
From Exploit Prediction in the Wild to System-Specific Cyber Security Risk Metrics: Work in Progress

Published: 02 July 2024

Abstract

System-specific cyber security risk depends on the likelihoods of potential multi-step attacks that combine multiple vulnerabilities, and on the corresponding losses. These likelihoods are typically obtained under the assumptions that exploits of individual vulnerabilities are statistically jointly independent random events and that the probabilities of these events can be estimated from data on vulnerability exploits in the wild, e.g., using the Common Vulnerability Scoring System (CVSS). However, these assumptions do not account for the inherently adversarial nature of attacker-defender interactions, and may therefore lead to significant inaccuracies in cyber risk estimation and thus to highly inefficient risk mitigation decisions. We propose a framework for system-specific cyber security risk evaluation that addresses some of these shortcomings of conventional risk evaluation techniques by combining public information, e.g., obtained from CVSS, with private information that the system defender may be reluctant to disclose. In the proposed framework, public information on vulnerability exploits in the wild determines a system-specific cyber security risk envelope, and the defender estimates the system's cyber security risk inside this envelope using the available private information on former attacks.


    Published In

    CF '24: Proceedings of the 21st ACM International Conference on Computing Frontiers
    May 2024
    345 pages
    ISBN:9798400705977
    DOI:10.1145/3649153
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Cybersecurity risk
    2. brute-force attack
    3. cyber security risk envelope
    4. intelligent attack
    5. system-specific metrics

    Qualifiers

    • Poster
    • Research
    • Refereed limited

    Conference

    CF '24

    Acceptance Rates

    CF '24 Paper Acceptance Rate 33 of 105 submissions, 31%;
    Overall Acceptance Rate 273 of 785 submissions, 35%
