{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,2]],"date-time":"2026-02-02T22:42:14Z","timestamp":1770072134022,"version":"3.49.0"},"publisher-location":"Cham","reference-count":58,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319256443","type":"print"},{"value":"9783319256450","type":"electronic"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015]]},"DOI":"10.1007\/978-3-319-25645-0_29","type":"book-chapter","created":{"date-parts":[[2015,11,23]],"date-time":"2015-11-23T12:24:45Z","timestamp":1448281485000},"page":"405-417","source":"Crossref","is-referenced-by-count":10,"title":["Assessing Attack Surface with Component-Based Package Dependency"],"prefix":"10.1007","author":[{"given":"Su","family":"Zhang","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xinwen","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xinming","family":"Ou","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Liqun","family":"Chen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nigel","family":"Edwards","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jing","family":"Jin","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2015,11,6]]},"reference":[{"key":"29_CR1","unstructured":"VMware ESX and VMware ESXi - The Market Leading Production-Proven Hypervisors. VMware Inc. (2009). 
http:\/\/www.vmware.com\/files\/pdf\/VMware-ESX-and-VMware-ESXi-DS-EN.pdf"},{"key":"29_CR2","doi-asserted-by":"crossref","unstructured":"Abate, P., Di Cosmo, R., Boender, J., Zacchiroli, S.: Strong dependencies between software components. In: Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement, pp. 89\u201399. IEEE Computer Society (2009)","DOI":"10.1109\/ESEM.2009.5316017"},{"key":"29_CR3","doi-asserted-by":"crossref","unstructured":"Cheng, P., Wang, L., Jajodia, S., Singhal, A.: Aggregating cvss base scores for semantics-rich network security metrics. In: Proceedings of the 31st IEEE International Symposium on Reliable Distributed Systems (SRDS 2012). IEEE Computer Society (2012)","DOI":"10.1109\/SRDS.2012.4"},{"key":"29_CR4","doi-asserted-by":"crossref","unstructured":"Chowdhury, I., Zulkernine, M.: Can complexity, coupling, and cohesion metrics be used as early indicators of vulnerabilities?. In: Proceedings of the 2010 ACM Symposium on Applied Computing, pp. 1963\u20131969. ACM (2010)","DOI":"10.1145\/1774088.1774504"},{"key":"29_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"137","DOI":"10.1007\/978-3-319-08915-7_5","volume-title":"Models@run.time","author":"SA DeLoach","year":"2014","unstructured":"DeLoach, S.A., Ou, X., Zhuang, R., Zhang, S.: Model-driven, moving-target defense for enterprise network security. In: Bencomo, N., France, R., Cheng, B.H.C., A\u00dfmann, U. (eds.) Models@run.time. LNCS, vol. 8378, pp. 137\u2013161. Springer, Heidelberg (2014)"},{"key":"29_CR6","unstructured":"Drake, J.J.: Exploiting memory corruption vulnerabilities in the java runtime (2011)"},{"key":"29_CR7","unstructured":"Ellison, R.J., Goodenough, J.B., Weinstock, C.B., Woody, C.: Evaluating and mitigating software supply chain security risks. 
Technical report, DTIC Document (2010)"},{"key":"29_CR8","doi-asserted-by":"crossref","unstructured":"Goichon, F., Salagnac, G., Parrend, P., Fr\u00e9not, S.: Static vulnerability detection in java service-oriented components. Journal in Computer Virology, 1\u201312 (2012)","DOI":"10.1007\/s11416-012-0172-1"},{"key":"29_CR9","doi-asserted-by":"crossref","unstructured":"Gong, L.: Java security: a ten year retrospective. In: Annual Computer Security Applications Conference, ACSAC 2009, pp. 395\u2013405. IEEE (2009)","DOI":"10.1109\/ACSAC.2009.44"},{"issue":"4","key":"29_CR10","doi-asserted-by":"crossref","first-page":"561","DOI":"10.3233\/JCS-130475","volume":"21","author":"J Homer","year":"2013","unstructured":"Homer, J., Zhang, S., Ou, X., Schmidt, D., Du, Y., Rajagopalan, S.R., Singhal, A.: Aggregating vulnerability metrics in enterprise networks using attack graphs. Journal of Computer Security 21(4), 561\u2013597 (2013)","journal-title":"Journal of Computer Security"},{"key":"29_CR11","doi-asserted-by":"crossref","unstructured":"Howard, M., Pincus, J., Wing, J.: Measuring relative attack surfaces. In: Computer Security in the 21st Century, pp. 109\u2013137 (2005)","DOI":"10.1007\/0-387-24006-3_8"},{"key":"29_CR12","doi-asserted-by":"crossref","unstructured":"Huang, H., Zhang, S., Ou, X., Prakash, A., Sakallah, K.: Distilling critical attack graph surface iteratively through minimum-cost sat solving. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 31\u201340. ACM (2011)","DOI":"10.1145\/2076732.2076738"},{"key":"29_CR13","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.advengsoft.2012.08.002","volume":"54","author":"MA Khan","year":"2012","unstructured":"Khan, M.A., Mahmood, S.: A graph based requirements clustering approach for component selection. 
