Abstract

The significant expansion in network size to support new paradigms such as cloud computing and the IoT (Internet of Things), together with the exponential increase in vulnerabilities, has greatly challenged existing security mechanisms. These challenges have opened many avenues for research in network security. However, while attack graphs play an important role in analyzing vulnerabilities, analyzing large attack graphs is itself a major issue. Therefore, it is necessary to extract only the critical part of the attack graph. Although technologies have been developed for attack path characterization, there is a lack of hybrid technology that can differentiate between attack paths with similar behavior. We propose a cost-based path characterization technique that takes the attack node's vulnerability complexity into account and significantly reduces the number of vulnerabilities that need to be patched to avoid the major segment of the attack graph. Moreover, we have used a real network prototype to validate the performance of the proposed scheme. The proposed scheme works well in cases where some vulnerabilities have similar risk scores. To the best of our knowledge, this is the first time that a cost-effective approach for attack path analysis has been proposed.
