Predicting Exploitations of Information Systems Vulnerabilities Through Attackers’ Characteristics

Abstract

The main goal of proactive security is to prevent attacks before they happen. In modern information systems it largely depends on the vulnerability management process, where prioritization is one of the key steps. A widely used prioritization policy based only upon a common vulnerability scoring system (CVSS) score is frequently criticised for bad effectiveness. The main reason is that the CVSS score alone is not a good predictor of vulnerability exploitation in the wild. Therefore, the aim of the research in this field is to determine in what way we can improve our prediction abilities. Clearly, software vulnerabilities are commodities used by attackers. Hence, it makes sense considering their characteristics in vulnerability prioritization. In contrast, one should be able to measure and compare the effectiveness of various policies. Therefore, an important goal of this paper was to develop an evaluation model, which would allow such comparisons. For this purpose, we developed an agent-based simulation model which measures the exposure of information system to exploitable vulnerabilities. Besides, some policies which take into account human threats were defined and then compared with the most popular existing methods. Experimental results imply that the proposed policy, which is based on CVSS vectors and attacker characteristics, achieves the highest effectiveness among existing methods.