Integrating agentic risk signalling in trusted research environments: Automating VEX with Agent2Agent protocols and model context protocol (MCP) in SACRO and TREvolution pipelines
IF 3.1, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE
Petar Radanliev, Kayvan Atefi, Omar Santos, Carsten Maple
Computer Standards & Interfaces, Volume 96, Article 104079. Published 2025-09-30. DOI: 10.1016/j.csi.2025.104079. https://www.sciencedirect.com/science/article/pii/S0920548925001084
Citations: 0
Abstract
This study presents a framework for automating the generation and validation of machine-readable vulnerability statements, known as Vulnerability-Exploitability Exchange (VEX) artefacts, within secure research environments. The work addresses a critical limitation in existing vulnerability reporting, where static scoring systems often fail to capture whether a flaw is truly exploitable in a specific analytic context. By integrating structured metadata capture, runtime instrumentation, and cryptographically verifiable provenance, the framework classifies vulnerabilities as affected, fixed, or not relevant, supported by machine-readable evidence bundles. The methodology was evaluated using containerised applications seeded with deliberately vulnerable components. Software bill of materials and vulnerability scanners were applied to generate baseline inventories, while reproducibility frameworks validated that results could be independently replicated. Findings demonstrate that automated VEX generation can reduce false positives by distinguishing theoretical from actionable risks, thereby improving security assurance and reproducibility in federated infrastructures. At the same time, the research acknowledges significant challenges. Computational overhead from multi-layered monitoring, dependence on external tools, and the risk of false negatives introduce barriers to adoption. Broader pilot studies across heterogeneous domains and benchmarking on standardised testbeds are required to enhance generalisability. Privacy concerns from extensive runtime monitoring and the need for sustainable maintenance models also demand attention. By combining automation with human oversight and aligning with emerging standards, the study contributes a reproducible, auditable, and context-sensitive approach to vulnerability management. The work provides both a proof-of-concept and a roadmap for refining security practices in sensitive computational environments.
About the journal:
The quality of software, well-defined interfaces (hardware and software), the process of digitalisation, and accepted standards in these fields are essential for building and exploiting complex computing, communication, multimedia and measuring systems. Standards can simplify the design and construction of individual hardware and software components and help to ensure satisfactory interworking.
Computer Standards & Interfaces is an international journal dealing specifically with these topics.
The journal
• Provides information about activities and progress on the definition of computer standards, software quality, interfaces and methods, at national, European and international levels
• Publishes critical comments on standards and standards activities
• Disseminates user's experiences and case studies in the application and exploitation of established or emerging standards, interfaces and methods
• Offers a forum for discussion on actual projects, standards, interfaces and methods by recognised experts
• Stimulates relevant research by providing a specialised refereed medium.