Cyclic Redundancy Integrity Check (ACRIC) ACRIC preserves backward compatibility without requiring additional hardware and is protocol agnostic. We show that ACRIC offers robust security with minimal transmission overhead ( 1 ms)
  arXiv  Detail & Related papers  (2024-11-21T18:26:05Z)
• Global Challenge for Safe and Secure LLMs Track 1 [57.08717321907755]
  The Global Challenge for Safe and Secure Large Language Models (LLMs) is a pioneering initiative organized by AI Singapore (AISG) and the CyberSG R&D Programme Office (CRPO) This paper introduces the Global Challenge for Safe and Secure Large Language Models (LLMs), a pioneering initiative organized by AI Singapore (AISG) and the CyberSG R&D Programme Office (CRPO) to foster the development of advanced defense mechanisms against automated jailbreaking attacks.
  arXiv  Detail & Related papers  (2024-11-21T08:20:31Z)
• Service Level Agreements and Security SLA: A Comprehensive Survey [51.000851088730684]
  This survey paper identifies state of the art covering concepts, approaches, and open problems of SLA management. It contributes by carrying out a comprehensive review and covering the gap between the analyses proposed in existing surveys and the most recent literature on this topic. It proposes a novel classification criterium to organize the analysis based on SLA life cycle phases.
  arXiv  Detail & Related papers  (2024-01-31T12:33:41Z)
• A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
  The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure. This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus. We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
  arXiv  Detail & Related papers  (2024-01-19T14:52:04Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• The Security and Privacy of Mobile Edge Computing: An Artificial Intelligence Perspective [64.36680481458868]
  Mobile Edge Computing (MEC) is a new computing paradigm that enables cloud computing and information technology (IT) services to be delivered at the network's edge. This paper provides a survey of security and privacy in MEC from the perspective of Artificial Intelligence (AI) We focus on new security and privacy issues, as well as potential solutions from the viewpoints of AI.
  arXiv  Detail & Related papers  (2024-01-03T07:47:22Z)
• Performance Analysis of Security Certificate Management System in Vehicle-to-Everything (V2X) [0.0]
  This study implements end entities and a Security Credential Management System conforming to IEEE 1609.2 and IEEE 1609.2.1 standards. It measures the computation and transmission times for each security communication action within the system from the perspective of end entities.
  arXiv  Detail & Related papers  (2023-09-18T02:24:33Z)
• Identity Prove Limited Information Governance Policy against cyber security persistent threats [0.0]
  IDPL applies an information governance based on the ISO/IEC:2022 standard of security and optimum performance. The company should ensure a right person, a real person, authenticating in real-time. The company has in-house systems focused on all potential risks to client data and its information system assets.
  arXiv  Detail & Related papers  (2023-09-05T10:00:10Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.