VULCON: A System for Vulnerability Prioritization, Mitigation, and Management

Farris, Katheryn A.; Shah, Ankit; Cybenko, George; Ganesan, Rajesh; Jajodia, Sushil

doi:10.1145/3196884

Title: VULCON: A System for Vulnerability Prioritization, Mitigation, and Management

Journal Article · Tue Jun 12 00:00:00 EDT 2018 · ACM Transactions on Privacy and Security

DOI:https://doi.org/10.1145/3196884· OSTI ID:1470730

Farris, Katheryn A. ^[1]; Shah, Ankit ^[2]; Cybenko, George ^[1]; Ganesan, Rajesh ^[2]; Jajodia, Sushil ^[2]

Dartmouth College
George Mason University, Fairfax, VA

Vulnerability remediation is a critical task in operational software and network security management. In this paper, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: i). Time-to-Vulnerability Remediation (TVR) and; ii). Total Vulnerability Exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed integer multi-objective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a Cyber-Security Operations Center (CSOC). Results indicate an overall Total Vulnerability Exposure reduction of 8.97\% when VULCON optimizes a realistic security analyst workforce's effort. Additionally, it is demonstrated that VULCON can determine monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.

Cite

Export

Save

Research Organization:: Pacific Northwest National Lab. (PNNL), Richland, WA (United States)

Sponsoring Organization:: USDOE

DOE Contract Number:: AC05-76RL01830

OSTI ID:: 1470730

Report Number(s):: PNNL-SA-133665

Journal Information:: ACM Transactions on Privacy and Security, Vol. 21, Issue 4; ISSN 2471-2566

Country of Publication:: United States

Language:: English

References (12)

US Emergency Department Performance on Wait Time and Length of Visit Horwitz, Leora I.; Green, Jeremy; Bradley, Elizabeth H. Annals of Emergency Medicine, Vol. 55, Issue 2 https://doi.org/10.1016/j.annemergmed.2009.07.023	journal	February 2010
A new normalized goal programming model for multi-objective problems: A case of supplier selection and order allocation Jadidi, O.; Zolfaghari, S.; Cavalieri, S. International Journal of Production Economics, Vol. 148 https://doi.org/10.1016/j.ijpe.2013.10.005	journal	February 2014
On the complexity of integer programming Papadimitriou, Christos H. Journal of the ACM, Vol. 28, Issue 4 https://doi.org/10.1145/322276.322287	journal	October 1981
Lean Thinking in Emergency Departments: A Critical Review Holden, Richard J. Annals of Emergency Medicine, Vol. 57, Issue 3 https://doi.org/10.1016/j.annemergmed.2010.08.001	journal	March 2011
Security Patch Management: Share the Burden or Share the Damage? Cavusoglu, Hasan; Cavusoglu, Huseyin; Zhang, Jun Management Science, Vol. 54, Issue 4 https://doi.org/10.1287/mnsc.1070.0794	journal	April 2008
Financial portfolio management through the goal programming model: Current state-of-the-art Aouni, Belaid; Colapinto, Cinzia; La Torre, Davide European Journal of Operational Research, Vol. 234, Issue 2 https://doi.org/10.1016/j.ejor.2013.09.040	journal	April 2014
Generalized goal programming An overview Ignizio, James P. Computers & Operations Research, Vol. 10, Issue 4 https://doi.org/10.1016/0305-0548(83)90003-5	journal	January 1983
Control charting methods for autocorrelated cyber vulnerability data Afful-Dadzie, Anthony; Allen, Theodore T. Quality Engineering, Vol. 28, Issue 3 https://doi.org/10.1080/08982112.2015.1125926	journal	March 2016
Insurability of Cyber Risk: An Empirical Analysis Biener, Christian; Eling, Martin; Wirfs, Jan Hendrik The Geneva Papers on Risk and Insurance - Issues and Practice, Vol. 40, Issue 1 https://doi.org/10.1057/gpp.2014.19	journal	June 2014
Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks Holm, Hannes; Ekstedt, Mathias; Andersson, Dennis IEEE Transactions on Dependable and Secure Computing, Vol. 9, Issue 6 https://doi.org/10.1109/TDSC.2012.66	journal	November 2012
Toward a standard benchmark for computer security research: the worldwide intelligence network environment (WINE) Dumitras, Tudor; Shou, Darren Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security - BADGERS '11 https://doi.org/10.1145/1978672.1978683	conference	January 2011
Emergency Department Operational Metrics, Measures and Definitions: Results of the Second Performance Measures and Benchmarking Summit Welch, Shari J.; Asplin, Brent R.; Stone-Griffith, Suzanne Annals of Emergency Medicine, Vol. 58, Issue 1 https://doi.org/10.1016/j.annemergmed.2010.08.040	journal	July 2011

Similar Records

Methodology for prioritizing cyber-vulnerable critical infrastructure equipment and mitigation strategies.

Technical Report · Thu Apr 01 00:00:00 EDT 2010 · OSTI ID:1470730

Dawson, Lon Andrew; Stinebaugh, Jennifer A

Cyber-Physical Security Assessment (CyPSA) Toolset

Software · Wed Aug 31 00:00:00 EDT 2016 · OSTI ID:1470730

Garcia, Luis; Patapanchala, Panini; Zonouz, Saman; +11 more

Assessing Vulnerabilities, Risks, and Consequences of Damage to Critical Infrastructure

Technical Report · Fri Feb 04 00:00:00 EST 2011 · OSTI ID:1470730

Suski, N; Wuest, C

Title: VULCON: A System for Vulnerability Prioritization, Mitigation, and Management

Citation Formats

References (12)

Similar Records

Related Subjects