OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: VULCON: A System for Vulnerability Prioritization, Mitigation, and Management

Abstract

Vulnerability remediation is a critical task in operational software and network security management. In this paper, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: (i) Time-to-Vulnerability Remediation (TVR) and (ii) Total Vulnerability Exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed integer multi-objective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a Cyber-Security Operations Center (CSOC). Results indicate an overall Total Vulnerability Exposure reduction of 8.97% when VULCON optimizes a realistic security analyst workforce's effort. Additionally, it is demonstrated that VULCON can determine the monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.

Authors:
Farris, Katheryn A. [1]; Shah, Ankit [2]; Cybenko, George [1]; Ganesan, Rajesh [2]; Jajodia, Sushil [2]
  1. Dartmouth College
  2. George Mason University, Fairfax, VA
Publication Date:
June 2018
Research Org.:
Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1470730
Report Number(s):
PNNL-SA-133665
Journal ID: ISSN 2471-2566
DOE Contract Number:
AC05-76RL01830
Resource Type:
Journal Article
Journal Name:
ACM Transactions on Privacy and Security
Additional Journal Information:
Journal Volume: 21; Journal Issue: 4; Journal ID: ISSN 2471-2566
Country of Publication:
United States
Language:
English

Citation Formats

Farris, Katheryn A., Shah, Ankit, Cybenko, George, Ganesan, Rajesh, and Jajodia, Sushil. VULCON: A System for Vulnerability Prioritization, Mitigation, and Management. United States: N. p., 2018. Web. doi:10.1145/3196884.
Farris, Katheryn A., Shah, Ankit, Cybenko, George, Ganesan, Rajesh, & Jajodia, Sushil. VULCON: A System for Vulnerability Prioritization, Mitigation, and Management. United States. doi:10.1145/3196884.
Farris, Katheryn A., Shah, Ankit, Cybenko, George, Ganesan, Rajesh, and Jajodia, Sushil. 2018. "VULCON: A System for Vulnerability Prioritization, Mitigation, and Management". United States. doi:10.1145/3196884.
@article{osti_1470730,
title = {VULCON: A System for Vulnerability Prioritization, Mitigation, and Management},
author = {Farris, Katheryn A. and Shah, Ankit and Cybenko, George and Ganesan, Rajesh and Jajodia, Sushil},
abstractNote = {Vulnerability remediation is a critical task in operational software and network security management. In this paper, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: i). Time-to-Vulnerability Remediation (TVR) and; ii). Total Vulnerability Exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed integer multi-objective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a Cyber-Security Operations Center (CSOC). Results indicate an overall Total Vulnerability Exposure reduction of 8.97\% when VULCON optimizes a realistic security analyst workforce's effort. Additionally, it is demonstrated that VULCON can determine monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.},
doi = {10.1145/3196884},
journal = {ACM Transactions on Privacy and Security},
issn = {2471-2566},
number = 4,
volume = 21,
place = {United States},
year = {2018},
month = {6}
}