Advances in Engineering Software 54, 1\u201316 (2012)","journal-title":"Advances in Engineering Software"},{"key":"29_CR14","unstructured":"Li, T., Zhou, X., Brandstatter, K., Raicu, I.: Distributed key-value store on hpc and cloud systems. In: 2nd Greater Chicago Area System Research Workshop (GCASR). Citeseer (2013)"},{"key":"29_CR15","doi-asserted-by":"crossref","unstructured":"Li, T., Zhou, X., Brandstatter, K., Zhao, D., Wang, K., Rajendran, A., Zhang, Z., Raicu, I.: Zht: A light-weight reliable persistent dynamic scalable zero-hop distributed hash table. In: 2013 IEEE 27th International Symposium on Parallel & Distributed Processing (IPDPS), pp. 775\u2013787. IEEE (2013)","DOI":"10.1109\/IPDPS.2013.110"},{"key":"29_CR16","doi-asserted-by":"crossref","unstructured":"Liu, X., Edwards, S., Riga, N., Medhi, D.: Design of a software-defined resilient virtualized networking environment. In: 11th International Conference on the Design of Reliable Communication Networks (DRCN), pp. 111\u2013114. IEEE (2015)","DOI":"10.1109\/DRCN.2015.7148999"},{"key":"29_CR17","doi-asserted-by":"crossref","unstructured":"Lv, Z., Su, T.: 3D seabed modeling and visualization on ubiquitous context. In: SIGGRAPH Asia 2014 Posters, SA 2014, pp. 33:1\u201333:1. ACM, New York (2014)","DOI":"10.1145\/2668975.2668977"},{"key":"29_CR18","doi-asserted-by":"crossref","unstructured":"Manadhata, P., Wing, J.M.: Measuring a system\u2019s attack surface. Technical report, DTIC Document (2004)","DOI":"10.21236\/ADA458115"},{"issue":"3","key":"29_CR19","doi-asserted-by":"publisher","first-page":"371","DOI":"10.1109\/TSE.2010.60","volume":"37","author":"PK Manadhata","year":"2011","unstructured":"Manadhata, P.K., Wing, J.M.: An attack surface metric. 
IEEE Transactions on Software Engineering 37(3), 371\u2013386 (2011)","journal-title":"IEEE Transactions on Software Engineering"},{"key":"29_CR20","unstructured":"Marouf, S.M.: An Extensive Analysis of the Software Security Vulnerabilities that exist within the Java Software Execution Environment. PhD thesis, University of Wisconsin (2008)"},{"key":"29_CR21","unstructured":"Mell, P., Scarfone, K., Romanosky, S.: A complete guide to the common vulnerability scoring system version 2.0. In: Published by FIRST-Forum of Incident Response and Security Teams, pp. 1\u201323 (2007)"},{"key":"29_CR22","doi-asserted-by":"crossref","unstructured":"Nasiri, S., Azmi, R., Khalaj, R.: Adaptive and quantitative comparison of J2EE vs. net based on attack surface metric. In: 2010 5th International Symposium on Telecommunications (IST), pp. 199\u2013205. IEEE (2010)","DOI":"10.1109\/ISTEL.2010.5734024"},{"key":"29_CR23","unstructured":"Neuhaus, S., Zimmermann, T.: The beauty and the beast: vulnerabilities in red hat\u2019s packages. In: Proceedings of the 2009 Conference on USENIX Annual Technical Conference, USENIX 2009, p. 30. USENIX Association, Berkeley (2009)"},{"key":"29_CR24","doi-asserted-by":"crossref","unstructured":"Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 529\u2013540. ACM (2007)","DOI":"10.1145\/1315245.1315311"},{"key":"29_CR25","doi-asserted-by":"crossref","unstructured":"Parrend, P.: Enhancing automated detection of vulnerabilities in java components. In: International Conference on Availability, Reliability and Security, ARES 2009, pp. 216\u2013223. 
