Abstract
Vulnerability remediation is a critical task in operational software and network security management. In this article, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: (1) time-to-vulnerability remediation (TVR) and (2) total vulnerability exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed-integer multiobjective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a cyber-security operations center (CSOC). Results indicate an overall TVE reduction of 8.97% when VULCON optimizes a realistic security analyst workforce’s effort. Additionally, VULCON demonstrates that it can determine monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.
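The abstract describes the optimization at the core of VULCON in words only: choose which findings to remediate so that exposure falls as far as possible within the analysts' available effort, and, inverting the question, find the effort needed to hold exposure at a target level. The following Python sketch is an added illustration of that idea and is not the paper's model or code. Its definitions are assumptions: TVE is approximated as severity weighted by asset criticality summed over open findings, TVR as days from discovery to remediation, the optimizer is an exact 0/1 knapsack over integer analyst-hours (a single-objective stand-in for the paper's mixed-integer multiobjective formulation), and every scan row is constructed sample data with placeholder identifiers.

```python
"""Toy vulnerability-prioritization model in the spirit of the VULCON abstract.

Added example, not the paper's formulation. TVE and TVR below are constructed
proxies, the optimizer is an exact 0/1 knapsack over analyst-hours, and the
scan rows are constructed sample data (VULN-000x are placeholders, not CVEs).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier
    host: str
    cvss: float             # base score, 0-10
    asset_criticality: int  # constructed scale: 1 (low) .. 3 (high)
    discovered: date        # first seen in a scan report
    effort_hours: int       # estimated analyst effort to remediate


def exposure(f: Finding) -> float:
    """Constructed per-finding exposure: severity weighted by asset criticality."""
    return f.cvss * f.asset_criticality


def total_vulnerability_exposure(findings: list[Finding],
                                 patched: frozenset[Finding] = frozenset()) -> float:
    """TVE proxy: summed exposure of every finding that is still open."""
    return sum(exposure(f) for f in findings if f not in patched)


def prioritize(findings: list[Finding], budget_hours: int) -> tuple[list[Finding], float]:
    """Exact 0/1 knapsack: the patch set that fits in budget_hours and removes
    the most exposure. Returns (chosen findings, exposure removed)."""
    n = len(findings)
    # best[i][h]: max exposure removable using the first i findings within h hours
    best = [[0.0] * (budget_hours + 1) for _ in range(n + 1)]
    for i, f in enumerate(findings, start=1):
        cost = f.effort_hours
        for h in range(budget_hours + 1):
            best[i][h] = best[i - 1][h]                      # skip finding i
            if cost <= h:                                    # or patch it
                candidate = best[i - 1][h - cost] + exposure(f)
                if candidate > best[i][h]:
                    best[i][h] = candidate
    # Backtrack to recover which findings produced the optimum.
    chosen: list[Finding] = []
    h = budget_hours
    for i in range(n, 0, -1):
        if best[i][h] != best[i - 1][h]:
            f = findings[i - 1]
            chosen.append(f)
            h -= f.effort_hours
    chosen.reverse()
    return chosen, best[n][budget_hours]


def mean_time_to_remediation(chosen: list[Finding], remediated_on: date) -> float:
    """TVR proxy: mean days from discovery to the remediation date."""
    if not chosen:
        return 0.0
    return sum((remediated_on - f.discovered).days for f in chosen) / len(chosen)


def hours_for_target_tve(findings: list[Finding], target_tve: float) -> int:
    """Smallest analyst-hour budget whose optimal patch set brings the TVE
    proxy down to target_tve or below (the 'resources for a target' question)."""
    total = total_vulnerability_exposure(findings)
    max_hours = sum(f.effort_hours for f in findings)
    for budget in range(max_hours + 1):
        _, removed = prioritize(findings, budget)
        if total - removed <= target_tve + 1e-9:
            return budget
    return max_hours


# Constructed scan rows: host names, scores and dates are invented.
SAMPLE = [
    Finding("VULN-0001", "web-01", 9.8, 3, date(2017, 9, 1), 4),
    Finding("VULN-0002", "db-01", 7.5, 3, date(2017, 9, 10), 6),
    Finding("VULN-0003", "dev-07", 9.0, 1, date(2017, 8, 20), 2),
    Finding("VULN-0004", "hr-03", 5.3, 2, date(2017, 9, 15), 1),
    Finding("VULN-0005", "web-02", 6.1, 3, date(2017, 9, 5), 3),
]

if __name__ == "__main__":
    budget = 8  # analyst-hours available this cycle (constructed)
    chosen, removed = prioritize(SAMPLE, budget)
    before = total_vulnerability_exposure(SAMPLE)
    after = total_vulnerability_exposure(SAMPLE, frozenset(chosen))
    print("patch:", [f.vuln_id for f in chosen])
    print(f"TVE {before:.1f} -> {after:.1f} ({removed / before:.1%} reduction)")
    print("mean TVR (days):", mean_time_to_remediation(chosen, date(2017, 9, 30)))
    print("hours to hold TVE <= 40:", hours_for_target_tve(SAMPLE, 40.0))
```

Two points the toy makes concrete. First, with an 8-hour budget the optimum is not simply "highest CVSS first": the critical-asset findings VULN-0001 and VULN-0005 are taken together with the cheap VULN-0004, while the 9.0-rated VULN-0003 on a low-criticality host is deferred. Second, the same routine answers the abstract's staffing question by sweeping budgets until the residual exposure meets the target.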
VULCON: A System for Vulnerability Prioritization, Mitigation, and Management