
VULCON: A System for Vulnerability Prioritization, Mitigation, and Management

Published: 12 June 2018

Abstract

Vulnerability remediation is a critical task in operational software and network security management. In this article, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: (1) time-to-vulnerability remediation (TVR) and (2) total vulnerability exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed-integer multiobjective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a cyber-security operations center (CSOC). Results indicate an overall TVE reduction of 8.97% when VULCON optimizes a realistic security analyst workforce’s effort. Additionally, VULCON demonstrates that it can determine monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.
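The abstract describes a prioritization under an effort budget that trades off total exposure (TVE) against time-to-remediation (TVR), and the use of the same model to size the workforce for a target TVE. The example below is added here and is not the paper's code or its actual model: the exposure term (severity x asset criticality x days open), the lexicographic objective, the exhaustive search standing in for the MILP solver, and the scan data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product
from statistics import mean

@dataclass(frozen=True)
class Vuln:
    vid: str
    severity: float      # e.g. CVSS base score (0-10) from the scan report
    criticality: float   # asset criticality weight supplied by the asset owner
    effort_hours: float  # analyst effort needed to remediate
    age_days: int        # days since the scanner first reported the finding

def exposure(v: Vuln) -> float:
    # Assumed per-vulnerability exposure term (not the paper's definition).
    return v.severity * v.criticality * v.age_days

def total_exposure(vulns) -> float:
    """TVE: total exposure of everything still unpatched."""
    return sum(exposure(v) for v in vulns)

def plan(vulns, budget_hours):
    """Exhaustive search over patch subsets, a stand-in for the MILP solver.
    Objective 1: minimise the TVE left open within the effort budget.
    Objective 2 (tie-break): minimise mean TVR of the patched set, where the
    TVR of an item patched this cycle is its current age in days."""
    assert len(vulns) <= 16, "exhaustive search is only meant for small examples"
    best = None
    for mask in product((0, 1), repeat=len(vulns)):
        chosen = [v for v, m in zip(vulns, mask) if m]
        if sum(v.effort_hours for v in chosen) > budget_hours:
            continue
        left = [v for v, m in zip(vulns, mask) if not m]
        tve = total_exposure(left)
        tvr = mean(v.age_days for v in chosen) if chosen else float("inf")
        if best is None or (tve, tvr) < (best[0], best[1]):
            best = (tve, tvr, [v.vid for v in chosen])
    return best  # (remaining TVE, mean TVR of patched items, patched ids)

def hours_for_target(vulns, target_tve, step=4.0):
    """Smallest effort budget (in `step`-hour increments) whose optimal plan keeps
    TVE at or below the target; mirrors sizing monthly resources to a TVE goal."""
    total = sum(v.effort_hours for v in vulns)
    budget = 0.0
    while True:
        if plan(vulns, budget)[0] <= target_tve:
            return budget
        if budget >= total:
            return None  # target unreachable even when patching everything
        budget += step

# Constructed sample scan data for this example (not the paper's CSOC dataset).
SAMPLE = [
    Vuln("V1", 9.8, 3, 8, 30), Vuln("V2", 7.5, 2, 4, 60), Vuln("V3", 5.0, 1, 2, 10),
    Vuln("V4", 9.0, 1, 6, 90), Vuln("V5", 4.3, 3, 2, 45), Vuln("V6", 6.5, 2, 12, 20),
]
```

With a 16-hour budget the plan patches V1, V2, V3 and V5, leaving V4 and V6 open; raising the target to a TVE of 1000 or less requires a 20-hour budget.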



Published In

ACM Transactions on Privacy and Security, Volume 21, Issue 4
November 2018
142 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3232648

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 12 June 2018
Accepted: 01 March 2018
Revised: 01 November 2017
Received: 01 May 2017
Published in TOPS Volume 21, Issue 4


Author Tags

  1. Cyber-security analysts
  2. cyber-security operations center (CSOC)
  3. multiobjective optimization
  4. structured vulnerability response programs
  5. vulnerability triage and management

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

  • Army Research Office (ARO)
  • MURI