IEEE (2009)","DOI":"10.1109\/ARES.2009.9"},{"key":"29_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1007\/978-3-540-87891-9_6","volume-title":"Component-Based Software Engineering","author":"P Parrend","year":"2008","unstructured":"Parrend, P., Fr\u00e9not, S.: Classification of component vulnerabilities in java service oriented programming (SOP) platforms. In: Chaudron, M.R.V., Ren, X.-M., Reussner, R. (eds.) CBSE 2008. LNCS, vol. 5282, pp. 80\u201396. Springer, Heidelberg (2008)"},{"key":"29_CR27","series-title":"Communications in Computer and Information Science","doi-asserted-by":"publisher","first-page":"148","DOI":"10.1007\/978-3-642-22333-4_17","volume-title":"Future Information Technology","author":"PM P\u00e9rez","year":"2011","unstructured":"P\u00e9rez, P.M., Filipiak, J., Sierra, J.M.: LAPSE+ static analysis security software: Vulnerabilities detection in java EE applications. In: Park, J.J., Yang, L.T., Lee, C. (eds.) FutureTech 2011, Part I. CCIS, vol. 184, pp. 148\u2013156. Springer, Heidelberg (2011)"},{"key":"29_CR28","doi-asserted-by":"crossref","unstructured":"Qian, H., Andresen, D.: Jade: An efficient energy-aware computation offloading system with heterogeneous network interface bonding for ad-hoc networked mobile devices. In: 15th IEEE\/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel\/Distributed Computing (SNPD) (2014)","DOI":"10.1109\/SNPD.2014.6888703"},{"key":"29_CR29","doi-asserted-by":"crossref","unstructured":"Qian, H., Andresen, D.: Emerald: Enhance scientific workflow performance with computation offloading to the cloud. In: 2015 IEEE\/ACIS 14th International Conference on Computer and Information Science (ICIS), pp. 443\u2013448. 
IEEE (2015)","DOI":"10.1109\/ICIS.2015.7166634"},{"key":"29_CR30","doi-asserted-by":"crossref","unstructured":"Qian, H., Andresen, D.: An energy-saving task scheduler for mobile devices. In: 2015 IEEE\/ACIS 14th International Conference on Computer and Information Science (ICIS), pp. 423\u2013430. IEEE (2015)","DOI":"10.1109\/ICIS.2015.7166631"},{"key":"29_CR31","unstructured":"Raemaekers, S., van Deursen, A., Visser, J.: Exploring risks in the usage of third party libraries. In: The Goal of the BElgian-NEtherlands Software eVOLution Seminar, p. 31 (2011)"},{"key":"29_CR32","doi-asserted-by":"crossref","unstructured":"Su, Y., Wang, Y., Agrawal, G., Kettimuthu, R.: Sdquery dsi: integrating data management support with a wide area data transfer protocol. In: Proceedings of the International Conference on High Performance Computing, Networking, Storage and Analysis, p. 47. ACM (2013)","DOI":"10.1145\/2503210.2503270"},{"key":"29_CR33","doi-asserted-by":"crossref","unstructured":"Vijayakumar, H., Jakka, G., Rueda, S., Schiffman, J., Jaeger, T.: Integrity walls: Finding attack surfaces from mandatory access control policies. In: Proceedings of the 7th ACM Symposium on Information, Computer, and Communications Security (ASIACCS 2012), May 2012","DOI":"10.1145\/2414456.2414500"},{"key":"29_CR34","unstructured":"Wang, J.J.-Y., Sun, Y., Gao, X.: Sparse structure regularized ranking. Multimedia Tools and Applications, 1\u201320 (2014)"},{"key":"29_CR35","unstructured":"Wang, K., Liu, N., Sadooghi, I., Yang, X., Zhou, X., Lang, M., Sun, X.-H., Raicu, I.: Overcoming hadoop scaling limitations through distributed task execution"},{"key":"29_CR36","doi-asserted-by":"crossref","unstructured":"Wang, K., Zhou, X., Chen, H., Lang, M., Raicu, I.: Next generation job management systems for extreme-scale ensemble computing. In: Proceedings of the 23rd International Symposium on High-Performance Parallel and Distributed Computing, pp. 111\u2013114. 
