AI-ASSISTED DISTRIBUTED RISK ASSESSMENT FOR ZERO-TRUST MICROSERVICES: A TAXONOMY AND CONCEPTUAL FRAMEWORK
Keywords:
Zero trust architecture, Microservice security, Vulnerability management, Vulnerability prioritisation, Machine learning for security, Cloud-native security, Attack graphs, Continuous security monitoring
Abstract
Microservice and cloud-native architectures have enlarged the software attack surface faster than the methods used to assess its risk have adapted. Conventional vulnerability management remains centralised, static, focused on intrinsic severity, and disconnected from access control, none of which suits a distributed system in which risk depends on context and connectivity rather than on isolated flaws. This paper proposes a conceptual framework for distributed, AI-assisted risk assessment that addresses this mismatch. The framework is a synthesis of four research literatures, namely zero-trust architecture, microservice and cloud-native security, vulnerability analytics, and software risk management, and the paper first shows precisely where these literatures fail to meet. A six-dimensional taxonomy then organises the design space of distributed risk assessment, classifying approaches by signal source, granularity, analytical technique, risk model, zero-trust integration point, and temporality, and exposing the combination that no current approach occupies. To fill that gap, the paper proposes a four-layer framework in which lightweight per-service agents collect multi-source evidence, AI-assisted analytics estimate exploitation likelihood and detect anomalies, a graph-aware aggregation layer propagates risk across the service dependency graph, and an integration layer feeds a continuous per-service risk score into the zero-trust policy engine. An illustrative scenario shows how a contextually significant but low-severity vulnerability would be surfaced and contained. The contribution is conceptual rather than experimentally validated; the paper closes by setting out the open challenges of data, robustness, performance, consistency, explainability, and evaluation that lie between the framework and a deployable system.
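The four layers the abstract describes, worked through on a constructed service graph as an added example. This is not the paper's code or its risk model: the noisy-OR combination of vulnerability and anomaly signals, the per-hop attenuation of 0.7, the 0.5 factor for non-exposed services, the policy thresholds, and every service value and edge are assumptions chosen so that the scenario from the abstract (a low-severity but contextually significant flaw outranking a severe but isolated one) is visible in the output.

```python
"""Toy graph-aware risk aggregation for a microservice dependency graph.

Added illustration, not code from the paper. Every number below is a constructed
sample value and every formula is an assumption made for readability, not the
framework's own risk model.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    cvss: float                # intrinsic severity of the worst known flaw, 0..10 (0 = none known)
    exploit_likelihood: float  # exploitation-likelihood estimate, 0..1 (EPSS-like; assumed values)
    anomaly: float             # runtime anomaly score from the per-service agent, 0..1 (assumed)
    exposed: bool              # reachable from outside the mesh (e.g. behind an ingress)
    criticality: float         # business/data criticality of the service, 0..1 (assumed)


# Constructed sample estate. Edges point from caller to callee, so a compromised
# service gives an attacker a path to everything downstream of it.
SERVICES = {
    "gateway":   Service("gateway",   cvss=4.3, exploit_likelihood=0.60, anomaly=0.0, exposed=True,  criticality=0.3),
    "orders":    Service("orders",    cvss=0.0, exploit_likelihood=0.00, anomaly=0.2, exposed=False, criticality=0.5),
    "auth":      Service("auth",      cvss=0.0, exploit_likelihood=0.00, anomaly=0.0, exposed=False, criticality=0.9),
    "payments":  Service("payments",  cvss=0.0, exploit_likelihood=0.00, anomaly=0.0, exposed=False, criticality=0.9),
    "inventory": Service("inventory", cvss=9.8, exploit_likelihood=0.30, anomaly=0.0, exposed=False, criticality=0.3),
    "ledger":    Service("ledger",    cvss=7.5, exploit_likelihood=0.05, anomaly=0.0, exposed=False, criticality=0.9),
}
GRAPH = {
    "gateway": ["orders", "auth"],
    "orders": ["payments", "inventory"],
    "auth": [],
    "payments": ["ledger"],
    "inventory": [],
    "ledger": [],
}

HOP_ATTENUATION = 0.7    # assumed: each extra hop makes a downstream asset harder to reach
INTERNAL_EXPOSURE = 0.5  # assumed: a non-exposed service needs a prior foothold to be attacked


def downstream_distances(graph, start):
    """BFS over the dependency graph; returns {service: hops from start}, excluding start."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, []):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    dist.pop(start)
    return dist


def local_risk(svc):
    """Layer 2 (analytics): combine the vulnerability signal and the runtime anomaly signal
    as a noisy-OR, so either a likely-exploitable flaw or anomalous behaviour raises the
    score on its own, and both together raise it further."""
    vuln = (svc.cvss / 10.0) * svc.exploit_likelihood
    return 1.0 - (1.0 - vuln) * (1.0 - svc.anomaly)


def blast_radius(graph, services, name):
    """Layer 3 (graph-aware aggregation): the most critical asset reachable downstream,
    discounted per hop; 0 when the service calls nothing."""
    reach = downstream_distances(graph, name)
    return max((services[t].criticality * HOP_ATTENUATION ** d for t, d in reach.items()), default=0.0)


def contextual_risk(graph, services, name):
    """Per-service score in [0, 1]: local risk scaled by exposure and by what a compromise could reach."""
    svc = services[name]
    exposure = 1.0 if svc.exposed else INTERNAL_EXPOSURE
    return min(1.0, local_risk(svc) * exposure * (1.0 + blast_radius(graph, services, name)))


def assess(graph=GRAPH, services=SERVICES):
    """Return {service: contextual risk score} for the whole estate."""
    return {name: contextual_risk(graph, services, name) for name in services}


def policy_action(score, restrict_at=0.3, deny_at=0.6):
    """Layer 4 (integration): map the score to a zero-trust policy response (thresholds assumed).
    'restrict' is containment: narrow the workload's permitted callees to the minimum and require
    fresh per-request authorisation; 'deny' quarantines the workload."""
    if score >= deny_at:
        return "deny"
    if score >= restrict_at:
        return "restrict"
    return "allow"


def ranking(scores):
    """Service names from highest to lowest score (stable for ties)."""
    return [name for name, _ in sorted(scores.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    scores = assess()
    print("by contextual risk:", ranking(scores))
    print("by CVSS alone:     ", ranking({n: s.cvss for n, s in SERVICES.items()}))
    for name in ranking(scores):
        print(f"{name:10s} cvss={SERVICES[name].cvss:4.1f} score={scores[name]:.3f} -> {policy_action(scores[name])}")
```

Run stand-alone, the CVSS-only ordering puts the isolated inventory service (9.8) first and the gateway (4.3) third, while the contextual ordering inverts that: the gateway's flaw is exposed, judged likely to be exploited, and sits upstream of the auth and payments services, so it scores about 0.42 and maps to "restrict", whereas inventory, which calls nothing and is not exposed, scores about 0.15 and stays at "allow". Because every input is a signal an agent could refresh (a new EPSS-style estimate, a rising anomaly score, a changed edge in the mesh), recomputing the dictionary on each refresh is what turns a one-off scan into the continuous per-service score the abstract feeds to the policy engine.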