ACM (2014)","DOI":"10.1145\/2600212.2600703"},{"key":"29_CR37","doi-asserted-by":"crossref","unstructured":"Wang, K., Zhou, X., Qiao, K., Lang, M., McClelland, B., Raicu, I.: Towards scalable distributed workload manager with monitoring-based weakly consistent resource stealing. In: Proceedings of the 24th International Symposium on High-Performance Parallel and Distributed Computing, pp. 219\u2013222. ACM (2015)","DOI":"10.1145\/2749246.2749249"},{"key":"29_CR38","doi-asserted-by":"crossref","unstructured":"Wang, K., Zhou, X., Li, T., Zhao, D., Lang, M., Raicu, I.: Optimizing load balancing and data-locality with data-aware scheduling. In: 2014 IEEE International Conference on Big Data (Big Data), pp. 119\u2013128. IEEE (2014)","DOI":"10.1109\/BigData.2014.7004220"},{"key":"29_CR39","doi-asserted-by":"crossref","unstructured":"Wang, Y., Nandi, A., Agrawal, G.: Saga: array storage as a DB with support for structural aggregations. In: Proceedings of the 26th International Conference on Scientific and Statistical Database Management, p. 9. ACM (2014)","DOI":"10.1145\/2618243.2618270"},{"key":"29_CR40","doi-asserted-by":"crossref","unstructured":"Wang, Y., Su, Y., Agrawal, G.: Supporting a light-weight data management layer over hdf5. In: 2013 13th IEEE\/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGrid), pp. 335\u2013342. IEEE (2013)","DOI":"10.1109\/CCGrid.2013.9"},{"key":"29_CR41","doi-asserted-by":"crossref","unstructured":"Wei, F., Roy, S., Ou, X., Robby.: Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1329\u20131341. ACM (2014)","DOI":"10.1145\/2660267.2660357"},{"key":"29_CR42","doi-asserted-by":"crossref","unstructured":"Xiong, H., Zheng, Q., Zhang, X., Yao, D.: Cloudsafe: Securing data processing within vulnerable virtualization environments in the cloud. 
In: 2013 IEEE Conference on Communications and Network Security (CNS), pp. 172\u2013180. IEEE (2013)","DOI":"10.1109\/CNS.2013.6682705"},{"key":"29_CR43","unstructured":"Yamaguchi, F., Lindner, F., Rieck, K.: Vulnerability extrapolation: assisted discovery of vulnerabilities using machine learning. In: Proceedings of the 5th USENIX conference on Offensive Technologies, p. 13. USENIX Association (2011)"},{"issue":"1\u20132","key":"29_CR44","doi-asserted-by":"publisher","first-page":"244","DOI":"10.14778\/1920841.1920875","volume":"3","author":"H Zhang","year":"2010","unstructured":"Zhang, H., Diao, Y., Immerman, N.: Recognizing patterns in streams with imprecise timestamps. Proceedings of the VLDB Endowment 3(1\u20132), 244\u2013255 (2010)","journal-title":"Proceedings of the VLDB Endowment"},{"key":"29_CR45","doi-asserted-by":"crossref","unstructured":"Zhang, H., Diao, Y., Immerman, N.: On complexity and optimization of expensive queries in complex event processing. In: Proceedings of the 2014 ACM SIGMOD International Conference on Management of Data, pp. 217\u2013228. ACM (2014)","DOI":"10.1145\/2588555.2593671"},{"key":"29_CR46","unstructured":"Zhang, S.: Deep-diving into an easily-overlooked threat: Inter-vm attacks. Whitepaper, provided by Kansas State University, TechRepublic\/US2012 (2013). http:\/\/www.techrepublic.com\/resourcelibrary\/whitepapers\/deep-diving-into-an-easilyoverlooked-threat-inter-vm-attacks"},{"key":"29_CR47","unstructured":"Zhang, S.: Quantitative risk assessment under multi-context environments. PhD thesis, Kansas State University (2014)"},{"key":"29_CR48","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1007\/978-3-642-23088-2_15","volume-title":"Database and Expert Systems Applications","author":"S Zhang","year":"2011","unstructured":"Zhang, S., Caragea, D., Ou, X.: An empirical study on using the national vulnerability database to predict software vulnerabilities. 
In: Hameurlain, A., Liddle, S.W., Schewe, K.-D., Zhou, X. (eds.) DEXA 2011, Part I. LNCS, vol. 6860, pp. 217\u2013231. Springer, Heidelberg (2011)"},{"key":"29_CR49","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1007\/978-3-642-22424-9_2","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"S Zhang","year":"2011","unstructured":"Zhang, S., Ou, X., Homer, J.: Effective network vulnerability assessment through model abstraction. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 17\u201334. Springer, Heidelberg (2011)"},{"key":"29_CR50","unstructured":"Zhang, S., Ou, X., Singhal, A., Homer, J.: An empirical study of a vulnerability metric aggregation method. In: The 2011 International Conference on Security and Management (SAM 2011), Special Track on Mission Assurance and Critical Infrastructure Protection (STMACIP 2011) (2011)"},{"key":"29_CR51","doi-asserted-by":"crossref","unstructured":"Zhang, S., Zhang, X., Ou, X.: After we knew it: empirical study and modeling of cost-effectiveness of exploiting prevalent known vulnerabilities across iaas cloud. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 317\u2013328. ACM (2014)","DOI":"10.1145\/2590296.2590300"},{"key":"29_CR52","doi-asserted-by":"crossref","unstructured":"Zhao, D., Zhang, Z., Zhou, X., Li, T., Wang, K., Kimpe, D., Carns, P., Ross, R., Raicu, I.: Fusionfs: Toward supporting data-intensive scientific applications on extreme-scale high-performance computing systems. In: 2014 IEEE International Conference on Big Data (Big Data), pp. 61\u201370. IEEE (2014)","DOI":"10.1109\/BigData.2014.7004214"},{"key":"29_CR53","doi-asserted-by":"crossref","unstructured":"Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., Zou, W.: Smartdroid: An automatic system for revealing ui-based trigger conditions in android applications. 
In: Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2012, pp. 93\u2013104. ACM, New York (2012)","DOI":"10.1145\/2381934.2381950"},{"key":"29_CR54","doi-asserted-by":"crossref","unstructured":"Zheng, Q., Zhu, W., Zhu, J., Zhang, X.: Improved anonymous proxy re-encryption with cca security. In: Proceedings of the 9th ACM Symposium on Information Computer and Communications Security, ASIA CCS 2014, pp. 249\u2013258. ACM, New York (2014)","DOI":"10.1145\/2590296.2590322"},{"key":"29_CR55","doi-asserted-by":"crossref","unstructured":"Zhou, X., Sun, X., Sun, G., Yang, Y.: A combined static and dynamic software birthmark based on component dependence graph. In: International Conference on Intelligent Information Hiding and Multimedia Signal Processing, pp. 1416\u20131421. IEEE (2008)","DOI":"10.1109\/IIH-MSP.2008.145"},{"key":"29_CR56","doi-asserted-by":"crossref","unstructured":"Zhuang, R., Zhang, S., Bardas, A., DeLoach, S.A., Ou, X., Singhal, A.: Investigating the application of moving target defenses to network security. In: 2013 6th International Symposium on Resilient Control Systems (ISRCS), pp. 162\u2013169. IEEE (2013)","DOI":"10.1109\/ISRCS.2013.6623770"},{"key":"29_CR57","unstructured":"Zhuang, R., Zhang, S., DeLoach, S.A., Ou, X., Singhal, A.: Simulation-based approaches to studying effectiveness of moving-target network defense. In: National Symposium on Moving Target Research (2012)"},{"key":"29_CR58","doi-asserted-by":"crossref","unstructured":"Zimmermann, T., Nagappan, N.: Predicting defects using network analysis on dependency graphs. In: ACM\/IEEE 30th International Conference on Software Engineering, ICSE 2008, pp. 531\u2013540. 
IEEE (2008)","DOI":"10.1145\/1368088.1368161"}],"container-title":["Lecture Notes in Computer Science","Network and System Security"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-25645-0_29","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,5,31]],"date-time":"2025-05-31T13:42:27Z","timestamp":1748698947000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-25645-0_29"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015]]},"ISBN":["9783319256443","9783319256450"],"references-count":58,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-25645-0_29","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015]]}}}